Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 18:23
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
- Size: 168KB
- MD5: 7ad159816e5e1b401a70f0c9ca3f4b07
- SHA1: d95d8f2aadaf3afb86740a04d14dfd68ce06cbd1
- SHA256: eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3
- SHA512: 1618b23f7ff4b3f41be7982b0256177324a4c212328d5ead5af0ead8e1bac4e962fcd7e8ea0dcfb4ddffff2720dcbb612042ffa13c6b02171f460f2fd5b41e11
- SSDEEP: 1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000012245-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00280000000139c9-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012245-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012245-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012245-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012245-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87} | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6420383-AB6A-4459-9096-2E40920878A7}\stubpath = "C:\\Windows\\{E6420383-AB6A-4459-9096-2E40920878A7}.exe" | {FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}\stubpath = "C:\\Windows\\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe" | {E6420383-AB6A-4459-9096-2E40920878A7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}\stubpath = "C:\\Windows\\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe" | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64038816-6A41-410c-830D-3310D11BCF74} | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D45D587-C400-4b07-9134-FCC176FC66A3} | {64038816-6A41-410c-830D-3310D11BCF74}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D45D587-C400-4b07-9134-FCC176FC66A3}\stubpath = "C:\\Windows\\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe" | {64038816-6A41-410c-830D-3310D11BCF74}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F} | {E6420383-AB6A-4459-9096-2E40920878A7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A} | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}\stubpath = "C:\\Windows\\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe" | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF432A0C-D213-4d50-BB60-63F4C97E296E} | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF432A0C-D213-4d50-BB60-63F4C97E296E}\stubpath = "C:\\Windows\\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe" | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA} | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64038816-6A41-410c-830D-3310D11BCF74}\stubpath = "C:\\Windows\\{64038816-6A41-410c-830D-3310D11BCF74}.exe" | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}\stubpath = "C:\\Windows\\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe" | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6420383-AB6A-4459-9096-2E40920878A7} | {FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E27CE6-1188-420c-AEF7-6047D39942AE} | {3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E27CE6-1188-420c-AEF7-6047D39942AE}\stubpath = "C:\\Windows\\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe" | {3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5} | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}\stubpath = "C:\\Windows\\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe" | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}\stubpath = "C:\\Windows\\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe" | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02} | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
Deletes itself (1 IoC)
pid | Process
2384 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe
1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
1128 | {FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
2280 | {E6420383-AB6A-4459-9096-2E40920878A7}.exe
2804 | {3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
2956 | {15E27CE6-1188-420c-AEF7-6047D39942AE}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
File created | C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe | {E6420383-AB6A-4459-9096-2E40920878A7}.exe
File created | C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
File created | C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | {64038816-6A41-410c-830D-3310D11BCF74}.exe
File created | C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
File created | C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
File created | C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe | {FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
File created | C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe | {3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
File created | C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
File created | C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
File created | C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
Token: SeIncBasePriorityPrivilege | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
Token: SeIncBasePriorityPrivilege | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
Token: SeIncBasePriorityPrivilege | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
Token: SeIncBasePriorityPrivilege | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
Token: SeIncBasePriorityPrivilege | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
Token: SeIncBasePriorityPrivilege | 1128 | {FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
Token: SeIncBasePriorityPrivilege | 2280 | {E6420383-AB6A-4459-9096-2E40920878A7}.exe
Token: SeIncBasePriorityPrivilege | 2804 | {3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 2608 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 28
PID 2460 wrote to memory of 2608 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 28
PID 2460 wrote to memory of 2608 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 28
PID 2460 wrote to memory of 2608 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 28
PID 2460 wrote to memory of 2384 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 29
PID 2460 wrote to memory of 2384 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 29
PID 2460 wrote to memory of 2384 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 29
PID 2460 wrote to memory of 2384 | 2460 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 29
PID 2608 wrote to memory of 2472 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 32
PID 2608 wrote to memory of 2472 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 32
PID 2608 wrote to memory of 2472 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 32
PID 2608 wrote to memory of 2472 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 32
PID 2608 wrote to memory of 2852 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 33
PID 2608 wrote to memory of 2852 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 33
PID 2608 wrote to memory of 2852 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 33
PID 2608 wrote to memory of 2852 | 2608 | {8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe | 33
PID 2472 wrote to memory of 2660 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 34
PID 2472 wrote to memory of 2660 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 34
PID 2472 wrote to memory of 2660 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 34
PID 2472 wrote to memory of 2660 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 34
PID 2472 wrote to memory of 600 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 35
PID 2472 wrote to memory of 600 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 35
PID 2472 wrote to memory of 600 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 35
PID 2472 wrote to memory of 600 | 2472 | {7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe | 35
PID 2660 wrote to memory of 2716 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 36
PID 2660 wrote to memory of 2716 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 36
PID 2660 wrote to memory of 2716 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 36
PID 2660 wrote to memory of 2716 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 36
PID 2660 wrote to memory of 2584 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 37
PID 2660 wrote to memory of 2584 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 37
PID 2660 wrote to memory of 2584 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 37
PID 2660 wrote to memory of 2584 | 2660 | {51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe | 37
PID 2716 wrote to memory of 1656 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 38
PID 2716 wrote to memory of 1656 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 38
PID 2716 wrote to memory of 1656 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 38
PID 2716 wrote to memory of 1656 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 38
PID 2716 wrote to memory of 1624 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 39
PID 2716 wrote to memory of 1624 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 39
PID 2716 wrote to memory of 1624 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 39
PID 2716 wrote to memory of 1624 | 2716 | {64038816-6A41-410c-830D-3310D11BCF74}.exe | 39
PID 1656 wrote to memory of 948 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 40
PID 1656 wrote to memory of 948 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 40
PID 1656 wrote to memory of 948 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 40
PID 1656 wrote to memory of 948 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 40
PID 1656 wrote to memory of 1780 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 41
PID 1656 wrote to memory of 1780 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 41
PID 1656 wrote to memory of 1780 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 41
PID 1656 wrote to memory of 1780 | 1656 | {0D45D587-C400-4b07-9134-FCC176FC66A3}.exe | 41
PID 948 wrote to memory of 1608 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 42
PID 948 wrote to memory of 1608 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 42
PID 948 wrote to memory of 1608 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 42
PID 948 wrote to memory of 1608 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 42
PID 948 wrote to memory of 1456 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 43
PID 948 wrote to memory of 1456 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 43
PID 948 wrote to memory of 1456 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 43
PID 948 wrote to memory of 1456 | 948 | {9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe | 43
PID 1608 wrote to memory of 1128 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 44
PID 1608 wrote to memory of 1128 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 44
PID 1608 wrote to memory of 1128 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 44
PID 1608 wrote to memory of 1128 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 44
PID 1608 wrote to memory of 1440 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 45
PID 1608 wrote to memory of 1440 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 45
PID 1608 wrote to memory of 1440 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 45
PID 1608 wrote to memory of 1440 | 1608 | {A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe | 45
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe (PID 2460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe (PID 2608)
    Command line: C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe (PID 2472)
      Command line: C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe (PID 2660)
        Command line: C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe (PID 2716)
          Command line: C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe (PID 1656)
            Command line: C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe (PID 948)
              Command line: C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe (PID 1608)
                Command line: C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe (PID 1128)
                  Command line: C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe (PID 2280)
                    Command line: C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe (PID 2804)
                      Command line: C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe (PID 2956)
                        Command line: C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (PID 396)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFFD~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 1724)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E6420~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 1924)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FF432~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 1440)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A26BE~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 1456)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9E609~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 1780)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D45D~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 1624)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{64038~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 2584)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{51A55~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 600)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7D93E~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 2852)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8470E~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 2384)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads