c30c69ad7b8cf413c33b33619e05d435799c2526af61cbbaa22c1776e91e4f78

Analysis

max time kernel
156s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
Size

408KB
MD5

22a1cd2624f0edf3452af50f006f75e0
SHA1

4d7ff73c751596a36094e333638629a9adfd9172
SHA256

c30c69ad7b8cf413c33b33619e05d435799c2526af61cbbaa22c1776e91e4f78
SHA512

edaaf532681b64193d89c15703a9407094ec184d54a78a5665074bb53068d8d5690c03017fe02243f59d5f592799be57c9aa0c6b2af74c57a8a711bc4b5e84fa
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B91EB8F-343D-4f4b-A160-32C045733F9E}\stubpath = "C:\\Windows\\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe"	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}	{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}\stubpath = "C:\\Windows\\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe"	{0056D646-5242-44b3-B66D-658863CFF240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}\stubpath = "C:\\Windows\\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe"	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871D95AE-877D-49e7-969C-770DA6C585C0}\stubpath = "C:\\Windows\\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe"	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}\stubpath = "C:\\Windows\\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe"	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB8F53D2-5FCE-404e-A517-887F436EE069}\stubpath = "C:\\Windows\\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe"	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0056D646-5242-44b3-B66D-658863CFF240}\stubpath = "C:\\Windows\\{0056D646-5242-44b3-B66D-658863CFF240}.exe"	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB8F53D2-5FCE-404e-A517-887F436EE069}	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B91EB8F-343D-4f4b-A160-32C045733F9E}	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}\stubpath = "C:\\Windows\\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe"	{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}\stubpath = "C:\\Windows\\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe"	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0056D646-5242-44b3-B66D-658863CFF240}	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}	{0056D646-5242-44b3-B66D-658863CFF240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}\stubpath = "C:\\Windows\\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe"	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871D95AE-877D-49e7-969C-770DA6C585C0}	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}\stubpath = "C:\\Windows\\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe"	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}\stubpath = "C:\\Windows\\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe"	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe

Executes dropped EXE 12 IoCs

pid	Process
4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe
2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
2992	{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
696	{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
File created	C:\Windows\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe	{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
File created	C:\Windows\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
File created	C:\Windows\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
File created	C:\Windows\{0056D646-5242-44b3-B66D-658863CFF240}.exe	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
File created	C:\Windows\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	{0056D646-5242-44b3-B66D-658863CFF240}.exe
File created	C:\Windows\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
File created	C:\Windows\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
File created	C:\Windows\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
File created	C:\Windows\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
File created	C:\Windows\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
File created	C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
Token: SeIncBasePriorityPrivilege	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
Token: SeIncBasePriorityPrivilege	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
Token: SeIncBasePriorityPrivilege	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe
Token: SeIncBasePriorityPrivilege	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
Token: SeIncBasePriorityPrivilege	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
Token: SeIncBasePriorityPrivilege	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
Token: SeIncBasePriorityPrivilege	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
Token: SeIncBasePriorityPrivilege	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
Token: SeIncBasePriorityPrivilege	3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
Token: SeIncBasePriorityPrivilege	2992	{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 4100	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	86
PID 684 wrote to memory of 4100	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	86
PID 684 wrote to memory of 4100	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	86
PID 684 wrote to memory of 4632	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	87
PID 684 wrote to memory of 4632	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	87
PID 684 wrote to memory of 4632	684	22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe	87
PID 4100 wrote to memory of 2152	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	91
PID 4100 wrote to memory of 2152	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	91
PID 4100 wrote to memory of 2152	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	91
PID 4100 wrote to memory of 2988	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	92
PID 4100 wrote to memory of 2988	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	92
PID 4100 wrote to memory of 2988	4100	{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe	92
PID 2152 wrote to memory of 2132	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	93
PID 2152 wrote to memory of 2132	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	93
PID 2152 wrote to memory of 2132	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	93
PID 2152 wrote to memory of 1656	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	94
PID 2152 wrote to memory of 1656	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	94
PID 2152 wrote to memory of 1656	2152	{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe	94
PID 2132 wrote to memory of 3384	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	95
PID 2132 wrote to memory of 3384	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	95
PID 2132 wrote to memory of 3384	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	95
PID 2132 wrote to memory of 1920	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	96
PID 2132 wrote to memory of 1920	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	96
PID 2132 wrote to memory of 1920	2132	{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe	96
PID 3384 wrote to memory of 2484	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	97
PID 3384 wrote to memory of 2484	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	97
PID 3384 wrote to memory of 2484	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	97
PID 3384 wrote to memory of 2352	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	98
PID 3384 wrote to memory of 2352	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	98
PID 3384 wrote to memory of 2352	3384	{0056D646-5242-44b3-B66D-658863CFF240}.exe	98
PID 2484 wrote to memory of 3596	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	99
PID 2484 wrote to memory of 3596	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	99
PID 2484 wrote to memory of 3596	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	99
PID 2484 wrote to memory of 5084	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	100
PID 2484 wrote to memory of 5084	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	100
PID 2484 wrote to memory of 5084	2484	{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe	100
PID 3596 wrote to memory of 2116	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	101
PID 3596 wrote to memory of 2116	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	101
PID 3596 wrote to memory of 2116	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	101
PID 3596 wrote to memory of 804	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	102
PID 3596 wrote to memory of 804	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	102
PID 3596 wrote to memory of 804	3596	{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe	102
PID 2116 wrote to memory of 2436	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	103
PID 2116 wrote to memory of 2436	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	103
PID 2116 wrote to memory of 2436	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	103
PID 2116 wrote to memory of 3216	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	104
PID 2116 wrote to memory of 3216	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	104
PID 2116 wrote to memory of 3216	2116	{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe	104
PID 2436 wrote to memory of 1412	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	105
PID 2436 wrote to memory of 1412	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	105
PID 2436 wrote to memory of 1412	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	105
PID 2436 wrote to memory of 4904	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	106
PID 2436 wrote to memory of 4904	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	106
PID 2436 wrote to memory of 4904	2436	{871D95AE-877D-49e7-969C-770DA6C585C0}.exe	106
PID 1412 wrote to memory of 3460	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	107
PID 1412 wrote to memory of 3460	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	107
PID 1412 wrote to memory of 3460	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	107
PID 1412 wrote to memory of 1660	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	108
PID 1412 wrote to memory of 1660	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	108
PID 1412 wrote to memory of 1660	1412	{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe	108
PID 3460 wrote to memory of 2992	3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe	109
PID 3460 wrote to memory of 2992	3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe	109
PID 3460 wrote to memory of 2992	3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe	109
PID 3460 wrote to memory of 872	3460	{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe	110

C:\Users\Admin\AppData\Local\Temp\22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\22a1cd2624f0edf3452af50f006f75e0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
  C:\Windows\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
    C:\Windows\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
      C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\{0056D646-5242-44b3-B66D-658863CFF240}.exe
        
        C:\Windows\{0056D646-5242-44b3-B66D-658863CFF240}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
      - C:\Windows\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
        
        C:\Windows\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
        
        C:\Windows\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
        
        C:\Windows\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
        
        C:\Windows\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
        
        C:\Windows\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
        
        C:\Windows\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
        
        C:\Windows\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe
        
        C:\Windows\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe
        13⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A391E~1.EXE > nul
        13⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{401AC~1.EXE > nul
        12⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B91E~1.EXE > nul
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{871D9~1.EXE > nul
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE66D~1.EXE > nul
        9⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2AD1~1.EXE > nul
        8⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A7EE~1.EXE > nul
        7⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0056D~1.EXE > nul
        6⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8F5~1.EXE > nul
        5⤵
        
        PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4AD5~1.EXE > nul
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9AF2F~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22A1CD~1.EXE > nul
  2⤵
  PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0056D646-5242-44b3-B66D-658863CFF240}.exe

Filesize
408KB

MD5
e5c79d97bfe5a45ff68b196a16409c06

SHA1
9c876e45e252fb7edba83976e40c4f170430c58b

SHA256
83261b99ebb7ed9d663901d1c31518335de49e49d68686019e0ee26bf45cd777

SHA512
0d573ebd0dcffc158a80f5ef11e172106b9ade604a98d2c0b73eb9c42e231174b1053d407a76372034ace91536df7140cbbb2bd2d2d8009bc0fcaa1481cd0ffd

Download Submit
C:\Windows\{0056D646-5242-44b3-B66D-658863CFF240}.exe

Filesize
408KB

MD5
e5c79d97bfe5a45ff68b196a16409c06

SHA1
9c876e45e252fb7edba83976e40c4f170430c58b

SHA256
83261b99ebb7ed9d663901d1c31518335de49e49d68686019e0ee26bf45cd777

SHA512
0d573ebd0dcffc158a80f5ef11e172106b9ade604a98d2c0b73eb9c42e231174b1053d407a76372034ace91536df7140cbbb2bd2d2d8009bc0fcaa1481cd0ffd

Download Submit
C:\Windows\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe

Filesize
408KB

MD5
b64f1adbbd41c727ebfd9f558eb6b7c4

SHA1
78513c2d5bf954ce82f785936b852992b22f4315

SHA256
b8803e8e10644a9a9fe5f52d17db58170524f13d6b2504523011bb924b2dede5

SHA512
12b6fac933d9a94c9b6df5fed39aa21b94d6277e871a79a3c7fccf56ec41b39b8d4371c03e7b3808bb47255d81475493f7291b3208f14118f7dd1e02f5784e9c

Download Submit
C:\Windows\{1A7EE3FC-A59E-4018-AAFA-5C0FF8A934C9}.exe

Filesize
408KB

MD5
b64f1adbbd41c727ebfd9f558eb6b7c4

SHA1
78513c2d5bf954ce82f785936b852992b22f4315

SHA256
b8803e8e10644a9a9fe5f52d17db58170524f13d6b2504523011bb924b2dede5

SHA512
12b6fac933d9a94c9b6df5fed39aa21b94d6277e871a79a3c7fccf56ec41b39b8d4371c03e7b3808bb47255d81475493f7291b3208f14118f7dd1e02f5784e9c

Download Submit
C:\Windows\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe

Filesize
408KB

MD5
f8e9d0d75df39a30ae22f61b82cc89fc

SHA1
fbe5a49e8026619ed736cd8f626707c1a79c1ea0

SHA256
e00de5c359ccf38145d66d65b7edfa8136e1d5eda99240bf1b420ab357c9fa79

SHA512
374738b7eb7f38d6079212f574c89ea51600807837ee9e879720ad5e941b816847a5d51b70d4b79bd3e429e84f7b34d1e4403d3d3f68eb514189b9637267871b

Download Submit
C:\Windows\{33ABE730-A657-49c3-B83E-CF3F3DF3230E}.exe

Filesize
408KB

MD5
f8e9d0d75df39a30ae22f61b82cc89fc

SHA1
fbe5a49e8026619ed736cd8f626707c1a79c1ea0

SHA256
e00de5c359ccf38145d66d65b7edfa8136e1d5eda99240bf1b420ab357c9fa79

SHA512
374738b7eb7f38d6079212f574c89ea51600807837ee9e879720ad5e941b816847a5d51b70d4b79bd3e429e84f7b34d1e4403d3d3f68eb514189b9637267871b

Download Submit
C:\Windows\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe

Filesize
408KB

MD5
561c7711dcb105b32e19e0ce1f0c08e7

SHA1
0cfca59afe501a8eed7844b255bdadc63268d691

SHA256
5fd0b8c6f0f367fed663701c95df070368234112d52cabf572903536c1f80c8e

SHA512
f2ddf83c83887d50609db907231a8c311f74adb281dbd10c0afbdbcc7f032e79c8bf8f3fcd7b20286fc6eb0708094fcbfe670f2ff560059258349a0d9fa39866

Download Submit
C:\Windows\{401AC5C6-F41C-4aaa-818E-5F3F56AA6073}.exe

Filesize
408KB

MD5
561c7711dcb105b32e19e0ce1f0c08e7

SHA1
0cfca59afe501a8eed7844b255bdadc63268d691

SHA256
5fd0b8c6f0f367fed663701c95df070368234112d52cabf572903536c1f80c8e

SHA512
f2ddf83c83887d50609db907231a8c311f74adb281dbd10c0afbdbcc7f032e79c8bf8f3fcd7b20286fc6eb0708094fcbfe670f2ff560059258349a0d9fa39866

Download Submit
C:\Windows\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe

Filesize
408KB

MD5
be1cd0530f72d78106647e6c7abc8878

SHA1
bd5fa56af592eeb586e81a19701eb3b97e97cc62

SHA256
b748cf689f5f84e5148472c83445af25c11908a8930c6cb5f969e2a053ba2f81

SHA512
2238285762720264e297c07af9fd33071a4d2f2962ef39b89edf252bce6c5f59452aff77ccb2f5109037f05728485b90da7c3395e5512daebd9715610ec6c83a

Download Submit
C:\Windows\{5B91EB8F-343D-4f4b-A160-32C045733F9E}.exe

Filesize
408KB

MD5
be1cd0530f72d78106647e6c7abc8878

SHA1
bd5fa56af592eeb586e81a19701eb3b97e97cc62

SHA256
b748cf689f5f84e5148472c83445af25c11908a8930c6cb5f969e2a053ba2f81

SHA512
2238285762720264e297c07af9fd33071a4d2f2962ef39b89edf252bce6c5f59452aff77ccb2f5109037f05728485b90da7c3395e5512daebd9715610ec6c83a

Download Submit
C:\Windows\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe

Filesize
408KB

MD5
a0b17fc7ee1a1b3dee0151608f88df7a

SHA1
d7b9d5dcda36f9cfbf3ab074191104657e51bc5e

SHA256
e0d2b1e1569509e1eeb330f5f21dc4224c6845d95722679405db447202025a57

SHA512
75ce2e710a237032c1b6a3aea452d7f48b68ce87e696fbc0245a591dfc89fc63533d8b70164c0676d15ca74229b47dbb5c52b96392a764b0079b127590f28d89

Download Submit
C:\Windows\{871D95AE-877D-49e7-969C-770DA6C585C0}.exe

Filesize
408KB

MD5
a0b17fc7ee1a1b3dee0151608f88df7a

SHA1
d7b9d5dcda36f9cfbf3ab074191104657e51bc5e

SHA256
e0d2b1e1569509e1eeb330f5f21dc4224c6845d95722679405db447202025a57

SHA512
75ce2e710a237032c1b6a3aea452d7f48b68ce87e696fbc0245a591dfc89fc63533d8b70164c0676d15ca74229b47dbb5c52b96392a764b0079b127590f28d89

Download Submit
C:\Windows\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe

Filesize
408KB

MD5
874df0f9a47eb4ecdbd9511877958f4f

SHA1
02bcc20cc438922b3c756cb8e4a06a0e3e4afa79

SHA256
692618f030d9d151cc25ffd2c83a273c594db0bf6c9526346c9653f22a5da860

SHA512
58405ebf3f1f9be92df88fb057b1c9cf5adc74f6d773142deb353f8f72b828e502932c942eb5a7126692c39703055eb3e302a7b0c130fbc49cbc5855a5f9bf83

Download Submit
C:\Windows\{9AF2FF20-2732-4f23-95BE-69F310EC6F3B}.exe

Filesize
408KB

MD5
874df0f9a47eb4ecdbd9511877958f4f

SHA1
02bcc20cc438922b3c756cb8e4a06a0e3e4afa79

SHA256
692618f030d9d151cc25ffd2c83a273c594db0bf6c9526346c9653f22a5da860

SHA512
58405ebf3f1f9be92df88fb057b1c9cf5adc74f6d773142deb353f8f72b828e502932c942eb5a7126692c39703055eb3e302a7b0c130fbc49cbc5855a5f9bf83

Download Submit
C:\Windows\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe

Filesize
408KB

MD5
e6fe7f9898e91abe64de6728498c5469

SHA1
c0f5d5139c24ea2869cb573a9a89ec590d882c25

SHA256
c426a5c203c7c968b599bdb5eedc18281f033046b6542ee5eb453aee94025379

SHA512
7ec727b6276e03323dc036e3d4a24d1b67a91c93709891fbb81382d213e55d2339f25e0da88baf4d2fc2e2d4353f1f7015cddca941a75df68bda193931794d9e

Download Submit
C:\Windows\{A391EBE8-F9F7-4c43-84EF-0B803C4F2735}.exe

Filesize
408KB

MD5
e6fe7f9898e91abe64de6728498c5469

SHA1
c0f5d5139c24ea2869cb573a9a89ec590d882c25

SHA256
c426a5c203c7c968b599bdb5eedc18281f033046b6542ee5eb453aee94025379

SHA512
7ec727b6276e03323dc036e3d4a24d1b67a91c93709891fbb81382d213e55d2339f25e0da88baf4d2fc2e2d4353f1f7015cddca941a75df68bda193931794d9e

Download Submit
C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe

Filesize
408KB

MD5
be7cea9dbd4ef3aa6444d35e1de476b7

SHA1
dc215817ffbe99c0503c67cd3e25fca5af898200

SHA256
204ec620bcf366d8b68b3e38b517b11eb545aceb71da8bd1f56152005459ad5d

SHA512
7ed5430e5981f3f5e8fdc3166d7ac5aede0c899414f26b34fe27c01855fff64960eb61e16e80f8caeb03ea7be0ae3e8b722a3787be5039298f4389a7a910226c

Download Submit
C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe

Filesize
408KB

MD5
be7cea9dbd4ef3aa6444d35e1de476b7

SHA1
dc215817ffbe99c0503c67cd3e25fca5af898200

SHA256
204ec620bcf366d8b68b3e38b517b11eb545aceb71da8bd1f56152005459ad5d

SHA512
7ed5430e5981f3f5e8fdc3166d7ac5aede0c899414f26b34fe27c01855fff64960eb61e16e80f8caeb03ea7be0ae3e8b722a3787be5039298f4389a7a910226c

Download Submit
C:\Windows\{BB8F53D2-5FCE-404e-A517-887F436EE069}.exe

Filesize
408KB

MD5
be7cea9dbd4ef3aa6444d35e1de476b7

SHA1
dc215817ffbe99c0503c67cd3e25fca5af898200

SHA256
204ec620bcf366d8b68b3e38b517b11eb545aceb71da8bd1f56152005459ad5d

SHA512
7ed5430e5981f3f5e8fdc3166d7ac5aede0c899414f26b34fe27c01855fff64960eb61e16e80f8caeb03ea7be0ae3e8b722a3787be5039298f4389a7a910226c

Download Submit
C:\Windows\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe

Filesize
408KB

MD5
0419a88781a3ab5da1353f630071151c

SHA1
9fecc6f213e1d7ee801a7cfebd50f107792f6be6

SHA256
7fe84c5035a7d255fa0ec2367c1ef6e3415b42465bae6f3eb65443784536b678

SHA512
6c58360ac2f686f7dc608218d6c6b9ad1b64617fdcb32093e72f0f302ce38431d62738bf306bcaa036a60fe51e9fe908f1c4c30fd0a9f008a2215818cd9fac9a

Download Submit
C:\Windows\{E4AD543C-1238-40b4-AB19-C810C7AD2E8E}.exe

Filesize
408KB

MD5
0419a88781a3ab5da1353f630071151c

SHA1
9fecc6f213e1d7ee801a7cfebd50f107792f6be6

SHA256
7fe84c5035a7d255fa0ec2367c1ef6e3415b42465bae6f3eb65443784536b678

SHA512
6c58360ac2f686f7dc608218d6c6b9ad1b64617fdcb32093e72f0f302ce38431d62738bf306bcaa036a60fe51e9fe908f1c4c30fd0a9f008a2215818cd9fac9a

Download Submit
C:\Windows\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe

Filesize
408KB

MD5
b113cb4eb767f460a6ebc1ac74989236

SHA1
a0eb78813a30d2d0929a3e2244096d6d0fd96879

SHA256
7fda9b8d34e20cbe76bd6c799af88330242daf73e27119b58b52bfcf658eca4b

SHA512
0c3533fc3f0623549e53a6fa9190629289eb88e89aebbc6141523900e2d36e6e85a66712946b0147d4fbb021475576a5eb22fdf590f944943de8f09b31a48578

Download Submit
C:\Windows\{EE66DE1A-BE36-4d3a-8270-FE56CE28A7D0}.exe

Filesize
408KB

MD5
b113cb4eb767f460a6ebc1ac74989236

SHA1
a0eb78813a30d2d0929a3e2244096d6d0fd96879

SHA256
7fda9b8d34e20cbe76bd6c799af88330242daf73e27119b58b52bfcf658eca4b

SHA512
0c3533fc3f0623549e53a6fa9190629289eb88e89aebbc6141523900e2d36e6e85a66712946b0147d4fbb021475576a5eb22fdf590f944943de8f09b31a48578

Download Submit
C:\Windows\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe

Filesize
408KB

MD5
b7978a89a7842a32e8d49a35e1bd1801

SHA1
4273a4c8d80273f239afba3ffc7b6f6f32bfe16e

SHA256
a208d63c9621066193bec61ed34578c1d4a17f5c46ba595e4dca0b566c3c2b90

SHA512
1de20608dc1e4971ab0eefb2c1b689eb6965553b72f752d0cdc36ce67dfadb57261faeb86936aaa3ed2a856412ae52be1a5e7bbac7606f3344f76413a7eee358

Download Submit
C:\Windows\{F2AD1D01-0FD8-49a8-B34B-F56A09DD065F}.exe

Filesize
408KB

MD5
b7978a89a7842a32e8d49a35e1bd1801

SHA1
4273a4c8d80273f239afba3ffc7b6f6f32bfe16e

SHA256
a208d63c9621066193bec61ed34578c1d4a17f5c46ba595e4dca0b566c3c2b90

SHA512
1de20608dc1e4971ab0eefb2c1b689eb6965553b72f752d0cdc36ce67dfadb57261faeb86936aaa3ed2a856412ae52be1a5e7bbac7606f3344f76413a7eee358

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads