Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 18:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Size: 168KB
MD5: 54ce192027ed3fdc340f6646a9ae6bab
SHA1: 1978009c2929cc4c5f2f7dd1f79490bbcb1d64e2
SHA256: 109b34023a9cc232e0c95081a5c482107e459cca1cfa877c5f2f112ae980bcca
SHA512: adf3b2dffe314738c081fa3bcbf402c128432b5eb47107abad6079e138b78bb64dfe1383cd81338185a61e4e0d53939a569e2dcf5e067a6c33b2ea53e452d313
SSDEEP: 1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x0009000000012246-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000014fa3-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}\stubpath = "C:\\Windows\\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe" | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{210A6396-2554-4879-9390-D502CC668292} | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95DE7661-C070-4595-940E-6244FD65BEEE}\stubpath = "C:\\Windows\\{95DE7661-C070-4595-940E-6244FD65BEEE}.exe" | {8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}\stubpath = "C:\\Windows\\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe" | {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}\stubpath = "C:\\Windows\\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe" | {907FE030-4B94-4658-B184-1215277D7E1C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3A9788-2CB3-49f3-9707-518E38884056}\stubpath = "C:\\Windows\\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe" | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}\stubpath = "C:\\Windows\\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe" | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7092B21-2618-4960-8442-8EA36BF4CEB3}\stubpath = "C:\\Windows\\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe" | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC28808-B49C-4346-A083-B9C0C126D898}\stubpath = "C:\\Windows\\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe" | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8} | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB931F42-EA4C-4d19-AF36-15C1D037A642}\stubpath = "C:\\Windows\\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe" | {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C} | {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{210A6396-2554-4879-9390-D502CC668292}\stubpath = "C:\\Windows\\{210A6396-2554-4879-9390-D502CC668292}.exe" | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{907FE030-4B94-4658-B184-1215277D7E1C}\stubpath = "C:\\Windows\\{907FE030-4B94-4658-B184-1215277D7E1C}.exe" | {210A6396-2554-4879-9390-D502CC668292}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7092B21-2618-4960-8442-8EA36BF4CEB3} | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF7A5A3-585D-46b2-8E97-06D2C5605488} | {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}\stubpath = "C:\\Windows\\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe" | {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95DE7661-C070-4595-940E-6244FD65BEEE} | {8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3A9788-2CB3-49f3-9707-518E38884056} | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC28808-B49C-4346-A083-B9C0C126D898} | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB931F42-EA4C-4d19-AF36-15C1D037A642} | {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF} | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{907FE030-4B94-4658-B184-1215277D7E1C} | {210A6396-2554-4879-9390-D502CC668292}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D} | {907FE030-4B94-4658-B184-1215277D7E1C}.exe
Deletes itself 1 IoCs
pid | Process
2948 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
1692 | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
2652 | {210A6396-2554-4879-9390-D502CC668292}.exe
2380 | {907FE030-4B94-4658-B184-1215277D7E1C}.exe
3048 | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
544 | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
1648 | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
1084 | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
2712 | {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
1536 | {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
1992 | {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
2224 | {8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{95DE7661-C070-4595-940E-6244FD65BEEE}.exe | {8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
File created | C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
File created | C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe | {907FE030-4B94-4658-B184-1215277D7E1C}.exe
File created | C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
File created | C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
File created | C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe | {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
File created | C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe | {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
File created | C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
File created | C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe | {210A6396-2554-4879-9390-D502CC668292}.exe
File created | C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
File created | C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
File created | C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe | {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2356 | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1692 | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
Token: SeIncBasePriorityPrivilege | 2652 | {210A6396-2554-4879-9390-D502CC668292}.exe
Token: SeIncBasePriorityPrivilege | 2380 | {907FE030-4B94-4658-B184-1215277D7E1C}.exe
Token: SeIncBasePriorityPrivilege | 3048 | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
Token: SeIncBasePriorityPrivilege | 544 | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
Token: SeIncBasePriorityPrivilege | 1648 | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
Token: SeIncBasePriorityPrivilege | 1084 | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
Token: SeIncBasePriorityPrivilege | 2712 | {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
Token: SeIncBasePriorityPrivilege | 1536 | {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
Token: SeIncBasePriorityPrivilege | 1992 | {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write below is recorded four times in the report; the 16 distinct rows are listed once with their count (16 x 4 = 64).
description | pid | Process | procid_target | count
PID 2356 wrote to memory of 1692 | 2356 | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe | 28 | 4
PID 2356 wrote to memory of 2948 | 2356 | 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe | 29 | 4
PID 1692 wrote to memory of 2652 | 1692 | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe | 30 | 4
PID 1692 wrote to memory of 2504 | 1692 | {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe | 31 | 4
PID 2652 wrote to memory of 2380 | 2652 | {210A6396-2554-4879-9390-D502CC668292}.exe | 34 | 4
PID 2652 wrote to memory of 2412 | 2652 | {210A6396-2554-4879-9390-D502CC668292}.exe | 35 | 4
PID 2380 wrote to memory of 3048 | 2380 | {907FE030-4B94-4658-B184-1215277D7E1C}.exe | 36 | 4
PID 2380 wrote to memory of 2360 | 2380 | {907FE030-4B94-4658-B184-1215277D7E1C}.exe | 37 | 4
PID 3048 wrote to memory of 544 | 3048 | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe | 38 | 4
PID 3048 wrote to memory of 2744 | 3048 | {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe | 39 | 4
PID 544 wrote to memory of 1648 | 544 | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe | 40 | 4
PID 544 wrote to memory of 2752 | 544 | {5F3A9788-2CB3-49f3-9707-518E38884056}.exe | 41 | 4
PID 1648 wrote to memory of 1084 | 1648 | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe | 42 | 4
PID 1648 wrote to memory of 760 | 1648 | {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe | 43 | 4
PID 1084 wrote to memory of 2712 | 1084 | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe | 44 | 4
PID 1084 wrote to memory of 2672 | 1084 | {9AC28808-B49C-4346-A083-B9C0C126D898}.exe | 45 | 4
Processes
The number in brackets is the depth in the process tree; each stage spawns the next stage's executable and a cmd.exe that deletes the stage's own file by 8.3 short name.
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe"
    PID: 2356
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
      Command line: C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
      PID: 1692
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe
        Command line: C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe
        PID: 2652
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe
          Command line: C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe
          PID: 2380
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
            Command line: C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
            PID: 3048
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe
              Command line: C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe
              PID: 544
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
                Command line: C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
                PID: 1648
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe
                  Command line: C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe
                  PID: 1084
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
                    Command line: C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
                    PID: 2712
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
                      Command line: C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
                      PID: 1536
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
                        Command line: C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
                        PID: 1992
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
                          Command line: C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
                          PID: 2224
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCA3~1.EXE > nul
                          PID: 2820
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FB931~1.EXE > nul
                        PID: 2216
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB3A~1.EXE > nul
                      PID: 1940
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC28~1.EXE > nul
                    PID: 2672
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D7092~1.EXE > nul
                  PID: 760
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5F3A9~1.EXE > nul
                PID: 2752
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BF4B2~1.EXE > nul
              PID: 2744
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{907FE~1.EXE > nul
            PID: 2360
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{210A6~1.EXE > nul
          PID: 2412
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D14~1.EXE > nul
        PID: 2504
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2948
      - Deletes itself
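Added example (Python; not code from the tria.ge report, from tria.ge, or from the sample): it parses the "Modifies Installed Components in the registry" IoC lines above, follows each stage's stubpath write to the next stage to rebuild the drop chain, flags the Active Setup pattern a hunt would key on (the component GUID reused as a bare C:\Windows\{GUID}.exe file name), and matches the 8.3 short-name cmd /c del lines seen in the process tree. The fixture is the report's own IoC rows copied into a string; "<AS>" is a local abbreviation for the Installed Components key path and is expanded before parsing. Function names and the fixture layout are this example's own choices.

```python
"""Reconstruct the Active Setup persistence chain from tria.ge registry IoCs.

Added example; not part of the report. The fixture below is copied from the
report's "Modifies Installed Components in the registry" signature: all 12
stubpath writes plus two "Key created" rows, which the parser ignores.
"""
import re
from typing import Dict, List, Optional, Tuple

# Full key path as it appears in the report; "<AS>" in the fixture stands for it.
ACTIVE_SETUP = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup"
                r"\Installed Components")

# Constructed fixture: one IoC row per line, in the report's own order.
REPORT_IOCS = r"""
Set value (str) <AS>\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}\stubpath = "C:\\Windows\\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe" 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Key created <AS>\{210A6396-2554-4879-9390-D502CC668292} {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
Set value (str) <AS>\{95DE7661-C070-4595-940E-6244FD65BEEE}\stubpath = "C:\\Windows\\{95DE7661-C070-4595-940E-6244FD65BEEE}.exe" {8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
Set value (str) <AS>\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}\stubpath = "C:\\Windows\\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe" {FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
Set value (str) <AS>\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}\stubpath = "C:\\Windows\\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe" {907FE030-4B94-4658-B184-1215277D7E1C}.exe
Set value (str) <AS>\{5F3A9788-2CB3-49f3-9707-518E38884056}\stubpath = "C:\\Windows\\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe" {BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
Set value (str) <AS>\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}\stubpath = "C:\\Windows\\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe" {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
Set value (str) <AS>\{D7092B21-2618-4960-8442-8EA36BF4CEB3}\stubpath = "C:\\Windows\\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe" {5F3A9788-2CB3-49f3-9707-518E38884056}.exe
Set value (str) <AS>\{9AC28808-B49C-4346-A083-B9C0C126D898}\stubpath = "C:\\Windows\\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe" {D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
Key created <AS>\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8} {9AC28808-B49C-4346-A083-B9C0C126D898}.exe
Set value (str) <AS>\{FB931F42-EA4C-4d19-AF36-15C1D037A642}\stubpath = "C:\\Windows\\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe" {6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
Set value (str) <AS>\{210A6396-2554-4879-9390-D502CC668292}\stubpath = "C:\\Windows\\{210A6396-2554-4879-9390-D502CC668292}.exe" {B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
Set value (str) <AS>\{907FE030-4B94-4658-B184-1215277D7E1C}\stubpath = "C:\\Windows\\{907FE030-4B94-4658-B184-1215277D7E1C}.exe" {210A6396-2554-4879-9390-D502CC668292}.exe
Set value (str) <AS>\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}\stubpath = "C:\\Windows\\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe" {FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
""".strip().replace("<AS>", ACTIVE_SETUP)

# A stubpath write: key ending in {GUID}, quoted target, then the writing process.
STUBPATH_RE = re.compile(
    r'^Set value \(str\) (?P<key>.+?\\\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\})'
    r'\\stubpath = "(?P<target>[^"]+)" (?P<writer>\S+)$'
)

# The cleanup the tree shows: cmd /c del on an 8.3 short name such as {FCCA3~1.EXE}.
SELF_DELETE_RE = re.compile(r"cmd\.exe /c del (?P<path>\S+~\d\.EXE) > nul", re.IGNORECASE)


def parse_stubpaths(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (component_guid, key, target_path, writer) for every stubpath write."""
    rows = []
    for line in text.splitlines():
        m = STUBPATH_RE.match(line.strip())
        if m:
            # The report escapes backslashes inside the value; fold them back.
            target = m.group("target").replace("\\\\", "\\")
            rows.append((m.group("guid"), m.group("key"), target, m.group("writer")))
    return rows


def persistence_chain(rows, root: str) -> List[str]:
    """Follow writer -> registered executable links starting at the sample.

    Each stage registers exactly one stubpath, for the stage it is about to
    drop, so the writes form a linked list from the original sample onward.
    """
    next_of: Dict[str, str] = {}
    for _guid, _key, target, writer in rows:
        if writer in next_of:
            raise ValueError(f"{writer} registered more than one stubpath")
        next_of[writer] = target.rpartition("\\")[2]
    chain, seen = [root], {root}
    while chain[-1] in next_of:
        nxt = next_of[chain[-1]]
        if nxt in seen:  # guard against a stage re-registering an earlier one
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def suspicious_active_setup(rows) -> List[str]:
    """Flag components whose stubpath is a bare C:\\Windows\\{GUID}.exe where the
    file name GUID equals the component key GUID (the pattern in this report)."""
    flagged = []
    for guid, _key, target, _writer in rows:
        parent, _, fname = target.rpartition("\\")
        if parent.lower() == r"c:\windows" and fname.lower() == f"{{{guid}}}.exe".lower():
            flagged.append(guid)
    return flagged


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the short-name path a 'cmd /c del X~1.EXE > nul' command removes, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path") if m else None


if __name__ == "__main__":
    rows = parse_stubpaths(REPORT_IOCS)
    chain = persistence_chain(rows, "2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe")
    print(f"{len(rows)} stubpath writes, {len(chain)} stages:")
    for i, name in enumerate(chain, 1):
        print(f"  {i:2d}. {name}")
    print("flagged Active Setup components:", len(suspicious_active_setup(rows)))
    print(self_delete_target(r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCA3~1.EXE > nul"))
```

Two details in the report that a rule built from it should carry: the keys sit under Wow6432Node, so a registry query made from the 64-bit view of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components never sees them, and every stage removes its own file through cmd.exe using the 8.3 short name, so a command-line match on the full {GUID}.exe string misses all eleven del commands. Active Setup StubPath entries under HKLM are run at interactive logon for any user whose HKCU copy of the component key is absent, which is why each of the twelve writes is a logon trigger as well as a link in the drop chain.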
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 168KB
MD5: 58611829034c594cf41404bb571a3118
SHA1: 9e6f96c03f14d21bc95fc4ad7a615592dec7daf8
SHA256: 37f9134758f865d902c80fbe7692866f48f6fddfb7c3bf062bfd513ca717f293
SHA512: 8de323edb14c5fcaf01f194fd3a5d1e02ea7b1bf6d0ed1156ef4be3440615f731e0e65ddd4171b9c618517173ea96b20e3506a75b10799092ddb2ee0ff94abf9

Filesize: 168KB
MD5: c6dda87db59cad47ac3b5f9dd41fcef9
SHA1: e2e083d8906ec8f100244c56afe21177ed5b3a45
SHA256: 35415f97c38f3afd7ed0954257a08c783e6eec99c50a204bf1daefdac04fcd3e
SHA512: 38d8bebe273dacf1977436af05ff169f94c3e2332edc51ff8010045b4dfed87c095e5666c6fc8002fdb68a25dcdf691209e8ab10e5fd89a564c8d37db27107ae

Filesize: 168KB
MD5: 43740ff40c188de30e88f4c340073184
SHA1: 8629676c0c1f5a079cd583756c2d14fa89fccbf1
SHA256: e30d758d72aafd338e498d7f18ddfad108a476ae08b50232b46d956875026dd0
SHA512: 88c74de0bf5b2d3a90840e4d5b9c86927bb9f210605e99aad0d8ab66b95987f2f2cc3b44db4d891fe0094faeb93aa821f9ae3911aa5ebbf6cbb272093b06ee4e

Filesize: 168KB
MD5: 33faf0436973ad97b9657bf97c612a8f
SHA1: 14c7af03fb8ba6617abbf4b0b1219ed21cc4fe80
SHA256: 023e652b5e980655be217c0f9d377292817c508e9ae3015329b02756f51d73ee
SHA512: 286f4b6471ff1144d627fdaaf3763c33a2aaaab4ca2814136860ebd8ecaefe1c605384c4fb08f729ef90d41e1731906287930e81ae64f810c50e26fd8472c086

Filesize: 168KB
MD5: 6bad7b14bf02fdda10d7d934fc89d5d5
SHA1: bd9696f47c45dc29f8037e302372cd1a91cc2fe3
SHA256: 7483e294768a7a6a119a7a0730de4ccd6c318ffbf53e3e720916972161ab82dc
SHA512: 0437c63edcebc89aa05e477f384e64e7f9bbfb0caf8b66fa3f1eb058f7020768080e9b4bd803b9613462bc726049aaab1ce0459384416fedf281101c944d5a81

Filesize: 168KB
MD5: 4e11639e653c1a0fd2998408b1264a78
SHA1: 62248825ceb0768e299088d5b8b079ff0e610f91
SHA256: e9212b0e55595b9535600bc12b9ed60adcb23cde64b50548ae0bca4f88217f2e
SHA512: 87fcf3f7bc5b617d09eae0b7025dafceb4f405d94b528cc62d1276314c53696b1263a78f5d0fe679c29f1e3dc3237ce7d22a2dc08a82177d508a51816bd66190

Filesize: 168KB
MD5: 3d70680ca82973c967e2b5848b923582
SHA1: 24d3c1df47cd2e0df547da1d5ed400af730f7cdf
SHA256: e1919c1c5d8ef52d9f30031758a0a9c5f310b614695621c9db71eb39676bec5a
SHA512: f7d93d0e58932c815ef910c155f28cd3d325d70135a2e28a98fa42e3af48ae4544d73852d750ef20eb22438923c69a945e759525ca9c6ebd455796acc11d0909

Filesize: 168KB
MD5: 15025d93b71e579a2e8d72c925a97ed6
SHA1: 885d56f547e80dc314767ae25a6a9816dbfcd325
SHA256: 89a0ff10c81e7b72678ffc20b8898d88c871cba91c8f3f25ba1bb9e771e58112
SHA512: 0bbee332ccabd1d182ecfea5b9de6d993045cfd1a2cab239474a7ba1882ba2ec47e61c6c9c4aea9607d334bbc8d0ca2858bd38f50d2cda1e8173e39c90339ee2

Filesize: 168KB
MD5: 296fce1141a975d834165700256492b7
SHA1: 9d1a0e8eaf8166a08212da9489f04b6179030296
SHA256: a351c5b9785cdfa4536f8ba10bc50b7e93b5030d458493e655c0bca8ecca5c4f
SHA512: 674a866340ae2c34c051c87149fd969157d3cbdd0f5ce5ef6dd3bdab9d04998fa77eecb5e22c3eb35ffad757608147f1228813f91b50511d142be3a6cc46719b

Filesize: 168KB
MD5: 870361acb692138bcd337165c4d647ce
SHA1: 63171a263de266b8f9479e47b8c5831ad238ab23
SHA256: da37e19cdc93f1984901ad5fbe2a42a32c62ea7e9e61285e943b409a3f23ce95
SHA512: 30a558bdd88d7ac867550a6b04661257030362b9ebe9b7dc0d87d6985768a4df84f55934b4b76f9eb3c2ad7d1e90cd6bdcb25f85c22b044ef127b0a2af0b0f89

Filesize: 168KB
MD5: 6555767c5513ec9e06929d60b5a72109
SHA1: a145b644215a39f5d04542afb0a555a4f827b9d2
SHA256: dd39040f8f49f694cc7b8dedb4dc86dd515cd9f4a63ee2839a3fcacec2e20463
SHA512: 74272a72439939a59955478e23d2a402a7bb36478f2cb77de1871372f83470ca7801229ec0f89bd97f5a54caeeee8c1dbda57942b6ffc7026ed8337f6f7d4eb0