6e5be2176f90b497e850f9ca8894e246d5672217e92fbf47ca3247b9d2d590e9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
Size

168KB
MD5

2056bb5886e2df4eda0c8885b44beb95
SHA1

954bf1d2d3a4bc3db59788b1f7f68d0ce871b06e
SHA256

6e5be2176f90b497e850f9ca8894e246d5672217e92fbf47ca3247b9d2d590e9
SHA512

9c8c9aa0b1214f350b66ee0a4633cef3a2315c698a0647eaeacbae467b092ce3d5c4aaf5c513ea17be21158feef3900acccbe8faabf354cceeb547ec31e02c57
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F52D868-B627-48c3-B40D-D4E0680DE56A}\stubpath = "C:\\Windows\\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe"	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB50377B-DC03-44d8-900C-8EDC2F56C868}\stubpath = "C:\\Windows\\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe"	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A314B035-9BE2-4731-B536-D949E821D0A5}\stubpath = "C:\\Windows\\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe"	{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}\stubpath = "C:\\Windows\\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe"	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}\stubpath = "C:\\Windows\\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe"	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}\stubpath = "C:\\Windows\\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe"	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}\stubpath = "C:\\Windows\\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe"	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F52D868-B627-48c3-B40D-D4E0680DE56A}	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1290073A-8E7F-4c49-B55C-6642F12F62B5}\stubpath = "C:\\Windows\\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe"	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}\stubpath = "C:\\Windows\\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe"	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}\stubpath = "C:\\Windows\\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe"	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A314B035-9BE2-4731-B536-D949E821D0A5}	{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}\stubpath = "C:\\Windows\\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe"	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB50377B-DC03-44d8-900C-8EDC2F56C868}	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1290073A-8E7F-4c49-B55C-6642F12F62B5}	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}\stubpath = "C:\\Windows\\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe"	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe

Executes dropped EXE 12 IoCs

pid	Process
5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
3976	{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
1912	{A314B035-9BE2-4731-B536-D949E821D0A5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
File created	C:\Windows\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
File created	C:\Windows\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
File created	C:\Windows\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
File created	C:\Windows\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
File created	C:\Windows\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
File created	C:\Windows\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
File created	C:\Windows\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
File created	C:\Windows\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
File created	C:\Windows\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe	{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
File created	C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
File created	C:\Windows\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
Token: SeIncBasePriorityPrivilege	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
Token: SeIncBasePriorityPrivilege	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
Token: SeIncBasePriorityPrivilege	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
Token: SeIncBasePriorityPrivilege	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
Token: SeIncBasePriorityPrivilege	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
Token: SeIncBasePriorityPrivilege	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
Token: SeIncBasePriorityPrivilege	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
Token: SeIncBasePriorityPrivilege	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
Token: SeIncBasePriorityPrivilege	1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
Token: SeIncBasePriorityPrivilege	3976	{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 5052	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	90
PID 2592 wrote to memory of 5052	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	90
PID 2592 wrote to memory of 5052	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	90
PID 2592 wrote to memory of 5084	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	91
PID 2592 wrote to memory of 5084	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	91
PID 2592 wrote to memory of 5084	2592	2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe	91
PID 5052 wrote to memory of 4984	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	92
PID 5052 wrote to memory of 4984	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	92
PID 5052 wrote to memory of 4984	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	92
PID 5052 wrote to memory of 4132	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	93
PID 5052 wrote to memory of 4132	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	93
PID 5052 wrote to memory of 4132	5052	{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe	93
PID 4984 wrote to memory of 4960	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	96
PID 4984 wrote to memory of 4960	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	96
PID 4984 wrote to memory of 4960	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	96
PID 4984 wrote to memory of 4524	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	95
PID 4984 wrote to memory of 4524	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	95
PID 4984 wrote to memory of 4524	4984	{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe	95
PID 4960 wrote to memory of 2212	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	97
PID 4960 wrote to memory of 2212	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	97
PID 4960 wrote to memory of 2212	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	97
PID 4960 wrote to memory of 3412	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	98
PID 4960 wrote to memory of 3412	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	98
PID 4960 wrote to memory of 3412	4960	{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe	98
PID 2212 wrote to memory of 2020	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	99
PID 2212 wrote to memory of 2020	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	99
PID 2212 wrote to memory of 2020	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	99
PID 2212 wrote to memory of 5068	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	100
PID 2212 wrote to memory of 5068	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	100
PID 2212 wrote to memory of 5068	2212	{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe	100
PID 2020 wrote to memory of 4940	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	101
PID 2020 wrote to memory of 4940	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	101
PID 2020 wrote to memory of 4940	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	101
PID 2020 wrote to memory of 3856	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	102
PID 2020 wrote to memory of 3856	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	102
PID 2020 wrote to memory of 3856	2020	{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe	102
PID 4940 wrote to memory of 4356	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	103
PID 4940 wrote to memory of 4356	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	103
PID 4940 wrote to memory of 4356	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	103
PID 4940 wrote to memory of 4296	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	104
PID 4940 wrote to memory of 4296	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	104
PID 4940 wrote to memory of 4296	4940	{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe	104
PID 4356 wrote to memory of 4816	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	105
PID 4356 wrote to memory of 4816	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	105
PID 4356 wrote to memory of 4816	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	105
PID 4356 wrote to memory of 4100	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	106
PID 4356 wrote to memory of 4100	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	106
PID 4356 wrote to memory of 4100	4356	{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe	106
PID 4816 wrote to memory of 764	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	107
PID 4816 wrote to memory of 764	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	107
PID 4816 wrote to memory of 764	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	107
PID 4816 wrote to memory of 604	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	108
PID 4816 wrote to memory of 604	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	108
PID 4816 wrote to memory of 604	4816	{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe	108
PID 764 wrote to memory of 1204	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	109
PID 764 wrote to memory of 1204	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	109
PID 764 wrote to memory of 1204	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	109
PID 764 wrote to memory of 1348	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	110
PID 764 wrote to memory of 1348	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	110
PID 764 wrote to memory of 1348	764	{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe	110
PID 1204 wrote to memory of 3976	1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe	111
PID 1204 wrote to memory of 3976	1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe	111
PID 1204 wrote to memory of 3976	1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe	111
PID 1204 wrote to memory of 916	1204	{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe	112

C:\Users\Admin\AppData\Local\Temp\2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2056bb5886e2df4eda0c8885b44beb95_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
  C:\Windows\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
    C:\Windows\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F52D~1.EXE > nul
      4⤵
      PID:4524
  - - C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
      C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
        
        C:\Windows\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
        
        C:\Windows\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
        
        C:\Windows\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
        
        C:\Windows\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
        
        C:\Windows\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
        
        C:\Windows\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
        
        C:\Windows\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
        
        C:\Windows\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe
        
        C:\Windows\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe
        13⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB503~1.EXE > nul
        13⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12EFD~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FC0~1.EXE > nul
        11⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95BC5~1.EXE > nul
        10⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D5CB~1.EXE > nul
        9⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C462~1.EXE > nul
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EF~1.EXE > nul
        7⤵
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F40C~1.EXE > nul
        6⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12900~1.EXE > nul
        5⤵
        
        PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F68~1.EXE > nul
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2056BB~1.EXE > nul
  2⤵
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe

Filesize
168KB

MD5
3f3bc6e4fc83351f7cbdf7a03d79d7d8

SHA1
35da2aabf3f4cf76434018d9492b7af106ed839a

SHA256
6017c1fb9003c0224c2cdce15437c1baa028cd14cc8bdf227c6d57dde199117c

SHA512
9567a566d9a485e3756d1e6da5ac0e98aa83be062b87791dab9054f8f1f046c1ebd0a9b0a55c34c399086dfeae14e2218e0037e0e1784f058cfebd137c3dea17

Download Submit
C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe

Filesize
168KB

MD5
3f3bc6e4fc83351f7cbdf7a03d79d7d8

SHA1
35da2aabf3f4cf76434018d9492b7af106ed839a

SHA256
6017c1fb9003c0224c2cdce15437c1baa028cd14cc8bdf227c6d57dde199117c

SHA512
9567a566d9a485e3756d1e6da5ac0e98aa83be062b87791dab9054f8f1f046c1ebd0a9b0a55c34c399086dfeae14e2218e0037e0e1784f058cfebd137c3dea17

Download Submit
C:\Windows\{1290073A-8E7F-4c49-B55C-6642F12F62B5}.exe

Filesize
168KB

MD5
3f3bc6e4fc83351f7cbdf7a03d79d7d8

SHA1
35da2aabf3f4cf76434018d9492b7af106ed839a

SHA256
6017c1fb9003c0224c2cdce15437c1baa028cd14cc8bdf227c6d57dde199117c

SHA512
9567a566d9a485e3756d1e6da5ac0e98aa83be062b87791dab9054f8f1f046c1ebd0a9b0a55c34c399086dfeae14e2218e0037e0e1784f058cfebd137c3dea17

Download Submit
C:\Windows\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe

Filesize
168KB

MD5
6973f722cf766ac26e66c4909c2ff2bc

SHA1
41c98d60f97b5a18627d5d739686213a252777ac

SHA256
f907c8fa2252e6085d7626ec6a63920cf857bfa17e05d31fe0bd15b7403835c2

SHA512
7dc63212668465cee45fbd64f7f995fd6a9e47d1e43aa03ca11615906ea4006764f7048bd0d75ceb7fc6afec7e6264bd80943b747f88f75df621c4ee97ebe50e

Download Submit
C:\Windows\{12EFD9F3-6C47-468a-81BB-D6DA317A9DA3}.exe

Filesize
168KB

MD5
6973f722cf766ac26e66c4909c2ff2bc

SHA1
41c98d60f97b5a18627d5d739686213a252777ac

SHA256
f907c8fa2252e6085d7626ec6a63920cf857bfa17e05d31fe0bd15b7403835c2

SHA512
7dc63212668465cee45fbd64f7f995fd6a9e47d1e43aa03ca11615906ea4006764f7048bd0d75ceb7fc6afec7e6264bd80943b747f88f75df621c4ee97ebe50e

Download Submit
C:\Windows\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe

Filesize
168KB

MD5
f1439d9f02caf07457b19382ac665ce0

SHA1
5b88338ce70f25f10e35494c618e638fe79e41c6

SHA256
51cea8552cfa9b91f25662256711e50fd5f063410fcdb7c2adf0db0559dd0c8b

SHA512
549d6025938a5093236aec9120c7303c9c9dd3eaf1818053e41bc90142adc32aef973fbe4cc572e48f8aa55a3b897b309390c0eac47cbfd9cb4f96823ca75361

Download Submit
C:\Windows\{2D5CBE4A-4A77-4b36-9FB9-08949E085117}.exe

Filesize
168KB

MD5
f1439d9f02caf07457b19382ac665ce0

SHA1
5b88338ce70f25f10e35494c618e638fe79e41c6

SHA256
51cea8552cfa9b91f25662256711e50fd5f063410fcdb7c2adf0db0559dd0c8b

SHA512
549d6025938a5093236aec9120c7303c9c9dd3eaf1818053e41bc90142adc32aef973fbe4cc572e48f8aa55a3b897b309390c0eac47cbfd9cb4f96823ca75361

Download Submit
C:\Windows\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe

Filesize
168KB

MD5
f2169705e6362555a1ba706c31c241b7

SHA1
97a02a9bf43d8577e085a9cf94dd7b84b64c6de9

SHA256
915ba502d8fb09bc50f4b6e5e2c05b21b799b4e2af9dfebdebd7a104f47a51dd

SHA512
9a2b673b0287fc3922166f672ec6dbb2885bffd2e36ea8c1804b6f1bf2eeb18818a00e0117f7e2e7a6dac96c1f4152e0711ef22cf560c723c1bad251e61952c5

Download Submit
C:\Windows\{3F52D868-B627-48c3-B40D-D4E0680DE56A}.exe

Filesize
168KB

MD5
f2169705e6362555a1ba706c31c241b7

SHA1
97a02a9bf43d8577e085a9cf94dd7b84b64c6de9

SHA256
915ba502d8fb09bc50f4b6e5e2c05b21b799b4e2af9dfebdebd7a104f47a51dd

SHA512
9a2b673b0287fc3922166f672ec6dbb2885bffd2e36ea8c1804b6f1bf2eeb18818a00e0117f7e2e7a6dac96c1f4152e0711ef22cf560c723c1bad251e61952c5

Download Submit
C:\Windows\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe

Filesize
168KB

MD5
d9813dde9de2d74de15f627378f6e594

SHA1
b440e9182133d4eecc33914a4d5d0dc62b81e196

SHA256
6e3b01239cae5503c15d2900928fb1abf63d5593fae6c796764c5156a99f0ae3

SHA512
4d9925c6633ce1483d29627eddad82eb78e5bee4c3a95c9ddca60a7bf33dfec75e42af5a8a109e86d2c56262f63624a311ee7e2773627953eacb561239d9a217

Download Submit
C:\Windows\{4C462A07-471A-4d8b-91DD-67FB01CB09B3}.exe

Filesize
168KB

MD5
d9813dde9de2d74de15f627378f6e594

SHA1
b440e9182133d4eecc33914a4d5d0dc62b81e196

SHA256
6e3b01239cae5503c15d2900928fb1abf63d5593fae6c796764c5156a99f0ae3

SHA512
4d9925c6633ce1483d29627eddad82eb78e5bee4c3a95c9ddca60a7bf33dfec75e42af5a8a109e86d2c56262f63624a311ee7e2773627953eacb561239d9a217

Download Submit
C:\Windows\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe

Filesize
168KB

MD5
5e5b166dd54b6276ce1113e874bf1f17

SHA1
8a333e78c5f57419082a80da80b01802978ae570

SHA256
b8d038e48698a96bae9f8ee6b1e8c1ed3a84b5791b3da758f76028613c72be24

SHA512
c105129674c1d63a0d7d04822a59429e7f6d7efc5111f70b62ba971d2f6f5b4d3f1d9ecb76624c8d2976ce5190a3d23633b169ac4c27d4b0239ff13689752905

Download Submit
C:\Windows\{8F40C1E0-D1CE-446e-A7C0-944D409D1DE7}.exe

Filesize
168KB

MD5
5e5b166dd54b6276ce1113e874bf1f17

SHA1
8a333e78c5f57419082a80da80b01802978ae570

SHA256
b8d038e48698a96bae9f8ee6b1e8c1ed3a84b5791b3da758f76028613c72be24

SHA512
c105129674c1d63a0d7d04822a59429e7f6d7efc5111f70b62ba971d2f6f5b4d3f1d9ecb76624c8d2976ce5190a3d23633b169ac4c27d4b0239ff13689752905

Download Submit
C:\Windows\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe

Filesize
168KB

MD5
36eae415f70098aeaea45b13bc555b46

SHA1
087242e8b1fcea0b59a9d5c96b3f741b4e3e003e

SHA256
45e8b77621c7ddadabf116ddbde2bfd20bbb70e76993ad61fcf2fe745bb507d1

SHA512
46311e4001359b7c70148a56bb025b9eacd21e463a67e995c71a73d91cd425c35e4c74efbe56ccf50dcc7c9d6ffef4f2da80e35b99a77745fc3172d1f16b113c

Download Submit
C:\Windows\{95BC5A7A-C3CB-44da-8A0E-7BF99C1605A9}.exe

Filesize
168KB

MD5
36eae415f70098aeaea45b13bc555b46

SHA1
087242e8b1fcea0b59a9d5c96b3f741b4e3e003e

SHA256
45e8b77621c7ddadabf116ddbde2bfd20bbb70e76993ad61fcf2fe745bb507d1

SHA512
46311e4001359b7c70148a56bb025b9eacd21e463a67e995c71a73d91cd425c35e4c74efbe56ccf50dcc7c9d6ffef4f2da80e35b99a77745fc3172d1f16b113c

Download Submit
C:\Windows\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe

Filesize
168KB

MD5
6a569e5ec1a24930f8cde942dcc1e44b

SHA1
3e3ad8232e92948ffa008d64387bf9b3fd0ea534

SHA256
14396e19a6dd81709e98e71f13b530bae1b4af68be80523867cab6bd7a9cdb18

SHA512
47d009d70f8d907ed7ff58ab1d3602d381dd212f871047120cdab587b9532caf4379f67718e7bd4b9b93eba727723d12297cfd87c8d7b5356b3d4d59d6d18223

Download Submit
C:\Windows\{A314B035-9BE2-4731-B536-D949E821D0A5}.exe

Filesize
168KB

MD5
6a569e5ec1a24930f8cde942dcc1e44b

SHA1
3e3ad8232e92948ffa008d64387bf9b3fd0ea534

SHA256
14396e19a6dd81709e98e71f13b530bae1b4af68be80523867cab6bd7a9cdb18

SHA512
47d009d70f8d907ed7ff58ab1d3602d381dd212f871047120cdab587b9532caf4379f67718e7bd4b9b93eba727723d12297cfd87c8d7b5356b3d4d59d6d18223

Download Submit
C:\Windows\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe

Filesize
168KB

MD5
c3e643bddb3e3892823d558ff54d1cc8

SHA1
b898cd678ffbc6315cb6932071e0ee5056d7b4ed

SHA256
0a47decd049ea65414573ef4e0abd3c9accf244f7574eda4ac6af536135cecbc

SHA512
8cc5deee73fc16b8ed6d81ba518c153e0003c2e2f7d878cdb452a2e26676c963b705922d8f8e3571447a934fcaf788effd023211c68983bb6251c6fec6bf335e

Download Submit
C:\Windows\{A6F68BCD-5D03-41c6-8DCB-D045625ED5D5}.exe

Filesize
168KB

MD5
c3e643bddb3e3892823d558ff54d1cc8

SHA1
b898cd678ffbc6315cb6932071e0ee5056d7b4ed

SHA256
0a47decd049ea65414573ef4e0abd3c9accf244f7574eda4ac6af536135cecbc

SHA512
8cc5deee73fc16b8ed6d81ba518c153e0003c2e2f7d878cdb452a2e26676c963b705922d8f8e3571447a934fcaf788effd023211c68983bb6251c6fec6bf335e

Download Submit
C:\Windows\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe

Filesize
168KB

MD5
1fd9029325884b13f21768defbe26965

SHA1
850ccd7bb11c482b1da93583f376a1b57ffef994

SHA256
eb6aa3cec82246d46f398c20aae1e1c99c53ce17b027fd47ebd1fe8c9a9a3c4c

SHA512
ee9c4b3d035e3a72d9bf08abdfe5036591fa85eabcf56354057b6f75be98c18913b935538504961782b652574a647e0b3dd5306c42d910b95104962244b76221

Download Submit
C:\Windows\{C6FC093C-3DDB-46d2-B243-C8C3A09D2510}.exe

Filesize
168KB

MD5
1fd9029325884b13f21768defbe26965

SHA1
850ccd7bb11c482b1da93583f376a1b57ffef994

SHA256
eb6aa3cec82246d46f398c20aae1e1c99c53ce17b027fd47ebd1fe8c9a9a3c4c

SHA512
ee9c4b3d035e3a72d9bf08abdfe5036591fa85eabcf56354057b6f75be98c18913b935538504961782b652574a647e0b3dd5306c42d910b95104962244b76221

Download Submit
C:\Windows\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe

Filesize
168KB

MD5
998c35ba4a9ab7428f677bf1e559239d

SHA1
7980ae22312758970f313e0270e3f68223b583c0

SHA256
ea1bad460b23b428a0b538e5e8fccfcebbd545cc64b90a540f648e69df56855d

SHA512
8a7e81014fb1f3257c233198f866286f1a6ae742889c1d09cf8e4618dc9500a5e42bc581101136c383ade096340ff6746bb4f162803687505108ee61c276c040

Download Submit
C:\Windows\{DB50377B-DC03-44d8-900C-8EDC2F56C868}.exe

Filesize
168KB

MD5
998c35ba4a9ab7428f677bf1e559239d

SHA1
7980ae22312758970f313e0270e3f68223b583c0

SHA256
ea1bad460b23b428a0b538e5e8fccfcebbd545cc64b90a540f648e69df56855d

SHA512
8a7e81014fb1f3257c233198f866286f1a6ae742889c1d09cf8e4618dc9500a5e42bc581101136c383ade096340ff6746bb4f162803687505108ee61c276c040

Download Submit
C:\Windows\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe

Filesize
168KB

MD5
bedc79b4c7b665c2150f24604885b6a6

SHA1
4c42a17b4b06683bd60ed42baed9b007ee6bac27

SHA256
3c5ec84c832e2aab284ce24ae915af3060770e20cfb802cd080a22728e5f2660

SHA512
4d1c6f0ba8473d63a5db3ff9abd9091de9e85ddd4ebadbd2843dfcf9208e5b3d61a09c1ed6bdcc582b218f7223ad3ea56778b4117589755004dbffea1fc93efc

Download Submit
C:\Windows\{E63EF671-EEA6-41b5-9EAF-2D64C28B4ECB}.exe

Filesize
168KB

MD5
bedc79b4c7b665c2150f24604885b6a6

SHA1
4c42a17b4b06683bd60ed42baed9b007ee6bac27

SHA256
3c5ec84c832e2aab284ce24ae915af3060770e20cfb802cd080a22728e5f2660

SHA512
4d1c6f0ba8473d63a5db3ff9abd9091de9e85ddd4ebadbd2843dfcf9208e5b3d61a09c1ed6bdcc582b218f7223ad3ea56778b4117589755004dbffea1fc93efc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads