5baee6543677913858df40a3b072baf177d3730d86af39bb6eb4521fd5f9741e

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Size

408KB
MD5

66f8593370eb098a83db693a9b0cd144
SHA1

e2e28df949e36dec249c98b5cef8c6f1035954b3
SHA256

5baee6543677913858df40a3b072baf177d3730d86af39bb6eb4521fd5f9741e
SHA512

f72dd4f4aa28a3fa434b1ac2189b6d63be45ac633e5393efc15479ec612f6b2cff7952b6211ef9000d1a7b13091ae054671b88405bd203a7d38cfacde72ad9c5
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}\stubpath = "C:\\Windows\\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe"	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53566E27-8D93-4106-A9CF-A27680777B05}\stubpath = "C:\\Windows\\{53566E27-8D93-4106-A9CF-A27680777B05}.exe"	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}\stubpath = "C:\\Windows\\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe"	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}\stubpath = "C:\\Windows\\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe"	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{252D3475-E8BC-4547-AB45-60D13D4A928A}\stubpath = "C:\\Windows\\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe"	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}\stubpath = "C:\\Windows\\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe"	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}\stubpath = "C:\\Windows\\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe"	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{252D3475-E8BC-4547-AB45-60D13D4A928A}	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}\stubpath = "C:\\Windows\\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe"	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}\stubpath = "C:\\Windows\\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe"	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53566E27-8D93-4106-A9CF-A27680777B05}	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}\stubpath = "C:\\Windows\\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe"	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}\stubpath = "C:\\Windows\\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe"	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe

Executes dropped EXE 11 IoCs

pid	Process
4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
4004	{53566E27-8D93-4106-A9CF-A27680777B05}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
File created	C:\Windows\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
File created	C:\Windows\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
File created	C:\Windows\{53566E27-8D93-4106-A9CF-A27680777B05}.exe	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
File created	C:\Windows\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
File created	C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
File created	C:\Windows\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
File created	C:\Windows\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
File created	C:\Windows\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
File created	C:\Windows\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
File created	C:\Windows\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
Token: SeIncBasePriorityPrivilege	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
Token: SeIncBasePriorityPrivilege	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
Token: SeIncBasePriorityPrivilege	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
Token: SeIncBasePriorityPrivilege	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
Token: SeIncBasePriorityPrivilege	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
Token: SeIncBasePriorityPrivilege	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
Token: SeIncBasePriorityPrivilege	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
Token: SeIncBasePriorityPrivilege	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
Token: SeIncBasePriorityPrivilege	5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4856	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	88
PID 4600 wrote to memory of 4856	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	88
PID 4600 wrote to memory of 4856	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	88
PID 4600 wrote to memory of 3616	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	89
PID 4600 wrote to memory of 3616	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	89
PID 4600 wrote to memory of 3616	4600	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	89
PID 4856 wrote to memory of 3344	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	90
PID 4856 wrote to memory of 3344	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	90
PID 4856 wrote to memory of 3344	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	90
PID 4856 wrote to memory of 1564	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	91
PID 4856 wrote to memory of 1564	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	91
PID 4856 wrote to memory of 1564	4856	{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe	91
PID 3344 wrote to memory of 3204	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	94
PID 3344 wrote to memory of 3204	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	94
PID 3344 wrote to memory of 3204	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	94
PID 3344 wrote to memory of 2712	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	93
PID 3344 wrote to memory of 2712	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	93
PID 3344 wrote to memory of 2712	3344	{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe	93
PID 3204 wrote to memory of 4824	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	95
PID 3204 wrote to memory of 4824	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	95
PID 3204 wrote to memory of 4824	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	95
PID 3204 wrote to memory of 4940	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	96
PID 3204 wrote to memory of 4940	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	96
PID 3204 wrote to memory of 4940	3204	{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe	96
PID 4824 wrote to memory of 4196	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	97
PID 4824 wrote to memory of 4196	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	97
PID 4824 wrote to memory of 4196	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	97
PID 4824 wrote to memory of 864	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	98
PID 4824 wrote to memory of 864	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	98
PID 4824 wrote to memory of 864	4824	{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe	98
PID 4196 wrote to memory of 5068	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	99
PID 4196 wrote to memory of 5068	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	99
PID 4196 wrote to memory of 5068	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	99
PID 4196 wrote to memory of 2540	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	100
PID 4196 wrote to memory of 2540	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	100
PID 4196 wrote to memory of 2540	4196	{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe	100
PID 5068 wrote to memory of 3844	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	101
PID 5068 wrote to memory of 3844	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	101
PID 5068 wrote to memory of 3844	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	101
PID 5068 wrote to memory of 1584	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	102
PID 5068 wrote to memory of 1584	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	102
PID 5068 wrote to memory of 1584	5068	{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe	102
PID 3844 wrote to memory of 3672	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	103
PID 3844 wrote to memory of 3672	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	103
PID 3844 wrote to memory of 3672	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	103
PID 3844 wrote to memory of 4356	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	104
PID 3844 wrote to memory of 4356	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	104
PID 3844 wrote to memory of 4356	3844	{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe	104
PID 3672 wrote to memory of 4324	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	105
PID 3672 wrote to memory of 4324	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	105
PID 3672 wrote to memory of 4324	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	105
PID 3672 wrote to memory of 3720	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	106
PID 3672 wrote to memory of 3720	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	106
PID 3672 wrote to memory of 3720	3672	{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe	106
PID 4324 wrote to memory of 5064	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	107
PID 4324 wrote to memory of 5064	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	107
PID 4324 wrote to memory of 5064	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	107
PID 4324 wrote to memory of 4244	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	108
PID 4324 wrote to memory of 4244	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	108
PID 4324 wrote to memory of 4244	4324	{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe	108
PID 5064 wrote to memory of 4004	5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe	109
PID 5064 wrote to memory of 4004	5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe	109
PID 5064 wrote to memory of 4004	5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe	109
PID 5064 wrote to memory of 4716	5064	{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe	110

C:\Users\Admin\AppData\Local\Temp\66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
  C:\Windows\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
    C:\Windows\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D986~1.EXE > nul
      4⤵
      PID:2712
  - - C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
      C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
        
        C:\Windows\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
        
        C:\Windows\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
        
        C:\Windows\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
        
        C:\Windows\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
        
        C:\Windows\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
        
        C:\Windows\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
        
        C:\Windows\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{53566E27-8D93-4106-A9CF-A27680777B05}.exe
        
        C:\Windows\{53566E27-8D93-4106-A9CF-A27680777B05}.exe
        12⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CD8F~1.EXE > nul
        12⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71EEB~1.EXE > nul
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{252D3~1.EXE > nul
        10⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DFC~1.EXE > nul
        9⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CDF0~1.EXE > nul
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22CBB~1.EXE > nul
        7⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92893~1.EXE > nul
        6⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF19~1.EXE > nul
        5⤵
        
        PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B682~1.EXE > nul
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66F859~1.EXE > nul
  2⤵
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe

Filesize
408KB

MD5
9177afe53368d8879a8bd309fa561cf7

SHA1
c3ac7953821d219969841f6661586d3bdeddf011

SHA256
012ede08d30d3d488b6fa8bf198a6ea73c075f436d9136aff2fdee77f8f2ad1d

SHA512
d53c99fb6ba716aabe2614ec46301a381f2be505cbfaf275cabad66c9d30db41692c8e14f83d868527c5c05c490da6eecf0d148d68516948d193e71c157040b8

Download Submit
C:\Windows\{22CBB187-2500-4d0b-BC1D-FADB71FF98D8}.exe

Filesize
408KB

MD5
9177afe53368d8879a8bd309fa561cf7

SHA1
c3ac7953821d219969841f6661586d3bdeddf011

SHA256
012ede08d30d3d488b6fa8bf198a6ea73c075f436d9136aff2fdee77f8f2ad1d

SHA512
d53c99fb6ba716aabe2614ec46301a381f2be505cbfaf275cabad66c9d30db41692c8e14f83d868527c5c05c490da6eecf0d148d68516948d193e71c157040b8

Download Submit
C:\Windows\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe

Filesize
408KB

MD5
37d7ddeada48f4113b64073107c05b74

SHA1
737b0a5de6d5959b8cf98db958f5531f44682329

SHA256
49bd933d3a4400a869ebd444d3b2e17f26f3c0a6c7524d899d34af330b437077

SHA512
d366f45c0e93faa715bda0209033df7f3941108e623caaedebf101e785e1fc6cf76810f6b2d405ab633ad1cfe9ecc51cfaaba2b4f79d1b40e1a1619c8cf32f3d

Download Submit
C:\Windows\{252D3475-E8BC-4547-AB45-60D13D4A928A}.exe

Filesize
408KB

MD5
37d7ddeada48f4113b64073107c05b74

SHA1
737b0a5de6d5959b8cf98db958f5531f44682329

SHA256
49bd933d3a4400a869ebd444d3b2e17f26f3c0a6c7524d899d34af330b437077

SHA512
d366f45c0e93faa715bda0209033df7f3941108e623caaedebf101e785e1fc6cf76810f6b2d405ab633ad1cfe9ecc51cfaaba2b4f79d1b40e1a1619c8cf32f3d

Download Submit
C:\Windows\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe

Filesize
408KB

MD5
7645ebf4b1e4fcf7cb11fed14f41d7cd

SHA1
b8dd8eb2008fcc5609e9d30524afbce10516ac0a

SHA256
48f337ae8873b9a3bc4366557c53980e28298f873aed2e7e1c3297cfbb33b7d7

SHA512
af6b43e414f601fe42ec27278ee44f3533c6b8883022ca37df2df78a827a4215c2f8b0484d733c5523c1e187485faf1bfc4626be9d542d5ebe14413efcf64822

Download Submit
C:\Windows\{2B6820C3-513B-46ee-9EBD-B102FC8AE9EB}.exe

Filesize
408KB

MD5
7645ebf4b1e4fcf7cb11fed14f41d7cd

SHA1
b8dd8eb2008fcc5609e9d30524afbce10516ac0a

SHA256
48f337ae8873b9a3bc4366557c53980e28298f873aed2e7e1c3297cfbb33b7d7

SHA512
af6b43e414f601fe42ec27278ee44f3533c6b8883022ca37df2df78a827a4215c2f8b0484d733c5523c1e187485faf1bfc4626be9d542d5ebe14413efcf64822

Download Submit
C:\Windows\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe

Filesize
408KB

MD5
bcf0aa57a9fd55d9f5ed52cfe10551a3

SHA1
ed2aa460c1fec57d41bdddd8acd59f132db38536

SHA256
dc33fc55a50099c90fae4a1c3f163acf223f784fde3e817a09fb82a1383ac310

SHA512
c18c5bfde8480c0c07ee9ac46e1be7b604821f038e7a66c09664221440966713297601ad3d10cd34a3ae9d6468dbb136a77bfed10dc67f9e6760417f3b3d8011

Download Submit
C:\Windows\{2CDF09D9-18F2-4d89-A5B1-4533C8722E12}.exe

Filesize
408KB

MD5
bcf0aa57a9fd55d9f5ed52cfe10551a3

SHA1
ed2aa460c1fec57d41bdddd8acd59f132db38536

SHA256
dc33fc55a50099c90fae4a1c3f163acf223f784fde3e817a09fb82a1383ac310

SHA512
c18c5bfde8480c0c07ee9ac46e1be7b604821f038e7a66c09664221440966713297601ad3d10cd34a3ae9d6468dbb136a77bfed10dc67f9e6760417f3b3d8011

Download Submit
C:\Windows\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe

Filesize
408KB

MD5
62a17151e5214a51cb30e850087fdefd

SHA1
bcbcbef8c8057545b8481c4bb11da2d4c6e8cb39

SHA256
92f484d2cb2bcdf4a11945fa98b5ceb09a8e506ad82600f0f1b35d6cb7e1a19d

SHA512
8de380c0b92b9ac61c8a632a930c2fadf1fdc6b1b4ccf751bdf17af051d0fb33f838c039f9a551d279229be388630b6b7dce9e9bccd75c131d4a894175d03823

Download Submit
C:\Windows\{2D986A80-A839-4c39-85A5-F95AB80FC9E0}.exe

Filesize
408KB

MD5
62a17151e5214a51cb30e850087fdefd

SHA1
bcbcbef8c8057545b8481c4bb11da2d4c6e8cb39

SHA256
92f484d2cb2bcdf4a11945fa98b5ceb09a8e506ad82600f0f1b35d6cb7e1a19d

SHA512
8de380c0b92b9ac61c8a632a930c2fadf1fdc6b1b4ccf751bdf17af051d0fb33f838c039f9a551d279229be388630b6b7dce9e9bccd75c131d4a894175d03823

Download Submit
C:\Windows\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe

Filesize
408KB

MD5
5cbc8cf9d3d51c3ab98afc8b92d0d308

SHA1
1e006f0e1e17ddb59d579d9bd79ac0f1e0927d84

SHA256
0068ccb5c71801ddad446a1ed567577d0a3e372aa9970ca410223340d9ccc95b

SHA512
b83ece324bf446bb66bb99bdb89db1fe63be902bcbb31fa4f13a0ee3faf8bb9632671556de3b3098d41deba1b981646713bfb708bdb2ac4c8c39034ae0fae456

Download Submit
C:\Windows\{46DFC7D9-F556-46cb-97FB-26EEC06ACA69}.exe

Filesize
408KB

MD5
5cbc8cf9d3d51c3ab98afc8b92d0d308

SHA1
1e006f0e1e17ddb59d579d9bd79ac0f1e0927d84

SHA256
0068ccb5c71801ddad446a1ed567577d0a3e372aa9970ca410223340d9ccc95b

SHA512
b83ece324bf446bb66bb99bdb89db1fe63be902bcbb31fa4f13a0ee3faf8bb9632671556de3b3098d41deba1b981646713bfb708bdb2ac4c8c39034ae0fae456

Download Submit
C:\Windows\{53566E27-8D93-4106-A9CF-A27680777B05}.exe

Filesize
408KB

MD5
85592cfc49d43fa04d650779ddd50db6

SHA1
e77e82fc6700423e6f968616addad96616dab189

SHA256
55c4b9bb5143b423c8049d205f31a908375daa7662226040bcfa58d1cfa0ae0c

SHA512
9236e2b6f6c251dffe21a7ec745bd6e0cb68676d0af25187709819032be50627ec886cf6e59208940dccaf46d2077a52f9defc93d03ca24e8bb28c762e20a9b0

Download Submit
C:\Windows\{53566E27-8D93-4106-A9CF-A27680777B05}.exe

Filesize
408KB

MD5
85592cfc49d43fa04d650779ddd50db6

SHA1
e77e82fc6700423e6f968616addad96616dab189

SHA256
55c4b9bb5143b423c8049d205f31a908375daa7662226040bcfa58d1cfa0ae0c

SHA512
9236e2b6f6c251dffe21a7ec745bd6e0cb68676d0af25187709819032be50627ec886cf6e59208940dccaf46d2077a52f9defc93d03ca24e8bb28c762e20a9b0

Download Submit
C:\Windows\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe

Filesize
408KB

MD5
a07ce06e4ad7616b3219473ac33436ec

SHA1
042f1be6b2c4c624d7546167cd11f37609aa4007

SHA256
5f1e38febc6a9718f1baa6e68a85cabb5e37360bafad39bae28194fa53d4d6b0

SHA512
7ec33a17601191209280c0def0cfaf728034dcf18af1fca215d0e09cd05ff48858992095f5fcbe5fc8eb501359192eb8414f7be763f0a79afc9441782f37c912

Download Submit
C:\Windows\{6CD8FDF2-972B-4080-9F23-D4495D25D90A}.exe

Filesize
408KB

MD5
a07ce06e4ad7616b3219473ac33436ec

SHA1
042f1be6b2c4c624d7546167cd11f37609aa4007

SHA256
5f1e38febc6a9718f1baa6e68a85cabb5e37360bafad39bae28194fa53d4d6b0

SHA512
7ec33a17601191209280c0def0cfaf728034dcf18af1fca215d0e09cd05ff48858992095f5fcbe5fc8eb501359192eb8414f7be763f0a79afc9441782f37c912

Download Submit
C:\Windows\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe

Filesize
408KB

MD5
2acfaa55c8d82fefc977ef1e1ecd80a8

SHA1
02e203e2a9a2699e6c1368a8b276cdc692398eab

SHA256
0cc406f6a27b07f7c6b9c798567ce33b8166f35978a9a5ceb5b32f32199b4a03

SHA512
11ce8403380c3086c82ac21fe60eaf2bfb6304907cbec5d131e7120b0ed98b28df59ac28c8d200c6d715c10cd20d4d6c2eb9e17c87a5dcd3dc49c196bf9120da

Download Submit
C:\Windows\{71EEB066-FFE7-4b14-BC8C-7671BBFB0C74}.exe

Filesize
408KB

MD5
2acfaa55c8d82fefc977ef1e1ecd80a8

SHA1
02e203e2a9a2699e6c1368a8b276cdc692398eab

SHA256
0cc406f6a27b07f7c6b9c798567ce33b8166f35978a9a5ceb5b32f32199b4a03

SHA512
11ce8403380c3086c82ac21fe60eaf2bfb6304907cbec5d131e7120b0ed98b28df59ac28c8d200c6d715c10cd20d4d6c2eb9e17c87a5dcd3dc49c196bf9120da

Download Submit
C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe

Filesize
408KB

MD5
5d0f76599f4cb2243bc7f3424d147e44

SHA1
395e2d15545479f161f871d0bb34fbf08165f767

SHA256
2707c59edd402a89a1699a225cf33af45ca9cdb1215dcb9c4a99c8a240090ad7

SHA512
44b6cf842b54e2987fccf14934a4b83176c19b97ef261afe2790f6c48c4c614dbb1d85b6d4b2411df89d656b3ad2002f3574defb255b00bb95731e32f907cf67

Download Submit
C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe

Filesize
408KB

MD5
5d0f76599f4cb2243bc7f3424d147e44

SHA1
395e2d15545479f161f871d0bb34fbf08165f767

SHA256
2707c59edd402a89a1699a225cf33af45ca9cdb1215dcb9c4a99c8a240090ad7

SHA512
44b6cf842b54e2987fccf14934a4b83176c19b97ef261afe2790f6c48c4c614dbb1d85b6d4b2411df89d656b3ad2002f3574defb255b00bb95731e32f907cf67

Download Submit
C:\Windows\{7EF19D0B-0C58-4e67-8DA1-BAE9F2F33178}.exe

Filesize
408KB

MD5
5d0f76599f4cb2243bc7f3424d147e44

SHA1
395e2d15545479f161f871d0bb34fbf08165f767

SHA256
2707c59edd402a89a1699a225cf33af45ca9cdb1215dcb9c4a99c8a240090ad7

SHA512
44b6cf842b54e2987fccf14934a4b83176c19b97ef261afe2790f6c48c4c614dbb1d85b6d4b2411df89d656b3ad2002f3574defb255b00bb95731e32f907cf67

Download Submit
C:\Windows\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe

Filesize
408KB

MD5
18e69e7bb7a0e80b11e6699ed6a634b8

SHA1
bbb062dfe8e017e15133a865d69ff0c965881662

SHA256
2ab294177bc20eb1980ea0dfeef3a26b4429790fbe0ba5ca7cb965faacf82ec0

SHA512
7100c925e360b45ef77438069942f4cc4646705091fe52e11fb1d9c1290c359a0829bd1d498b873c9b54eca864ea73dc727bae49f1993ba0af435dbcb70ea40b

Download Submit
C:\Windows\{92893700-5C4F-4bd6-B6EF-6F2FB5F79338}.exe

Filesize
408KB

MD5
18e69e7bb7a0e80b11e6699ed6a634b8

SHA1
bbb062dfe8e017e15133a865d69ff0c965881662

SHA256
2ab294177bc20eb1980ea0dfeef3a26b4429790fbe0ba5ca7cb965faacf82ec0

SHA512
7100c925e360b45ef77438069942f4cc4646705091fe52e11fb1d9c1290c359a0829bd1d498b873c9b54eca864ea73dc727bae49f1993ba0af435dbcb70ea40b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads