Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 23:16
Static task: static1
Behavioral task: behavioral1
  Sample: 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
  Resource: win10v2004-20240319-en
General
Target: 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
Size: 216KB
MD5: 1e66159cc53bd746bbebea594023123e
SHA1: 8df5d5f9ed90b130c529f29b24e045deffb4cdb9
SHA256: 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe
SHA512: f4e505c27fa982da82e0774727f578891f6653856b3bc3363f3e46a59c6adc8f98afce7a1c6905868454deed337fccae51357f7c832e53f9c8fd1e55eb7abf2e
SSDEEP: 3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000900000001225b-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001227e-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001227e-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001227e-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016ce0-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}\stubpath = "C:\\Windows\\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe" | {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}\stubpath = "C:\\Windows\\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe" | {6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066E9405-A88F-475b-B516-A11BC7FF20DE} | {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F22C96-E553-449c-86B8-D666997174A9}\stubpath = "C:\\Windows\\{68F22C96-E553-449c-86B8-D666997174A9}.exe" | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4} | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3} | {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}\stubpath = "C:\\Windows\\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe" | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}\stubpath = "C:\\Windows\\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe" | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}\stubpath = "C:\\Windows\\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe" | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303224E0-AA94-47d8-957E-2698585A1C1A}\stubpath = "C:\\Windows\\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe" | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F} | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FACE99A-378C-4315-9FE4-FBE55743F25C} | {68F22C96-E553-449c-86B8-D666997174A9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E} | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A} | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3} | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303224E0-AA94-47d8-957E-2698585A1C1A} | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}\stubpath = "C:\\Windows\\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe" | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021} | {6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066E9405-A88F-475b-B516-A11BC7FF20DE}\stubpath = "C:\\Windows\\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe" | {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F22C96-E553-449c-86B8-D666997174A9} | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FACE99A-378C-4315-9FE4-FBE55743F25C}\stubpath = "C:\\Windows\\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe" | {68F22C96-E553-449c-86B8-D666997174A9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}\stubpath = "C:\\Windows\\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe" | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
Deletes itself (1 IoC)
pid | Process
2496 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2480 | {68F22C96-E553-449c-86B8-D666997174A9}.exe
2516 | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
2420 | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
984 | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
1064 | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
2728 | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
1948 | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe
2180 | {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
1532 | {6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
1964 | {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
2636 | {066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe
File created | C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe | {6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
File created | C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe | {68F22C96-E553-449c-86B8-D666997174A9}.exe
File created | C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
File created | C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
File created | C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
File created | C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe | {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
File created | C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
File created | C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
File created | C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
File created | C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe | {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2156 | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
Token: SeIncBasePriorityPrivilege | 2480 | {68F22C96-E553-449c-86B8-D666997174A9}.exe
Token: SeIncBasePriorityPrivilege | 2516 | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
Token: SeIncBasePriorityPrivilege | 2420 | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
Token: SeIncBasePriorityPrivilege | 984 | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
Token: SeIncBasePriorityPrivilege | 1064 | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
Token: SeIncBasePriorityPrivilege | 2728 | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
Token: SeIncBasePriorityPrivilege | 1948 | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe
Token: SeIncBasePriorityPrivilege | 2180 | {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
Token: SeIncBasePriorityPrivilege | 1532 | {6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
Token: SeIncBasePriorityPrivilege | 1964 | {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
pid | wrote to memory of | Process | procid_target | times logged
2156 | 2480 | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe | 28 | 4
2156 | 2496 | 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe | 29 | 4
2480 | 2516 | {68F22C96-E553-449c-86B8-D666997174A9}.exe | 30 | 4
2480 | 2508 | {68F22C96-E553-449c-86B8-D666997174A9}.exe | 31 | 4
2516 | 2420 | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe | 34 | 4
2516 | 1472 | {0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe | 35 | 4
2420 | 984 | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe | 36 | 4
2420 | 528 | {F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe | 37 | 4
984 | 1064 | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe | 38 | 4
984 | 2376 | {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe | 39 | 4
1064 | 2728 | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe | 40 | 4
1064 | 1840 | {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe | 41 | 4
2728 | 1948 | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe | 42 | 4
2728 | 1476 | {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe | 43 | 4
1948 | 2180 | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe | 44 | 4
1948 | 1700 | {303224E0-AA94-47d8-957E-2698585A1C1A}.exe | 45 | 4
Processes
(bracketed number = depth in the process tree; each stage drops the next stage into C:\Windows, launches it, then removes its own image via cmd.exe)

[1] C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe  (PID 2156)
    command line: "C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe  (PID 2480)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe  (PID 2516)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe  (PID 2420)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe  (PID 984)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe  (PID 1064)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe  (PID 2728)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe  (PID 1948)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe  (PID 2180)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe  (PID 1532)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe  (PID 1964)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe  (PID 2636)
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 2076)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AEFB0~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 2064)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF92~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe  (PID 1480)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA5~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 1700)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{30322~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 1476)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C6028~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 1840)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A462~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 2376)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B9BDB~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 528)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F6F00~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1472)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0FACE~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2508)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{68F22~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 2496)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E1359~1.EXE > nul
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads