Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 18:22
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Size: 192KB
- MD5: 233794f132386671cb917b52ffdfeba2
- SHA1: 66b1488954ac92ec1239e5f33b6cfe653053b51c
- SHA256: 6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca
- SHA512: 03a405485504be6b14cc4c1441e24e5c7e374e3779896c806ad99c2fa1751da41fae35690ae721c27026eb9c716d80c7d4977ea407b2ba66f13d66dbd77e274f
- SSDEEP: 1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
- behavioral1/files/0x000d000000012259-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d0000000144b8-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e000000012259-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f000000012259-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0010000000012259-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0011000000012259-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0012000000012259-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3D2D6A-73E4-4353-B3D3-79710853549A} | {6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07E15AA0-838C-47af-9BE8-F985E6E52703} | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07E15AA0-838C-47af-9BE8-F985E6E52703}\stubpath = "C:\\Windows\\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe" | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7} | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24709C6-1087-4996-B4F9-63619F204394} | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B} | {C24709C6-1087-4996-B4F9-63619F204394}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}\stubpath = "C:\\Windows\\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe" | {C24709C6-1087-4996-B4F9-63619F204394}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF} | {327039B7-8EF7-49ca-A627-81846274F320}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}\stubpath = "C:\\Windows\\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe" | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}\stubpath = "C:\\Windows\\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe" | {327039B7-8EF7-49ca-A627-81846274F320}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}\stubpath = "C:\\Windows\\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe" | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}\stubpath = "C:\\Windows\\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe" | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019F3C91-6F1A-4f21-87A4-8A5903704DB3} | {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3D2D6A-73E4-4353-B3D3-79710853549A}\stubpath = "C:\\Windows\\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe" | {6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E39DDC6-65E2-4d09-857A-B99563E4B957}\stubpath = "C:\\Windows\\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe" | {019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54} | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24709C6-1087-4996-B4F9-63619F204394}\stubpath = "C:\\Windows\\{C24709C6-1087-4996-B4F9-63619F204394}.exe" | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327039B7-8EF7-49ca-A627-81846274F320} | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327039B7-8EF7-49ca-A627-81846274F320}\stubpath = "C:\\Windows\\{327039B7-8EF7-49ca-A627-81846274F320}.exe" | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E} | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}\stubpath = "C:\\Windows\\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe" | {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E39DDC6-65E2-4d09-857A-B99563E4B957} | {019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
Deletes itself (1 IoC)
pid | Process
- 2112 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
- 852 | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
- 2544 | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
- 2820 | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
- 2036 | {C24709C6-1087-4996-B4F9-63619F204394}.exe
- 2788 | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
- 1116 | {327039B7-8EF7-49ca-A627-81846274F320}.exe
- 2600 | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
- 2940 | {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
- 2944 | {019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
- 1492 | {6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
- 1468 | {EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
- File created | C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- File created | C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
- File created | C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
- File created | C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
- File created | C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
- File created | C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe | {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
- File created | C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe | {C24709C6-1087-4996-B4F9-63619F204394}.exe
- File created | C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
- File created | C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe | {327039B7-8EF7-49ca-A627-81846274F320}.exe
- File created | C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe | {019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
- File created | C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe | {6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 2368 | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 852 | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
- Token: SeIncBasePriorityPrivilege | 2544 | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
- Token: SeIncBasePriorityPrivilege | 2820 | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
- Token: SeIncBasePriorityPrivilege | 2036 | {C24709C6-1087-4996-B4F9-63619F204394}.exe
- Token: SeIncBasePriorityPrivilege | 2788 | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
- Token: SeIncBasePriorityPrivilege | 1116 | {327039B7-8EF7-49ca-A627-81846274F320}.exe
- Token: SeIncBasePriorityPrivilege | 2600 | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
- Token: SeIncBasePriorityPrivilege | 2940 | {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
- Token: SeIncBasePriorityPrivilege | 2944 | {019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
- Token: SeIncBasePriorityPrivilege | 1492 | {6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row was logged 4 times in the original table)
- PID 2368 wrote to memory of 852 | 2368 | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe | 28 (4 entries)
- PID 2368 wrote to memory of 2112 | 2368 | 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe | 29 (4 entries)
- PID 852 wrote to memory of 2544 | 852 | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe | 30 (4 entries)
- PID 852 wrote to memory of 2664 | 852 | {AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe | 31 (4 entries)
- PID 2544 wrote to memory of 2820 | 2544 | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe | 32 (4 entries)
- PID 2544 wrote to memory of 2428 | 2544 | {07E15AA0-838C-47af-9BE8-F985E6E52703}.exe | 33 (4 entries)
- PID 2820 wrote to memory of 2036 | 2820 | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe | 36 (4 entries)
- PID 2820 wrote to memory of 2452 | 2820 | {6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe | 37 (4 entries)
- PID 2036 wrote to memory of 2788 | 2036 | {C24709C6-1087-4996-B4F9-63619F204394}.exe | 38 (4 entries)
- PID 2036 wrote to memory of 2896 | 2036 | {C24709C6-1087-4996-B4F9-63619F204394}.exe | 39 (4 entries)
- PID 2788 wrote to memory of 1116 | 2788 | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe | 40 (4 entries)
- PID 2788 wrote to memory of 2716 | 2788 | {12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe | 41 (4 entries)
- PID 1116 wrote to memory of 2600 | 1116 | {327039B7-8EF7-49ca-A627-81846274F320}.exe | 42 (4 entries)
- PID 1116 wrote to memory of 2604 | 1116 | {327039B7-8EF7-49ca-A627-81846274F320}.exe | 43 (4 entries)
- PID 2600 wrote to memory of 2940 | 2600 | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe | 44 (4 entries)
- PID 2600 wrote to memory of 880 | 2600 | {2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe | 45 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe (level 1, PID 2368)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe (level 2, PID 852)
    command line: C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe (level 3, PID 2544)
      command line: C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe (level 4, PID 2820)
        command line: C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe (level 5, PID 2036)
          command line: C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe (level 6, PID 2788)
            command line: C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe (level 7, PID 1116)
              command line: C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe (level 8, PID 2600)
                command line: C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe (level 9, PID 2940)
                  command line: C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe (level 10, PID 2944)
                    command line: C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe (level 11, PID 1492)
                      command line: C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe (level 12, PID 1468)
                        command line: C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe
                        - Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (level 12, PID 2844)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E39D~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (level 11, PID 2248)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{019F3~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (level 10, PID 972)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9B834~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (level 9, PID 880)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2746D~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (level 8, PID 2604)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{32703~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (level 7, PID 2716)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{12D27~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (level 6, PID 2896)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2470~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (level 5, PID 2452)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6F24C~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 2428)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07E15~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 2664)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4CE~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2112)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads