b821f2c5e9bdadee29d8f6b021503e2ce0d6785f5c78a9d9749bdfea06515e17

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
Size

372KB
MD5

52eef4e9af398f26952eee5944331a32
SHA1

b6a6ed63ae02efc88757f63416d34741c9156ca0
SHA256

b821f2c5e9bdadee29d8f6b021503e2ce0d6785f5c78a9d9749bdfea06515e17
SHA512

36dbc71389b5c3b968bfe65ceb7c9444b10728590a008d34fe04443da7ff42d160fcf77c89ad50a0462977757b8f5e42b7b22688c7c88a59a128a196cf945482
SSDEEP

3072:CEGh0onlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}\stubpath = "C:\\Windows\\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe"	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65B00D8-4641-455d-BE79-D2275D190DCE}	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}	{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{003766EB-5C96-45ff-AFF7-26EE6AB13361}\stubpath = "C:\\Windows\\{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe"	{C7583578-7214-474a-B5F9-76E847927479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6533CEA-6AFE-4002-B834-E776F75A92F9}\stubpath = "C:\\Windows\\{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe"	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}	{2683DCC9-1271-4073-B952-180509581952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}\stubpath = "C:\\Windows\\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe"	{2683DCC9-1271-4073-B952-180509581952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}	{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7583578-7214-474a-B5F9-76E847927479}	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{003766EB-5C96-45ff-AFF7-26EE6AB13361}	{C7583578-7214-474a-B5F9-76E847927479}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2683DCC9-1271-4073-B952-180509581952}\stubpath = "C:\\Windows\\{2683DCC9-1271-4073-B952-180509581952}.exe"	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}\stubpath = "C:\\Windows\\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe"	{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}\stubpath = "C:\\Windows\\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe"	{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35E81139-7781-48e0-A4C7-57CE1528B2B6}	{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35E81139-7781-48e0-A4C7-57CE1528B2B6}\stubpath = "C:\\Windows\\{35E81139-7781-48e0-A4C7-57CE1528B2B6}.exe"	{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6533CEA-6AFE-4002-B834-E776F75A92F9}	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65B00D8-4641-455d-BE79-D2275D190DCE}\stubpath = "C:\\Windows\\{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe"	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}	{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2683DCC9-1271-4073-B952-180509581952}	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}\stubpath = "C:\\Windows\\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe"	{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7583578-7214-474a-B5F9-76E847927479}\stubpath = "C:\\Windows\\{C7583578-7214-474a-B5F9-76E847927479}.exe"	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}\stubpath = "C:\\Windows\\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe"	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2676	{C7583578-7214-474a-B5F9-76E847927479}.exe
2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
1600	{2683DCC9-1271-4073-B952-180509581952}.exe
1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
1860	{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
2564	{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
2084	{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
2292	{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
File created	C:\Windows\{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	{C7583578-7214-474a-B5F9-76E847927479}.exe
File created	C:\Windows\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
File created	C:\Windows\{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
File created	C:\Windows\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	{2683DCC9-1271-4073-B952-180509581952}.exe
File created	C:\Windows\{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
File created	C:\Windows\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe	{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
File created	C:\Windows\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
File created	C:\Windows\{2683DCC9-1271-4073-B952-180509581952}.exe	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
File created	C:\Windows\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe	{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
File created	C:\Windows\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe	{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
File created	C:\Windows\{35E81139-7781-48e0-A4C7-57CE1528B2B6}.exe	{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe
Token: SeIncBasePriorityPrivilege	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
Token: SeIncBasePriorityPrivilege	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
Token: SeIncBasePriorityPrivilege	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
Token: SeIncBasePriorityPrivilege	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
Token: SeIncBasePriorityPrivilege	1600	{2683DCC9-1271-4073-B952-180509581952}.exe
Token: SeIncBasePriorityPrivilege	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
Token: SeIncBasePriorityPrivilege	1860	{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
Token: SeIncBasePriorityPrivilege	2564	{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
Token: SeIncBasePriorityPrivilege	2084	{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
Token: SeIncBasePriorityPrivilege	2292	{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2676	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	31
PID 2608 wrote to memory of 2676	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	31
PID 2608 wrote to memory of 2676	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	31
PID 2608 wrote to memory of 2676	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	31
PID 2608 wrote to memory of 2772	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	30
PID 2608 wrote to memory of 2772	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	30
PID 2608 wrote to memory of 2772	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	30
PID 2608 wrote to memory of 2772	2608	2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe	30
PID 2676 wrote to memory of 2748	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	32
PID 2676 wrote to memory of 2748	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	32
PID 2676 wrote to memory of 2748	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	32
PID 2676 wrote to memory of 2748	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	32
PID 2676 wrote to memory of 2580	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	33
PID 2676 wrote to memory of 2580	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	33
PID 2676 wrote to memory of 2580	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	33
PID 2676 wrote to memory of 2580	2676	{C7583578-7214-474a-B5F9-76E847927479}.exe	33
PID 2748 wrote to memory of 3052	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	34
PID 2748 wrote to memory of 3052	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	34
PID 2748 wrote to memory of 3052	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	34
PID 2748 wrote to memory of 3052	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	34
PID 2748 wrote to memory of 2424	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	35
PID 2748 wrote to memory of 2424	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	35
PID 2748 wrote to memory of 2424	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	35
PID 2748 wrote to memory of 2424	2748	{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe	35
PID 3052 wrote to memory of 672	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	36
PID 3052 wrote to memory of 672	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	36
PID 3052 wrote to memory of 672	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	36
PID 3052 wrote to memory of 672	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	36
PID 3052 wrote to memory of 584	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	37
PID 3052 wrote to memory of 584	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	37
PID 3052 wrote to memory of 584	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	37
PID 3052 wrote to memory of 584	3052	{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe	37
PID 672 wrote to memory of 1652	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	38
PID 672 wrote to memory of 1652	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	38
PID 672 wrote to memory of 1652	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	38
PID 672 wrote to memory of 1652	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	38
PID 672 wrote to memory of 2888	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	39
PID 672 wrote to memory of 2888	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	39
PID 672 wrote to memory of 2888	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	39
PID 672 wrote to memory of 2888	672	{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe	39
PID 1652 wrote to memory of 1600	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	40
PID 1652 wrote to memory of 1600	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	40
PID 1652 wrote to memory of 1600	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	40
PID 1652 wrote to memory of 1600	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	40
PID 1652 wrote to memory of 2132	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	41
PID 1652 wrote to memory of 2132	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	41
PID 1652 wrote to memory of 2132	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	41
PID 1652 wrote to memory of 2132	1652	{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe	41
PID 1600 wrote to memory of 1636	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	42
PID 1600 wrote to memory of 1636	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	42
PID 1600 wrote to memory of 1636	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	42
PID 1600 wrote to memory of 1636	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	42
PID 1600 wrote to memory of 2440	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	43
PID 1600 wrote to memory of 2440	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	43
PID 1600 wrote to memory of 2440	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	43
PID 1600 wrote to memory of 2440	1600	{2683DCC9-1271-4073-B952-180509581952}.exe	43
PID 1636 wrote to memory of 1860	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	45
PID 1636 wrote to memory of 1860	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	45
PID 1636 wrote to memory of 1860	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	45
PID 1636 wrote to memory of 1860	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	45
PID 1636 wrote to memory of 2720	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	44
PID 1636 wrote to memory of 2720	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	44
PID 1636 wrote to memory of 2720	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	44
PID 1636 wrote to memory of 2720	1636	{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_52eef4e9af398f26952eee5944331a32_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2772
- C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe
  C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
    C:\Windows\{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
      C:\Windows\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
        
        C:\Windows\{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\Windows\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
        
        C:\Windows\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{2683DCC9-1271-4073-B952-180509581952}.exe
        
        C:\Windows\{2683DCC9-1271-4073-B952-180509581952}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
        
        C:\Windows\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74B88~1.EXE > nul
        9⤵
        
        PID:2720
        
        C:\Windows\{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
        
        C:\Windows\{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
        
        C:\Windows\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
        
        C:\Windows\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{016C3~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe
        
        C:\Windows\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FDE~1.EXE > nul
        13⤵
        
        PID:1572
        
        C:\Windows\{35E81139-7781-48e0-A4C7-57CE1528B2B6}.exe
        
        C:\Windows\{35E81139-7781-48e0-A4C7-57CE1528B2B6}.exe
        13⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A07E~1.EXE > nul
        11⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E65B0~1.EXE > nul
        10⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2683D~1.EXE > nul
        8⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EF08~1.EXE > nul
        7⤵
        
        PID:2132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6533~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6D56~1.EXE > nul
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{00376~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7583~1.EXE > nul
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{003766EB-5C96-45ff-AFF7-26EE6AB13361}.exe

Filesize
372KB

MD5
fc230599c0cb884937dc44dfc79445a0

SHA1
943c66519037d46279bb711cb281c605bc4e868e

SHA256
9c396902344427e5e2f8df308eaf9a54ea5ee7ddc187bcb63748cc143182951f

SHA512
f8ce68b2ff02caca9f6484bc6e4cd4f1cd4e90b4fc135278a75b769cae447f94282a437a712bbbeb8de3e5561ac896b41b223c6b3ec4095803281971d2c8e375

Download Submit
C:\Windows\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe

Filesize
318KB

MD5
aa4b9b4d7a88429bcb41e7bbda17b201

SHA1
cc37b37d85c25540eed3bfa41d00d5d464f297c2

SHA256
c42b29515d4e55eb63ac1b5c20dcd82bd03e2c31bf01affaaaf8c65816b8bfd2

SHA512
1846b4ca3f6a2f0230e0bb84970d59c15bcf5289051db01be0c42001114f4d8199d7721d32bf4deb429c0571908e62aa8f6f564de946cb090f8be2a883398bfc

Download Submit
C:\Windows\{016C3A00-FBC3-4dbb-AD22-E4A9DA6BE2FF}.exe

Filesize
372KB

MD5
d1b93c7797ae6b47befd6c644aa1fb80

SHA1
de9f94f45ff98d1b0f30d3d0689ede6957e96165

SHA256
f9b851052b6d27731bb35074d94e5e384200e6bbbd6d4a16d99824099f4c84b2

SHA512
7c20ce1cf0379a0ab697ef821bb8ed5175a6fdd292abcaaf5dd8b9b0f1abf6ed3787b89c2905027aa4539cf121793ff48cd8c590c57595627e88407b9afe6a29

Download Submit
C:\Windows\{1A07E319-2B4B-40af-A408-3E5E5569C2B1}.exe

Filesize
372KB

MD5
1d6c459722636fee865a615e9bf18f99

SHA1
7e369e0ffc5f2655c6b63783a5b30674a9555d01

SHA256
8905095d31cea581af128bb0b210de8553c333e303730953601265bcc90f7172

SHA512
644fe34c6f2a7362a8a9b0b2d1600cde76999130437a43eb960b234dbc2ddc00492865f31074f41762a8e5a70ebdeccf9eb5257ebb899493fe9c02aeba20957a

Download Submit
C:\Windows\{2683DCC9-1271-4073-B952-180509581952}.exe

Filesize
372KB

MD5
f685d3b7f40445b9f741aed64b3e6ce9

SHA1
d142c264eff769d25dfabeb22972bd4eb8dbf3c3

SHA256
46a65cb018abf17de5d840ac2d3e59d33c01a7be38bd6423f013ebeccd2c83fb

SHA512
724df8aae70b424ebc3adc93dc9f055b1e1eaec6cacd78085a62e2c7fa9abaed02856acda0930f017b15b891f9da8169e48d9db1c5b4b31a8a7c47022d25bf0e

Download Submit
C:\Windows\{35E81139-7781-48e0-A4C7-57CE1528B2B6}.exe

Filesize
372KB

MD5
4e02a39675e9c792a2b7b0927dc32c87

SHA1
e3658cdb02dfb09199c8a2347f81f0cfffdf90ee

SHA256
6628b11cde7579259669cb9c490442957d6af2d3e9b13c4cdaaf965b2ddb2b5c

SHA512
7c6017148700b74bffe96661a45281ae9b4ffbffb65ed554367f1bcbb71a4af6c60521e11ba2ae32dd2ff2b35121ef48b5fe63740f79235bf0e8e6f7da339069

Download Submit
C:\Windows\{74B88033-9A92-4d86-ABE7-8E81FF773C5D}.exe

Filesize
372KB

MD5
275174535f32a83620446ce9353f0d92

SHA1
fa6ef550dd6199f9f088ef3cd3a5e42836cd80e4

SHA256
938dfe215712ea63d94c36d6366a31620ad2eed9c2f1ff0aa3159c92c6cfe2f9

SHA512
901018ec4ddab513ef6b7f7bc2d937f821de72b278088f3057e45e585128598f38d5410fd8536eb343d47d3f9685ce574570da4612ed594d5dbce8f3aed6c4a9

Download Submit
C:\Windows\{8EF082C2-AED5-4bbc-B876-936BB61F26C6}.exe

Filesize
372KB

MD5
974cfe631287eca54c19af35a68566fa

SHA1
79149d58b1d2c57765dd02de15785df2e32b4d5b

SHA256
82bd90e78eb1f84aba76e035d00f1a1ecd90dc9f06247c42281c2baa3a61d590

SHA512
204fdc8ba9fb1085f3d90fadd03b0b299ad3b099af0f4618eea17a765dcc288454f6eb51f553ca4137f4422521b1dd348c1fdb86dd6c19cbeb37e882f4b0854b

Download Submit
C:\Windows\{C6533CEA-6AFE-4002-B834-E776F75A92F9}.exe

Filesize
372KB

MD5
c8afd94b6bc4a2e5aaf6679e852fed5e

SHA1
f541112946c8927bcd26b1eaffe55cb95c1de68d

SHA256
53114387fdb4c867f7a735f0a104b331438536a6260ac79c014ea66f19d543c1

SHA512
c10c2eaa639eb64cbe2dba43388e145f7ed5eb9eb2e8c5cc4fb67cbc2558036f6b076dba4dc6e48220f9dd67d2edcfa4171966da6fd1cedabc92aa47d706dd22

Download Submit
C:\Windows\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe

Filesize
194KB

MD5
f6cf0db7f41c4ba94fd93b8b1fa3261f

SHA1
ef88cc1f6a829a39e14ee0b05ebf805035a872c8

SHA256
20f54728f6d97d86f42103ff58292302b3ef28b3d305343bcbf9144433d4d718

SHA512
448caa5e5768d4ca1a58e2ebfeea1df1e5f71edee50682cfff46d081b8d76d1d525805208540fd66bc9d2ec7ac3dc720eb5ac95cf1ede5973f6faf36a3845f7e

Download Submit
C:\Windows\{C6FDE4E8-D797-47d6-8423-5DF0B1968217}.exe

Filesize
372KB

MD5
85f7f59cc0570cd6b3511e4247c72a66

SHA1
b090e6148612379bccbf8c8205f70d4ae7c0bb7e

SHA256
ed259963510de9c1ee3d2dd1c711cf595b1c44bccc7b6ca71fdf7d128bbcf6a3

SHA512
43aaafbdb5017dc734c5445c6bd5e36e57798b7bc1fa91e8a48744e85c4968e65bec4b21d3e6be2b408d4b4de1efea3ce8b146b6de49b4a3bb96a035c34c7f42

Download Submit
C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe

Filesize
156KB

MD5
c1dfa5eb9002c4d0e0f881cc91d06083

SHA1
acc96134467fb15a5f2d70dc72f0ef8fcc6822ba

SHA256
36890789de548de9f6bd19e5d6094f7a455a5c2053dd5f80b7380fd1859e986f

SHA512
7da771d2ca83c3ce22e35e85ec93559f439e2625c0d4bc7499da6e76f3cb1b28886d861cdc0cb507baf695cbd51b42e7d8345e5f5bf9c091ce1519be45968d8e

Download Submit
C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe

Filesize
190KB

MD5
27bcc5dacd75441a56ed441e88dbf756

SHA1
e83ffdd361f52150549bc4b1ecdc7ea43eedf674

SHA256
cd99e49cd539ee41080d3bbeaf4a73e054c09ef33904fe890f7ab373cb0a9f2d

SHA512
40e7eee4eb7f8bd8517d99c7eb8422d3f33cb37fba48653624469e82a37caf650cf0214487990e7efa2cb6f65c446069601ec5d284604a1b7a0acc1378f491a6

Download Submit
C:\Windows\{C7583578-7214-474a-B5F9-76E847927479}.exe

Filesize
372KB

MD5
a8539057c891c8a0f8ecf1c0596b25de

SHA1
e6f0ae008a4ad3b338f72a7af0697db244af0954

SHA256
338567ba5cbbad6f0fce26e6b67157af87688f92ca5762f0a9a9908dfdba332c

SHA512
7a28d094fc9ac1e8449d3ec8d40beabda189f7c8965df2324fabb12a1c6a5f4019b9a1805650c5b5d2e66be29f1c3ce193f8b150d7f582e18dd29934bfd30966

Download Submit
C:\Windows\{D6D56CBC-E1AA-40c8-B9D0-D16357DF95DB}.exe

Filesize
372KB

MD5
98e984718c0d4828bb941c439e5d2896

SHA1
e2857246e1bd2dd2c3c050ba9918baae52387598

SHA256
5db7aca0ed8d0d6b1c126829b744f3f8d3055dbf0b6df576dcf48da7f389866a

SHA512
c45f21744638729a2b27a58437e33e56901dedc056b7ade7c985f72ee775b5450de25047ccf6dc594caea3b98b8ec1d69a4233103b778263109c3711348c31bc

Download Submit
C:\Windows\{E65B00D8-4641-455d-BE79-D2275D190DCE}.exe

Filesize
372KB

MD5
1e24499e24960449bc5923a28aca255f

SHA1
b70e9201c9e07722bf68a66ce4b50dcb21c203e8

SHA256
84133cc31eed18119753efcb88b9970454581e5a255dd065f0b988d0640c9799

SHA512
0b9c835286681dc6cf8b1043413eca6e76a5b0e9205765b67aa894cd952adbd8fc78e6418a1f18886f6ae3c53129848fdf4b753e8c28b3688d4005d477739d25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads