Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted
19-08-2023 14:22
Static task
static1
Behavioral task
behavioral1
Sample
4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe
-
Size
372KB
-
MD5
4406a6cba9e4fcc6cf9f80d5bec8142a
-
SHA1
9b75b374b0c7bfcb1152ec51be4d3b8020c4a154
-
SHA256
30ad7eaf391668aba732c8dd2be4107ef02906213ba48f8c7d85b6d15b89d45c
-
SHA512
481147e747335fd1a1863f260d3f1f4d3729ca07a8e2fe227cd0e4488e3d9d0f2069aba52bc61365eb6b7911794b393d2a00216fe25a8e89707579ce79bf63fa
-
SSDEEP
3072:CEGh0oDmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGol/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs — Every stage registers itself under HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a StubPath that points at its own copy in C:\Windows\; Active Setup StubPath entries are executed per user at logon (MITRE ATT&CK T1547.014, Boot or Logon Autostart Execution: Active Setup), so this is a persistence mechanism, not merely a registry modification. The WOW6432Node path shows a 32-bit sample running on 64-bit Windows; when hunting, check both the WOW6432Node and native Active Setup hives for StubPath values that resolve to GUID-named executables placed directly in C:\Windows\.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F86094B-82E7-4fc7-991D-8EE9523F0533} {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7} {47E28525-B7D5-4543-B302-774FDF353878}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}\stubpath = "C:\\Windows\\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe" {47E28525-B7D5-4543-B302-774FDF353878}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E} 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B76922-C5E6-497f-94B8-317C40EB2F4E}\stubpath = "C:\\Windows\\{D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe" {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C08623-C4C6-4ccc-9356-90257A86DF4E}\stubpath = "C:\\Windows\\{C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe" {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD} {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}\stubpath = "C:\\Windows\\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe" {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC1D8E4-7790-46a1-A8AA-B3893126C872} {1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed 
Components\{C7C08623-C4C6-4ccc-9356-90257A86DF4E} {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873}\stubpath = "C:\\Windows\\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe" {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C} {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE}\stubpath = "C:\\Windows\\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe" {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873} {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAB84F9-2FBD-463f-B19E-A1023F87B748} {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}\stubpath = "C:\\Windows\\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe" {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F86094B-82E7-4fc7-991D-8EE9523F0533}\stubpath = "C:\\Windows\\{0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe" {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E}\stubpath = "C:\\Windows\\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe" 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed 
Components\{D3B76922-C5E6-497f-94B8-317C40EB2F4E} {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE} {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47E28525-B7D5-4543-B302-774FDF353878} {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAB84F9-2FBD-463f-B19E-A1023F87B748}\stubpath = "C:\\Windows\\{1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe" {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47E28525-B7D5-4543-B302-774FDF353878}\stubpath = "C:\\Windows\\{47E28525-B7D5-4543-B302-774FDF353878}.exe" {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC1D8E4-7790-46a1-A8AA-B3893126C872}\stubpath = "C:\\Windows\\{CEC1D8E4-7790-46a1-A8AA-B3893126C872}.exe" {1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe -
Executes dropped EXE 12 IoCs — The twelve dropped binaries form a strict linear chain: the submitted sample drops and launches {34A80FC9…}.exe, which drops and launches {D3B76922…}.exe, and so on through {CEC1D8E4…}.exe (PID 4844). As the Processes tree shows, each stage also spawns cmd.exe to delete its own image (using the 8.3 short name, e.g. {34A80~1.EXE) once its successor is running, so at most one stage is normally present on disk. The final stage (PID 4844) shows no registry or file-drop activity of its own, which is consistent with the 149 s run limit cutting the chain off rather than the chain ending — treat twelve as a lower bound on the number of stages.
pid Process 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe 1928 {1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe 4844 {CEC1D8E4-7790-46a1-A8AA-B3893126C872}.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\{47E28525-B7D5-4543-B302-774FDF353878}.exe {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe File created C:\Windows\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe {47E28525-B7D5-4543-B302-774FDF353878}.exe File created C:\Windows\{C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe File created C:\Windows\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe File created C:\Windows\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe File created C:\Windows\{1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe File created C:\Windows\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe File created C:\Windows\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe File created C:\Windows\{D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe File created C:\Windows\{0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe File created C:\Windows\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe File created C:\Windows\{CEC1D8E4-7790-46a1-A8AA-B3893126C872}.exe {1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs — Each stage except the last enables SeIncBasePriorityPrivilege. By itself that privilege only permits raising process scheduling priority and is not a privilege-escalation indicator; its value here is as a stable behavioural fingerprint, since every stage in the chain does it.
description pid Process Token: SeIncBasePriorityPrivilege 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe Token: SeIncBasePriorityPrivilege 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe Token: SeIncBasePriorityPrivilege 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe Token: SeIncBasePriorityPrivilege 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe Token: SeIncBasePriorityPrivilege 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe Token: SeIncBasePriorityPrivilege 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe Token: SeIncBasePriorityPrivilege 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe Token: SeIncBasePriorityPrivilege 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe Token: SeIncBasePriorityPrivilege 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe Token: SeIncBasePriorityPrivilege 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe Token: SeIncBasePriorityPrivilege 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe Token: SeIncBasePriorityPrivilege 1928 {1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries) — Every parent→child pair appears exactly three times and the target is always a process the parent has just created (the next stage or its own cmd.exe), a pattern consistent with ordinary process creation as recorded by this sandbox rather than with injection into an unrelated process. Because of the cap, the writes by PID 1928 ({1FE53475…}.exe) to PIDs 4844 and 4192 are not shown even though the Processes tree records both children.
description pid Process procid_target PID 3316 wrote to memory of 3772 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 89 PID 3316 wrote to memory of 3772 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 89 PID 3316 wrote to memory of 3772 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 89 PID 3316 wrote to memory of 520 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 90 PID 3316 wrote to memory of 520 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 90 PID 3316 wrote to memory of 520 3316 4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe 90 PID 3772 wrote to memory of 1428 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 91 PID 3772 wrote to memory of 1428 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 91 PID 3772 wrote to memory of 1428 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 91 PID 3772 wrote to memory of 4376 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 92 PID 3772 wrote to memory of 4376 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 92 PID 3772 wrote to memory of 4376 3772 {34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe 92 PID 1428 wrote to memory of 3632 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 94 PID 1428 wrote to memory of 3632 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 94 PID 1428 wrote to memory of 3632 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 94 PID 1428 wrote to memory of 2544 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 95 PID 1428 wrote to memory of 2544 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 95 PID 1428 wrote to memory of 2544 1428 {D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe 95 PID 3632 wrote to memory of 4972 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 96 PID 3632 wrote to memory of 4972 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 96 PID 3632 wrote to memory of 4972 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 96 PID 3632 wrote to memory of 3180 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 97 PID 3632 wrote to memory of 3180 3632 
{C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 97 PID 3632 wrote to memory of 3180 3632 {C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe 97 PID 4972 wrote to memory of 3932 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 98 PID 4972 wrote to memory of 3932 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 98 PID 4972 wrote to memory of 3932 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 98 PID 4972 wrote to memory of 556 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 99 PID 4972 wrote to memory of 556 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 99 PID 4972 wrote to memory of 556 4972 {052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe 99 PID 3932 wrote to memory of 4264 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 100 PID 3932 wrote to memory of 4264 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 100 PID 3932 wrote to memory of 4264 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 100 PID 3932 wrote to memory of 1744 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 101 PID 3932 wrote to memory of 1744 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 101 PID 3932 wrote to memory of 1744 3932 {09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe 101 PID 4264 wrote to memory of 3488 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 102 PID 4264 wrote to memory of 3488 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 102 PID 4264 wrote to memory of 3488 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 102 PID 4264 wrote to memory of 5092 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 103 PID 4264 wrote to memory of 5092 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 103 PID 4264 wrote to memory of 5092 4264 {1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe 103 PID 3488 wrote to memory of 1596 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 104 PID 3488 wrote to memory of 1596 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 104 PID 3488 wrote to memory of 1596 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 104 PID 3488 wrote to memory of 3540 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 105 PID 3488 
