Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:41
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Size: 192KB
MD5: 81e1743ca873a4fd9ec172c5a57c236d
SHA1: 124af3bf4796489d6cd7df309631e1d88b4d9607
SHA256: 90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811
SHA512: abc65e510002bd437512fa9edf7b8329280803c05941174f87dcd6a57be15c33fc4f7ba8b171473b54130c417f828fc31748e3114d76cc729c998cbc778dfb46
SSDEEP: 1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000012246-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000014fa3-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-32.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893}\stubpath = "C:\\Windows\\{431A6667-4647-415b-BF7D-1DB71C339893}.exe" | {B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}\stubpath = "C:\\Windows\\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe" | {65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A}\stubpath = "C:\\Windows\\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe" | {5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}\stubpath = "C:\\Windows\\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe" | {AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}\stubpath = "C:\\Windows\\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe" | {DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A} | {99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC} | {014E8685-45A4-4b53-A26A-E2F47321866A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5} | {65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC} | {0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF} | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}\stubpath = "C:\\Windows\\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe" | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1} | {DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893} | {B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}\stubpath = "C:\\Windows\\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe" | {0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A} | {5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39} | {AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A}\stubpath = "C:\\Windows\\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe" | {99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360} | {E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360}\stubpath = "C:\\Windows\\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe" | {E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC}\stubpath = "C:\\Windows\\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe" | {014E8685-45A4-4b53-A26A-E2F47321866A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5} | {36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}\stubpath = "C:\\Windows\\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe" | {36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
Deletes itself (1 IoC)
pid | Process
2948 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
1692 | {DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
2652 | {99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
2436 | {014E8685-45A4-4b53-A26A-E2F47321866A}.exe
2964 | {65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
468 | {36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
1928 | {E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
1676 | {0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
1644 | {5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
1488 | {AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
2476 | {B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
860 | {431A6667-4647-415b-BF7D-1DB71C339893}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | {36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
File created | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | {0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
File created | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | {5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
File created | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | {AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
File created | C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe | {B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
File created | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
File created | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | {DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
File created | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | {99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
File created | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | {014E8685-45A4-4b53-A26A-E2F47321866A}.exe
File created | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | {65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
File created | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | {E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3044 | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1692 | {DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
Token: SeIncBasePriorityPrivilege | 2652 | {99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
Token: SeIncBasePriorityPrivilege | 2436 | {014E8685-45A4-4b53-A26A-E2F47321866A}.exe
Token: SeIncBasePriorityPrivilege | 2964 | {65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
Token: SeIncBasePriorityPrivilege | 468 | {36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
Token: SeIncBasePriorityPrivilege | 1928 | {E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
Token: SeIncBasePriorityPrivilege | 1676 | {0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
Token: SeIncBasePriorityPrivilege | 1644 | {5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
Token: SeIncBasePriorityPrivilege | 1488 | {AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
Token: SeIncBasePriorityPrivilege | 2476 | {B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level N marks the depth of the entry in the process tree (level 1 is the submitted sample).

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3044

Level 2: C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
Command line: C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1692

Level 3: C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
Command line: C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2652

Level 4: C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
Command line: C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2436

Level 5: C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
Command line: C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2964

Level 6: C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
Command line: C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 468

Level 7: C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
Command line: C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1928

Level 8: C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
Command line: C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1676

Level 9: C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
Command line: C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1644

Level 10: C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
Command line: C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1488

Level 11: C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
Command line: C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2476

Level 12: C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe
Command line: C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe
- Executes dropped EXE
PID: 860

Level 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CD9~1.EXE > nul
PID: 1004

Level 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AABE6~1.EXE > nul
PID: 2020

Level 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5E559~1.EXE > nul
PID: 628

Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{00587~1.EXE > nul
PID: 2852

Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E5672~1.EXE > nul
PID: 2680

Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{36360~1.EXE > nul
PID: 2120

Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65A36~1.EXE > nul
PID: 2736

Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{014E8~1.EXE > nul
PID: 2364

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{99CDB~1.EXE > nul
PID: 2400

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DE330~1.EXE > nul
PID: 2504

Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 192KB
MD5: 3676a0b39fea3ff0550740acbabccc48
SHA1: bf75ed13abd00528ceb189d45321a16a48fa6212
SHA256: 2067b5a0904ed2787a6504113ee425e5990a769b7a53479e1bee6a05dc762e91
SHA512: b69ebb1a696e4eb4e35bca678f10bf7976ff4dac85d5531622d437963558e33b3c8ca5728e1f68a3dd56da0e3766f39a5c6d9a27d05f77c411ee40343b9e9fbc

Filesize: 192KB
MD5: cc88fe9641bc4dd52adfda5343d53406
SHA1: 7494fbd3e57967d58bca0e384fc921f7f46448b7
SHA256: 321ae1fd42e4e8365854813ebfa57f519546d116947b5bc1360e05f287c1efa9
SHA512: 26cd03707ed6baed35cec44eb63e71b4e119cfcaf65026e6c816d560e47bfa06e6f27f9c0d54765fafbcd10fd1d6505e02a3ca8f728e3ac864b601f5b26d6f5f

Filesize: 192KB
MD5: 7e03607394275d6189d04533b4d0f503
SHA1: 4c4d95b784b812f7fd1aca2ba44a7625a75693b7
SHA256: 62e33872fe852a18df6960267ce3e1d5550a56805e6967ee1b069e96eeaa8f7e
SHA512: e148c42d3bb3a250a315c823f39ca1c6309b927bca97bffc3144bf618b6d3061fa8f2afa9fb5bb08da234af2096e0f5c5db90abfba8336fc2cf53d4cf3b21349

Filesize: 192KB
MD5: af2226b1f99ea6e3cef0aa350d449f61
SHA1: 975ed800da6df9dd2cf07fcf9c43c75bcc3b6f83
SHA256: b671b48dce982152aaea611f2c9421e02802242c5dfb63eaa6ae507daa01c082
SHA512: 427c5448196fe3f921c31725fd0aa78cfa77b7b778d71c30635fe50a2ba1ab5f211f5d2ae4f6565e27f220b9d85709b81f01c12f7b183278e68a083f5a4dbf15

Filesize: 192KB
MD5: 7c9674bb77aa94fbbf68319a0ea655a9
SHA1: 712d4a9c14a64c8f774265dfaa6e3e9371bbe5df
SHA256: 0c7afec432553d1fc3496b5514654818a1a8c8a0cdc42b322d64110c75d68042
SHA512: c94e5cd8b9a78af06c074718606b30c1c1a7d7b81220b1814b71bc1e21717debf4bf9ce6dba26c63fdf77a485637faa7b9a88382a2b3307fa6e7a5c956a1515e

Filesize: 192KB
MD5: bd4ec6d4525e8b587136394971beba94
SHA1: 20534777e5834dbfb4e35c3a5f94767e5458e99b
SHA256: 992e6c349ba887d6218eb267c63f9e85470df60c2f55fe814cb6fda44d9de4d3
SHA512: f8015eb6404c2f97c66704dd97727c819d3c168d477597592d0dda8235b52bf169d91063c313fa136c654f134d55361b9932ab52493a68975b785681329df8f9

Filesize: 192KB
MD5: 2e1bc942e8496036a7ec152dafb49be8
SHA1: 49bdb411dab31499e68fa530d72e780b1f347941
SHA256: 73cb93940dabafadafff46649320fc2890411e4bd5441c97d885afa6fd96fd85
SHA512: 296430ca0ac0d68a0ef235af848b1450e4628da1a868a9389922a8559638a0a4773577f0e37e3a65478e71ee32cc44d2f44f2ddb1e9b001737fd80a0964dd555

Filesize: 192KB
MD5: 6ade46bec34defa673c810246aea28cf
SHA1: 19acf06bf3d8f40627f486705a5e4c3e957ea3e7
SHA256: fb925708eb0f2128ed2a63ecc7fca2314abf1376fb05cc04a4d56d6b52216ef6
SHA512: 9566a754bc3a0c2d383ad2fd7a1f8139125cd45819d06922ab41a012a175bf93d58d2bbece1de52c8c770db9931bea2eae6318d5681de345352d42725157474b

Filesize: 192KB
MD5: aa5b1822951f496cde3997df058ee316
SHA1: 9364ed6126601c4ca70c13e99e288feb35239af1
SHA256: 1cacd2d2a2202134de18e6caa101031ff05c1c8b7751642d9b371ff861612066
SHA512: 52ca09ea1749678f04f3608bf4aa56048e774b7af15a1c8e984c18668f241a83fb425e2fc9d947407ecb778c8825665b04b7c873f8a66ececd243f2f157ca5ae

Filesize: 192KB
MD5: e13aca139107da106545a2d03b31bd18
SHA1: 76a9425041ab4fd03cc452685a34c144361ffadf
SHA256: 0046739247a69b062926e9a3865069020397c20918798c0b42eb55a690b95f88
SHA512: e94a1e446ba6b39b3094881128696313e1ec1d7ac7a0e0051f16075b37b5575ef6a1dfac11a14696f3e4284fe1cb229b65f87aca62a893c1746907da21f72e4e

Filesize: 192KB
MD5: 157f984840c33b695fa372f84a49ff54
SHA1: 3cd2cfb10b6e8d161a28883fb78c89b91260def1
SHA256: c7bf0d2140c2737dc7fbca9aaf814e6d205c9e31c3d2c158810d44d22fa7ca9d
SHA512: 0e96c5d2b96bcf6b97b6efc06a49a6c3c2e05794f76d56a05a3b3c04759690053608aa1e7bc3f1192feb5e0b91080a871c5b5ef47451f3a5a0493bc550cc6e78