cb960a313bccb74580745f31c7800bfbe10a23adb3653bf743b71a1d92c6ccb7

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
Size

192KB
MD5

70da0ccb202d92cf1b11650472010a6e
SHA1

d7e9f85138c063ff1e05e628a19bb855094529b6
SHA256

cb960a313bccb74580745f31c7800bfbe10a23adb3653bf743b71a1d92c6ccb7
SHA512

b9bb789cfbdf8a92fbfc50a74a6dcad91cb9a2d85cd547fb960709deddaabf6ebdca77dde10137de6f2b1ca30baef761373da80144562012476bf5a66251642d
SSDEEP

1536:1EGh0ouLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oSl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}	{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5895524F-460C-40e6-A417-8D6482F045E1}	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96BF710-61D4-4742-A66F-2E34AC02226B}	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CDD5BF-76D5-4752-9B98-F09C356EF493}	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}\stubpath = "C:\\Windows\\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe"	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}\stubpath = "C:\\Windows\\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe"	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}\stubpath = "C:\\Windows\\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe"	{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96BF710-61D4-4742-A66F-2E34AC02226B}\stubpath = "C:\\Windows\\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe"	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CDD5BF-76D5-4752-9B98-F09C356EF493}\stubpath = "C:\\Windows\\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe"	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4980CF5-FAED-42c2-8724-03115E67FCE1}\stubpath = "C:\\Windows\\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe"	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA185E05-9C27-4c61-8857-79BF1A009CE5}	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461EE2D9-2364-4f53-B74B-0C0946E4D166}	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5895524F-460C-40e6-A417-8D6482F045E1}\stubpath = "C:\\Windows\\{5895524F-460C-40e6-A417-8D6482F045E1}.exe"	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}\stubpath = "C:\\Windows\\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe"	{5895524F-460C-40e6-A417-8D6482F045E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}\stubpath = "C:\\Windows\\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe"	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA185E05-9C27-4c61-8857-79BF1A009CE5}\stubpath = "C:\\Windows\\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe"	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461EE2D9-2364-4f53-B74B-0C0946E4D166}\stubpath = "C:\\Windows\\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe"	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}\stubpath = "C:\\Windows\\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe"	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}	{5895524F-460C-40e6-A417-8D6482F045E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4980CF5-FAED-42c2-8724-03115E67FCE1}	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe

Executes dropped EXE 12 IoCs

pid	Process
3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe
4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
4996	{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
1780	{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
File created	C:\Windows\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
File created	C:\Windows\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
File created	C:\Windows\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
File created	C:\Windows\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
File created	C:\Windows\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe	{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
File created	C:\Windows\{5895524F-460C-40e6-A417-8D6482F045E1}.exe	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
File created	C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	{5895524F-460C-40e6-A417-8D6482F045E1}.exe
File created	C:\Windows\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
File created	C:\Windows\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
File created	C:\Windows\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
File created	C:\Windows\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
Token: SeIncBasePriorityPrivilege	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe
Token: SeIncBasePriorityPrivilege	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
Token: SeIncBasePriorityPrivilege	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
Token: SeIncBasePriorityPrivilege	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
Token: SeIncBasePriorityPrivilege	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
Token: SeIncBasePriorityPrivilege	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
Token: SeIncBasePriorityPrivilege	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
Token: SeIncBasePriorityPrivilege	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
Token: SeIncBasePriorityPrivilege	456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
Token: SeIncBasePriorityPrivilege	4996	{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3024	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	88
PID 4516 wrote to memory of 3024	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	88
PID 4516 wrote to memory of 3024	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	88
PID 4516 wrote to memory of 928	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	89
PID 4516 wrote to memory of 928	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	89
PID 4516 wrote to memory of 928	4516	70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe	89
PID 3024 wrote to memory of 3396	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	90
PID 3024 wrote to memory of 3396	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	90
PID 3024 wrote to memory of 3396	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	90
PID 3024 wrote to memory of 2456	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	91
PID 3024 wrote to memory of 2456	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	91
PID 3024 wrote to memory of 2456	3024	{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe	91
PID 3396 wrote to memory of 4920	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	93
PID 3396 wrote to memory of 4920	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	93
PID 3396 wrote to memory of 4920	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	93
PID 3396 wrote to memory of 2476	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	94
PID 3396 wrote to memory of 2476	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	94
PID 3396 wrote to memory of 2476	3396	{5895524F-460C-40e6-A417-8D6482F045E1}.exe	94
PID 4920 wrote to memory of 2316	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	95
PID 4920 wrote to memory of 2316	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	95
PID 4920 wrote to memory of 2316	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	95
PID 4920 wrote to memory of 4848	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	96
PID 4920 wrote to memory of 4848	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	96
PID 4920 wrote to memory of 4848	4920	{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe	96
PID 2316 wrote to memory of 2196	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	97
PID 2316 wrote to memory of 2196	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	97
PID 2316 wrote to memory of 2196	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	97
PID 2316 wrote to memory of 2572	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	98
PID 2316 wrote to memory of 2572	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	98
PID 2316 wrote to memory of 2572	2316	{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe	98
PID 2196 wrote to memory of 2052	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	99
PID 2196 wrote to memory of 2052	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	99
PID 2196 wrote to memory of 2052	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	99
PID 2196 wrote to memory of 3684	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	100
PID 2196 wrote to memory of 3684	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	100
PID 2196 wrote to memory of 3684	2196	{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe	100
PID 2052 wrote to memory of 1996	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	101
PID 2052 wrote to memory of 1996	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	101
PID 2052 wrote to memory of 1996	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	101
PID 2052 wrote to memory of 2384	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	102
PID 2052 wrote to memory of 2384	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	102
PID 2052 wrote to memory of 2384	2052	{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe	102
PID 1996 wrote to memory of 4196	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	103
PID 1996 wrote to memory of 4196	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	103
PID 1996 wrote to memory of 4196	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	103
PID 1996 wrote to memory of 764	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	104
PID 1996 wrote to memory of 764	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	104
PID 1996 wrote to memory of 764	1996	{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe	104
PID 4196 wrote to memory of 3624	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	105
PID 4196 wrote to memory of 3624	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	105
PID 4196 wrote to memory of 3624	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	105
PID 4196 wrote to memory of 1844	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	106
PID 4196 wrote to memory of 1844	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	106
PID 4196 wrote to memory of 1844	4196	{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe	106
PID 3624 wrote to memory of 456	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	107
PID 3624 wrote to memory of 456	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	107
PID 3624 wrote to memory of 456	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	107
PID 3624 wrote to memory of 2156	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	108
PID 3624 wrote to memory of 2156	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	108
PID 3624 wrote to memory of 2156	3624	{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe	108
PID 456 wrote to memory of 4996	456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe	109
PID 456 wrote to memory of 4996	456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe	109
PID 456 wrote to memory of 4996	456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe	109
PID 456 wrote to memory of 1056	456	{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe	110

C:\Users\Admin\AppData\Local\Temp\70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70da0ccb202d92cf1b11650472010a6e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
  C:\Windows\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\{5895524F-460C-40e6-A417-8D6482F045E1}.exe
    C:\Windows\{5895524F-460C-40e6-A417-8D6482F045E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
      C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
        
        C:\Windows\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
        
        C:\Windows\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
        
        C:\Windows\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
        
        C:\Windows\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
        
        C:\Windows\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
        
        C:\Windows\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
        
        C:\Windows\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
        
        C:\Windows\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe
        
        C:\Windows\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe
        13⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{461EE~1.EXE > nul
        13⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC4C~1.EXE > nul
        12⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19314~1.EXE > nul
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA185~1.EXE > nul
        10⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4980~1.EXE > nul
        9⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAD9~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05CDD~1.EXE > nul
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C96BF~1.EXE > nul
        6⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3500~1.EXE > nul
        5⤵
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58955~1.EXE > nul
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9DD~1.EXE > nul
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70DA0C~1.EXE > nul
  2⤵
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe

Filesize
192KB

MD5
3ee22e7d326039be7012a7eacd6fe869

SHA1
9261f7350d3ac4c2e19457f5f2cd45b0bd005904

SHA256
9f92001d4ebb1bcc2c0f3bee595b9739f9adf54db566f67f0c2415f24f599812

SHA512
af2b1b5becae2d95b8ac88d3248cf463288b779efc84fa778e8ad75146c0f480157af54c9d8f1de0500fae017ef617c83d3b50b8fd677b3c97fc920c1c41b181

Download Submit
C:\Windows\{05CDD5BF-76D5-4752-9B98-F09C356EF493}.exe

Filesize
192KB

MD5
3ee22e7d326039be7012a7eacd6fe869

SHA1
9261f7350d3ac4c2e19457f5f2cd45b0bd005904

SHA256
9f92001d4ebb1bcc2c0f3bee595b9739f9adf54db566f67f0c2415f24f599812

SHA512
af2b1b5becae2d95b8ac88d3248cf463288b779efc84fa778e8ad75146c0f480157af54c9d8f1de0500fae017ef617c83d3b50b8fd677b3c97fc920c1c41b181

Download Submit
C:\Windows\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe

Filesize
192KB

MD5
1a2fc2fde4c789e9ed2815c00061c2a1

SHA1
e33fec4031db81b1e20d40b7ca9ab8760850e888

SHA256
443e25c9e8a5b1e6b705766aed5c687cc5049abf72b9432aca9372706ebde552

SHA512
55fba9b50832b3d013c1ebedfe206d9159a79b5b1543e16f013cb205fdbfcbcf701895ca9364d8d0976377387a2a85511314772f691d51e7b51c5717b5da0678

Download Submit
C:\Windows\{19314767-6FAE-409a-AE6B-756F2D5CC5C4}.exe

Filesize
192KB

MD5
1a2fc2fde4c789e9ed2815c00061c2a1

SHA1
e33fec4031db81b1e20d40b7ca9ab8760850e888

SHA256
443e25c9e8a5b1e6b705766aed5c687cc5049abf72b9432aca9372706ebde552

SHA512
55fba9b50832b3d013c1ebedfe206d9159a79b5b1543e16f013cb205fdbfcbcf701895ca9364d8d0976377387a2a85511314772f691d51e7b51c5717b5da0678

Download Submit
C:\Windows\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe

Filesize
192KB

MD5
ce006114a4ac6103c58a0e29c82d59d3

SHA1
0210bceb3821848372e8d200c88464de8f197324

SHA256
d53511d54fa4ff097f6124e1f85634522975ea596627742f0fcc6b3614514f91

SHA512
65b0de4fd9d6a2607d9a28560c4a5de3f0194817a23e616b6856ea4a320eb9aa55f58e26c7b46bb7c0a84a8270297b6c07131ec3c759ccd89afae5de54ff46da

Download Submit
C:\Windows\{461EE2D9-2364-4f53-B74B-0C0946E4D166}.exe

Filesize
192KB

MD5
ce006114a4ac6103c58a0e29c82d59d3

SHA1
0210bceb3821848372e8d200c88464de8f197324

SHA256
d53511d54fa4ff097f6124e1f85634522975ea596627742f0fcc6b3614514f91

SHA512
65b0de4fd9d6a2607d9a28560c4a5de3f0194817a23e616b6856ea4a320eb9aa55f58e26c7b46bb7c0a84a8270297b6c07131ec3c759ccd89afae5de54ff46da

Download Submit
C:\Windows\{5895524F-460C-40e6-A417-8D6482F045E1}.exe

Filesize
192KB

MD5
6eba9b3eba31e5fdf9d26d0fb286c04b

SHA1
4e1bb59d42b729e4037864edac6b6c759e1263c1

SHA256
94c45574c26ae10bbb78301b7b685ea78d5553a692dcefad909fc7bf647f8c3a

SHA512
641791a7cb38b253587e19d2c0307a5dde3c211d0b7ed6d7e7a71afac494bf5b436495030c04befb9e7141d9034139aa203f346fc83088db5388aeec44509cb0

Download Submit
C:\Windows\{5895524F-460C-40e6-A417-8D6482F045E1}.exe

Filesize
192KB

MD5
6eba9b3eba31e5fdf9d26d0fb286c04b

SHA1
4e1bb59d42b729e4037864edac6b6c759e1263c1

SHA256
94c45574c26ae10bbb78301b7b685ea78d5553a692dcefad909fc7bf647f8c3a

SHA512
641791a7cb38b253587e19d2c0307a5dde3c211d0b7ed6d7e7a71afac494bf5b436495030c04befb9e7141d9034139aa203f346fc83088db5388aeec44509cb0

Download Submit
C:\Windows\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe

Filesize
192KB

MD5
dc0ce679940eeae3b45735a2db4e7431

SHA1
e761cfb98685d15889546e2149516ff3a2700f22

SHA256
a5f9ab1069d97e65ed7c526e794b6df7a34c08827530d74539089a6cd28f90d0

SHA512
72a55c9ec8f91f86fcbc19b859c1639e0679cdbde01fd223798306480c6ab9ebce74770097efe37fa0e14865c77747f618106e08eabbcf8b797098fdc57333d8

Download Submit
C:\Windows\{6E9DD0DF-B752-4edd-BAD6-B22A1CD22005}.exe

Filesize
192KB

MD5
dc0ce679940eeae3b45735a2db4e7431

SHA1
e761cfb98685d15889546e2149516ff3a2700f22

SHA256
a5f9ab1069d97e65ed7c526e794b6df7a34c08827530d74539089a6cd28f90d0

SHA512
72a55c9ec8f91f86fcbc19b859c1639e0679cdbde01fd223798306480c6ab9ebce74770097efe37fa0e14865c77747f618106e08eabbcf8b797098fdc57333d8

Download Submit
C:\Windows\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe

Filesize
192KB

MD5
fc1ba4bfd53b73537ea1858452729aa4

SHA1
b840cd03ffc736fb2afc4e29fc3fe79f8cb94dac

SHA256
d672d3671c0bd6f4ba93a6329ad70d6bf4e4dd530dac22c2328e084c18dc44c0

SHA512
190fb72796c50106bf53af75883f0fd802a6e168756c22f1e87ac1177a0582a04aef1dc6e000b1ba9f6206ed01dc4232cb02a1d94df75efdc5395d7869df2789

Download Submit
C:\Windows\{7AC4CD8F-097E-413e-9C0C-2FEB5E694805}.exe

Filesize
192KB

MD5
fc1ba4bfd53b73537ea1858452729aa4

SHA1
b840cd03ffc736fb2afc4e29fc3fe79f8cb94dac

SHA256
d672d3671c0bd6f4ba93a6329ad70d6bf4e4dd530dac22c2328e084c18dc44c0

SHA512
190fb72796c50106bf53af75883f0fd802a6e168756c22f1e87ac1177a0582a04aef1dc6e000b1ba9f6206ed01dc4232cb02a1d94df75efdc5395d7869df2789

Download Submit
C:\Windows\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe

Filesize
192KB

MD5
280aacf8abfad911b6042833694472f9

SHA1
4f3e4eb6feb0573af2dfd26b9b08d548199b2dfb

SHA256
20c71a0b87ccc6e37823436f9353ce8f8035326c4299e0e7298c0eecd1d4b968

SHA512
8854d0fe6153cc6b71fc29e393bdda263b70d384b1b4cf4e75f0600bc2d0e433e53673c8caac9e37ac6b14bdcb8c1f3c111a314a2c85a221026edcff30e9a432

Download Submit
C:\Windows\{9FAD9EB0-2BC5-4993-A7E0-263CBC35154E}.exe

Filesize
192KB

MD5
280aacf8abfad911b6042833694472f9

SHA1
4f3e4eb6feb0573af2dfd26b9b08d548199b2dfb

SHA256
20c71a0b87ccc6e37823436f9353ce8f8035326c4299e0e7298c0eecd1d4b968

SHA512
8854d0fe6153cc6b71fc29e393bdda263b70d384b1b4cf4e75f0600bc2d0e433e53673c8caac9e37ac6b14bdcb8c1f3c111a314a2c85a221026edcff30e9a432

Download Submit
C:\Windows\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe

Filesize
192KB

MD5
d1935e34999e1fd0cc6defd738870049

SHA1
6264d0a2c6289034d4bb2a50e34077e09c3f3dd9

SHA256
8a086ac74e603b2a70c46db739192e41f85692fa0f91ee69f42722fd46fa95dc

SHA512
8cf37400fac6bf3d35172e935e75809e3f77633154bf1609d491b780865ebe2af7f9309009bf3f48b407a51ffbf147e9cdf9446ced6e878c7b416d23277a07c3

Download Submit
C:\Windows\{A4980CF5-FAED-42c2-8724-03115E67FCE1}.exe

Filesize
192KB

MD5
d1935e34999e1fd0cc6defd738870049

SHA1
6264d0a2c6289034d4bb2a50e34077e09c3f3dd9

SHA256
8a086ac74e603b2a70c46db739192e41f85692fa0f91ee69f42722fd46fa95dc

SHA512
8cf37400fac6bf3d35172e935e75809e3f77633154bf1609d491b780865ebe2af7f9309009bf3f48b407a51ffbf147e9cdf9446ced6e878c7b416d23277a07c3

Download Submit
C:\Windows\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe

Filesize
192KB

MD5
5f01690a9a1c89266105e8b855952b9f

SHA1
d12a368c0075a519f989b4a9b8ec908f557208c2

SHA256
ce033ba52f5e72007fa43721f762047346f70cf9542bf0dc51af43a0e5fba36a

SHA512
23528df6a0d6eff298c4fd3055231e755497d5de49b88921c57d62b0daff6686674df7be9c091f0575d95d77366b39220b294b25118685f3afce27c5518c69e6

Download Submit
C:\Windows\{C96BF710-61D4-4742-A66F-2E34AC02226B}.exe

Filesize
192KB

MD5
5f01690a9a1c89266105e8b855952b9f

SHA1
d12a368c0075a519f989b4a9b8ec908f557208c2

SHA256
ce033ba52f5e72007fa43721f762047346f70cf9542bf0dc51af43a0e5fba36a

SHA512
23528df6a0d6eff298c4fd3055231e755497d5de49b88921c57d62b0daff6686674df7be9c091f0575d95d77366b39220b294b25118685f3afce27c5518c69e6

Download Submit
C:\Windows\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe

Filesize
192KB

MD5
031c9b3531ffafb6065f01993dd97bff

SHA1
c8210fc0758656c1bea70aefe0e8ff33df2dc2b7

SHA256
394719f447d674d8f180c7649a05d07989d8a53a57a500bb1ce305ffe1bf8666

SHA512
f043b80838859f4e792839930e30e917c6af2b5bfcebc27e9706a09981f47504b7e8b199a9b34a2095093f53fa1e094cd707a92d39094134e686b1cbfe86e8a1

Download Submit
C:\Windows\{CA185E05-9C27-4c61-8857-79BF1A009CE5}.exe

Filesize
192KB

MD5
031c9b3531ffafb6065f01993dd97bff

SHA1
c8210fc0758656c1bea70aefe0e8ff33df2dc2b7

SHA256
394719f447d674d8f180c7649a05d07989d8a53a57a500bb1ce305ffe1bf8666

SHA512
f043b80838859f4e792839930e30e917c6af2b5bfcebc27e9706a09981f47504b7e8b199a9b34a2095093f53fa1e094cd707a92d39094134e686b1cbfe86e8a1

Download Submit
C:\Windows\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe

Filesize
192KB

MD5
a602171a80d022bf386b9062fcc9cbb7

SHA1
c6f623be666a9cda16fbc5884b38964fbea73dab

SHA256
5c1b07cfb04a032306841f38cfdb7d03831618130ac6f0bb27813f5b4b24b5bc

SHA512
77279789c71da4eb4c3eb43d40c0328d279aedb83678e2ea8f7bb36c33dcd31a8725e3de74352de93343c9e4b8a742d47e474c6f0c815598898361620dbadd03

Download Submit
C:\Windows\{D10D2A56-AD2A-4a25-9EDD-42134D43D4BD}.exe

Filesize
192KB

MD5
a602171a80d022bf386b9062fcc9cbb7

SHA1
c6f623be666a9cda16fbc5884b38964fbea73dab

SHA256
5c1b07cfb04a032306841f38cfdb7d03831618130ac6f0bb27813f5b4b24b5bc

SHA512
77279789c71da4eb4c3eb43d40c0328d279aedb83678e2ea8f7bb36c33dcd31a8725e3de74352de93343c9e4b8a742d47e474c6f0c815598898361620dbadd03

Download Submit
C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe

Filesize
192KB

MD5
54e2aab0d40f6f22e2715d7a842e03b4

SHA1
bc9bced19c7098a317a6daeb8b933a1b1e12dc96

SHA256
435bb0438015fa1abe4866967acb93e7bc29f75f28c80be185f90aa82e9d8a1c

SHA512
cd8da0e70e554b6ccab71164dd5721d4d3bfc4d89f1f584e4c521bb0b05dbbeddcb5bf118feeb1372f0ce2e3e94d3081d6cb5d544ac39bec861f239784ae8dce

Download Submit
C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe

Filesize
192KB

MD5
54e2aab0d40f6f22e2715d7a842e03b4

SHA1
bc9bced19c7098a317a6daeb8b933a1b1e12dc96

SHA256
435bb0438015fa1abe4866967acb93e7bc29f75f28c80be185f90aa82e9d8a1c

SHA512
cd8da0e70e554b6ccab71164dd5721d4d3bfc4d89f1f584e4c521bb0b05dbbeddcb5bf118feeb1372f0ce2e3e94d3081d6cb5d544ac39bec861f239784ae8dce

Download Submit
C:\Windows\{F3500AC0-889C-41cf-A6DA-FDA44F0BB080}.exe

Filesize
192KB

MD5
54e2aab0d40f6f22e2715d7a842e03b4

SHA1
bc9bced19c7098a317a6daeb8b933a1b1e12dc96

SHA256
435bb0438015fa1abe4866967acb93e7bc29f75f28c80be185f90aa82e9d8a1c

SHA512
cd8da0e70e554b6ccab71164dd5721d4d3bfc4d89f1f584e4c521bb0b05dbbeddcb5bf118feeb1372f0ce2e3e94d3081d6cb5d544ac39bec861f239784ae8dce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads