b8ac347b2d8740f39d636c21c9b375a8d0005d22acf9c5263fde62b521017cf4

Analysis

max time kernel
207s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
Size

408KB
MD5

d30e9d727e8c25cd0b4b0ce64144977a
SHA1

a5dd3a9dd2ba36fb23b9c4ce01db184965c14662
SHA256

b8ac347b2d8740f39d636c21c9b375a8d0005d22acf9c5263fde62b521017cf4
SHA512

6be0cab6e7d2299ce83b17afad97d5acbe963b2e77bb96c12d01b62937ea7aa3c45f8947ca38f3f79853ae59fd4832e26ec6b85883f8b5f88c244f955df024b0
SSDEEP

3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}\stubpath = "C:\\Windows\\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe"	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}\stubpath = "C:\\Windows\\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe"	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4874D84B-8D67-4384-940B-B047C3F2C5B3}\stubpath = "C:\\Windows\\{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe"	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}\stubpath = "C:\\Windows\\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe"	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DE9660-1048-4e86-B69E-D4A291ACA316}	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DE9660-1048-4e86-B69E-D4A291ACA316}\stubpath = "C:\\Windows\\{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe"	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}\stubpath = "C:\\Windows\\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe"	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}\stubpath = "C:\\Windows\\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe"	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3324139-3D33-42db-930F-E654AC68EA32}	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}\stubpath = "C:\\Windows\\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe"	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4874D84B-8D67-4384-940B-B047C3F2C5B3}	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3324139-3D33-42db-930F-E654AC68EA32}\stubpath = "C:\\Windows\\{F3324139-3D33-42db-930F-E654AC68EA32}.exe"	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe

Executes dropped EXE 9 IoCs

pid	Process
4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
2008	{F3324139-3D33-42db-930F-E654AC68EA32}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
File created	C:\Windows\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
File created	C:\Windows\{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
File created	C:\Windows\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
File created	C:\Windows\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
File created	C:\Windows\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
File created	C:\Windows\{F3324139-3D33-42db-930F-E654AC68EA32}.exe	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
File created	C:\Windows\{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
File created	C:\Windows\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
Token: SeIncBasePriorityPrivilege	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
Token: SeIncBasePriorityPrivilege	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
Token: SeIncBasePriorityPrivilege	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
Token: SeIncBasePriorityPrivilege	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
Token: SeIncBasePriorityPrivilege	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
Token: SeIncBasePriorityPrivilege	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
Token: SeIncBasePriorityPrivilege	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4756	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	90
PID 2132 wrote to memory of 4756	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	90
PID 2132 wrote to memory of 4756	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	90
PID 2132 wrote to memory of 1264	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	91
PID 2132 wrote to memory of 1264	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	91
PID 2132 wrote to memory of 1264	2132	2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe	91
PID 4756 wrote to memory of 3988	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	95
PID 4756 wrote to memory of 3988	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	95
PID 4756 wrote to memory of 3988	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	95
PID 4756 wrote to memory of 2432	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	97
PID 4756 wrote to memory of 2432	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	97
PID 4756 wrote to memory of 2432	4756	{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe	97
PID 3988 wrote to memory of 5092	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	99
PID 3988 wrote to memory of 5092	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	99
PID 3988 wrote to memory of 5092	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	99
PID 3988 wrote to memory of 4396	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	100
PID 3988 wrote to memory of 4396	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	100
PID 3988 wrote to memory of 4396	3988	{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe	100
PID 5092 wrote to memory of 2840	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	102
PID 5092 wrote to memory of 2840	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	102
PID 5092 wrote to memory of 2840	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	102
PID 5092 wrote to memory of 3360	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	103
PID 5092 wrote to memory of 3360	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	103
PID 5092 wrote to memory of 3360	5092	{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe	103
PID 2840 wrote to memory of 5116	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	106
PID 2840 wrote to memory of 5116	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	106
PID 2840 wrote to memory of 5116	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	106
PID 2840 wrote to memory of 60	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	107
PID 2840 wrote to memory of 60	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	107
PID 2840 wrote to memory of 60	2840	{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe	107
PID 5116 wrote to memory of 3776	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	109
PID 5116 wrote to memory of 3776	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	109
PID 5116 wrote to memory of 3776	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	109
PID 5116 wrote to memory of 640	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	110
PID 5116 wrote to memory of 640	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	110
PID 5116 wrote to memory of 640	5116	{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe	110
PID 3776 wrote to memory of 1736	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	112
PID 3776 wrote to memory of 1736	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	112
PID 3776 wrote to memory of 1736	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	112
PID 3776 wrote to memory of 4516	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	113
PID 3776 wrote to memory of 4516	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	113
PID 3776 wrote to memory of 4516	3776	{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe	113
PID 1736 wrote to memory of 1772	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	116
PID 1736 wrote to memory of 1772	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	116
PID 1736 wrote to memory of 1772	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	116
PID 1736 wrote to memory of 2660	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	117
PID 1736 wrote to memory of 2660	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	117
PID 1736 wrote to memory of 2660	1736	{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe	117
PID 1772 wrote to memory of 2008	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	119
PID 1772 wrote to memory of 2008	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	119
PID 1772 wrote to memory of 2008	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	119
PID 1772 wrote to memory of 848	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	120
PID 1772 wrote to memory of 848	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	120
PID 1772 wrote to memory of 848	1772	{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_d30e9d727e8c25cd0b4b0ce64144977a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
  C:\Windows\{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
    C:\Windows\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
      C:\Windows\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
        
        C:\Windows\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
        
        C:\Windows\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
        
        C:\Windows\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
        
        C:\Windows\{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
        
        C:\Windows\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{F3324139-3D33-42db-930F-E654AC68EA32}.exe
        
        C:\Windows\{F3324139-3D33-42db-930F-E654AC68EA32}.exe
        10⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F29B4~1.EXE > nul
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4874D~1.EXE > nul
        9⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D736C~1.EXE > nul
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{608EC~1.EXE > nul
        7⤵
        
        PID:640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F26BB~1.EXE > nul
        6⤵
        
        PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E98F~1.EXE > nul
        5⤵
        
        PID:3360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A501~1.EXE > nul
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DE9~1.EXE > nul
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A501275-47BE-4297-AEB0-444DD3A0CBF0}.exe

Filesize
408KB

MD5
a5939a49851cffd7c4fa8d9d842c3b73

SHA1
1d878cf4408baa5bf058446abc5a382639695d56

SHA256
712b822a344bd03068593974cf9b1491f36deab76f091f7186dc76b0c7161a97

SHA512
ad37417626297159598295739a99556d63950fa57d00375d23a2feab2c52a132f7d88205c92c216c11251e6849ba47b5b14062b992176b9d6a180b28834c4132

Download Submit
C:\Windows\{4874D84B-8D67-4384-940B-B047C3F2C5B3}.exe

Filesize
408KB

MD5
f0db47e2885e0dc84926bdf772fcd981

SHA1
2f7b3766eeea1f44075e1d7bcc0f280087a94314

SHA256
dc9e81005701b1d16f3a760e212306fc1b3fa79ab80dc811c31217557d15d167

SHA512
6eef15b1e571c289f419b4b2e84d3ad2327add1800f147ccd3091b6404df6cf606819d72e23b8d31327ac04acd5a143425bc98ded6d2b211781d901acc528bb2

Download Submit
C:\Windows\{608ECE04-75D0-4b49-9009-0DBFB06B29BE}.exe

Filesize
408KB

MD5
85f6e443ad93ee15efa167a2bdb2aaa0

SHA1
8ecb4bf293b4074795fbb6ed54cc9fbe9ee6f3d1

SHA256
45ad31ca4e9caf1180036c08a13d522bad5e04a121507d1c229179ffdea7b3cd

SHA512
a0c24f31ea3c7e98a424322551e7322bbcb4d6891eb273777c69cd0afe39f31fa4e4d9986007c6a30703e0a8cb4e0499051967c9da973cda284ad2d3447f2e81

Download Submit
C:\Windows\{9E98F625-7E50-4124-9AB8-93A627E1AA3B}.exe

Filesize
408KB

MD5
6a908eb31a507310408739d1a74831e5

SHA1
d8ffa89e3406e67ba0dc5a8cd55d57bd9429f8a4

SHA256
e6345d7dfb9946e53c1f4311eb3d4615e607626fd8242f16a71fa83a5ba265cd

SHA512
2cd7e661ebddab84cd1a78127c92b0c4b96eec9ec133c9380bac3f089425e44b6dacc9062164537b6b5a4da0c28c9be071b9cd52338d24da2e5606b206c18d54

Download Submit
C:\Windows\{B5DE9660-1048-4e86-B69E-D4A291ACA316}.exe

Filesize
408KB

MD5
40def7e07076d7f73713f0c717634383

SHA1
abedf55bf96d6fafa230ed789d172eea05da90e6

SHA256
112765bef0366296cce1ddf9bccae94bfedd92d48c3bf54b8c215e7cdab81a02

SHA512
240f5b4a544e34160b3f1ecee5651b4955164e5d4c845736511f2a6296f7c45eee962c7f1c5b99d6ed991588c4f288686b7b3f5f29e44af10d3bd5afbf0ced05

Download Submit
C:\Windows\{D736CA26-AD1E-4e3b-A96D-9EF33920028A}.exe

Filesize
408KB

MD5
ab57c41c2f12829eecbefe5bba7bb9a6

SHA1
6b48f25d15e08bb563d11fc87b71933f5b4308cf

SHA256
23fcbe5a34f8e6b1dc1b33087855085520482c7b094a1de18d0666916865408a

SHA512
fbfc1cf20ab10b12a05be5481af4c3fe2454d3522e9b29a846b623923a2a9c63e66d6957fb73e111ffb55ad5f2de360867b9f7df1650a8957267ad4f005a3f7b

Download Submit
C:\Windows\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe

Filesize
335KB

MD5
c48a34564ed4c8b8de0cfa1cc759f858

SHA1
6cfceb54203726e39122dbbceff8b443faacb0e5

SHA256
39b8dc4fed2c1c60935fb05be3d238bd0a863b02075bf3a7181b0783a3560fbd

SHA512
445cab12bd0f4549a5b43581c00dbdcdb1756e697454c7efee94e7480aabe054fb1ea0658d6cd37eb1b90f3ae3f5b19a9b5948177b84ff27206d15a0aec34ecb

Download Submit
C:\Windows\{F26BB6DE-7A9B-4775-8AE5-456710E972F5}.exe

Filesize
366KB

MD5
08df39ed3fbdbe5aac2966b6ad200aa2

SHA1
51586de1e7202b7ca43bf4de9afcf4600c7ac379

SHA256
8f8ca3a88d40220211927853b6d23e13621a24ce948f83790da8524b382ace61

SHA512
c7c376698d033b7c5fcfaaa5836f53378182a5ddb822384a97d2f4f474e5c177c481a8f7e48568e6efca22e64a0315c8429b48125182e41ea8af4f6def84ab80

Download Submit
C:\Windows\{F29B49BE-9997-4e23-A1FB-CE12148E2C5A}.exe

Filesize
408KB

MD5
e94bdee84b2bde5d6d3a49e37e687485

SHA1
91d9bfa0a291a70a412f1fd6dbc605a74e0db8c8

SHA256
45596102a2fa6b7e0376bebaef17b0edb85eaf57ed55adc1678553b4f8f7e8d4

SHA512
9cd67a899f6e8f5907ce2b6983d48dc183bbbdba96d5bd806e50a0d5d5fc0abba326eb940525d01a0b2bd9d749ca7cdb4209a252ddde98f7debc887836ad5b43

Download Submit
C:\Windows\{F3324139-3D33-42db-930F-E654AC68EA32}.exe

Filesize
408KB

MD5
5483ab1ae5e2cd9eab2bf712c3cb23e4

SHA1
b9a192e320cf1f78a17012ce5699870c09677524

SHA256
c63d359bf2f9f65ac3649595100da186001e299b5b4885a463a21c48d4c8b9b2

SHA512
584e8d9198a2640935f137529adfb57be6fc5f738fef5aef5bb83b33bd7a161055c0190ecfb477fc26e1573226f5a3a4d17bb296625a8ba2ba0ae2a06fca4ee1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads