Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
Size: 380KB
MD5: 837c0fd552356df3d2305046cc7d3d4b
SHA1: 23cf430ffb0c039c39500fe2aa072dcdd34d9d93
SHA256: ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c
SHA512: d1a5e7fb6af1e81da050658b37c0d137eadb2ed8c7f033b4b25567f9bb88604724aa4d3f827ecf3acb3b1883aade945b5f3d8601025881de6f1db94421cc9939
SSDEEP: 3072:mEGh0oFlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGzl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x0009000000014738-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014fe1-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014738-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014738-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014738-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014738-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76BB640B-575A-428a-BE82-C5786FAD51B9} | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1} | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}\stubpath = "C:\\Windows\\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe" | {A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}\stubpath = "C:\\Windows\\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe" | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}\stubpath = "C:\\Windows\\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe" | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552C4C99-FF3B-465b-BA8D-2677E978339B} | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4} | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09BEC34-7243-435f-8B72-74C5DBC25840}\stubpath = "C:\\Windows\\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe" | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E} | {6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966} | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B} | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552C4C99-FF3B-465b-BA8D-2677E978339B}\stubpath = "C:\\Windows\\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe" | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}\stubpath = "C:\\Windows\\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe" | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F} | {A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09BEC34-7243-435f-8B72-74C5DBC25840} | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76BB640B-575A-428a-BE82-C5786FAD51B9}\stubpath = "C:\\Windows\\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe" | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B755DF5-4E59-4cca-897E-FB39F787FD9F} | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}\stubpath = "C:\\Windows\\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe" | {6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F} | {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}\stubpath = "C:\\Windows\\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe" | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}\stubpath = "C:\\Windows\\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe" | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}\stubpath = "C:\\Windows\\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe" | {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
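The rows above describe the persistence mechanism precisely: every stage creates an Active Setup Installed Components key (under Wow6432Node, because the sample is 32-bit) whose GUID equals the file name of the stage it has just dropped into C:\Windows, then sets that key's stubpath to the dropped file. Active Setup runs a component's StubPath at logon for any user who has not yet recorded that component's version under HKCU, so each GUID executable is re-launched at the next logon. The script below is an added example, not tria.ge output and not code from the sample, that audits `reg query <key> /s` text for this pattern. SAMPLE_EXPORT is constructed to mirror the report's registry rows; the WMP-style entry in it is illustrative only, and the key names and hive paths are the standard Active Setup locations rather than anything taken from the report.

```python
"""Audit Active Setup 'Installed Components' for the persistence pattern in this
report: a stubpath pointing at a GUID-named .exe directly under C:\\Windows,
registered under a key that carries the same GUID.

Added example for this report; it is not tria.ge code and not part of the sample.
Input is the text produced by `reg query <key> /s`. SAMPLE_EXPORT below is
constructed to mirror the report's registry rows; the WMP-style entry in it is
illustrative only.
"""
import re
import subprocess
import sys

ACTIVE_SETUP_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
)
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
KEY_LINE = re.compile(r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\.*\\Installed Components\\(" + GUID + r")\s*$", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# A GUID-named executable sitting directly in the Windows directory (no subfolder).
WINDIR_GUID_EXE = re.compile(r'^"?([A-Za-z]:\\Windows\\(' + GUID + r')\.exe)"?(?:\s.*)?$', re.I)

# Constructed `reg query /s` output; modeled on the report, not captured from a host.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
    StubPath    REG_EXPAND_SZ    %SystemRoot%\System32\unregmp2.exe /ShowWMP
    Version    REG_SZ    12,0,7601,17514

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}
    stubpath    REG_SZ    C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}
    stubpath    REG_SZ    C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}
    stubpath    REG_SZ    C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
"""


def parse_reg_export(text):
    """Return [(key_guid, {value_name_lower: (type, data)})] per Installed Components subkey.
    Value names are lower-cased because the registry is case-insensitive: the
    sample writes 'stubpath', Windows reads it as StubPath."""
    entries, current = [], None
    for line in text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            current = (key.group(1), {})
            entries.append(current)
            continue
        value = VALUE_LINE.match(line)
        if current is not None and value:
            name, vtype, data = value.groups()
            current[1][name.lower()] = (vtype, data)
    return entries


def audit(entries):
    """Return (key_guid, stubpath, reason) for every suspicious entry."""
    findings = []
    for key_guid, values in entries:
        if "stubpath" not in values:
            continue
        match = WINDIR_GUID_EXE.match(values["stubpath"][1])
        if not match:
            continue
        path, exe_guid = match.group(1), match.group(2)
        reason = "GUID-named executable directly in the Windows directory"
        if exe_guid.lower() == key_guid.lower():
            reason += "; file name reuses the Active Setup key GUID"
        findings.append((key_guid, path, reason))
    return findings


def query_live():
    """On Windows, dump both Active Setup views with reg.exe and audit them."""
    if sys.platform != "win32":
        raise RuntimeError("live registry query only works on Windows")
    out = ""
    for key in ACTIVE_SETUP_KEYS:
        out += subprocess.run(["reg", "query", key, "/s"], capture_output=True, text=True).stdout
    return audit(parse_reg_export(out))


if __name__ == "__main__":
    results = query_live() if sys.platform == "win32" else audit(parse_reg_export(SAMPLE_EXPORT))
    for key_guid, path, reason in results:
        print(f"{key_guid}\n  stubpath -> {path}\n  {reason}")
```

Run on a Windows host it audits the live registry; anywhere else it runs against the constructed export. A hit is a reason to pull the file and check its hash against the Downloads list, not a verdict on its own: legitimate Active Setup entries point into System32 or Program Files with a version value, whereas none of this sample's keys carries one.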
Deletes itself 1 IoCs
pid | Process
2860 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
2236 | {A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
2972 | {6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
1096 | {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
2920 | {A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe | {6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
File created | C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe | {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
File created | C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
File created | C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
File created | C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
File created | C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
File created | C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
File created | C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe | {A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
File created | C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
File created | C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
File created | C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
Token: SeIncBasePriorityPrivilege | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
Token: SeIncBasePriorityPrivilege | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
Token: SeIncBasePriorityPrivilege | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
Token: SeIncBasePriorityPrivilege | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
Token: SeIncBasePriorityPrivilege | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
Token: SeIncBasePriorityPrivilege | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
Token: SeIncBasePriorityPrivilege | 2236 | {A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
Token: SeIncBasePriorityPrivilege | 2972 | {6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
Token: SeIncBasePriorityPrivilege | 1096 | {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2248 wrote to memory of 1352 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 28
PID 2248 wrote to memory of 1352 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 28
PID 2248 wrote to memory of 1352 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 28
PID 2248 wrote to memory of 1352 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 28
PID 2248 wrote to memory of 2860 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 29
PID 2248 wrote to memory of 2860 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 29
PID 2248 wrote to memory of 2860 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 29
PID 2248 wrote to memory of 2860 | 2248 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe | 29
PID 1352 wrote to memory of 2612 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 32
PID 1352 wrote to memory of 2612 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 32
PID 1352 wrote to memory of 2612 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 32
PID 1352 wrote to memory of 2612 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 32
PID 1352 wrote to memory of 2636 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 33
PID 1352 wrote to memory of 2636 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 33
PID 1352 wrote to memory of 2636 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 33
PID 1352 wrote to memory of 2636 | 1352 | {77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe | 33
PID 2612 wrote to memory of 2352 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 34
PID 2612 wrote to memory of 2352 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 34
PID 2612 wrote to memory of 2352 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 34
PID 2612 wrote to memory of 2352 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 34
PID 2612 wrote to memory of 2388 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 35
PID 2612 wrote to memory of 2388 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 35
PID 2612 wrote to memory of 2388 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 35
PID 2612 wrote to memory of 2388 | 2612 | {CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe | 35
PID 2352 wrote to memory of 2800 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 36
PID 2352 wrote to memory of 2800 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 36
PID 2352 wrote to memory of 2800 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 36
PID 2352 wrote to memory of 2800 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 36
PID 2352 wrote to memory of 1032 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 37
PID 2352 wrote to memory of 1032 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 37
PID 2352 wrote to memory of 1032 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 37
PID 2352 wrote to memory of 1032 | 2352 | {552C4C99-FF3B-465b-BA8D-2677E978339B}.exe | 37
PID 2800 wrote to memory of 1780 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 38
PID 2800 wrote to memory of 1780 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 38
PID 2800 wrote to memory of 1780 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 38
PID 2800 wrote to memory of 1780 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 38
PID 2800 wrote to memory of 1996 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 39
PID 2800 wrote to memory of 1996 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 39
PID 2800 wrote to memory of 1996 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 39
PID 2800 wrote to memory of 1996 | 2800 | {5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe | 39
PID 1780 wrote to memory of 2640 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 40
PID 1780 wrote to memory of 2640 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 40
PID 1780 wrote to memory of 2640 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 40
PID 1780 wrote to memory of 2640 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 40
PID 1780 wrote to memory of 2688 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 41
PID 1780 wrote to memory of 2688 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 41
PID 1780 wrote to memory of 2688 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 41
PID 1780 wrote to memory of 2688 | 1780 | {D09BEC34-7243-435f-8B72-74C5DBC25840}.exe | 41
PID 2640 wrote to memory of 1796 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 42
PID 2640 wrote to memory of 1796 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 42
PID 2640 wrote to memory of 1796 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 42
PID 2640 wrote to memory of 1796 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 42
PID 2640 wrote to memory of 1972 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 43
PID 2640 wrote to memory of 1972 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 43
PID 2640 wrote to memory of 1972 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 43
PID 2640 wrote to memory of 1972 | 2640 | {76BB640B-575A-428a-BE82-C5786FAD51B9}.exe | 43
PID 1796 wrote to memory of 2236 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 44
PID 1796 wrote to memory of 2236 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 44
PID 1796 wrote to memory of 2236 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 44
PID 1796 wrote to memory of 2236 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 44
PID 1796 wrote to memory of 1772 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 45
PID 1796 wrote to memory of 1772 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 45
PID 1796 wrote to memory of 1772 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 45
PID 1796 wrote to memory of 1772 | 1796 | {7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe | 45
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"
PID: 2248
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  [2] C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
  Command line: C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
  PID: 1352
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
    Command line: C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
    PID: 2612
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
      Command line: C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
      PID: 2352
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
        Command line: C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
        PID: 2800
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
          Command line: C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
          PID: 1780
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
            Command line: C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
            PID: 2640
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
              Command line: C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
              PID: 1796
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
                Command line: C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
                PID: 2236
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
                  Command line: C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
                  PID: 2972
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
                    Command line: C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
                    PID: 1096
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
                      Command line: C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
                      PID: 2920
                      - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{27DEC~1.EXE > nul
                      PID: 600
                    [11] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8BF~1.EXE > nul
                    PID: 2452
                  [10] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D1A~1.EXE > nul
                  PID: 1640
                [9] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7B755~1.EXE > nul
                PID: 1772
              [8] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{76BB6~1.EXE > nul
              PID: 1972
            [7] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D09BE~1.EXE > nul
            PID: 2688
          [6] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5084D~1.EXE > nul
          PID: 1996
        [5] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{552C4~1.EXE > nul
        PID: 1032
      [4] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CDBC6~1.EXE > nul
      PID: 2388
    [3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{77CD1~1.EXE > nul
    PID: 2636
  [2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
  PID: 2860
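The tree has the same shape at every level: a GUID-named executable in C:\Windows starts the next GUID-named copy and a cmd.exe that deletes the launcher's own file by its 8.3 short name ({27DEC~1.EXE for {27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe, 2024-0~1.EXE for the original sample), which is why only the first cmd.exe trips the "Deletes itself" signature while every stage in fact removes itself. The script below is an added example, not tria.ge code and not code from the sample, that reconstructs such a chain from process-creation events and pairs each cmd.exe del with the parent it erases. The events are constructed from the PIDs and paths in this report; the parent pid 1200 of the first process is made up, the field names only imitate Sysmon event 1, and the short-name comparison is a prefix heuristic rather than a real 8.3 resolution.

```python
"""Reconstruct the dropper chain in this report from process-creation events and
flag the cmd.exe helpers that delete their parent's own executable.

Added example for this report; not tria.ge code and not part of the sample.
Events are constructed from the PIDs and paths in the report's process tree;
the parent pid of the first process (1200) is made up, and the field names
imitate Sysmon event 1 (pid, ppid, image, cmdline) without coming from a real log.
"""
import ntpath
import re
from collections import defaultdict

STAGES = [  # (pid, image) in launch order, taken from the report's process tree
    (2248, r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"),
    (1352, r"C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe"),
    (2612, r"C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe"),
    (2352, r"C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe"),
    (2800, r"C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe"),
    (1780, r"C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe"),
    (2640, r"C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe"),
    (1796, r"C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe"),
    (2236, r"C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe"),
    (2972, r"C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe"),
    (1096, r"C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe"),
    (2920, r"C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe"),
]
DELETERS = [  # (cmd.exe pid, parent pid, 8.3 path passed to del), from the report
    (2860, 2248, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    (2636, 1352, r"C:\Windows\{77CD1~1.EXE"),
    (2388, 2612, r"C:\Windows\{CDBC6~1.EXE"),
    (1032, 2352, r"C:\Windows\{552C4~1.EXE"),
    (1996, 2800, r"C:\Windows\{5084D~1.EXE"),
    (2688, 1780, r"C:\Windows\{D09BE~1.EXE"),
    (1972, 2640, r"C:\Windows\{76BB6~1.EXE"),
    (1772, 1796, r"C:\Windows\{7B755~1.EXE"),
    (1640, 2236, r"C:\Windows\{A1D1A~1.EXE"),
    (2452, 2972, r"C:\Windows\{6B8BF~1.EXE"),
    (600, 1096, r"C:\Windows\{27DEC~1.EXE"),
]
# GUID-named executable directly in the Windows directory.
GUID_EXE_IN_WINDIR = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul", the self-delete form used by every stage here.
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\b", re.I)


def build_events():
    """Constructed process-creation events mirroring the report's tree."""
    events, parent = [], 1200  # 1200 is a made-up pid for the shell that ran the sample
    for pid, image in STAGES:
        events.append({"pid": pid, "ppid": parent, "image": image, "cmdline": f'"{image}"'})
        parent = pid
    for pid, ppid, short in DELETERS:
        events.append({"pid": pid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
                       "cmdline": rf"C:\Windows\system32\cmd.exe /c del {short} > nul"})
    return events


def short_name_matches(short_path, long_path):
    """Heuristic 8.3 check: the text before '~' must start the long basename.
    Real short names may be ~2 on collision or drop characters, so treat a
    match as strong evidence, not proof."""
    short_base, long_base = ntpath.basename(short_path), ntpath.basename(long_path)
    if "~" not in short_base:
        return short_base.lower() == long_base.lower()
    return long_base.lower().startswith(short_base.split("~", 1)[0].lower())


def find_self_deletes(events):
    """Return (parent_pid, parent_image, deleted_path) for each cmd.exe child
    whose del target resolves to its parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m, parent = DEL_CMD.search(e["cmdline"]), by_pid.get(e["ppid"])
        if m and parent and short_name_matches(m.group(1), parent["image"]):
            hits.append((parent["pid"], parent["image"], m.group(1)))
    return hits


def longest_dropper_chain(events):
    """Longest parent->child path whose every child is a GUID-named .exe in the
    Windows directory; the root may be anything (here, the original sample)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    def walk(pid):
        best = [pid]
        for child in children[pid]:
            if GUID_EXE_IN_WINDIR.match(by_pid[child]["image"]):
                path = [pid] + walk(child)
                best = path if len(path) > len(best) else best
        return best

    roots = [e["pid"] for e in events if e["ppid"] not in by_pid]
    return max((walk(r) for r in roots), key=len, default=[])


if __name__ == "__main__":
    evs = build_events()
    chain = longest_dropper_chain(evs)
    print(f"dropper chain of {len(chain)} processes: {' -> '.join(map(str, chain))}")
    for ppid, image, deleted in find_self_deletes(evs):
        print(f"pid {ppid} removed its own file {ntpath.basename(image)} via {deleted}")
```

On real telemetry, feed `build_events` the process-creation records of one host instead of the constructed list; the two checks are independent, so a chain shorter than this sample's twelve links or a single self-deleting GUID executable is still worth a look. The final stage ({A4D4A3D3-...}.exe, PID 2920) has no cmd.exe child in the report, so it is the only dropped file that should still be on disk after the run.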
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 380KB
MD5: ecfa67ca309dcd91067482210fbc5acc
SHA1: 4ed2fd71943e7201a7299588877e6bc15a340be3
SHA256: 8e9ad34c2b3bd026fdb5de263d56d6c59aebb7b29a5bc5b14fa0a40518a4216b
SHA512: 88ecdc92cd85d885d2f2babc2f4e5e2c423c8f9d70f6b776d443f8259b2d1093fdd54c0b4e7ef8ee73117f5523985812ac687125691207c6ebc0e841b71e64fb

Filesize: 380KB
MD5: 606ec459a4b6e3bd1207bd9f95b5e6cb
SHA1: 2f1b89e60ba4c6eaa489b2913807e64b436bb0f5
SHA256: 2b7dd6a4f0c21c7a3d1a7510497696062d88904510d7494b73d6627764776722
SHA512: 093d41a0ba1325288a5136ea7b7bddc04b3f8e6e08710203899b280ecad91de908d9e895e2adcafe65e9cfdc3d1b2c0572f9722d667ae1c648fb64dc4509eaa2

Filesize: 380KB
MD5: 2777fa5e1be5c605e5fd6f9440d0baa4
SHA1: e0fba6a706320d4f170c5d696ba30eee8aee7351
SHA256: b76a14689b09ce1bd70d2dd550da3f3a512f1f87636deba606ae1847b9b9cdb3
SHA512: e31cae8fa14a6224d1527d3d03fbbfb36caf6cc567bc1bf67575c437b51e4b99c64f77e928be1a157e28da98041d442be6fd84b4a5941d9e6d650901381a3cdd

Filesize: 380KB
MD5: 61222317d009b4b6cac9003d1f166e08
SHA1: 24da2b0e6b15468c9b45f0ce3071e9cf2c9a6998
SHA256: 7d2811fe8a42c3a0f60accac941a0c68e7f02e6dc5102eb4b85695ca9069c10f
SHA512: e367a7e16f1c9dce20516cf4dd46de19274a0e6649f6ff8c320bd3ad0ddd3021481ba900f22af1092ab9ce8ffbee2d041fbf8ab0757f224f588841651be26a9e

Filesize: 380KB
MD5: bc185c4496e190b3b9195773a4c6cce1
SHA1: 48718264dff644847a29d526fcd67f6cde9dc83a
SHA256: 7534c9685edfd1c3942dee12f5cd57ebcf7ed58cf1d1e9139f3a3728eadb65b4
SHA512: bd09df3132d134566817d8ad4d5f1d273ae34cca06227e1b3336ae0776966605836a7957617007dcb50fd9e0418eb38be18145395809b980e0a5c76202e5333f

Filesize: 380KB
MD5: 8119276d91f4b40b60adce6c21f71219
SHA1: b63287e100b2cfa3116a0d3ef2db616f691cdcbf
SHA256: cf6f4ce7e613fcae276d50ca2f69f367ddd8f02b65c97cb973b6024579293e95
SHA512: 11ea2c286f28e0252e89aaa0927f7b439a86fcfbd68ff31b01c0f62f951019ea14a4b2dd063d310a4a8a540a1952a9ec437ee21d4543ea37c485217b90ed0d2b

Filesize: 380KB
MD5: 5a794c77f05bfa80939af48e2ed512e2
SHA1: 1591a153627a0e003b165375e45fff9f3a5544f1
SHA256: 5da35fceb0fea8246f18968acf0bd991fc07f4fa129be35a4638538abfa19a04
SHA512: 9aad56d130cd778ed884191edd36330d5da47600d313ec922b6db7f3150b18951033b1efbd689348fd7f609331ae28b26872381ed46c853604c8490ec737037f

Filesize: 380KB
MD5: d1a27f97a01b3dd2d390063e96b7fae3
SHA1: e8724a98c3bcd2a980cab66a25eb47a87ab938aa
SHA256: 78d24c1cac5b0c701eddec1d08e60f81a101dc27e026c909272cba1276025c45
SHA512: 99f1b4f7ffab9c111d3901eb2ae359b7381eda31effe2c42ef231cca45cb4deb4a86d607c48dc3ff06db28e47db5607cb4ea3384f967f3a51476ca1e936468db

Filesize: 380KB
MD5: 81f52e039898ec0933e7b58d350ae348
SHA1: 1cd8cbdce585b3c78a714d12e48d8dfb05c8f9a6
SHA256: 14a099c3994ca6bd0202ca995999e65c3b4025245514292c6850aac8662e7ded
SHA512: c1ddb2b4fc2c57656f3caf08605236efe1dd938e1586af5942a2aa6076d6f61f65e4c719e37c222118636853fb22aaccb168e1ddb61cbb0ca8b79a558550fbd5

Filesize: 380KB
MD5: 1ba8316b339c048e713544a6e277a9f4
SHA1: 24c01ecfdb09578bd776bf1a45775766465531cf
SHA256: fefa335cf3babb286be5cf274fd1696729ba30013dea193a62d6a7de2d19f0a6
SHA512: 3d34278b5968cb560808662510ffc408aeae5ead12beda3ee321e93ba5c51021551d0f323cf210479d5136f470a841a1782cb9f70b6d72cb431a097f40b6bcfb

Filesize: 380KB
MD5: 3456312515fc86c9e6c61185dfe845b1
SHA1: d38203b6777979800a19ec64e7070d0c0c89f337
SHA256: c7270ee7923058514b091f8d35b433884581702aa1646ec2c93afebcba755471
SHA512: d6844cc0026409abc52ee57b97bb046038830fbf9932e868e06dc0e0c7ddea4f1965d99cd383755a93b6c05322783ae41f97faa5038ba40627d13fd91bc079d5