Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Size: 408KB
MD5: 346d60fa715d70c9f021f642ca8c062c
SHA1: 80861531b692c44698e5e540d68070ab917444f8
SHA256: f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73
SHA512: cd46e07b06cd52f62b4825437d9016e5d3cdfe8f8a1b39bd7c9311a7d9fb3e031e80f2ea720355dc134cf5273bd3933f5d064b2b9ecfbe71356c1ae8c1f1ee36
SSDEEP: 3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012255-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014284-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d0000000144e9-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012255-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012255-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012255-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}\stubpath = "C:\\Windows\\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe" | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A} | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E}\stubpath = "C:\\Windows\\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe" | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D} | {CB87218E-4D48-491f-A19C-DD567919EE72}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}\stubpath = "C:\\Windows\\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe" | {CB87218E-4D48-491f-A19C-DD567919EE72}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656} | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D} | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4} | {908FD874-865D-4f44-87FA-699F30C32656}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}\stubpath = "C:\\Windows\\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe" | {908FD874-865D-4f44-87FA-699F30C32656}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}\stubpath = "C:\\Windows\\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe" | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8}\stubpath = "C:\\Windows\\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe" | {6745D736-4401-43cd-A530-9210F5AA488A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72}\stubpath = "C:\\Windows\\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe" | {E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9}\stubpath = "C:\\Windows\\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe" | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656}\stubpath = "C:\\Windows\\{908FD874-865D-4f44-87FA-699F30C32656}.exe" | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E} | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}\stubpath = "C:\\Windows\\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe" | {24607556-3412-454f-86CD-0EB280ED1E1E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9} | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A}\stubpath = "C:\\Windows\\{6745D736-4401-43cd-A530-9210F5AA488A}.exe" | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4} | {24607556-3412-454f-86CD-0EB280ED1E1E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72} | {E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC} | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8} | {6745D736-4401-43cd-A530-9210F5AA488A}.exe
Deletes itself (1 IoC)
pid | Process
1580 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe
2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe
2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe
2824 | {24607556-3412-454f-86CD-0EB280ED1E1E}.exe
1364 | {E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
2912 | {CB87218E-4D48-491f-A19C-DD567919EE72}.exe
1056 | {550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | {908FD874-865D-4f44-87FA-699F30C32656}.exe
File created | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
File created | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | {6745D736-4401-43cd-A530-9210F5AA488A}.exe
File created | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | {24607556-3412-454f-86CD-0EB280ED1E1E}.exe
File created | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | {E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
File created | C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe | {CB87218E-4D48-491f-A19C-DD567919EE72}.exe
File created | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
File created | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
File created | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
File created | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe
File created | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
Token: SeIncBasePriorityPrivilege | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe
Token: SeIncBasePriorityPrivilege | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
Token: SeIncBasePriorityPrivilege | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
Token: SeIncBasePriorityPrivilege | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
Token: SeIncBasePriorityPrivilege | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe
Token: SeIncBasePriorityPrivilege | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {24607556-3412-454f-86CD-0EB280ED1E1E}.exe
Token: SeIncBasePriorityPrivilege | 1364 | {E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
Token: SeIncBasePriorityPrivilege | 2912 | {CB87218E-4D48-491f-A19C-DD567919EE72}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2152 wrote to memory of 280 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 28
PID 2152 wrote to memory of 280 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 28
PID 2152 wrote to memory of 280 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 28
PID 2152 wrote to memory of 280 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 28
PID 2152 wrote to memory of 1580 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 29
PID 2152 wrote to memory of 1580 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 29
PID 2152 wrote to memory of 1580 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 29
PID 2152 wrote to memory of 1580 | 2152 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 29
PID 280 wrote to memory of 2636 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 30
PID 280 wrote to memory of 2636 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 30
PID 280 wrote to memory of 2636 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 30
PID 280 wrote to memory of 2636 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 30
PID 280 wrote to memory of 2736 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 31
PID 280 wrote to memory of 2736 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 31
PID 280 wrote to memory of 2736 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 31
PID 280 wrote to memory of 2736 | 280 | {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | 31
PID 2636 wrote to memory of 2564 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 32
PID 2636 wrote to memory of 2564 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 32
PID 2636 wrote to memory of 2564 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 32
PID 2636 wrote to memory of 2564 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 32
PID 2636 wrote to memory of 1756 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 33
PID 2636 wrote to memory of 1756 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 33
PID 2636 wrote to memory of 1756 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 33
PID 2636 wrote to memory of 1756 | 2636 | {908FD874-865D-4f44-87FA-699F30C32656}.exe | 33
PID 2564 wrote to memory of 3000 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 36
PID 2564 wrote to memory of 3000 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 36
PID 2564 wrote to memory of 3000 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 36
PID 2564 wrote to memory of 3000 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 36
PID 2564 wrote to memory of 2296 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 37
PID 2564 wrote to memory of 2296 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 37
PID 2564 wrote to memory of 2296 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 37
PID 2564 wrote to memory of 2296 | 2564 | {9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | 37
PID 3000 wrote to memory of 2968 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 38
PID 3000 wrote to memory of 2968 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 38
PID 3000 wrote to memory of 2968 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 38
PID 3000 wrote to memory of 2968 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 38
PID 3000 wrote to memory of 3024 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 39
PID 3000 wrote to memory of 3024 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 39
PID 3000 wrote to memory of 3024 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 39
PID 3000 wrote to memory of 3024 | 3000 | {64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | 39
PID 2968 wrote to memory of 2676 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 40
PID 2968 wrote to memory of 2676 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 40
PID 2968 wrote to memory of 2676 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 40
PID 2968 wrote to memory of 2676 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 40
PID 2968 wrote to memory of 1528 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 41
PID 2968 wrote to memory of 1528 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 41
PID 2968 wrote to memory of 1528 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 41
PID 2968 wrote to memory of 1528 | 2968 | {CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | 41
PID 2676 wrote to memory of 2696 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 42
PID 2676 wrote to memory of 2696 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 42
PID 2676 wrote to memory of 2696 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 42
PID 2676 wrote to memory of 2696 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 42
PID 2676 wrote to memory of 2780 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 43
PID 2676 wrote to memory of 2780 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 43
PID 2676 wrote to memory of 2780 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 43
PID 2676 wrote to memory of 2780 | 2676 | {6745D736-4401-43cd-A530-9210F5AA488A}.exe | 43
PID 2696 wrote to memory of 2824 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 44
PID 2696 wrote to memory of 2824 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 44
PID 2696 wrote to memory of 2824 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 44
PID 2696 wrote to memory of 2824 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 44
PID 2696 wrote to memory of 1804 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 45
PID 2696 wrote to memory of 1804 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 45
PID 2696 wrote to memory of 1804 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 45
PID 2696 wrote to memory of 1804 | 2696 | {99373C54-02F4-495b-97A9-65C87D956FD8}.exe | 45
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"
tree depth: 1
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2152

C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
command line: C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
tree depth: 2
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 280

C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
command line: C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
tree depth: 3
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2636

C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
command line: C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
tree depth: 4
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2564

C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
command line: C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
tree depth: 5
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3000

C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
command line: C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
tree depth: 6
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2968

C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
command line: C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
tree depth: 7
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2676

C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
command line: C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
tree depth: 8
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2696

C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
command line: C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
tree depth: 9
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2824

C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
command line: C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
tree depth: 10
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1364

C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe
command line: C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe
tree depth: 11
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2912

C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
command line: C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
tree depth: 12
- Executes dropped EXE
PID: 1056

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
tree depth: 12
PID: 1648

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BC2~1.EXE > nul
tree depth: 11
PID: 1608

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{24607~1.EXE > nul
tree depth: 10
PID: 2084

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{99373~1.EXE > nul
tree depth: 9
PID: 1804

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6745D~1.EXE > nul
tree depth: 8
PID: 2780

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D1~1.EXE > nul
tree depth: 7
PID: 1528

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{64E3B~1.EXE > nul
tree depth: 6
PID: 3024

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9C87E~1.EXE > nul
tree depth: 5
PID: 2296

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{908FD~1.EXE > nul
tree depth: 4
PID: 1756

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0211D~1.EXE > nul
tree depth: 3
PID: 2736

C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
tree depth: 2
- Deletes itself
PID: 1580
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 408KB
MD5: dce4e8e727d3ba1fa933a84a8c3bc6f4
SHA1: f71f7aeaf2fcbc11906d07986270b64963e9a773
SHA256: 69c91a240a6619c6a8259d457d7558d03778022bf999059ab1dfbd88e7c6263f
SHA512: 3ef90d9df5dad8dabfe50ca7bf3fb830a5a377d95028e8d2df31cf7592d8bc3730232cc5cef4491553131d612ff243f1a01f2c14fcd2740635df56f43172d2f4

Filesize: 408KB
MD5: e152146427e118b2230e15424b91019b
SHA1: 2b6a2403214715a5607eb067ba2895010f1bdd34
SHA256: 69d19b2e9cc74b7ca079b03c8cf7d99e96bd7840191562e98d9ded705f6e26a1
SHA512: c589533548512f1ad900115692acde76b40efd5728bb0c5039f8fbbd7e74b89fdf16489378af69243b68b6a63028756ef45c7f10b61b7ab437511a5e42644a36

Filesize: 408KB
MD5: f9f7e8a3221ba80b83e66a6852836a0a
SHA1: 03d8e2a8708e9e6dba6884970eba44736b063c71
SHA256: ef71a3882825a498b765195ceb699591b1e7863f429736d68fa132b5a25cf678
SHA512: 6ebea0766dfd240014ce86b6653fad34ebf0d384e08645a9637bd970495925953322cf4f3a4a874b063eadc0e1cc27fb704ce40d71b28e2d7a79417ae4c3b3b1

Filesize: 408KB
MD5: 24fc97171619e6a892af1aa6a60ad421
SHA1: 564485de8d3ef0a333f80e70d6ec0eaf38a94721
SHA256: 53e4a8811aa1ef84e8c8f96321ba9f3b65b694f3312ae14443e65ba91712f271
SHA512: fc510a331c3f94f9fe343116cdb6fc592aaf819826e6bedf6a328ee9321dfaa25896f5d365fd9dbe9e09a598740aed49c1c1620ac7cc030ba91a2dd10d8c1dbb

Filesize: 408KB
MD5: 32e536437cade2f388f78ac411f54c1e
SHA1: 4586bae80be4f17e14aa68540a12ba3668d5f8ff
SHA256: 1e0c8272234b4b55c2e76eb7d284e8b27c91c3b97afdc5e8617a432620499ef5
SHA512: b67448bcceb057dd7e58cf147968fc45bc0bacc5b29cbb4ea2f728fb7204de9a5bfb2846adfcf76d79e4a128948d3f0fb410be5b1431e0bc1e7312f536bc8879

Filesize: 408KB
MD5: 26d51f31bee81c85057055998cc7d4cb
SHA1: 01846bd8ac7cb096045fcdb203fbf9b9418e41c8
SHA256: 27e560f0abf4d09864dda1df5471043ecbc67a9facb255cc39b5fb8f8a31b698
SHA512: 9aa0ab6a7fc8acf2b2ee717030470dfd6e6e11a07b38117bf8d972d91ac32702909607fd9479d1734b743a536a622d64ed9a52bb87dc569b4a5501ba9ce6d7fb

Filesize: 408KB
MD5: bd26f557f376d3f9d301c038503e106f
SHA1: d9a40c33dbe30ffee391dccaee58ee33784d9bc2
SHA256: 3935db407a0dcc76247589f3f86205a68922cd367128ea4fb7ab4c7a4ab0ceae
SHA512: dc7a5d6dfd436d23a31fb1803114c378cd8b41dc5911ff80fcba2b713f82f350101eaa692bda0b2a07d8f6d757f783a20b45420772b97f2c0f51239ca357b3c4

Filesize: 408KB
MD5: 9a60153d16a63fb17944c59ab0b694de
SHA1: 1a2b9457b2584e7e631091a04f1d70e222804cde
SHA256: f7e798f31bea8ca86b5b272883cb38c506fe76cce9ed5437a05322e552ebc402
SHA512: ce25dbfc1a1c53c9fbdaf3d820d65f0f0e582078e97b26ebb2d18349ee5286b0acb8b31a13ba6f7d6068daa0796a78acc748bbfef247a6344f4bf2fb6dbe165d

Filesize: 408KB
MD5: 8f18f1106410cc241aa6e22a444b5535
SHA1: 70141f1019add2cce2fcd3c6ea6afce727f1ec48
SHA256: f7f28ccd94520285daf62799b364bf7519d333d9f726216b3aa6caac0510115e
SHA512: f74e7ff539c4acce91b7f17a61c9a99080d4501211488294217f4f51342e7cc5e2ec446aef0805c5f6cb81e07530cef07f1d2135d7836265cd074d8c5d6a02d3

Filesize: 408KB
MD5: 478958ff58825f015071757f8d75448d
SHA1: fffafab9988ad965e02dbdbcda4020956419cda9
SHA256: 92d64707f479a711c1d23b3b7ca1778e0aa86fc026182f7d1d0342c1dc7bcd69
SHA512: da73e7008c5b11e1effe45c2b085ff5a26a593b0ae9c3aea8dd2810064e5b9d194da365fb49e1a717cae916f055b3923c9264c737c50e613ad7fca03e06a63ca

Filesize: 408KB
MD5: 7a13ac389293950deec8fd8b40f7a535
SHA1: e5a102cc35eebd1ee8cfa1aa46e590a1c7d4c888
SHA256: 2bf4fce610797f3873c472ffc10c5916b6c214d62623ba54807acae575cd6f5f
SHA512: 82c5931785da4ab26e96913baf354a0658d479a9ab5f6bb1b5ee4048d3cff49f8418696b6b738f5373028450b078bb5f4eec2121eaf88d53435c9b12e565c8da