Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:23
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2 (the run shown below)
  Sample: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Size: 168KB
MD5: 54ce192027ed3fdc340f6646a9ae6bab
SHA1: 1978009c2929cc4c5f2f7dd1f79490bbcb1d64e2
SHA256: 109b34023a9cc232e0c95081a5c482107e459cca1cfa877c5f2f112ae980bcca
SHA512: adf3b2dffe314738c081fa3bcbf402c128432b5eb47107abad6079e138b78bb64dfe1383cd81338185a61e4e0d53939a569e2dcf5e067a6c33b2ea53e452d313
SSDEEP: 1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX
Malware Config
Signatures

Auto-generated rule  (11 IoCs)
Every dropped stage matches the same YARA rule, GoldenEyeRansomware_Dropper_MalformedZoomit:
- behavioral2/files/0x00020000000228bf-3.dat
- behavioral2/files/0x0008000000023223-6.dat
- behavioral2/files/0x001000000002322b-8.dat
- behavioral2/files/0x0009000000023223-15.dat
- behavioral2/files/0x0002000000021c86-18.dat
- behavioral2/files/0x0002000000021c87-22.dat
- behavioral2/files/0x000300000000070d-26.dat
- behavioral2/files/0x000300000000070f-30.dat
- behavioral2/files/0x000400000000070d-34.dat
- behavioral2/files/0x000400000000070f-39.dat
- behavioral2/files/0x000500000000070d-43.dat
Modifies Installed Components in the registry  (2 TTPs, 22 IoCs)
All keys are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components (the 32-bit registry view). Each stage creates a key named after the next stage's GUID and points its stubpath value at the binary it dropped in C:\Windows. Listed as description, ioc, process:
- Key created: {67EAA18A-04BC-46c4-BA82-266FE5E2001D}  (process: {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe)
- Key created: {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}  (process: {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe)
- Key created: {0F2CBD14-7366-4e33-98B0-BEE679E075AD}  (process: {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe)
- Key created: {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}  (process: {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe)
- Set value (str): {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}\stubpath = "C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe"  (process: {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe)
- Key created: {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}  (process: {962A767F-57F4-482d-86A8-532E764053D1}.exe)
- Set value (str): {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}\stubpath = "C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe"  (process: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe)
- Key created: {B962E929-D87D-4fa2-8417-2F922E5991DE}  (process: {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe)
- Set value (str): {CFACBC31-C29C-45b0-9F23-2A64502A9F44}\stubpath = "C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe"  (process: {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe)
- Key created: {CFACBC31-C29C-45b0-9F23-2A64502A9F44}  (process: {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe)
- Key created: {962A767F-57F4-482d-86A8-532E764053D1}  (process: {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe)
- Set value (str): {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}\stubpath = "C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe"  (process: {962A767F-57F4-482d-86A8-532E764053D1}.exe)
- Key created: {4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}  (process: {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe)
- Set value (str): {4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}\stubpath = "C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe"  (process: {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe)
- Key created: {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}  (process: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe)
- Key created: {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}  (process: {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe)
- Set value (str): {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}\stubpath = "C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe"  (process: {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe)
- Set value (str): {0F2CBD14-7366-4e33-98B0-BEE679E075AD}\stubpath = "C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe"  (process: {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe)
- Set value (str): {962A767F-57F4-482d-86A8-532E764053D1}\stubpath = "C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe"  (process: {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe)
- Set value (str): {67EAA18A-04BC-46c4-BA82-266FE5E2001D}\stubpath = "C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe"  (process: {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe)
- Set value (str): {B962E929-D87D-4fa2-8417-2F922E5991DE}\stubpath = "C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe"  (process: {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe)
- Set value (str): {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}\stubpath = "C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe"  (process: {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe)
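Active Setup runs each component's StubPath once per user at logon (when the HKCU copy of the component key is missing), so every entry above re-executes a dropper stage for each new profile on the machine. The following is an added example, not part of the tria.ge report: Python that parses StubPath write events in the `Set value (str) <key>\stubpath = "<value>" <process>` form tria.ge prints, flags entries with the traits seen here (a stub executable named after its own component GUID, placed directly in C:\Windows, registered by a GUID-named binary rather than an installer), and follows the writer-to-GUID links to recover the stage order. The eleven GoldenEye lines are copied from this report; the final benign line, its GUID, DLL name and `setup.exe` writer are constructed for contrast.

```python
import re
from dataclasses import dataclass

# Registry write events in the shape tria.ge prints them:
#   Set value (str) <key>\stubpath = "<value>" <writing process>
# The eleven GoldenEye lines are copied from the report. The last line is a
# CONSTRUCTED benign entry (hypothetical GUID, DLL and installer name) so the
# classifier has a legitimate-looking StubPath to contrast with.
IOC_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}\stubpath = "C:\\Windows\\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe" 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}\stubpath = "C:\\Windows\\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe" {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}\stubpath = "C:\\Windows\\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe" {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B962E929-D87D-4fa2-8417-2F922E5991DE}\stubpath = "C:\\Windows\\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe" {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}\stubpath = "C:\\Windows\\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe" {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}\stubpath = "C:\\Windows\\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe" {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}\stubpath = "C:\\Windows\\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe" {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}\stubpath = "C:\\Windows\\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe" {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{962A767F-57F4-482d-86A8-532E764053D1}\stubpath = "C:\\Windows\\{962A767F-57F4-482d-86A8-532E764053D1}.exe" {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}\stubpath = "C:\\Windows\\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe" {962A767F-57F4-482d-86A8-532E764053D1}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}\stubpath = "C:\\Windows\\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe" {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath = "C:\\Windows\\System32\\regsvr32.exe /s /n /i:U example.dll" setup.exe
'''.strip().splitlines()

STUB_RE = re.compile(
    r'^Set value \(str\) (?P<key>.+?)\\stubpath = "(?P<value>.*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


@dataclass(frozen=True)
class StubPathEntry:
    guid: str       # Active Setup component key, e.g. {1498DCE8-...}
    view: str       # "WOW6432Node" (32-bit registry view) or "native"
    stub_path: str  # command Active Setup runs once per user at next logon
    writer: str     # process that wrote the value


def parse_stubpath_lines(lines):
    """Turn 'Set value (str) ...\\stubpath' report lines into StubPathEntry objects."""
    entries = []
    for line in lines:
        m = STUB_RE.match(line.strip())
        guids = GUID_RE.findall(m["key"]) if m else []
        if not guids:
            continue  # not a StubPath write, or not a GUID-keyed component
        entries.append(StubPathEntry(
            guid=guids[-1],
            view="WOW6432Node" if "wow6432node" in m["key"].lower() else "native",
            stub_path=m["value"].replace("\\\\", "\\"),  # undo the report's escaping
            writer=m["proc"],
        ))
    return entries


def _executable(stub_path):
    """Program part of a StubPath command: the quoted or first whitespace-delimited token."""
    s = stub_path.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split(None, 1)[0] if s else ""


def classify(entry):
    """Reasons this StubPath looks like dropper persistence rather than a vendor component."""
    reasons = []
    directory, _, basename = _executable(entry.stub_path).rpartition("\\")
    if basename.lower() == f"{entry.guid}.exe".lower():
        reasons.append("stub executable is named after its own component GUID")
    if directory.lower() == r"c:\windows":
        reasons.append("stub executable sits directly in the Windows root")
    if GUID_RE.fullmatch(entry.writer.rsplit(".", 1)[0]):
        reasons.append("value written by a GUID-named binary, not an installer")
    return reasons


def dropper_chain(entries, start_proc):
    """Follow writer -> registered GUID -> {GUID}.exe to recover the stage order."""
    by_writer = {e.writer.lower(): e for e in entries}
    chain, proc = [], start_proc.lower()
    while proc in by_writer:
        guid = by_writer[proc].guid
        if guid in chain:
            break  # guard against a stage that re-registers an earlier GUID
        chain.append(guid)
        proc = f"{guid}.exe".lower()
    return chain


if __name__ == "__main__":
    entries = parse_stubpath_lines(IOC_LINES)
    for e in entries:
        flags = classify(e)
        print(f"{'SUSPECT' if flags else 'ok     '} {e.view:11} {e.guid} -> {e.stub_path}")
        for r in flags:
            print("          -", r)
    print("stage order:", " -> ".join(dropper_chain(entries, IOC_LINES[0].rsplit(None, 1)[-1])))
```

Run against this report's lines the chain comes out in the same order as the "Executes dropped EXE" list below, and only the constructed vendor-style entry passes clean. On a live host the same classifier applies to a dump of both `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` and the `WOW6432Node` view; the "directly in the Windows root" test is deliberately narrow and would need extending for stubs dropped elsewhere.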
Executes dropped EXE  (11 IoCs)
pid, process:
- 4044  {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
- 812   {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
- 3472  {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
- 5024  {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
- 804   {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
- 4556  {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
- 1340  {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
- 1984  {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
- 3600  {962A767F-57F4-482d-86A8-532E764053D1}.exe
- 3108  {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
- 1760  {4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe
Drops file in Windows directory  (11 IoCs)
description, ioc, process:
- File created: C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe  (process: {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe)
- File created: C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe  (process: {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe)
- File created: C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe  (process: {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe)
- File created: C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe  (process: {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe)
- File created: C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe  (process: {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe)
- File created: C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe  (process: 2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe)
- File created: C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe  (process: {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe)
- File created: C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe  (process: {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe)
- File created: C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe  (process: {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe)
- File created: C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe  (process: {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe)
- File created: C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe  (process: {962A767F-57F4-482d-86A8-532E764053D1}.exe)
Suspicious use of AdjustPrivilegeToken  (11 IoCs)
Every stage enables the same token privilege, SeIncBasePriorityPrivilege. pid, process:
- 2008  2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
- 4044  {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
- 812   {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
- 3472  {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
- 5024  {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
- 804   {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
- 4556  {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
- 1340  {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
- 1984  {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
- 3600  {962A767F-57F4-482d-86A8-532E764053D1}.exe
- 3108  {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
Suspicious use of WriteProcessMemory  (64 IoCs)
Each parent/child pair is reported three times; the list ends at 64 entries, so the final pair appears once. Columns: parent PID -> target PID, parent process, procid_target, occurrences.
- 2008 -> 4044  2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe  89   x3
- 2008 -> 3228  2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe  90   x3
- 4044 -> 812   {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe  99   x3
- 4044 -> 3608  {1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe  100  x3
- 812 -> 3472   {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe  101  x3
- 812 -> 4524   {9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe  102  x3
- 3472 -> 5024  {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe  103  x3
- 3472 -> 2416  {67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe  104  x3
- 5024 -> 804   {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe  105  x3
- 5024 -> 232   {B962E929-D87D-4fa2-8417-2F922E5991DE}.exe  106  x3
- 804 -> 4556   {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe  107  x3
- 804 -> 3960   {CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe  108  x3
- 4556 -> 1340  {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe  109  x3
- 4556 -> 4928  {ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe  110  x3
- 1340 -> 1984  {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe  111  x3
- 1340 -> 3156  {9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe  112  x3
- 1984 -> 3600  {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe  113  x3
- 1984 -> 4380  {0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe  114  x3
- 3600 -> 3108  {962A767F-57F4-482d-86A8-532E764053D1}.exe  115  x3
- 3600 -> 2008  {962A767F-57F4-482d-86A8-532E764053D1}.exe  116  x3
- 3108 -> 1760  {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe  117  x3
- 3108 -> 3608  {19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe  118  x1
Processes

Process tree. depth is the nesting level from the report; parent PIDs are taken from the WriteProcessMemory events above. Each stage drops the next {GUID}.exe into C:\Windows, launches it, and spawns a cmd.exe that deletes the stage's own image by its 8.3 short name. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the droppers are 32-bit, so WOW64 file-system redirection applies (consistent with the WOW6432Node registry view above). PID 2008 and PID 3608 each appear twice because Windows reassigned them to a later cmd.exe after the earlier holder had exited.

depth 1   PID 2008  "C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2   PID 4044  C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe  (parent PID 2008)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2   PID 3228  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"  (parent PID 2008)
depth 3   PID 812   C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe  (parent PID 4044)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3   PID 3608  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{1498D~1.EXE > nul"  (parent PID 4044)
depth 4   PID 3472  C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe  (parent PID 812)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 4   PID 4524  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFDA~1.EXE > nul"  (parent PID 812)
depth 5   PID 5024  C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe  (parent PID 3472)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 5   PID 2416  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{67EAA~1.EXE > nul"  (parent PID 3472)
depth 6   PID 804   C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe  (parent PID 5024)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 6   PID 232   C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{B962E~1.EXE > nul"  (parent PID 5024)
depth 7   PID 4556  C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe  (parent PID 804)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 7   PID 3960  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{CFACB~1.EXE > nul"  (parent PID 804)
depth 8   PID 1340  C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe  (parent PID 4556)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 8   PID 4928  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDA1~1.EXE > nul"  (parent PID 4556)
depth 9   PID 1984  C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe  (parent PID 1340)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 9   PID 3156  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{9C238~1.EXE > nul"  (parent PID 1340)
depth 10  PID 3600  C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe  (parent PID 1984)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 10  PID 4380  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{0F2CB~1.EXE > nul"  (parent PID 1984)
depth 11  PID 3108  C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe  (parent PID 3600)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 11  PID 2008  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{962A7~1.EXE > nul"  (parent PID 3600)
depth 12  PID 1760  C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe  (parent PID 3108)
  - Executes dropped EXE
depth 12  PID 3608  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{19D7A~1.EXE > nul"  (parent PID 3108)
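Two details of this tree trip up naive reconstruction: PIDs are reused within the run (2008 and 3608 both reappear as cmd.exe), so a parent must be resolved by which process held the PID at spawn time, and each self-delete names its target by 8.3 short name (`{19D7A~1.EXE`), so matching it to the parent image needs a short-name comparison rather than string equality. The following is an added example, not part of the tria.ge report: Python that rebuilds the tree from rows constructed out of the Processes and WriteProcessMemory sections above, resolves parents in spawn order using the sandbox's per-process id, and flags every cmd.exe whose `del` target is its own parent's image. The rows are a subset of the run (first two stages, last two stages and their cmd.exe children); the submitted sample's procid is not shown in the report, so 0 is assumed, and the parent of PID 3600 is left out on purpose to show how an orphan is handled.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    procid: int            # sandbox per-process id ("procid_target"); unique in the run
    pid: int               # Windows PID; 2008 and 3608 are each reused within this run
    ppid: "int | None"     # PID that wrote into this process at creation (WriteProcessMemory)
    image: str
    cmdline: str = ""
    parent: "Proc | None" = field(default=None, repr=False)
    children: list = field(default_factory=list, repr=False)


# Rows (procid, pid, ppid, image, command line) are CONSTRUCTED from the report's
# Processes and WriteProcessMemory sections: a subset covering the first two stages,
# the last two stages and their cmd.exe children. The report does not show the
# submitted sample's own procid, so 0 is ASSUMED; the parent of procid 113 (PID 1984)
# is left out on purpose to show how an orphan is handled.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROWS = [
    (0, 2008, None, r"C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe", ""),
    (89, 4044, 2008, r"C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe", ""),
    (90, 3228, 2008, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (99, 812, 4044, r"C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe", ""),
    (100, 3608, 4044, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1498D~1.EXE > nul"),
    (113, 3600, 1984, r"C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe", ""),
    (115, 3108, 3600, r"C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe", ""),
    (116, 2008, 3600, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{962A7~1.EXE > nul"),
    (117, 1760, 3108, r"C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe", ""),
    (118, 3608, 3108, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{19D7A~1.EXE > nul"),
]

DEL_RE = re.compile(r"\bdel\s+(?P<target>\S+)", re.IGNORECASE)
SHORT_RE = re.compile(r"(?P<stem>.{1,6})~\d+\.(?P<ext>.{1,3})")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Link children to parents by PID, resolving PID reuse by spawn order.

    A PID names whichever process held it when the child was created, so the parent
    is the row with pid == ppid and the largest procid smaller than the child's own.
    """
    procs = {r[0]: Proc(*r) for r in rows}
    for p in sorted(procs.values(), key=lambda x: x.procid):
        older = [q for q in procs.values() if q.pid == p.ppid and q.procid < p.procid]
        if older:
            p.parent = max(older, key=lambda q: q.procid)
            p.parent.children.append(p)
    return procs


def names_parent(target, parent_image):
    """True if a del target is the parent's image, by long name or 8.3 short name.

    The short form is approximated as the first six characters of the stem, "~N" and
    a three-character extension; NTFS also strips spaces and extra dots and switches
    to a hashed form after repeated collisions, which this does not model.
    """
    target, parent = _basename(target).upper(), _basename(parent_image).upper()
    if target == parent:
        return True
    m = SHORT_RE.fullmatch(target)
    if not m:
        return False
    stem, _, ext = parent.rpartition(".")
    return m["stem"] == stem[:6] and m["ext"] == ext[:3]


def self_deletes(procs):
    """Sorted (parent procid, cmd procid) pairs where cmd.exe deletes its parent's image."""
    hits = []
    for p in procs.values():
        if p.parent is None or _basename(p.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if m and names_parent(m["target"], p.parent.image):
            hits.append((p.parent.procid, p.procid))
    return sorted(hits)


def render(procs):
    """Indented tree, one line per process; a root is any process with no known parent."""
    hits, lines = set(self_deletes(procs)), []

    def walk(p, depth):
        tag = "  <- deletes parent image" if p.parent and (p.parent.procid, p.procid) in hits else ""
        lines.append(f"{'  ' * depth}[{p.procid}] pid {p.pid} {_basename(p.image)}{tag}")
        for c in p.children:
            walk(c, depth + 1)

    for root in sorted((p for p in procs.values() if p.parent is None), key=lambda x: x.procid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(ROWS))))
```

With the full 64 WriteProcessMemory entries above as input (deduplicated to one row per procid) the same code yields the single twelve-level chain shown in the Processes section; the subset here produces two roots because PID 1984 was left out. The self-delete test is a useful hunting pattern on its own: a cmd.exe child whose `del` argument resolves to the parent's image is rarely legitimate outside installers.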
Network
MITRE ATT&CK Enterprise v15
Downloads

Eleven dropped stages. Each is the same size as the submitted sample (168KB) but carries a distinct hash, so blocking on the hashes of the original sample or of any single stage will not stop the chain; the YARA rule above matches all of them.

1. Filesize: 168KB
   MD5: 5c7f63a4eb985d118a92dab446bec139
   SHA1: 2bb07108fe5b69b96c2d5cadbba647889a78076f
   SHA256: 2ff59dfd8e34aae2f2eb4f2921b873e6ebccfc238573b824c46367ff5faa6d63
   SHA512: 979e79f78ff5e378437732467d79c9a8714d301036855ec838e880d7a965fdb84ec059f2a75316e4ae97aff2644453fe7f48c026b3e03cfe7bfeb993745766ea

2. Filesize: 168KB
   MD5: 04b8ab2968d4b33b2bc940c1918141f2
   SHA1: 3901c2f344973e7dc1da78253a0d4c75b18fde56
   SHA256: 49ab269a7d4ca5f3af525252a82d86d75b7dfa5bce09c219689a63cd10328ff0
   SHA512: 94ae286a4e920d5178349bf78019255f47211b8a5a8516c5e26685480daa96628ff9e394a3d5f231017ebf92d5ebe45a46057fe634449feb8ea0b76c94464614

3. Filesize: 168KB
   MD5: 49f487763d9d74f7022b5846fa3ffde6
   SHA1: 93a615333525d7eb111573960cc3fe2d1f25e8ad
   SHA256: 670f0e2198e80142fbab8b050791dddfa3fc66d5f6d34fc36c497c4a32ed5993
   SHA512: ecd779179d1d59736624d0efc90c2f6e79c237147f4d5a610c8ceaf02eb6393b5cbe160fa13be0308749fa4157e1c640f8ce8cc000443e2ae4f3d92cbfadb348

4. Filesize: 168KB
   MD5: ca20851455ac1d699b439482df8a97da
   SHA1: b43fdce22682e8e0ad731cb37d805938b2bf395d
   SHA256: b9fbc83214a3fd35497d0d471dae05cacbeb54fcc23d4a0d78cad05a0eed35c0
   SHA512: 252d1b163342db411c055c21ebc296d76c35dd8ce18753b2aa76afb5f1b1a19fdec30d390118dde7e13167d023b0896b90424d1a12bc9c024d85411108f609b2

5. Filesize: 168KB
   MD5: ebc16e03c1fcc23d2bea45e3a5da7909
   SHA1: 4eec56b3db24f21465ac8232997e45a7c980b68d
   SHA256: 5de45a8c3069c0a9745c33ede6a11af55604f8b64f3b7a679cf6e925f935f2db
   SHA512: fb8d542741f1133be6b8ee4047e83c946d50c6da8664edbb983839dc30e218af48c46e6edb92560185c1464977560eb59b58387f25e71a29b20d834b0155ebf4

6. Filesize: 168KB
   MD5: e940294304353c9ed3f25169f766b6cd
   SHA1: 1e913fbf5cf17b45abd212afc324dff8b3c0eac7
   SHA256: 0fe268abcb7c56e1e63b6f324e2f5b08910302a9f26b2b605545946bbf238c17
   SHA512: 3157f49fa96fd17a4d2a0e9806c7d187fbc623170515c412508037d8f340c650ba5feaf4d9fab4ebdfa4e2540a28e9fb197d7e0d73f9448a8e685e6405b11d72

7. Filesize: 168KB
   MD5: 6d8a1d3b4f205dd523f3f2b8826c4a2a
   SHA1: 3f2faac7d1137a1c622c907693569d06684895e9
   SHA256: a28879395229265a6777b3aaaab859b412b262bc8a7a959e29b0b4046d94e473
   SHA512: a5e188303b4d2a6d5cccb1fc0cc316cf526ebba3f4b4e27f0059d5eb7e63fa7294b14f9edc04916acefbcb3d8c7d0e88b5836b0842f22d080169756820816662

8. Filesize: 168KB
   MD5: b0300be7b6883bea12af49a01a98a15c
   SHA1: 94ad95cf09f93d2fcc3490996c29b6112373dafe
   SHA256: 87b2d783a7aaf0069277eef0bfe726f56263c0d5dd361f2eea24ffcefd03b766
   SHA512: 961c46b6a37f09e9200af3f7723c3ac73c49a71dc2f567041a4858bd0efc96ffd77b8d33e94a0dff357bd0f20a366794b1807fdc89e857ce94de3ccdd1e7b4ec

9. Filesize: 168KB
   MD5: 707b0115e8e6288da9bb20d14b3e3c4d
   SHA1: ede39849418085a7eee1ef2339e88387fc108765
   SHA256: 1e0347b1ebeb63dc454bba392846afbf20bb41df9a213e3882b8444414f0d25e
   SHA512: 23d4bfdc5eb1c64241c5245266a8eeb4b806b855ab1bae2dde754239f6213477361a3f2e20940fec7a294c0ff5d56234ed7508d4157cea8d5312ee02546d3077

10. Filesize: 168KB
    MD5: ebb128339cb02cd6f183f0e221d9170f
    SHA1: 8f5841f800b216f48a4d05c64175041194caedb5
    SHA256: e3fbe5723c2e04d22c4f3e3997456ae868721f358fee321c6e999e4a0adc9722
    SHA512: a1ceca48f0cc0cab034eaf77fd04cc99d134066c7515a0b446032fdbc914566dfab8f5e99018c9f2d562c49145ba51508835e94ece013b10297582a113def00e

11. Filesize: 168KB
    MD5: 8f6e4326d5f1f1f9e71378f210df3e94
    SHA1: 46fdffcaea2f31f7f628fe8181b48e6ec0c53be0
    SHA256: b40739a35a0c27039f782ee1f00d88e96a1fa4fe6f104afc860b2393182ef600
    SHA512: c7cdd2cc27c7c485f5adc9cbcdf9684b414224cca4871a6c69916554e5fce2f64862a1bc9656e9e440e6b174f9b0acfb42bfcf9b6e5430ac6a46c51ddbfcb5e5