wrote to memory of 3540 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 105 PID 3488 wrote to memory of 3540 3488 {C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe 105 PID 1596 wrote to memory of 4508 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 106 PID 1596 wrote to memory of 4508 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 106 PID 1596 wrote to memory of 4508 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 106 PID 1596 wrote to memory of 4580 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 107 PID 1596 wrote to memory of 4580 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 107 PID 1596 wrote to memory of 4580 1596 {0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe 107 PID 4508 wrote to memory of 8 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 108 PID 4508 wrote to memory of 8 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 108 PID 4508 wrote to memory of 8 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 108 PID 4508 wrote to memory of 516 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 109 PID 4508 wrote to memory of 516 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 109 PID 4508 wrote to memory of 516 4508 {47E28525-B7D5-4543-B302-774FDF353878}.exe 109 PID 8 wrote to memory of 1928 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe 110 PID 8 wrote to memory of 1928 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe 110 PID 8 wrote to memory of 1928 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe 110 PID 8 wrote to memory of 4204 8 {92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe — command line: "C:\Users\Admin\AppData\Local\Temp\4406a6cba9e4fcc6cf9f80d5bec8142a_goldeneye_JC.exe" (depth 1)
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe — command line: C:\Windows\{34A80FC9-23AE-4c4d-B3F7-3308D41D529E}.exe (depth 2)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\{D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe — command line: C:\Windows\{D3B76922-C5E6-497f-94B8-317C40EB2F4E}.exe (depth 3)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\{C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe — command line: C:\Windows\{C7C08623-C4C6-4ccc-9356-90257A86DF4E}.exe (depth 4)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe — command line: C:\Windows\{052879D3-54BE-4a22-9B64-F29AA2E5E4FE}.exe (depth 5)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe — command line: C:\Windows\{09D8591B-5E1F-49bb-980A-8C2DBDA5A873}.exe (depth 6)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\{1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe — command line: C:\Windows\{1DAB84F9-2FBD-463f-B19E-A1023F87B748}.exe (depth 7)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe — command line: C:\Windows\{C180B3EF-A94B-4a0f-91DD-C792FA2B3F2C}.exe (depth 8)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\{0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe — command line: C:\Windows\{0F86094B-82E7-4fc7-991D-8EE9523F0533}.exe (depth 9)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\{47E28525-B7D5-4543-B302-774FDF353878}.exe — command line: C:\Windows\{47E28525-B7D5-4543-B302-774FDF353878}.exe (depth 10)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe — command line: C:\Windows\{92DC9BF6-BAF0-456c-BBEB-56C32CB951A7}.exe (depth 11)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe — command line: C:\Windows\{1FE53475-2D9E-43f3-9C24-D5778A7BA2DD}.exe (depth 12)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE53~1.EXE > nul (depth 13) PID:4192 — Note the image path is SysWOW64 although the command line names system32: the 32-bit parent is subject to WOW64 file-system redirection. Detections keyed on the cmd.exe image path should therefore match both locations, or key on the `/c del … > nul` command line instead.
-
-
C:\Windows\{CEC1D8E4-7790-46a1-A8AA-B3893126C872}.exe — command line: C:\Windows\{CEC1D8E4-7790-46a1-A8AA-B3893126C872}.exe (depth 13) — last stage captured; no further registry, drop or child-process activity is recorded for it within the 149 s run.
- Executes dropped EXE
PID:4844
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{92DC9~1.EXE > nul (depth 12) PID:4204
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{47E28~1.EXE > nul (depth 11) PID:516
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F860~1.EXE > nul (depth 10) PID:4580
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C180B~1.EXE > nul (depth 9) PID:3540
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DAB8~1.EXE > nul (depth 8) PID:5092
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{09D85~1.EXE > nul (depth 7) PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{05287~1.EXE > nul (depth 6) PID:556
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C08~1.EXE > nul (depth 5) PID:3180
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B76~1.EXE > nul (depth 4) PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34A80~1.EXE > nul (depth 3) PID:4376
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4406A6~1.EXE > nul (depth 2) PID:520 — the submitted sample deletes its own original file from the user's Temp directory after launching the first dropped stage.
-
Network
MITRE ATT&CK Enterprise v15
Downloads — Files collected from the run (presumably the dropped stage executables). Twelve distinct hash sets are listed, each 372KB (the same size as the submitted sample), several of them repeated, and none matches the submitted sample's hashes; this suggests each stage writes a modified rather than byte-identical copy of itself, so file-hash indicators for one stage will not match the next.
-
Filesize
372KB
MD5 7dbc1d22ff795d3544f6dc172d2d5d52
SHA1 4313d7840ca31a0d3eec66f595bc8c922918d1d5
SHA256 d047fb2349fe918bc1080080ff831dfbfa391df2e8f420aaea5fded18a84431b
SHA512 8bb913ba59ca7f4c2aa27736bed79a0d1790b0aa39f8ac6fe8873409982e3c503bb2491af2c9582ccc7f80f760cd354e9069545a9e545ce1a4d2a1978c3a52c9
-
Filesize
372KB
MD57dbc1d22ff795d3544f6dc172d2d5d52
SHA14313d7840ca31a0d3eec66f595bc8c922918d1d5
SHA256d047fb2349fe918bc1080080ff831dfbfa391df2e8f420aaea5fded18a84431b
SHA5128bb913ba59ca7f4c2aa27736bed79a0d1790b0aa39f8ac6fe8873409982e3c503bb2491af2c9582ccc7f80f760cd354e9069545a9e545ce1a4d2a1978c3a52c9
-
Filesize
372KB
MD5dbc5d6eb1e79dbb239139e8c8e0d0e93
SHA1f3398fe154a31013832b1c5f7b5864e5ce9ca76c
SHA256cb6ffea523aaf3d47bcb1b10db605281a826f4bec8ae185fe79b1a87605f8af5
SHA51230b5fe53720554917dd5b4cbad4010b2acc3447ce1e190129a9b50f512ba57cd2b7740edd44b8b2e51f9f7621de551c2d1287bd2a80710e382ad405893caff3e
-
Filesize
372KB
MD5dbc5d6eb1e79dbb239139e8c8e0d0e93
SHA1f3398fe154a31013832b1c5f7b5864e5ce9ca76c
SHA256cb6ffea523aaf3d47bcb1b10db605281a826f4bec8ae185fe79b1a87605f8af5
SHA51230b5fe53720554917dd5b4cbad4010b2acc3447ce1e190129a9b50f512ba57cd2b7740edd44b8b2e51f9f7621de551c2d1287bd2a80710e382ad405893caff3e
-
Filesize
372KB
MD51b3b9a7d9fb62abed07c9affc947b8cc
SHA137323be7e19c4cd756b1e99b576ff60f791d51dc
SHA25630b2e3c5024c49b01f3ab311730fecb35825784bf19288ecd3c7ee438b42fa31
SHA5123814247f3091841811c03f35e8021ab7680ec4b182d319c37cfc7a7010f51a9756b89da9c5ebe798877b90273ebf8f27975e3fe32ddcd6a7e0d29a68d825bfad
-
Filesize
372KB
MD51b3b9a7d9fb62abed07c9affc947b8cc
SHA137323be7e19c4cd756b1e99b576ff60f791d51dc
SHA25630b2e3c5024c49b01f3ab311730fecb35825784bf19288ecd3c7ee438b42fa31
SHA5123814247f3091841811c03f35e8021ab7680ec4b182d319c37cfc7a7010f51a9756b89da9c5ebe798877b90273ebf8f27975e3fe32ddcd6a7e0d29a68d825bfad
-
Filesize
372KB
MD5a9cf3efb6f2f0edb28c405b6931f87e6
SHA18ff7658c459561437055588b422a32535e3e75d7
SHA256ee017ceac57c00c641eb9ffd7d94c1b6a710d42e42e61b25a0abe50eaf8b68ed
SHA51270e87365ba7e0f6b1c1368a3caa6e32e83518a191835135b890ccc187c3ef11bb34aff839a5b61c04cfdd45210894764b7a77b2b23f3fe9c076454fee65d7bb2
-
Filesize
372KB
MD5a9cf3efb6f2f0edb28c405b6931f87e6
SHA18ff7658c459561437055588b422a32535e3e75d7
SHA256ee017ceac57c00c641eb9ffd7d94c1b6a710d42e42e61b25a0abe50eaf8b68ed
SHA51270e87365ba7e0f6b1c1368a3caa6e32e83518a191835135b890ccc187c3ef11bb34aff839a5b61c04cfdd45210894764b7a77b2b23f3fe9c076454fee65d7bb2
-
Filesize
372KB
MD5d83d0c851f67c78d1dc75f4bc47b125d
SHA10defb5435c4ae7fa248bfa361d4482bc11a312c8
SHA256361f468efb90af3e82ddd6591b61d161c367f5c5f78c94ca5c68e9587530ac76
SHA512c8fbd821078d8e2a8c0f2df1174002723c185dbb5bb8f0e0ad6e61489ffe47db8df48dac9987c4b919ea0c92b716a152abd685d063771a0833e25bbcb848a354
-
Filesize
372KB
MD5d83d0c851f67c78d1dc75f4bc47b125d
SHA10defb5435c4ae7fa248bfa361d4482bc11a312c8
SHA256361f468efb90af3e82ddd6591b61d161c367f5c5f78c94ca5c68e9587530ac76
SHA512c8fbd821078d8e2a8c0f2df1174002723c185dbb5bb8f0e0ad6e61489ffe47db8df48dac9987c4b919ea0c92b716a152abd685d063771a0833e25bbcb848a354
-
Filesize
372KB
MD52be9fdb98d378b4a1b3bb973d8909614
SHA158eec220150eff9bcfefe1fe174d2202899fc795
SHA256a0d036562756d1a93ee6bbb6a64561a7ec667a6923b3e043fe93727647aee2c0
SHA5125f9bf0367fe4458d3c250fd87bc88a3bdcb21637f8b598a3dbacaba81a8d05cbaeabbee9704049676413e538f6656da2a7f23ae60eddd9aa10488fbfc714c7a9
-
Filesize
372KB
MD52be9fdb98d378b4a1b3bb973d8909614
SHA158eec220150eff9bcfefe1fe174d2202899fc795
SHA256a0d036562756d1a93ee6bbb6a64561a7ec667a6923b3e043fe93727647aee2c0
SHA5125f9bf0367fe4458d3c250fd87bc88a3bdcb21637f8b598a3dbacaba81a8d05cbaeabbee9704049676413e538f6656da2a7f23ae60eddd9aa10488fbfc714c7a9
-
Filesize
372KB
MD5f560286d035cc6f667a2805df6426f37
SHA1cc020a7fa2933dd0200e6de2e6bae8815daa1f2c
SHA25688e2060f093203fb1e582d2dda0c3c80ea887c90aa2bcbd8a1ed44770733e8c6
SHA5122252efeade65ceca20bcc03663927db1d4ef98ad09f385799efb0d89228507fc4dd6d20ee4760fdc37520d7f90bc5fda558592930ba57c51b3dd42eedd034996
-
Filesize
372KB
MD5f560286d035cc6f667a2805df6426f37
SHA1cc020a7fa2933dd0200e6de2e6bae8815daa1f2c
SHA25688e2060f093203fb1e582d2dda0c3c80ea887c90aa2bcbd8a1ed44770733e8c6
SHA5122252efeade65ceca20bcc03663927db1d4ef98ad09f385799efb0d89228507fc4dd6d20ee4760fdc37520d7f90bc5fda558592930ba57c51b3dd42eedd034996
-
Filesize
372KB
MD52331d1ea290df667134e6023ed80e9a0
SHA180c705c3c77be0ab0343adda30796d4274bab6bd
SHA256130b2984fe2cc1adacd7b27e7e3805817d10c4eb082bbcf58287edb3d2d3597d
SHA512d55686f8e13e74bcdfba0e35af9bc2293e18235683717e8cdbe96efdd92a9d5150346f23b1d326fcd3933d3309cddfd9441d65f1490c99e72cee4b63b6a6147e
-
Filesize
372KB
MD52331d1ea290df667134e6023ed80e9a0
SHA180c705c3c77be0ab0343adda30796d4274bab6bd
SHA256130b2984fe2cc1adacd7b27e7e3805817d10c4eb082bbcf58287edb3d2d3597d
SHA512d55686f8e13e74bcdfba0e35af9bc2293e18235683717e8cdbe96efdd92a9d5150346f23b1d326fcd3933d3309cddfd9441d65f1490c99e72cee4b63b6a6147e
-
Filesize
372KB
MD57094f0a45175ab6963a914449ac224ff
SHA1364f63743f10fd581041fb587e90258864265d4e
SHA2562b6a1ca03266238687733c383e65c6d32202c5a4f7975631d66d7b7fff131022
SHA5121e9109f21a6cf73e684d5ace1b0c4e3c5306283601dac35b4c52dd3140dd371bc67a83b2900187069ede436f96d2023b77bae1bdc83d3b316c0d98f04529c097
-
Filesize
372KB
MD57094f0a45175ab6963a914449ac224ff
SHA1364f63743f10fd581041fb587e90258864265d4e
SHA2562b6a1ca03266238687733c383e65c6d32202c5a4f7975631d66d7b7fff131022
SHA5121e9109f21a6cf73e684d5ace1b0c4e3c5306283601dac35b4c52dd3140dd371bc67a83b2900187069ede436f96d2023b77bae1bdc83d3b316c0d98f04529c097
-
Filesize
372KB
MD5b5be05eebc1ac3de26975549c6b1452d
SHA171b82a3765700d7ac04fd6cc5aaa8398865a09a6
SHA256b5a198565a8c8e1d3c75b9c63c001b37df87ae79388cbff1291da4b5bfeaf6f4
SHA512709bf5c4dcb00e716a3e8585cc74a85a6443c9d1a0996731fcff5113cd4d20e119759148aa7ecdaf66273c43aa5c27c99bc9a94b543f0ac52496d9968770b794
-
Filesize
372KB
MD5b5be05eebc1ac3de26975549c6b1452d
SHA171b82a3765700d7ac04fd6cc5aaa8398865a09a6
SHA256b5a198565a8c8e1d3c75b9c63c001b37df87ae79388cbff1291da4b5bfeaf6f4
SHA512709bf5c4dcb00e716a3e8585cc74a85a6443c9d1a0996731fcff5113cd4d20e119759148aa7ecdaf66273c43aa5c27c99bc9a94b543f0ac52496d9968770b794
-
Filesize
372KB
MD5b5be05eebc1ac3de26975549c6b1452d
SHA171b82a3765700d7ac04fd6cc5aaa8398865a09a6
SHA256b5a198565a8c8e1d3c75b9c63c001b37df87ae79388cbff1291da4b5bfeaf6f4
SHA512709bf5c4dcb00e716a3e8585cc74a85a6443c9d1a0996731fcff5113cd4d20e119759148aa7ecdaf66273c43aa5c27c99bc9a94b543f0ac52496d9968770b794
-
Filesize
372KB
MD55870376aed23dcef49a5206f2723fc45
SHA174724a21a08c2555b92d2c6a40ce8bd5530571dd
SHA256fe46d1a5e3bd99b58c8cd42b306de97d158b886cee0387c4ecf60561e2eb89df
SHA512445b51cfb5659360ad3a9af0f21785dfc0a9a5caed9f82157f9071d9c0504a8059d6fced7ba96d7ceed96373681c7817064778acd07ff4c4f6d037e4d824ee84
-
Filesize
372KB
MD55870376aed23dcef49a5206f2723fc45
SHA174724a21a08c2555b92d2c6a40ce8bd5530571dd
SHA256fe46d1a5e3bd99b58c8cd42b306de97d158b886cee0387c4ecf60561e2eb89df
SHA512445b51cfb5659360ad3a9af0f21785dfc0a9a5caed9f82157f9071d9c0504a8059d6fced7ba96d7ceed96373681c7817064778acd07ff4c4f6d037e4d824ee84
-
Filesize
372KB
MD5e977bb2d62634dcd18febfde8f152ae4
SHA172fd9b30185f83b67a899e933d782076e3ee4276
SHA256a6c2b100544772a33d5ec10e2b4014aec26059c929e8373c52fb4e43fc214c4c
SHA512221b9cde6bee1c452d219121fb959984cdf0e6bc06d547e4478d0d90a57831559a7c7f8b72e5a727058f3c3ee7d4e4b93d44c1c0883d5d6d9b7e7c64c92f581a
-
Filesize
372KB
MD5e977bb2d62634dcd18febfde8f152ae4
SHA172fd9b30185f83b67a899e933d782076e3ee4276
SHA256a6c2b100544772a33d5ec10e2b4014aec26059c929e8373c52fb4e43fc214c4c
SHA512221b9cde6bee1c452d219121fb959984cdf0e6bc06d547e4478d0d90a57831559a7c7f8b72e5a727058f3c3ee7d4e4b93d44c1c0883d5d6d9b7e7c64c92f581a