Analysis
max time kernel: 144s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Size: 180KB
MD5: 8d82a2b777d782e76bfac9ed6d45addd
SHA1: 5c9fe416cf462ab504a214ad40878e31e3443624
SHA256: 969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5
SHA512: bdda495669ac9472b57e5a5c5d1254fe6218bf0aa4a0083af896f75a4b0c15c6b2604b639ae43cb56848e59bd0d6b91572cdecbdd9f00c69dc6aa6b6ce0a88ec
SSDEEP: 3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000014454-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014708-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014454-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001471d-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014454-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014454-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014454-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407049F9-154A-4f38-A988-6DCF262C8374} | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407049F9-154A-4f38-A988-6DCF262C8374}\stubpath = "C:\\Windows\\{407049F9-154A-4f38-A988-6DCF262C8374}.exe" | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34239C63-5A02-4f46-AC44-CA746C59DFF9} | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}\stubpath = "C:\\Windows\\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe" | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}\stubpath = "C:\\Windows\\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe" | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC94C7-DEE2-45b0-8CD2-299380742F36} | {8A52C194-A382-4a98-8D16-46270DCD1027}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC94C7-DEE2-45b0-8CD2-299380742F36}\stubpath = "C:\\Windows\\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe" | {8A52C194-A382-4a98-8D16-46270DCD1027}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}\stubpath = "C:\\Windows\\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe" | {02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E037E02-F335-4fed-AB31-E2C49B1E0823}\stubpath = "C:\\Windows\\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe" | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144} | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34239C63-5A02-4f46-AC44-CA746C59DFF9}\stubpath = "C:\\Windows\\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe" | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD} | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F212FD2-E7F2-47a7-A344-2C22C2665C91} | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}\stubpath = "C:\\Windows\\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe" | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E037E02-F335-4fed-AB31-E2C49B1E0823} | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}\stubpath = "C:\\Windows\\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe" | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC} | {407049F9-154A-4f38-A988-6DCF262C8374}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}\stubpath = "C:\\Windows\\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe" | {407049F9-154A-4f38-A988-6DCF262C8374}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93FDDD8-765D-4767-9B22-8C43F8147A6C} | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A52C194-A382-4a98-8D16-46270DCD1027} | {D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A52C194-A382-4a98-8D16-46270DCD1027}\stubpath = "C:\\Windows\\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe" | {D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACC91CB-61D7-49c8-8271-B3BC73B132A4} | {02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
Deletes itself (1 IoC)
pid | Process
2604 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
1744 | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
2032 | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
2460 | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
2816 | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
2684 | {407049F9-154A-4f38-A988-6DCF262C8374}.exe
2672 | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
2648 | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
1248 | {D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
1568 | {8A52C194-A382-4a98-8D16-46270DCD1027}.exe
688 | {02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
1812 | {DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
File created | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
File created | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
File created | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
File created | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
File created | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
File created | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
File created | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | {407049F9-154A-4f38-A988-6DCF262C8374}.exe
File created | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | {D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
File created | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | {8A52C194-A382-4a98-8D16-46270DCD1027}.exe
File created | C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe | {02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2196 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1744 | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
Token: SeIncBasePriorityPrivilege | 2032 | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
Token: SeIncBasePriorityPrivilege | 2460 | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
Token: SeIncBasePriorityPrivilege | 2816 | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
Token: SeIncBasePriorityPrivilege | 2684 | {407049F9-154A-4f38-A988-6DCF262C8374}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
Token: SeIncBasePriorityPrivilege | 2648 | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
Token: SeIncBasePriorityPrivilege | 1248 | {D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
Token: SeIncBasePriorityPrivilege | 1568 | {8A52C194-A382-4a98-8D16-46270DCD1027}.exe
Token: SeIncBasePriorityPrivilege | 688 | {02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the 16 distinct events below was recorded four times in the report, giving 64 IoCs.
description | pid | Process | procid_target
PID 2196 wrote to memory of 1744 | 2196 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | 28
PID 2196 wrote to memory of 2604 | 2196 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | 29
PID 1744 wrote to memory of 2032 | 1744 | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | 30
PID 1744 wrote to memory of 2440 | 1744 | {9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | 31
PID 2032 wrote to memory of 2460 | 2032 | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | 32
PID 2032 wrote to memory of 2420 | 2032 | {0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | 33
PID 2460 wrote to memory of 2816 | 2460 | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | 36
PID 2460 wrote to memory of 2928 | 2460 | {C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | 37
PID 2816 wrote to memory of 2684 | 2816 | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | 38
PID 2816 wrote to memory of 1564 | 2816 | {34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | 39
PID 2684 wrote to memory of 2672 | 2684 | {407049F9-154A-4f38-A988-6DCF262C8374}.exe | 40
PID 2684 wrote to memory of 2748 | 2684 | {407049F9-154A-4f38-A988-6DCF262C8374}.exe | 41
PID 2672 wrote to memory of 2648 | 2672 | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | 42
PID 2672 wrote to memory of 1552 | 2672 | {381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | 43
PID 2648 wrote to memory of 1248 | 2648 | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | 44
PID 2648 wrote to memory of 2216 | 2648 | {57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | 45
Processes
Process tree (depth in brackets; each entry gives image path, command line, PID and matched signatures; the cmd.exe that deletes a parent is listed directly under that parent):

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"
  PID: 2196
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2604
    - Deletes itself
  [2] C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
    command line: C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
    PID: 1744
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9F212~1.EXE > nul
      PID: 2440
    [3] C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
      command line: C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
      PID: 2032
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0E037~1.EXE > nul
        PID: 2420
      [4] C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
        command line: C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
        PID: 2460
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C08CF~1.EXE > nul
          PID: 2928
        [5] C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
          command line: C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
          PID: 2816
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34239~1.EXE > nul
            PID: 1564
          [6] C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
            command line: C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
            PID: 2684
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{40704~1.EXE > nul
              PID: 2748
            [7] C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
              command line: C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
              PID: 2672
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{381BB~1.EXE > nul
                PID: 1552
              [8] C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
                command line: C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
                PID: 2648
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57FA5~1.EXE > nul
                  PID: 2216
                [9] C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
                  command line: C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
                  PID: 1248
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D93FD~1.EXE > nul
                    PID: 2388
                  [10] C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
                    command line: C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
                    PID: 1568
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8A52C~1.EXE > nul
                      PID: 448
                    [11] C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
                      command line: C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
                      PID: 688
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{02EC9~1.EXE > nul
                        PID: 2444
                      [12] C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
                        command line: C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
                        PID: 1812
                        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads