Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 13:02
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe
  Resource: win10v2004-20240704-en
General
Target: 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe
Size: 192KB
MD5: bbd2ad36aa1b9adf5f31332454266a77
SHA1: cff894d7680556127fe6dbe464379cdeefeadff7
SHA256: 83eb37dbccf3f2c7998b6f691bc6f9b26c0e746ae2d67ad0378b20aae86e1db0
SHA512: a9b982b2ab11a7089bb2ab7fc3ab0d06d506368796ad7da70d6e2bca54626188419ca5c90a865cac92e3bc121722af47be4e459dbd6b9fbe83d12d19b38ef671
SSDEEP: 1536:1EGh0orLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o/l1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7} | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}\stubpath = "C:\\Windows\\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe" | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17} | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E1E047-694B-4d06-B37C-32849774422A}\stubpath = "C:\\Windows\\{97E1E047-694B-4d06-B37C-32849774422A}.exe" | {A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}\stubpath = "C:\\Windows\\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe" | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB14747-CCBA-4f00-9594-55D9EF9325A5} | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}\stubpath = "C:\\Windows\\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe" | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B2A8849-268D-422e-A151-5C700A80A12C}\stubpath = "C:\\Windows\\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe" | {97E1E047-694B-4d06-B37C-32849774422A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B2A8849-268D-422e-A151-5C700A80A12C} | {97E1E047-694B-4d06-B37C-32849774422A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2} | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CAC947D-9D0C-4769-BB93-084A732F0D3D} | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7440503-E93F-42e3-803E-8DD8E80803F0} | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7440503-E93F-42e3-803E-8DD8E80803F0}\stubpath = "C:\\Windows\\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe" | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545} | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E1E047-694B-4d06-B37C-32849774422A} | {A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}\stubpath = "C:\\Windows\\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe" | {21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}\stubpath = "C:\\Windows\\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe" | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}\stubpath = "C:\\Windows\\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe" | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}\stubpath = "C:\\Windows\\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe" | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD} | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}\stubpath = "C:\\Windows\\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe" | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66A9645-A3BA-4709-B7E0-775806AAEFD2} | {21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe |
Deletes itself (1 IoCs)

| pid | Process |
|---|---|
| 2836 | cmd.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe |
| 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe |
| 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe |
| 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe |
| 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe |
| 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe |
| 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe |
| 1948 | {21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe |
| 832 | {A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe |
| 2896 | {97E1E047-694B-4d06-B37C-32849774422A}.exe |
| 300 | {5B2A8849-268D-422e-A151-5C700A80A12C}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe | {97E1E047-694B-4d06-B37C-32849774422A}.exe |
| File created | C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe |
| File created | C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe |
| File created | C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe |
| File created | C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe |
| File created | C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe | {21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe |
| File created | C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe |
| File created | C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe |
| File created | C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe |
| File created | C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe |
| File created | C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe | {A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe |
| Token: SeIncBasePriorityPrivilege | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe |
| Token: SeIncBasePriorityPrivilege | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe |
| Token: SeIncBasePriorityPrivilege | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe |
| Token: SeIncBasePriorityPrivilege | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe |
| Token: SeIncBasePriorityPrivilege | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe |
| Token: SeIncBasePriorityPrivilege | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe |
| Token: SeIncBasePriorityPrivilege | 1948 | {21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe |
| Token: SeIncBasePriorityPrivilege | 832 | {A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe |
| Token: SeIncBasePriorityPrivilege | 2896 | {97E1E047-694B-4d06-B37C-32849774422A}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3064 wrote to memory of 1920 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 30 |
| PID 3064 wrote to memory of 1920 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 30 |
| PID 3064 wrote to memory of 1920 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 30 |
| PID 3064 wrote to memory of 1920 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 30 |
| PID 3064 wrote to memory of 2836 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 31 |
| PID 3064 wrote to memory of 2836 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 31 |
| PID 3064 wrote to memory of 2836 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 31 |
| PID 3064 wrote to memory of 2836 | 3064 | 2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe | 31 |
| PID 1920 wrote to memory of 1652 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 32 |
| PID 1920 wrote to memory of 1652 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 32 |
| PID 1920 wrote to memory of 1652 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 32 |
| PID 1920 wrote to memory of 1652 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 32 |
| PID 1920 wrote to memory of 544 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 33 |
| PID 1920 wrote to memory of 544 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 33 |
| PID 1920 wrote to memory of 544 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 33 |
| PID 1920 wrote to memory of 544 | 1920 | {30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe | 33 |
| PID 1652 wrote to memory of 2624 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 34 |
| PID 1652 wrote to memory of 2624 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 34 |
| PID 1652 wrote to memory of 2624 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 34 |
| PID 1652 wrote to memory of 2624 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 34 |
| PID 1652 wrote to memory of 2672 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 35 |
| PID 1652 wrote to memory of 2672 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 35 |
| PID 1652 wrote to memory of 2672 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 35 |
| PID 1652 wrote to memory of 2672 | 1652 | {9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe | 35 |
| PID 2624 wrote to memory of 2640 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 36 |
| PID 2624 wrote to memory of 2640 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 36 |
| PID 2624 wrote to memory of 2640 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 36 |
| PID 2624 wrote to memory of 2640 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 36 |
| PID 2624 wrote to memory of 2764 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 37 |
| PID 2624 wrote to memory of 2764 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 37 |
| PID 2624 wrote to memory of 2764 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 37 |
| PID 2624 wrote to memory of 2764 | 2624 | {B7440503-E93F-42e3-803E-8DD8E80803F0}.exe | 37 |
| PID 2640 wrote to memory of 2556 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 38 |
| PID 2640 wrote to memory of 2556 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 38 |
| PID 2640 wrote to memory of 2556 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 38 |
| PID 2640 wrote to memory of 2556 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 38 |
| PID 2640 wrote to memory of 1960 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 39 |
| PID 2640 wrote to memory of 1960 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 39 |
| PID 2640 wrote to memory of 1960 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 39 |
| PID 2640 wrote to memory of 1960 | 2640 | {2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe | 39 |
| PID 2556 wrote to memory of 2560 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 40 |
| PID 2556 wrote to memory of 2560 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 40 |
| PID 2556 wrote to memory of 2560 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 40 |
| PID 2556 wrote to memory of 2560 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 40 |
| PID 2556 wrote to memory of 3012 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 41 |
| PID 2556 wrote to memory of 3012 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 41 |
| PID 2556 wrote to memory of 3012 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 41 |
| PID 2556 wrote to memory of 3012 | 2556 | {D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe | 41 |
| PID 2560 wrote to memory of 1400 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 42 |
| PID 2560 wrote to memory of 1400 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 42 |
| PID 2560 wrote to memory of 1400 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 42 |
| PID 2560 wrote to memory of 1400 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 42 |
| PID 2560 wrote to memory of 2052 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 43 |
| PID 2560 wrote to memory of 2052 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 43 |
| PID 2560 wrote to memory of 2052 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 43 |
| PID 2560 wrote to memory of 2052 | 2560 | {E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe | 43 |
| PID 1400 wrote to memory of 1948 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 44 |
| PID 1400 wrote to memory of 1948 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 44 |
| PID 1400 wrote to memory of 1948 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 44 |
| PID 1400 wrote to memory of 1948 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 44 |
| PID 1400 wrote to memory of 2236 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 45 |
| PID 1400 wrote to memory of 2236 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 45 |
| PID 1400 wrote to memory of 2236 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 45 |
| PID 1400 wrote to memory of 2236 | 1400 | {7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe | 45 |
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe (depth 1, PID 3064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe"
  Signatures: Boot or Logon Autostart Execution: Active Setup; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe (depth 2, PID 1920)
    Command line: C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe
    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe (depth 3, PID 1652)
      Command line: C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe
      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe (depth 4, PID 2624)
        Command line: C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe
        Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe (depth 5, PID 2640)
          Command line: C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe
          Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe (depth 6, PID 2556)
            Command line: C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe
            Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe (depth 7, PID 2560)
              Command line: C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe
              Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe (depth 8, PID 1400)
                Command line: C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe
                Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe (depth 9, PID 1948)
                  Command line: C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe
                  Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe (depth 10, PID 832)
                    Command line: C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe
                    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe (depth 11, PID 2896)
                      Command line: C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe
                      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe (depth 12, PID 300)
                        Command line: C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (depth 12, PID 1952)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{97E1E~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 3020)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A66A9~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2036)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{21A4D~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2236)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7D546~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2052)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FE3~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 3012)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E71~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 1960)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB14~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2764)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7440~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2672)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9CAC9~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 544)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{30AD2~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2836)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads