Analysis
max time kernel: 156s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:22

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
  Resource: win10v2004-20240226-en

General
Target: 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
Size: 192KB
MD5: 233794f132386671cb917b52ffdfeba2
SHA1: 66b1488954ac92ec1239e5f33b6cfe653053b51c
SHA256: 6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca
SHA512: 03a405485504be6b14cc4c1441e24e5c7e374e3779896c806ad99c2fa1751da41fae35690ae721c27026eb9c716d80c7d4977ea407b2ba66f13d66dbd77e274f
SSDEEP: 1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource  yara_rule
behavioral2/files/0x0007000000023225-2.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023235-6.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023225-8.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023231-14.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-34.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e3-43.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}  {59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}\stubpath = "C:\\Windows\\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe"  2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}\stubpath = "C:\\Windows\\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe"  {D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95A02336-7808-465a-945B-FC0D58D8A9D0}\stubpath = "C:\\Windows\\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe"  {CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}  {95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}  {E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4DCF4-16FB-4520-B476-3FCE91156985}\stubpath = "C:\\Windows\\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe"  {CA393A86-E956-46ea-925B-787B479810E4}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C44764-5C87-4468-A42C-D836DF05A5D4}\stubpath = "C:\\Windows\\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe"  {D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}  {6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}  {D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95A02336-7808-465a-945B-FC0D58D8A9D0}  {CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}\stubpath = "C:\\Windows\\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe"  {E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA393A86-E956-46ea-925B-787B479810E4}  {E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}  {5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}\stubpath = "C:\\Windows\\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe"  {6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA393A86-E956-46ea-925B-787B479810E4}\stubpath = "C:\\Windows\\{CA393A86-E956-46ea-925B-787B479810E4}.exe"  {E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}  2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}\stubpath = "C:\\Windows\\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe"  {95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4DCF4-16FB-4520-B476-3FCE91156985}  {CA393A86-E956-46ea-925B-787B479810E4}.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C44764-5C87-4468-A42C-D836DF05A5D4}  {D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}\stubpath = "C:\\Windows\\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe"  {59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}\stubpath = "C:\\Windows\\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe"  {5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
Executes dropped EXE (11 IoCs)
pid  Process
764  {6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
3916  {D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
4848  {CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
4320  {95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
4524  {E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
1560  {E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
4716  {CA393A86-E956-46ea-925B-787B479810E4}.exe
1628  {D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
3732  {59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
4568  {5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
4976  {E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
Drops file in Windows directory (11 IoCs)
description  ioc  Process
File created  C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe  {CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
File created  C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe  {95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
File created  C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe  {E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
File created  C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe  {D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
File created  C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe  {59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
File created  C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe  {5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
File created  C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe  2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
File created  C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe  {6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
File created  C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe  {D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
File created  C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe  {E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
File created  C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe  {CA393A86-E956-46ea-925B-787B479810E4}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description  pid  Process
Token: SeIncBasePriorityPrivilege  4720  2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
Token: SeIncBasePriorityPrivilege  764  {6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
Token: SeIncBasePriorityPrivilege  3916  {D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
Token: SeIncBasePriorityPrivilege  4848  {CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
Token: SeIncBasePriorityPrivilege  4320  {95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
Token: SeIncBasePriorityPrivilege  4524  {E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
Token: SeIncBasePriorityPrivilege  1560  {E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
Token: SeIncBasePriorityPrivilege  4716  {CA393A86-E956-46ea-925B-787B479810E4}.exe
Token: SeIncBasePriorityPrivilege  1628  {D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
Token: SeIncBasePriorityPrivilege  3732  {59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
Token: SeIncBasePriorityPrivilege  4568  {5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (process tree; indentation shows parent and child)

C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe (PID 4720)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe (PID 764)
    command line: C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe (PID 3916)
      command line: C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe (PID 4848)
        command line: C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe (PID 4320)
          command line: C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe (PID 4524)
            command line: C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe (PID 1560)
              command line: C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe (PID 4716)
                command line: C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe (PID 1628)
                  command line: C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe (PID 3732)
                    command line: C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe (PID 4568)
                      command line: C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe (PID 4976)
                        command line: C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe (PID 4112)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5F733~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (PID 1792)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59C44~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (PID 2952)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F4D~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (PID 1824)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CA393~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (PID 4672)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E42~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (PID 4816)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E9F~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (PID 4008)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{95A02~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (PID 4492)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC529~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (PID 3296)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D47D7~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (PID 3572)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7C3~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (PID 3120)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads