d84598cf75d9e6e532c45adf612f278948374b79b916364faff4aef1beef611b

Analysis

max time kernel
163s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
Size

216KB
MD5

25094715150b656de14553c301e77d97
SHA1

cbf90de71eebda620e2c3fb82d376bae4a4c64f4
SHA256

d84598cf75d9e6e532c45adf612f278948374b79b916364faff4aef1beef611b
SHA512

5b3b3c5a1a1162754d4f3552e05becef90ad036254c2393b261ee5021708e1663a10d04d88374ea812344354a768c7e3a39e46b73bff3ca58c16b7a1a602bb11
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}\stubpath = "C:\\Windows\\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe"	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8538E637-1344-40f9-AD2C-678232922556}\stubpath = "C:\\Windows\\{8538E637-1344-40f9-AD2C-678232922556}.exe"	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F41F85F4-1839-4242-8094-BA1F6518BA9C}\stubpath = "C:\\Windows\\{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe"	{8538E637-1344-40f9-AD2C-678232922556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4C152FF-35EA-4c6d-9121-34723BBD982E}\stubpath = "C:\\Windows\\{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe"	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D390C52-5B59-4d43-B19E-94275DC93502}	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}\stubpath = "C:\\Windows\\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe"	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4C152FF-35EA-4c6d-9121-34723BBD982E}	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8538E637-1344-40f9-AD2C-678232922556}	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F41F85F4-1839-4242-8094-BA1F6518BA9C}	{8538E637-1344-40f9-AD2C-678232922556}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A887F2-E1DC-4197-ACE9-B8E64086909D}	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A887F2-E1DC-4197-ACE9-B8E64086909D}\stubpath = "C:\\Windows\\{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe"	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D390C52-5B59-4d43-B19E-94275DC93502}\stubpath = "C:\\Windows\\{3D390C52-5B59-4d43-B19E-94275DC93502}.exe"	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}\stubpath = "C:\\Windows\\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe"	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}\stubpath = "C:\\Windows\\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe"	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe

Executes dropped EXE 9 IoCs

pid	Process
2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
1132	{8538E637-1344-40f9-AD2C-678232922556}.exe
3916	{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
File created	C:\Windows\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
File created	C:\Windows\{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
File created	C:\Windows\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
File created	C:\Windows\{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
File created	C:\Windows\{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
File created	C:\Windows\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
File created	C:\Windows\{8538E637-1344-40f9-AD2C-678232922556}.exe	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
File created	C:\Windows\{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe	{8538E637-1344-40f9-AD2C-678232922556}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
Token: SeIncBasePriorityPrivilege	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
Token: SeIncBasePriorityPrivilege	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
Token: SeIncBasePriorityPrivilege	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
Token: SeIncBasePriorityPrivilege	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
Token: SeIncBasePriorityPrivilege	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
Token: SeIncBasePriorityPrivilege	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
Token: SeIncBasePriorityPrivilege	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2368	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	95
PID 5064 wrote to memory of 2368	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	95
PID 5064 wrote to memory of 2368	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	95
PID 5064 wrote to memory of 4152	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	96
PID 5064 wrote to memory of 4152	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	96
PID 5064 wrote to memory of 4152	5064	2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe	96
PID 2368 wrote to memory of 3780	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	98
PID 2368 wrote to memory of 3780	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	98
PID 2368 wrote to memory of 3780	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	98
PID 2368 wrote to memory of 4500	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	99
PID 2368 wrote to memory of 4500	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	99
PID 2368 wrote to memory of 4500	2368	{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe	99
PID 3780 wrote to memory of 3760	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	101
PID 3780 wrote to memory of 3760	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	101
PID 3780 wrote to memory of 3760	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	101
PID 3780 wrote to memory of 3732	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	100
PID 3780 wrote to memory of 3732	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	100
PID 3780 wrote to memory of 3732	3780	{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe	100
PID 3760 wrote to memory of 4512	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	103
PID 3760 wrote to memory of 4512	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	103
PID 3760 wrote to memory of 4512	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	103
PID 3760 wrote to memory of 2120	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	104
PID 3760 wrote to memory of 2120	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	104
PID 3760 wrote to memory of 2120	3760	{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe	104
PID 4512 wrote to memory of 4420	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	105
PID 4512 wrote to memory of 4420	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	105
PID 4512 wrote to memory of 4420	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	105
PID 4512 wrote to memory of 468	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	106
PID 4512 wrote to memory of 468	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	106
PID 4512 wrote to memory of 468	4512	{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe	106
PID 4420 wrote to memory of 2716	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	110
PID 4420 wrote to memory of 2716	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	110
PID 4420 wrote to memory of 2716	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	110
PID 4420 wrote to memory of 3916	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	111
PID 4420 wrote to memory of 3916	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	111
PID 4420 wrote to memory of 3916	4420	{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe	111
PID 2716 wrote to memory of 3852	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	117
PID 2716 wrote to memory of 3852	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	117
PID 2716 wrote to memory of 3852	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	117
PID 2716 wrote to memory of 1840	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	118
PID 2716 wrote to memory of 1840	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	118
PID 2716 wrote to memory of 1840	2716	{3D390C52-5B59-4d43-B19E-94275DC93502}.exe	118
PID 3852 wrote to memory of 1132	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	122
PID 3852 wrote to memory of 1132	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	122
PID 3852 wrote to memory of 1132	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	122
PID 3852 wrote to memory of 2576	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	123
PID 3852 wrote to memory of 2576	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	123
PID 3852 wrote to memory of 2576	3852	{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe	123
PID 1132 wrote to memory of 3916	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	128
PID 1132 wrote to memory of 3916	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	128
PID 1132 wrote to memory of 3916	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	128
PID 1132 wrote to memory of 1908	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	129
PID 1132 wrote to memory of 1908	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	129
PID 1132 wrote to memory of 1908	1132	{8538E637-1344-40f9-AD2C-678232922556}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_25094715150b656de14553c301e77d97_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
  C:\Windows\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
    C:\Windows\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34D03~1.EXE > nul
      4⤵
      PID:3732
  - - C:\Windows\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
      C:\Windows\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
        
        C:\Windows\{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
        
        C:\Windows\{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
        
        C:\Windows\{3D390C52-5B59-4d43-B19E-94275DC93502}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
        
        C:\Windows\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{8538E637-1344-40f9-AD2C-678232922556}.exe
        
        C:\Windows\{8538E637-1344-40f9-AD2C-678232922556}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe
        
        C:\Windows\{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe
        10⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8538E~1.EXE > nul
        10⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4937B~1.EXE > nul
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D390~1.EXE > nul
        8⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82A88~1.EXE > nul
        7⤵
        
        PID:3916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C15~1.EXE > nul
        6⤵
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3CF1~1.EXE > nul
        5⤵
        
        PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83F3A~1.EXE > nul
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34D038C7-CDD8-4900-867A-E6EE8543E0B3}.exe

Filesize
216KB

MD5
daae9a2b261c305f6ad54049adfc5240

SHA1
82ea8e08cc482a730f8ee611d808dabe2b362bd6

SHA256
96de4f28a9b62a4ca7afca4d0af67918834097ebf9b7e582f09758d158dcf8a5

SHA512
cccfd965446805a9a0435ed8e218bfa28c0e71decd3a771078cba84e7062821ae7d11de53bb832f478953c631664e5b4ac24e002d70d06908bd90e6fd8d8e20d

Download Submit
C:\Windows\{3D390C52-5B59-4d43-B19E-94275DC93502}.exe

Filesize
216KB

MD5
2c614b38ae099b3f51c4658daa43706f

SHA1
dc13fcce1f17a8867d42b1fdedeb03281abdf192

SHA256
9736c4eafcac45f3e2fec9ae8f0b5c61b50eaa6ee6a55fd4d8cca0fbdecdc3f8

SHA512
7e5276cfeb78467b128c239e8e0b60db0b98d55b97f5d1692f4020937af64bb7ad64bd0d6df8a5d98748cee9ccc8786be7682531f5d698efd0ddf303b92325fb

Download Submit
C:\Windows\{4937B9A7-8EAA-409b-9E7E-7FAD844E417A}.exe

Filesize
216KB

MD5
5ac47f8985f905a7d5919d4370eb3a54

SHA1
0333e8750870a8b39eb94bbb3939252d04391e5d

SHA256
b7d8970db9d6c34fb0ca96a3c73a97c8fa40f59e6fc728d0d92c829402423bf7

SHA512
c92a4ce820cdc391725c38b54fa0dc65e8f5962eee2de405f1b67fa8512a16e628069976e4218ccc62071d3dd7e270bb45ac9946210d2af4a5f03d31d9d19e31

Download Submit
C:\Windows\{82A887F2-E1DC-4197-ACE9-B8E64086909D}.exe

Filesize
216KB

MD5
c9296b79195631c0efd6ed925bf7ae5f

SHA1
b5fe778b85b95e0db1945c78042d95f4b8cfe9c0

SHA256
a115d45edb8b1fd665f5aa784de21fbcf62bd659441753c636344bcddba8ee3e

SHA512
d9bd3ab960bd7949e2dd12e8e6ccdd006d460381aed9900d03b3153eaf5625bb149b80858d18165b8abdfcce3751156bfb59c9675330da89888c6041608cd1b7

Download Submit
C:\Windows\{83F3A6DC-7F51-4ca3-B51E-47A9E1E3B556}.exe

Filesize
216KB

MD5
0941146a5c07ab2f984dd09a696817cb

SHA1
71eb186aeb255a55a36296585e87aa7fb2395537

SHA256
be97ab27fd5933a9db8f74900b3403919b38d57fb63f3334c5718d0275c7551c

SHA512
611fa8d3f59624f8b09efba5848f606ece0b7c09bbec5d74dbdf20997e306102d9710c5527da5535a2a76d1740c0605e3ba660b7e2969fb2f7e8bc510d84c2c5

Download Submit
C:\Windows\{8538E637-1344-40f9-AD2C-678232922556}.exe

Filesize
216KB

MD5
67ca733423df8d63620c1378067e75f3

SHA1
5887097e110b009e6bc2459205356866e3e3138e

SHA256
c090aa232866fe11c640deaa60ebec1419eb6617859d89d0a1ad03b499cc0b94

SHA512
505afb628791ad60bf114b6da2dbb3026af46c9815deb653c81a6d9e825debca329c14d9d8a338752b2a8960b54483c66365fbfaaf73eccb7b0b0c785b029eb2

Download Submit
C:\Windows\{C4C152FF-35EA-4c6d-9121-34723BBD982E}.exe

Filesize
216KB

MD5
cf342000b921ec2b080eec05edf9451f

SHA1
1ad7a13e28b8b757cc9305b16c73659e520f9b81

SHA256
f502229a64cb5d60e01b726d179abe78fdb57c3a4ba39458e4ff1089499448fa

SHA512
1415585dcf74bc8cf2747a44179b5c54a8ca4d8f71a1f0ac477f2be892ca0019db3ec375c7d758be692b1d75fee6ae045c9120d634f55da9be0501e8e17f7c6b

Download Submit
C:\Windows\{F3CF1CE3-33E2-4cd1-B9BC-2EC524333E15}.exe

Filesize
216KB

MD5
64c8138e9247f15e0236c950e78e6e74

SHA1
117e9fd09b26d7a402d8d514f9b7287fd0853fce

SHA256
39c543b97f44ac1ec18a9eed859c0ee7a71a15d928c97262d779d1c568b874f2

SHA512
9e0a4af14d48ffce4749515aab822f87becd18a5b3945fc784c10697fc85ca7227e077d288309e63c0b23dead683069e96cfe75e3c02a1b5dfdf85623264d4b6

Download Submit
C:\Windows\{F41F85F4-1839-4242-8094-BA1F6518BA9C}.exe

Filesize
216KB

MD5
e9194f1ba6e6c179b9cbe11dd3f8ca04

SHA1
c952b37229feeb6ef49b91e4e0198f360de326b9

SHA256
4d8beaa7fb7ca926f1ed0e3828cd9c96aadb4726102347932a2e6d9385512711

SHA512
2e0debbc142a3ba4b5ab4d40c3fd0daba3bb962e038cd79bac7e256daa333846f7e98ceddc145a3a183688decd071e2fb0ff79eaec7313404ee130ea4d33da3a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads