e510a63fb1c50aededcced2325670522ed891d7fcfde862ccef3d83f54f1db5f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Size

192KB
MD5

75fb0ac38426f258484d85c02ae477d4
SHA1

a1b381dc966cc7c4ddae380a87d5857388c8e91f
SHA256

e510a63fb1c50aededcced2325670522ed891d7fcfde862ccef3d83f54f1db5f
SHA512

193cdec3db916ffd55e0a5a0f45df659918c08b83a6c0867e2ba50fdf43f69d82efe53b709124039a9133bfe9c07b0fb03096d83951b195f36369fd334508ce7
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64A3386-207B-4f59-A32C-B967A55A0457}\stubpath = "C:\\Windows\\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe"	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC141688-1D3A-4d4f-B561-11E538284826}	{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}\stubpath = "C:\\Windows\\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe"	{BC141688-1D3A-4d4f-B561-11E538284826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5599651C-5EC0-45f1-BD31-9D2D123069A5}\stubpath = "C:\\Windows\\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe"	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}\stubpath = "C:\\Windows\\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe"	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}\stubpath = "C:\\Windows\\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe"	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}\stubpath = "C:\\Windows\\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe"	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64A3386-207B-4f59-A32C-B967A55A0457}	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}	{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5599651C-5EC0-45f1-BD31-9D2D123069A5}	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}\stubpath = "C:\\Windows\\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe"	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC141688-1D3A-4d4f-B561-11E538284826}\stubpath = "C:\\Windows\\{BC141688-1D3A-4d4f-B561-11E538284826}.exe"	{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}	{BC141688-1D3A-4d4f-B561-11E538284826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51943C5A-5421-4ac8-A864-EA11089B6781}	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51943C5A-5421-4ac8-A864-EA11089B6781}\stubpath = "C:\\Windows\\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe"	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}\stubpath = "C:\\Windows\\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe"	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}\stubpath = "C:\\Windows\\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe"	{D64A3386-207B-4f59-A32C-B967A55A0457}.exe

Deletes itself 1 IoCs

pid	Process
1060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
2000	{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
1668	{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
3016	{BC141688-1D3A-4d4f-B561-11E538284826}.exe
2256	{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
File created	C:\Windows\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
File created	C:\Windows\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe	{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
File created	C:\Windows\{BC141688-1D3A-4d4f-B561-11E538284826}.exe	{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
File created	C:\Windows\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe	{BC141688-1D3A-4d4f-B561-11E538284826}.exe
File created	C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
File created	C:\Windows\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
File created	C:\Windows\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
File created	C:\Windows\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
File created	C:\Windows\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
File created	C:\Windows\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
Token: SeIncBasePriorityPrivilege	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
Token: SeIncBasePriorityPrivilege	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
Token: SeIncBasePriorityPrivilege	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
Token: SeIncBasePriorityPrivilege	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
Token: SeIncBasePriorityPrivilege	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
Token: SeIncBasePriorityPrivilege	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
Token: SeIncBasePriorityPrivilege	2000	{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
Token: SeIncBasePriorityPrivilege	1668	{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
Token: SeIncBasePriorityPrivilege	3016	{BC141688-1D3A-4d4f-B561-11E538284826}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2880	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	28
PID 2776 wrote to memory of 2880	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	28
PID 2776 wrote to memory of 2880	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	28
PID 2776 wrote to memory of 2880	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	28
PID 2776 wrote to memory of 1060	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	29
PID 2776 wrote to memory of 1060	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	29
PID 2776 wrote to memory of 1060	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	29
PID 2776 wrote to memory of 1060	2776	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	29
PID 2880 wrote to memory of 2936	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	32
PID 2880 wrote to memory of 2936	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	32
PID 2880 wrote to memory of 2936	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	32
PID 2880 wrote to memory of 2936	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	32
PID 2880 wrote to memory of 2088	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	33
PID 2880 wrote to memory of 2088	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	33
PID 2880 wrote to memory of 2088	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	33
PID 2880 wrote to memory of 2088	2880	{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe	33
PID 2936 wrote to memory of 1732	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	34
PID 2936 wrote to memory of 1732	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	34
PID 2936 wrote to memory of 1732	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	34
PID 2936 wrote to memory of 1732	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	34
PID 2936 wrote to memory of 2736	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	35
PID 2936 wrote to memory of 2736	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	35
PID 2936 wrote to memory of 2736	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	35
PID 2936 wrote to memory of 2736	2936	{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe	35
PID 1732 wrote to memory of 2868	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	36
PID 1732 wrote to memory of 2868	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	36
PID 1732 wrote to memory of 2868	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	36
PID 1732 wrote to memory of 2868	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	36
PID 1732 wrote to memory of 2980	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	37
PID 1732 wrote to memory of 2980	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	37
PID 1732 wrote to memory of 2980	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	37
PID 1732 wrote to memory of 2980	1732	{51943C5A-5421-4ac8-A864-EA11089B6781}.exe	37
PID 2868 wrote to memory of 2728	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	38
PID 2868 wrote to memory of 2728	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	38
PID 2868 wrote to memory of 2728	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	38
PID 2868 wrote to memory of 2728	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	38
PID 2868 wrote to memory of 2816	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	39
PID 2868 wrote to memory of 2816	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	39
PID 2868 wrote to memory of 2816	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	39
PID 2868 wrote to memory of 2816	2868	{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe	39
PID 2728 wrote to memory of 1728	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	40
PID 2728 wrote to memory of 1728	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	40
PID 2728 wrote to memory of 1728	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	40
PID 2728 wrote to memory of 1728	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	40
PID 2728 wrote to memory of 2192	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	41
PID 2728 wrote to memory of 2192	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	41
PID 2728 wrote to memory of 2192	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	41
PID 2728 wrote to memory of 2192	2728	{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe	41
PID 1728 wrote to memory of 576	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	42
PID 1728 wrote to memory of 576	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	42
PID 1728 wrote to memory of 576	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	42
PID 1728 wrote to memory of 576	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	42
PID 1728 wrote to memory of 932	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	43
PID 1728 wrote to memory of 932	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	43
PID 1728 wrote to memory of 932	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	43
PID 1728 wrote to memory of 932	1728	{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe	43
PID 576 wrote to memory of 2000	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	44
PID 576 wrote to memory of 2000	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	44
PID 576 wrote to memory of 2000	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	44
PID 576 wrote to memory of 2000	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	44
PID 576 wrote to memory of 988	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	45
PID 576 wrote to memory of 988	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	45
PID 576 wrote to memory of 988	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	45
PID 576 wrote to memory of 988	576	{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe	45

C:\Users\Admin\AppData\Local\Temp\75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
  C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
    C:\Windows\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
      C:\Windows\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
        
        C:\Windows\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
        
        C:\Windows\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
        
        C:\Windows\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
        
        C:\Windows\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
        
        C:\Windows\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
        
        C:\Windows\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{606C3~1.EXE > nul
        11⤵
        
        PID:3044
        
        C:\Windows\{BC141688-1D3A-4d4f-B561-11E538284826}.exe
        
        C:\Windows\{BC141688-1D3A-4d4f-B561-11E538284826}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe
        
        C:\Windows\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC141~1.EXE > nul
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64A3~1.EXE > nul
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A17E~1.EXE > nul
        9⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCFAC~1.EXE > nul
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F75~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9206C~1.EXE > nul
        6⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51943~1.EXE > nul
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7A3~1.EXE > nul
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{55996~1.EXE > nul
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\75FB0A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe

Filesize
192KB

MD5
3ca7ba1eb181e71bdd6d524d2e35f342

SHA1
c5fbd6eeb5fbeac4dd2b1a480391cce76c4c7fb0

SHA256
20078257e45cfe2d45a79a7842a524f6545ffaeb946b2bb4c5e45ee609445bb8

SHA512
06b19df851abc1f30e51ac72044a9d05d6f2f8f6a884f6a7ebcfad362a0c90f4210dd7abf5809ac582790a0ce09d77ac9771a938d8b12077a17b16f36502a621

Download Submit
C:\Windows\{17F75FDE-D721-4ea2-8CC2-6C31B82CD79D}.exe

Filesize
192KB

MD5
3ca7ba1eb181e71bdd6d524d2e35f342

SHA1
c5fbd6eeb5fbeac4dd2b1a480391cce76c4c7fb0

SHA256
20078257e45cfe2d45a79a7842a524f6545ffaeb946b2bb4c5e45ee609445bb8

SHA512
06b19df851abc1f30e51ac72044a9d05d6f2f8f6a884f6a7ebcfad362a0c90f4210dd7abf5809ac582790a0ce09d77ac9771a938d8b12077a17b16f36502a621

Download Submit
C:\Windows\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe

Filesize
192KB

MD5
3c7e7d22ae4ddf586f74fcd39c6edb55

SHA1
de6e934b858d2f2bd0c87fa1a0210d54d681b596

SHA256
f1d875c8e5c3274eac048af7159667ce09630c6f8c3a02241dc11c5991c6c046

SHA512
16d4baf44982c47b9cf7e8997adcdd572229d90d264fe281e7102acaf88eee1756e1b8d574cc0a78cbe1f6732da86f818fede6147741bdc303dca0bc1bbb3999

Download Submit
C:\Windows\{1A17E392-DCD5-47cf-BEDE-581E09A241CD}.exe

Filesize
192KB

MD5
3c7e7d22ae4ddf586f74fcd39c6edb55

SHA1
de6e934b858d2f2bd0c87fa1a0210d54d681b596

SHA256
f1d875c8e5c3274eac048af7159667ce09630c6f8c3a02241dc11c5991c6c046

SHA512
16d4baf44982c47b9cf7e8997adcdd572229d90d264fe281e7102acaf88eee1756e1b8d574cc0a78cbe1f6732da86f818fede6147741bdc303dca0bc1bbb3999

Download Submit
C:\Windows\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe

Filesize
192KB

MD5
184369fe71b7a26ab3eada130390a35f

SHA1
f0547332e8f2c4523a227615d254e7c982bb281a

SHA256
63a46f4e6a78afd4ecff04972a0331ee9a902617eca9d858ee05b752ba5fc0c5

SHA512
d98749bcff3ddf7760bf6fd131604817b8ab8038b0862e26c165be7864251f05f94eac12ccd29bb3c1275682fa7606eeac8809f2109c5240e106edf7c38a77c5

Download Submit
C:\Windows\{1D7A3491-A41B-4de7-BFDF-7D78ABA27086}.exe

Filesize
192KB

MD5
184369fe71b7a26ab3eada130390a35f

SHA1
f0547332e8f2c4523a227615d254e7c982bb281a

SHA256
63a46f4e6a78afd4ecff04972a0331ee9a902617eca9d858ee05b752ba5fc0c5

SHA512
d98749bcff3ddf7760bf6fd131604817b8ab8038b0862e26c165be7864251f05f94eac12ccd29bb3c1275682fa7606eeac8809f2109c5240e106edf7c38a77c5

Download Submit
C:\Windows\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe

Filesize
192KB

MD5
415db57dbf4309851a1f7116c01ed62c

SHA1
f2ccfc5ba4d85b30dc5dd69bf4217aaaf8b32bb9

SHA256
9434ec07f2915d1c9cfb2bb7d41eb7151c2ff89aa0ae0822c981b0f5237c8e99

SHA512
a98e2dc59da9da80edc01810d9ab0ec578b847ba77db35bd9505292f5e8eee558efa5354d6ab0ea99c438637ada9cfff138096ad540a9c19578020696094605c

Download Submit
C:\Windows\{51943C5A-5421-4ac8-A864-EA11089B6781}.exe

Filesize
192KB

MD5
415db57dbf4309851a1f7116c01ed62c

SHA1
f2ccfc5ba4d85b30dc5dd69bf4217aaaf8b32bb9

SHA256
9434ec07f2915d1c9cfb2bb7d41eb7151c2ff89aa0ae0822c981b0f5237c8e99

SHA512
a98e2dc59da9da80edc01810d9ab0ec578b847ba77db35bd9505292f5e8eee558efa5354d6ab0ea99c438637ada9cfff138096ad540a9c19578020696094605c

Download Submit
C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe

Filesize
192KB

MD5
e12200c4b0eafb5bc4d9e549d5feeda5

SHA1
3c7274771d77dfa09ca9fa8524cd084c3036aa1c

SHA256
6cc042fa777a673442c4d9e91f3c01a913417b0defb513d6c880d69891d563a1

SHA512
03f503acb43c2127fd2c582900dffb826c788f92bc4eb7872c176fe791bb91f918f3fd062c4732a7b4f34e2de3c21b6a9816b47dadddd9bea1bcb9088c457f01

Download Submit
C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe

Filesize
192KB

MD5
e12200c4b0eafb5bc4d9e549d5feeda5

SHA1
3c7274771d77dfa09ca9fa8524cd084c3036aa1c

SHA256
6cc042fa777a673442c4d9e91f3c01a913417b0defb513d6c880d69891d563a1

SHA512
03f503acb43c2127fd2c582900dffb826c788f92bc4eb7872c176fe791bb91f918f3fd062c4732a7b4f34e2de3c21b6a9816b47dadddd9bea1bcb9088c457f01

Download Submit
C:\Windows\{5599651C-5EC0-45f1-BD31-9D2D123069A5}.exe

Filesize
192KB

MD5
e12200c4b0eafb5bc4d9e549d5feeda5

SHA1
3c7274771d77dfa09ca9fa8524cd084c3036aa1c

SHA256
6cc042fa777a673442c4d9e91f3c01a913417b0defb513d6c880d69891d563a1

SHA512
03f503acb43c2127fd2c582900dffb826c788f92bc4eb7872c176fe791bb91f918f3fd062c4732a7b4f34e2de3c21b6a9816b47dadddd9bea1bcb9088c457f01

Download Submit
C:\Windows\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe

Filesize
192KB

MD5
0f5d659e4b17c282d75921669c1b6e57

SHA1
47de62d7b985a78cf3d00e2698290921571c0e9c

SHA256
50b84c02efee599b4a145383a667d0a817c7b382121aed5cdd0979706ed36760

SHA512
0501af538d26362f7624f11bca0d015d13a2508dd33538af18a92af1ddecdf6483e7c10722e3984f81752f0c8a34544ae2109425b7603bc083688f8d5e3fd72e

Download Submit
C:\Windows\{606C314D-CBBC-41eb-8CE6-95AF35CA48D4}.exe

Filesize
192KB

MD5
0f5d659e4b17c282d75921669c1b6e57

SHA1
47de62d7b985a78cf3d00e2698290921571c0e9c

SHA256
50b84c02efee599b4a145383a667d0a817c7b382121aed5cdd0979706ed36760

SHA512
0501af538d26362f7624f11bca0d015d13a2508dd33538af18a92af1ddecdf6483e7c10722e3984f81752f0c8a34544ae2109425b7603bc083688f8d5e3fd72e

Download Submit
C:\Windows\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe

Filesize
192KB

MD5
dcd2193a1738bd254dc8477f89ca95b4

SHA1
4aa6bed3b3af0b553a68ea655073783f2d7eb40d

SHA256
73c070eff085d092eab02d36b74da2513dc2b7efddc42d51b85ab3ae893a1ae3

SHA512
b1ba8bcbca18b400040e9297b28ff7bec30bfeaf1d79bdd661694fac6a600202a869991f7b137077086facc59a156340c793130fa745608ca0c450fb94516b7b

Download Submit
C:\Windows\{9206C936-C8B7-4ab9-BB91-EAE2461224DA}.exe

Filesize
192KB

MD5
dcd2193a1738bd254dc8477f89ca95b4

SHA1
4aa6bed3b3af0b553a68ea655073783f2d7eb40d

SHA256
73c070eff085d092eab02d36b74da2513dc2b7efddc42d51b85ab3ae893a1ae3

SHA512
b1ba8bcbca18b400040e9297b28ff7bec30bfeaf1d79bdd661694fac6a600202a869991f7b137077086facc59a156340c793130fa745608ca0c450fb94516b7b

Download Submit
C:\Windows\{BC141688-1D3A-4d4f-B561-11E538284826}.exe

Filesize
192KB

MD5
c3aacfc6f363884da95153605ee7cd75

SHA1
cc2cf9a1a73b1c96a64a1d44e1d6218e9a21b115

SHA256
0ca1be21a862336196988eff8b3d372b62f88604ff756094732f980370701ab6

SHA512
d85f204eafe6a6fc2600728916b1d821ac829f68c887d3c36f9fd3e06dfccdb4556325212d1da567b9475dc9e9ec87c8d6453ecae5835d54c3fd3c15ffdf0db2

Download Submit
C:\Windows\{BC141688-1D3A-4d4f-B561-11E538284826}.exe

Filesize
192KB

MD5
c3aacfc6f363884da95153605ee7cd75

SHA1
cc2cf9a1a73b1c96a64a1d44e1d6218e9a21b115

SHA256
0ca1be21a862336196988eff8b3d372b62f88604ff756094732f980370701ab6

SHA512
d85f204eafe6a6fc2600728916b1d821ac829f68c887d3c36f9fd3e06dfccdb4556325212d1da567b9475dc9e9ec87c8d6453ecae5835d54c3fd3c15ffdf0db2

Download Submit
C:\Windows\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe

Filesize
192KB

MD5
52481985d444db170cf4afd1d38804cc

SHA1
bbecce8ff983a5eb4785d08ad949c7797fd9b06c

SHA256
1b7e465100570ef28935df799d6542ed22dadc76cdcd5051e99afa98f77edd16

SHA512
6dafb2dc070821d881740baee034727d2ec19e72f53234bac8659cc677efaeaf3cb7c4d9ea837cd6e1e192cf1e29f2fd86413639c3dee8c10a08e89e8f66c82f

Download Submit
C:\Windows\{CCFACCEA-40C3-4f93-B11E-1F7820EBCBA0}.exe

Filesize
192KB

MD5
52481985d444db170cf4afd1d38804cc

SHA1
bbecce8ff983a5eb4785d08ad949c7797fd9b06c

SHA256
1b7e465100570ef28935df799d6542ed22dadc76cdcd5051e99afa98f77edd16

SHA512
6dafb2dc070821d881740baee034727d2ec19e72f53234bac8659cc677efaeaf3cb7c4d9ea837cd6e1e192cf1e29f2fd86413639c3dee8c10a08e89e8f66c82f

Download Submit
C:\Windows\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe

Filesize
192KB

MD5
5581c10c2ce71b33efb9a2da4eea1523

SHA1
15c13e9bb219ae5f06969d3e4d0935b65c29b95e

SHA256
e8283da2d3545ff40c4ef99da2d9b258c71113c29573ab7205d338ea5b768924

SHA512
6c6022a83b5584a51159e319eda05062b9180098baeb264962b3edbffd6ccc894284245817d3428f86b4b78f8c766eef4cb61cc8518591c012d0fd58678a5892

Download Submit
C:\Windows\{D64A3386-207B-4f59-A32C-B967A55A0457}.exe

Filesize
192KB

MD5
5581c10c2ce71b33efb9a2da4eea1523

SHA1
15c13e9bb219ae5f06969d3e4d0935b65c29b95e

SHA256
e8283da2d3545ff40c4ef99da2d9b258c71113c29573ab7205d338ea5b768924

SHA512
6c6022a83b5584a51159e319eda05062b9180098baeb264962b3edbffd6ccc894284245817d3428f86b4b78f8c766eef4cb61cc8518591c012d0fd58678a5892

Download Submit
C:\Windows\{ED898D3B-BBB3-4e60-9541-290B70FBEE3A}.exe

Filesize
192KB

MD5
d23c7412c569083f084aca2ad9ec7e8a

SHA1
cb58f9016fdc82ff24f690c5b255ccb07aeb0389

SHA256
8a61f066adc96d44662fd0925ea5351401bdbc4055b940e5e55c678e991ef479

SHA512
b6c552568145707793a8f7057937ecfeb55754c90443d22448e76505c060a227f28643185962abd685632d1c3dc5dc5b2c11573a69888e9acbf0c80d9487aa8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads