7c6de846eef4c8c1bb9d5ab70d211c8c33dd11f16c065eac07b71dc4b8486375

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
Size

344KB
MD5

fe7a49f5929d36ef4f87c148f0f6daca
SHA1

cf4ad50f765af6e3993d2785b3befac36239883c
SHA256

7c6de846eef4c8c1bb9d5ab70d211c8c33dd11f16c065eac07b71dc4b8486375
SHA512

7b18ac35c17fdd45708477e290382d01556cb83f51d7607fe8df92f56c0c81441f5312c0b0b4c0077ccf0ca40c2b4f2264c24bca78293bfc60824d6c10ba6739
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE6CB08-BA8A-4270-BF96-D25374903094}\stubpath = "C:\\Windows\\{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe"	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}\stubpath = "C:\\Windows\\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe"	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16827976-F6B7-4144-BBCD-BBED9712488F}\stubpath = "C:\\Windows\\{16827976-F6B7-4144-BBCD-BBED9712488F}.exe"	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}\stubpath = "C:\\Windows\\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe"	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF2F33D4-6459-4f31-B931-54223D7862CE}\stubpath = "C:\\Windows\\{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe"	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F776896-576A-4332-A9BD-920C58013DAD}	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE11AE21-DA2B-4633-B256-443CA7D3515E}	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE6CB08-BA8A-4270-BF96-D25374903094}	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF2F33D4-6459-4f31-B931-54223D7862CE}	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}\stubpath = "C:\\Windows\\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe"	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA27D57-638E-41b3-B20D-44D10B99BD07}	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F776896-576A-4332-A9BD-920C58013DAD}\stubpath = "C:\\Windows\\{5F776896-576A-4332-A9BD-920C58013DAD}.exe"	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7440B82E-E64A-40a9-9346-C093C20B9C9C}	{5F776896-576A-4332-A9BD-920C58013DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7440B82E-E64A-40a9-9346-C093C20B9C9C}\stubpath = "C:\\Windows\\{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe"	{5F776896-576A-4332-A9BD-920C58013DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE11AE21-DA2B-4633-B256-443CA7D3515E}\stubpath = "C:\\Windows\\{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe"	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB29202E-8803-4709-ADF4-AB172FC1FA91}	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB29202E-8803-4709-ADF4-AB172FC1FA91}\stubpath = "C:\\Windows\\{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe"	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16827976-F6B7-4144-BBCD-BBED9712488F}	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA27D57-638E-41b3-B20D-44D10B99BD07}\stubpath = "C:\\Windows\\{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe"	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7873791-E3E1-4b84-876C-4CABB66CAB53}	{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7873791-E3E1-4b84-876C-4CABB66CAB53}\stubpath = "C:\\Windows\\{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe"	{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe
2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
1352	{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe
1412	{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
File created	C:\Windows\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
File created	C:\Windows\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
File created	C:\Windows\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
File created	C:\Windows\{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
File created	C:\Windows\{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe	{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe
File created	C:\Windows\{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
File created	C:\Windows\{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
File created	C:\Windows\{5F776896-576A-4332-A9BD-920C58013DAD}.exe	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
File created	C:\Windows\{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe	{5F776896-576A-4332-A9BD-920C58013DAD}.exe
File created	C:\Windows\{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
File created	C:\Windows\{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
Token: SeIncBasePriorityPrivilege	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
Token: SeIncBasePriorityPrivilege	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
Token: SeIncBasePriorityPrivilege	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
Token: SeIncBasePriorityPrivilege	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
Token: SeIncBasePriorityPrivilege	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
Token: SeIncBasePriorityPrivilege	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
Token: SeIncBasePriorityPrivilege	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
Token: SeIncBasePriorityPrivilege	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe
Token: SeIncBasePriorityPrivilege	2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
Token: SeIncBasePriorityPrivilege	1352	{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4616	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	93
PID 3864 wrote to memory of 4616	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	93
PID 3864 wrote to memory of 4616	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	93
PID 3864 wrote to memory of 5028	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	92
PID 3864 wrote to memory of 5028	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	92
PID 3864 wrote to memory of 5028	3864	2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe	92
PID 4616 wrote to memory of 4408	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	97
PID 4616 wrote to memory of 4408	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	97
PID 4616 wrote to memory of 4408	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	97
PID 4616 wrote to memory of 1632	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	96
PID 4616 wrote to memory of 1632	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	96
PID 4616 wrote to memory of 1632	4616	{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe	96
PID 4408 wrote to memory of 4788	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	101
PID 4408 wrote to memory of 4788	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	101
PID 4408 wrote to memory of 4788	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	101
PID 4408 wrote to memory of 4700	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	100
PID 4408 wrote to memory of 4700	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	100
PID 4408 wrote to memory of 4700	4408	{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe	100
PID 4788 wrote to memory of 840	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	103
PID 4788 wrote to memory of 840	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	103
PID 4788 wrote to memory of 840	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	103
PID 4788 wrote to memory of 4360	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	104
PID 4788 wrote to memory of 4360	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	104
PID 4788 wrote to memory of 4360	4788	{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe	104
PID 840 wrote to memory of 3736	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	105
PID 840 wrote to memory of 3736	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	105
PID 840 wrote to memory of 3736	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	105
PID 840 wrote to memory of 4728	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	106
PID 840 wrote to memory of 4728	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	106
PID 840 wrote to memory of 4728	840	{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe	106
PID 3736 wrote to memory of 1140	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	108
PID 3736 wrote to memory of 1140	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	108
PID 3736 wrote to memory of 1140	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	108
PID 3736 wrote to memory of 2092	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	109
PID 3736 wrote to memory of 2092	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	109
PID 3736 wrote to memory of 2092	3736	{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe	109
PID 1140 wrote to memory of 3268	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	110
PID 1140 wrote to memory of 3268	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	110
PID 1140 wrote to memory of 3268	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	110
PID 1140 wrote to memory of 4560	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	111
PID 1140 wrote to memory of 4560	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	111
PID 1140 wrote to memory of 4560	1140	{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe	111
PID 3268 wrote to memory of 4092	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	112
PID 3268 wrote to memory of 4092	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	112
PID 3268 wrote to memory of 4092	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	112
PID 3268 wrote to memory of 2452	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	113
PID 3268 wrote to memory of 2452	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	113
PID 3268 wrote to memory of 2452	3268	{16827976-F6B7-4144-BBCD-BBED9712488F}.exe	113
PID 4092 wrote to memory of 2552	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	117
PID 4092 wrote to memory of 2552	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	117
PID 4092 wrote to memory of 2552	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	117
PID 4092 wrote to memory of 3628	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	118
PID 4092 wrote to memory of 3628	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	118
PID 4092 wrote to memory of 3628	4092	{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe	118
PID 2552 wrote to memory of 2760	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	119
PID 2552 wrote to memory of 2760	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	119
PID 2552 wrote to memory of 2760	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	119
PID 2552 wrote to memory of 3504	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	120
PID 2552 wrote to memory of 3504	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	120
PID 2552 wrote to memory of 3504	2552	{5F776896-576A-4332-A9BD-920C58013DAD}.exe	120
PID 2760 wrote to memory of 1352	2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe	126
PID 2760 wrote to memory of 1352	2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe	126
PID 2760 wrote to memory of 1352	2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe	126
PID 2760 wrote to memory of 3980	2760	{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_fe7a49f5929d36ef4f87c148f0f6daca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5028
- C:\Windows\{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
  C:\Windows\{3DE6CB08-BA8A-4270-BF96-D25374903094}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE6C~1.EXE > nul
    3⤵
    PID:1632
- - C:\Windows\{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
    C:\Windows\{AB29202E-8803-4709-ADF4-AB172FC1FA91}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB292~1.EXE > nul
      4⤵
      PID:4700
  - - C:\Windows\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
      C:\Windows\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
        
        C:\Windows\{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
        
        C:\Windows\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
        
        C:\Windows\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
        
        C:\Windows\{16827976-F6B7-4144-BBCD-BBED9712488F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
        
        C:\Windows\{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{5F776896-576A-4332-A9BD-920C58013DAD}.exe
        
        C:\Windows\{5F776896-576A-4332-A9BD-920C58013DAD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
        
        C:\Windows\{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe
        
        C:\Windows\{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe
        
        C:\Windows\{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe
        13⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE11A~1.EXE > nul
        13⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7440B~1.EXE > nul
        12⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F776~1.EXE > nul
        11⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA27~1.EXE > nul
        10⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16827~1.EXE > nul
        9⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE69A~1.EXE > nul
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{605CE~1.EXE > nul
        7⤵
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF2F3~1.EXE > nul
        6⤵
        
        PID:4728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D887~1.EXE > nul
        5⤵
        
        PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16827976-F6B7-4144-BBCD-BBED9712488F}.exe

Filesize
344KB

MD5
61949fd6d9a5e6c0b2ed4f12743854c3

SHA1
42389cdd5d3913dba664a8af0e562416d78d659f

SHA256
f2449d6ff96e66c8e64a6ad3867fc6e3b2c6e5e8926e50af700012ecdfc0e3e9

SHA512
80f52bedd66b7b8c0df2f8a793c6a56a8e8662c36417ae1bf78b38bba341fdcc94bf822d6a0a1cf4340898f61529fea594aefaad88fbc4de2c47c4da87b66b92

Download Submit
C:\Windows\{2D8879AA-041E-4479-A77C-3A00ED5FBB6E}.exe

Filesize
344KB

MD5
6fc2986b09b0397de86452c7d330a18b

SHA1
24b787fde500fd0ad0141355008b75497e2077cc

SHA256
3892226c582b282913ac3306a51330ce860c36f155496ad00001ba0e773c5b7e

SHA512
fe85189ece455bcb562cfc83293e96e39a5618c51b73c6eb094842f1bb60e2a4c183295007266aecfee5128c32635a2ba339b4ac687461bcb92017c380e6f639

Download Submit
C:\Windows\{5F776896-576A-4332-A9BD-920C58013DAD}.exe

Filesize
344KB

MD5
924406500bdcd3a677f80f306572c961

SHA1
a0a747bf6b124541d0e2c40878793afe34288fc6

SHA256
f0ec8e1c95a09c4f9660d6f763fe875dff16cf2c8130977e31a23d552ae19911

SHA512
052380a161bc38aee2e92fde2d6014e2b3c157be16269421ec673a45f55e9574103ef5021eabc05b7f524146fd846da4a892fe472177dfd87f05b1c2aa4abceb

Download Submit
C:\Windows\{605CED0B-4D1E-48f2-BA97-D3A762CEEDF1}.exe

Filesize
344KB

MD5
bb34424013467d2c07a9a82d48df44e7

SHA1
4a57c491d1c9057d1466e0257f66e176d0a40220

SHA256
354089c87d7ef57503305924e50ad85d87d4469d880c9313a57fac9498ffd57c

SHA512
421249e806b4aae7c8281560f61bce2d9b41a19b37ec76c636d950014f2b665c42c8e335ab4534b7c1d2be9dda7de431a29a7c77266f428bd768539a8efe85f4

Download Submit
C:\Windows\{7440B82E-E64A-40a9-9346-C093C20B9C9C}.exe

Filesize
344KB

MD5
e0ac0dd99339d1a1c884f92bfd7d19d8

SHA1
45eacaefbbd48bb0217f50de442a87fe2090a565

SHA256
21b0e5ff5794bb87cef922c267ee806475a30c31562ae4873ce973c27b38739a

SHA512
e76f13105091deb7ecf259d3dffa1a6d6bbca3aa453705114902053e5773b42e57db05b1dc77c0242acc443b8be671a77804a7bc3adf67b20a9900e064ac8a58

Download Submit
C:\Windows\{7DA27D57-638E-41b3-B20D-44D10B99BD07}.exe

Filesize
344KB

MD5
d71418518b4f13430613db36b9549c2a

SHA1
1cee69c0647ecf245d357f1cfb7abf304a8dceff

SHA256
b5611100b68c567b05de35b3b7e3a65750e99f7aa1a7b2fafbbae9249c65ddb2

SHA512
d56f2a933ea2f5d4fd0ddab155a292922e8bda261e426bf81847cdcd78aefa607472c63e6554b19fc10c9e4d8b7f2fa342a7d17e97dc16eaa939934c69c3faf8

Download Submit
C:\Windows\{AE69A131-D3E6-4ca7-88B8-E356FFDF3807}.exe

Filesize
344KB

MD5
763e76643a4d720b33af7d950770d9ed

SHA1
985a536a853fe0b5f303cef8b44a5409371f2eb6

SHA256
0182a0a84310454c9cc60a8bdef615a7b6fb83aaefdb42ba51e95327b5d23531

SHA512
60018fc9287775be9d581606a5dbfc0e70b6594880ec0fe6696e0aa68c3b61ac8b80c106077ac4b82fa0dca35808df1014d98c33e2e21b574fcb0507251d4f09

Download Submit
C:\Windows\{BE11AE21-DA2B-4633-B256-443CA7D3515E}.exe

Filesize
344KB

MD5
ec9e74f4389803e51a0d6a59923b4b51

SHA1
c425b95e4cfd6b7a1991489aaee698fa6c995932

SHA256
1d5b2eafd77640ba8570ce8d3fd0d86874c45664fe22e20180d2965f86fcd302

SHA512
3d119be36785e4234de249faa6680647f132c675b10dd925235687a35b1edc68e50f02cffffd01546999129859bcfac51585c2548c6f39555b5f617dcf62591e

Download Submit
C:\Windows\{BF2F33D4-6459-4f31-B931-54223D7862CE}.exe

Filesize
344KB

MD5
0dcea3c80a8aad5e7f35974826d95fb9

SHA1
a19131962e053455278822400b77f956eaf71662

SHA256
ec091ed258aadd69b16be3ccb927cad7cbbb87e744b2e7ec7c25d878633ba731

SHA512
970fc678dddf34e103885ead926a3553500b71e855c4144f153566270a3354f1d02fe4e42cc3bbda7772f7ae9c8b86eb084c34bfee315212d7f59c30e4ee873f

Download Submit
C:\Windows\{D7873791-E3E1-4b84-876C-4CABB66CAB53}.exe

Filesize
344KB

MD5
70a75766ba7d98c2b2104a2c72e3310e

SHA1
e4d9ca03e3038bbd271d7552564f1e40de439e31

SHA256
e0f78aea8befc12845e35ab566b0ba8ff96d3777ec844cde7c4a1f0cad6e7bfd

SHA512
41692b7848232f6bd755a827efeea5228ded2417f1995a278e1f2221fe43f655643917c4e27d90e168bb644d016af6554ba7cfb0f35a859c456de8d72885de0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads