Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
05-01-2024 05:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
-
Size
380KB
-
MD5
d79161d8be763949d02a1200640b507a
-
SHA1
13d49858e50a26a76ee9783fa484a720656d553a
-
SHA256
50360290803234c43c2cd6c009befa31c17d11a6ad7dfb4b26eae8880fbdb8ed
-
SHA512
b73155e49cc9a4b3f945d7a2efd9adf099252cfe5da4b220b26fe71208b2cf61b45fb2fa003c73291d452097d2840a7974ce3bda2c0c1e84aec3b3346b6c84bf
-
SSDEEP
3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}\stubpath = "C:\\Windows\\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe" {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}\stubpath = "C:\\Windows\\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe" {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}\stubpath = "C:\\Windows\\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe" {65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}\stubpath = "C:\\Windows\\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe" {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95} {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFEEBB71-FBED-4abf-B480-0151A6C27564}\stubpath = "C:\\Windows\\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe" {DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B19D41-999D-4749-9B80-D39C90AA7AC8}\stubpath = "C:\\Windows\\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe" 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D} {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed 
Components\{3B224AA4-A413-4111-A7FF-137BB53F4E14}\stubpath = "C:\\Windows\\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe" {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9} {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD} {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E791280-0797-4270-B356-A0D7336359CD} {CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B19D41-999D-4749-9B80-D39C90AA7AC8} 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}\stubpath = "C:\\Windows\\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe" {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}\stubpath = "C:\\Windows\\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe" {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}\stubpath = "C:\\Windows\\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe" {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFEEBB71-FBED-4abf-B480-0151A6C27564} {DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E791280-0797-4270-B356-A0D7336359CD}\stubpath = 
"C:\\Windows\\{7E791280-0797-4270-B356-A0D7336359CD}.exe" {CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9} {7E791280-0797-4270-B356-A0D7336359CD}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}\stubpath = "C:\\Windows\\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe" {7E791280-0797-4270-B356-A0D7336359CD}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C6D0AC8-363D-454d-90AA-6724DD043C6E} {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01CCD14-B7AC-49b1-A438-BB3390E70E03} {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B224AA4-A413-4111-A7FF-137BB53F4E14} {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1} {65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe -
Deletes itself 1 IoCs
pid Process 2028 cmd.exe -
Executes dropped EXE 12 IoCs
pid Process 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 2772 {DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe 2372 {CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe 2252 {7E791280-0797-4270-B356-A0D7336359CD}.exe 2392 {65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe 2456 {26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe File created C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe {7E791280-0797-4270-B356-A0D7336359CD}.exe File created C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe {65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe File created C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe File created C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe File created C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe File created C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe File created C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe {CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe File created C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe File created C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe File created C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe File created C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe {DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe Token: SeIncBasePriorityPrivilege 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe Token: SeIncBasePriorityPrivilege 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe Token: SeIncBasePriorityPrivilege 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe Token: SeIncBasePriorityPrivilege 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe Token: SeIncBasePriorityPrivilege 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe Token: SeIncBasePriorityPrivilege 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe Token: SeIncBasePriorityPrivilege 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe Token: SeIncBasePriorityPrivilege 2772 {DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe Token: SeIncBasePriorityPrivilege 2372 {CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe Token: SeIncBasePriorityPrivilege 2252 {7E791280-0797-4270-B356-A0D7336359CD}.exe Token: SeIncBasePriorityPrivilege 2392 {65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2672 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 29 PID 2164 wrote to memory of 2672 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 29 PID 2164 wrote to memory of 2672 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 29 PID 2164 wrote to memory of 2672 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 29 PID 2164 wrote to memory of 2028 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 28 PID 2164 wrote to memory of 2028 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 28 PID 2164 wrote to memory of 2028 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 28 PID 2164 wrote to memory of 2028 2164 2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe 28 PID 2672 wrote to memory of 2340 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 31 PID 2672 wrote to memory of 2340 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 31 PID 2672 wrote to memory of 2340 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 31 PID 2672 wrote to memory of 2340 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 31 PID 2672 wrote to memory of 2812 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 30 PID 2672 wrote to memory of 2812 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 30 PID 2672 wrote to memory of 2812 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 30 PID 2672 wrote to memory of 2812 2672 {30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 30 PID 2340 wrote to memory of 2656 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 35 PID 2340 wrote to memory of 2656 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 35 PID 2340 wrote to memory of 2656 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 35 PID 2340 wrote to memory of 2656 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 35 PID 2340 wrote to memory of 1964 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 34 PID 2340 wrote to memory of 1964 2340 
{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 34 PID 2340 wrote to memory of 1964 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 34 PID 2340 wrote to memory of 1964 2340 {5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 34 PID 2656 wrote to memory of 1908 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 36 PID 2656 wrote to memory of 1908 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 36 PID 2656 wrote to memory of 1908 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 36 PID 2656 wrote to memory of 1908 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 36 PID 2656 wrote to memory of 2920 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 37 PID 2656 wrote to memory of 2920 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 37 PID 2656 wrote to memory of 2920 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 37 PID 2656 wrote to memory of 2920 2656 {DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 37 PID 1908 wrote to memory of 2968 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 38 PID 1908 wrote to memory of 2968 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 38 PID 1908 wrote to memory of 2968 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 38 PID 1908 wrote to memory of 2968 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 38 PID 1908 wrote to memory of 1356 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 39 PID 1908 wrote to memory of 1356 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 39 PID 1908 wrote to memory of 1356 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 39 PID 1908 wrote to memory of 1356 1908 {C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 39 PID 2968 wrote to memory of 276 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 40 PID 2968 wrote to memory of 276 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 40 PID 2968 wrote to memory of 276 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 40 PID 2968 wrote to memory of 276 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 40 PID 2968 wrote to memory of 1692 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 41 PID 2968 wrote to memory 
of 1692 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 41 PID 2968 wrote to memory of 1692 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 41 PID 2968 wrote to memory of 1692 2968 {3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 41 PID 276 wrote to memory of 1520 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 43 PID 276 wrote to memory of 1520 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 43 PID 276 wrote to memory of 1520 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 43 PID 276 wrote to memory of 1520 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 43 PID 276 wrote to memory of 576 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 42 PID 276 wrote to memory of 576 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 42 PID 276 wrote to memory of 576 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 42 PID 276 wrote to memory of 576 276 {B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 42 PID 1520 wrote to memory of 2772 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 44 PID 1520 wrote to memory of 2772 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 44 PID 1520 wrote to memory of 2772 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 44 PID 1520 wrote to memory of 2772 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 44 PID 1520 wrote to memory of 1304 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 45 PID 1520 wrote to memory of 1304 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 45 PID 1520 wrote to memory of 1304 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 45 PID 1520 wrote to memory of 1304 1520 {2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe "C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe" 1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul 2⤵
- Deletes itself
PID:2028
-
-
C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe 2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{30B19~1.EXE > nul 3⤵ PID:2812
-
-
C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe 3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{5C6D0~1.EXE > nul 4⤵ PID:1964
-
-
C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe 4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe 5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe 6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe 7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{B93AF~1.EXE > nul 8⤵ PID:576
-
-
C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe 8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe 9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe 10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe 11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe 12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{65361~1.EXE > nul 13⤵ PID:2484
-
-
C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe 13⤵
- Executes dropped EXE
PID:2456
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{7E791~1.EXE > nul 12⤵ PID:2368
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEEB~1.EXE > nul 11⤵ PID:1068
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{DECD8~1.EXE > nul 10⤵ PID:2308
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB30~1.EXE > nul 9⤵ PID:1304
-
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{3B224~1.EXE > nul 7⤵ PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{C01CC~1.EXE > nul 6⤵ PID:1356
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{DF491~1.EXE > nul 5⤵ PID:2920
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
380KB
MD5 4a8b60b4529f028d16f3feba0ffc57de
SHA1 66dcdb3ef4b88ffe503c8857561c65bf6e94bc43
SHA256 d98528785a894012339e86ff0e73925e0b016ea8e48b8ef86d4c998126eab55f
SHA512 7c9634cc212e1bc3ee70724ff47248121a1afc9a6fdf5257072a10c4b2596b097006694cccaaa024a93507478304c0d88427a4093944d38701ee71872c7fa189
-
Filesize
346KB
MD5 2a7eddbb5b15af895c070f08138daea8
SHA1 f16a4b6a130cde9c491e6f3585e99bf58040897a
SHA256 124cfdbec809c5a8a5e2357bdd417aa10fd2a366b5a7b934e14f75958fcf98e1
SHA512 423ee1d6a00de4bb91384b6a18261ce44dac9b0d0ba0cf052b1b4819a769d8293cf21aa6267b7b6a0c46951efed2d452c7fdfd8d20a4f380f4eb5361c05688e5
-
Filesize
380KB
MD5 e83b6b60fbda1895df7396261a401088
SHA1 48d3cae2f0de7f204e6793b0358fc5e0b499e713
SHA256 ba9e59ed101620227d66385b48998f2080413e7f20a41282317def360d2086ec
SHA512 197bdcf9844bd399bc63ac97920ba9e087dd53f0d95429fdef3370fbd0fe0b4f9121dddd968fc476a4980cb83d42ec5a78337407d0f577f5e919463dca977be2
-
Filesize
3KB
MD5 dffe52d098c09c52571ddd3f86c90bdf
SHA1 9fe7335ab3edb7d41b9a29b1dd5585eb168df630
SHA256 a97f3f2be2f3f86bc4cc7dba43e2dc946f3c7fa320e3d4f1778ce455b00930a9
SHA512 0c6662c3d2d0e17a7bbfe0bc26b5f810c6cc965e528c110bf6182b716c01f9e4fe53757dc7309bf892c1caf5a96265db9d191bf2462b5c6d48f6abb11ba69ec4
-
Filesize
12KB
MD5 474487c5d82bd5abbd66d1edd34cd82b
SHA1 c770dc6a35e62fd6ab95e0bfc38325e66b975e5c
SHA256 17a4113ca4dd52b2a00c0dece32a52a40c538bb66819dc746b4b3759c1743bfa
SHA512 0c6307d68f44172ad2d4ee96a471eac31dde98eac92bb1b46349a5af0e1060a6fbe45032cbca26deff5560a5cd4c343825373b019bb1dbd7c4d500951418d199
-
Filesize
1KB
MD5 0469c37c06779c374b10516f746e54cd
SHA1 a554cdfb5bfe2fdbef5626dff44175a0a14c9aa7
SHA256 42a50b9c0cdee18b6513ca0684fe36d5108fee23b4202466ba22f5312f2c43b5
SHA512 8116e597ca3fc7d7b801424a1b37533ade4fbe62b33f7045e6eaeb6b03275c7e981498b4e237230262e157aed9d257faadb6ba1586191f0ebb8d87f292cf4ce0
-
Filesize
380KB
MD5 3db569563a15b652212d494d5b29d59e
SHA1 b303a714c55da14ed73954b712289e4a75c79f45
SHA256 e827116202bcd555b2845cf07306669066e167e9deca6b3bc8f32798362d2d57
SHA512 a16abc32d69eafd7f80cb4407da6286acf10be488dc5aef3e822db251dab53538d022f2bb6e03fc6f28dbf210fbdbcf5fcbf3a7d4db15ee3f9a7ada37ffd0030
-
Filesize
295KB
MD5 705d4fc540f7f8bd37c86fe60db29ef6
SHA1 d8aa426e9a4bbdb74e8f144487ab4f3f87dad0a9
SHA256 569a97100b3d19f0fd6deae1ffee7d591f4f0918de32348e550940903d19fa18
SHA512 6e6d761a3a64455af85016b59f1623da42a966e2d4b117deed0e80d2b3f5f10a439eec8fc90299fd64a64d8bbaf0ae7eafe28a1a09b6ee3da87a223aceecde0a
-
Filesize
33KB
MD5 c7152e6dbcb8d0e0103fa0ab857026d9
SHA1 d43f3f3db1c109d2b21ba5107bb6137807b9a057
SHA256 c45631613d2ae4aa483b466e8c3044209f1567b0fb6e04b975942bebacfb689c
SHA512 940838d56321795761bfb7a4beddf655ab782fb8a340a54c1684c37ab2492589174669d78f51b43d7d0c43699b1c546516bcc1b0e7492b65485d188f3c12249f
-
Filesize
20KB
MD5 bdfb9406da80a97474a5594d4acb03ca
SHA1 91ac779375347ce9cbfa2181e07ecf961bf87f23
SHA256 e488d7d797697ead5fe1a0f58a9be859bcc2c4fa4a0fe6c0b9ff4b38118685f5
SHA512 938fc5e893850aaabd76dbeceb3b259d307908c5e525e8e8ad32d54d9df9574000e8852d31d4f727dd5529c0c2bbf762b3617f817b618f8613cbbf6b8349071e
-
Filesize
380KB
MD5 62640385c688e5bde68d1a29bffdf949
SHA1 c2d810d46be72b9dc81d0eeaf68982b885ceaa7d
SHA256 3844b469e0fc772d0d3f4d8841b8d0fc223542a6594ef5b32ad5b7b3d664f48f
SHA512 4408fc3d29407ec7cb17b3385ddf4b1ff06478843ef7df370a33f55ef6bb60e1826534d7ecf91213cc2b69c5a97d51f02e8e172f85301777f6d45e39cc7994c3
-
Filesize
380KB
MD5 b9530276dba257e87bab0a949fadd3ed
SHA1 7b7520154492a40dd0fa7aa58b74a95aae99925d
SHA256 6b6b7bdd30451f15f4919044347e9f950b7e95a3ccc9ec7c731980d1ee1fe9bf
SHA512 d7732f78e153fa0f98815220559619b5d9dc4b3ac36880291f735517fefb5779ef5e5b6d9d52359934e3389f5e5cfca1179c372b5bb27628b7b64122f0b284bf
-
Filesize
153KB
MD5 781a42e16cfa68b358d9562fe9ee943d
SHA1 7dfd50f9ed568a883ad477033ba95c7c7308db89
SHA256 086fca1de4421f4987e3893af945a9fe5434ed31304e3fa1edc3ac4e95fade0c
SHA512 d5ac1757e54f9407d8b00b3962e762b691b58bccf164ee5c644e378735fbee13e03aead63967a5736748b256e985a1e5ed2fb993da3c6e64a8da1caca898edf7
-
Filesize
380KB
MD5 661a86a3a840f5a17f8f3a24e58d3f5c
SHA1 5524a4ed16a7c17629885c5c3e4e749fcd8d94ee
SHA256 78624fdb1704b1a31fc98bb5ba4c00e1ee96e57857e8c1980b41ddb1858c3461
SHA512 7ca5e4f07178b3e3f435b22254844047a428f6f3d2188e385b07ebc13177da0d8bd296f5196086dcb87d9f76f159ca150166391a8cddb5f5f4cadd246cc9abc2
-
Filesize
380KB
MD5 4499b626976da77ee9121f55394ef63f
SHA1 b71a69b31af0224ce4ca4303ec0f52a2dd3a03e4
SHA256 124e695d11a40e3089f58e29d09cfcecd611b6145279dd3e8353b44fb4897ecf
SHA512 c1d515a226548043ad23b43672f98426e8c797eed8a5e193b4fda5950c58b0148e193ff0df82caeda73a26b7568be69052425f056de602e5c16d0aa719ba8732
-
Filesize
380KB
MD5 98bcbd2e953c392e449cc39713cc57e7
SHA1 3c7520d6303cb8dd5710fdcbe5230cc0a38451fa
SHA256 028a54b83b5c253a64ece263c5f02e5fe1d310941fbac9125ca337f5a45488d8
SHA512 d92c57da2cea6cd8bd26a158a08c313aac7b319f5b24d416ba5e2e0012c462ff0b10a551b7b1d6def59a2943649cadbe30bb19a4454488cc4ec7abbe706dda7d
-
Filesize
380KB
MD5 33018838d2f0d4e08f81c4461aad750d
SHA1 25801bbe756f49e7938146a042fa40fb1a352bff
SHA256 a00d0d22c2ba33570e79595099ee936978c56bec6894b2cefb9a6635ead6208f
SHA512 45c03d19f2b299cc60aa58fe5f1cd664afeb25f6346a8c3ff607e9abca534576603d188d29099b240633a6df12d513a6544ccb8591d78126d11b3977d8cf5c25
-
Filesize
43KB
MD5 2fc7285b9fa334107b454095bea93e09
SHA1 bd201fef1f94f89a7df2574ff17ec912319c79c9
SHA256 c81bea898fdbbfcec83bdea8d8e72aa086ef5d3926a7095378d9e073467f238e
SHA512 f644c5abe2c64ea68320567559c8063c78709b3b0f9bba8e924da72fcd44a150724073135ef7a9e8b15eee543ab29335cb2d6d7b6dacd67e3d8782915b4eb16b
-
Filesize
380KB
MD5 49c9a9e6115efe33fb8242a9e3490ea4
SHA1 67e6a986b262c3d926b8d70f3379b06b13a80f42
SHA256 cc9a89783fcaad4d60916d13fafed30fcc83fbe78490738c53c67c28e2bc88e1
SHA512 4dd4f28bf1a8e9326dcc9ec2866c295dd455dd9f1b9f3f658faff6dcc529787976fa2e5f61ee8390bc89b84772d55cc9c27f76268afa6a118579c5026348269a