a596a07b4267546df1ba44838821d2dd9c7cf5021903e909e3ef67c5ec9e71f5

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 09:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Size

372KB
MD5

66d841cb558a577f644125b0730ae334
SHA1

e514eeeab9312646e93c2b5b49689cb4cf950c96
SHA256

a596a07b4267546df1ba44838821d2dd9c7cf5021903e909e3ef67c5ec9e71f5
SHA512

6640ba9e169aa63a433812f2bead08db9a23eaa29cdfc924f5e9f3262db1c18c8923e5b6786114d0e1578efc40fcbd3c09c8f68ce2b76088909d16f2d57b086f
SSDEEP

3072:CEGh0o5mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D829B7-A722-4fe3-939E-E24E41D23B73}\stubpath = "C:\\Windows\\{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe"	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}\stubpath = "C:\\Windows\\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe"	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A95E31-FF09-410b-8F85-286454A3034F}	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73657238-4B94-43c5-902C-74CFF451E9EB}	{98A95E31-FF09-410b-8F85-286454A3034F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D829B7-A722-4fe3-939E-E24E41D23B73}	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}\stubpath = "C:\\Windows\\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe"	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60871F20-93E2-4151-85E0-27100EACCAD7}\stubpath = "C:\\Windows\\{60871F20-93E2-4151-85E0-27100EACCAD7}.exe"	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D44EB584-F47F-4939-BD0C-C3F010E6887D}	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF2543B-1818-4211-B6C6-1363D1210695}	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF2543B-1818-4211-B6C6-1363D1210695}\stubpath = "C:\\Windows\\{5AF2543B-1818-4211-B6C6-1363D1210695}.exe"	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73657238-4B94-43c5-902C-74CFF451E9EB}\stubpath = "C:\\Windows\\{73657238-4B94-43c5-902C-74CFF451E9EB}.exe"	{98A95E31-FF09-410b-8F85-286454A3034F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}\stubpath = "C:\\Windows\\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe"	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D44EB584-F47F-4939-BD0C-C3F010E6887D}\stubpath = "C:\\Windows\\{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe"	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4B0AF2D-89BF-4b86-B720-063E54D67272}\stubpath = "C:\\Windows\\{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe"	{5AF2543B-1818-4211-B6C6-1363D1210695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A95E31-FF09-410b-8F85-286454A3034F}\stubpath = "C:\\Windows\\{98A95E31-FF09-410b-8F85-286454A3034F}.exe"	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60871F20-93E2-4151-85E0-27100EACCAD7}	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4B0AF2D-89BF-4b86-B720-063E54D67272}	{5AF2543B-1818-4211-B6C6-1363D1210695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}\stubpath = "C:\\Windows\\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe"	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}\stubpath = "C:\\Windows\\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe"	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe

Executes dropped EXE 12 IoCs

pid	Process
1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe
2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
3776	{5AF2543B-1818-4211-B6C6-1363D1210695}.exe
224	{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{98A95E31-FF09-410b-8F85-286454A3034F}.exe	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
File created	C:\Windows\{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	{98A95E31-FF09-410b-8F85-286454A3034F}.exe
File created	C:\Windows\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
File created	C:\Windows\{5AF2543B-1818-4211-B6C6-1363D1210695}.exe	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
File created	C:\Windows\{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
File created	C:\Windows\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
File created	C:\Windows\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
File created	C:\Windows\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
File created	C:\Windows\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
File created	C:\Windows\{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
File created	C:\Windows\{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
File created	C:\Windows\{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe	{5AF2543B-1818-4211-B6C6-1363D1210695}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe
Token: SeIncBasePriorityPrivilege	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
Token: SeIncBasePriorityPrivilege	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
Token: SeIncBasePriorityPrivilege	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
Token: SeIncBasePriorityPrivilege	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
Token: SeIncBasePriorityPrivilege	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
Token: SeIncBasePriorityPrivilege	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
Token: SeIncBasePriorityPrivilege	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
Token: SeIncBasePriorityPrivilege	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
Token: SeIncBasePriorityPrivilege	972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
Token: SeIncBasePriorityPrivilege	3776	{5AF2543B-1818-4211-B6C6-1363D1210695}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1680	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	86
PID 4240 wrote to memory of 1680	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	86
PID 4240 wrote to memory of 1680	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	86
PID 4240 wrote to memory of 5000	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	87
PID 4240 wrote to memory of 5000	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	87
PID 4240 wrote to memory of 5000	4240	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	87
PID 1680 wrote to memory of 2540	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	88
PID 1680 wrote to memory of 2540	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	88
PID 1680 wrote to memory of 2540	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	88
PID 1680 wrote to memory of 5060	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	89
PID 1680 wrote to memory of 5060	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	89
PID 1680 wrote to memory of 5060	1680	{98A95E31-FF09-410b-8F85-286454A3034F}.exe	89
PID 2540 wrote to memory of 3460	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	93
PID 2540 wrote to memory of 3460	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	93
PID 2540 wrote to memory of 3460	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	93
PID 2540 wrote to memory of 3532	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	94
PID 2540 wrote to memory of 3532	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	94
PID 2540 wrote to memory of 3532	2540	{73657238-4B94-43c5-902C-74CFF451E9EB}.exe	94
PID 3460 wrote to memory of 408	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	95
PID 3460 wrote to memory of 408	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	95
PID 3460 wrote to memory of 408	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	95
PID 3460 wrote to memory of 1512	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	96
PID 3460 wrote to memory of 1512	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	96
PID 3460 wrote to memory of 1512	3460	{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe	96
PID 408 wrote to memory of 1928	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	97
PID 408 wrote to memory of 1928	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	97
PID 408 wrote to memory of 1928	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	97
PID 408 wrote to memory of 1916	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	98
PID 408 wrote to memory of 1916	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	98
PID 408 wrote to memory of 1916	408	{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe	98
PID 1928 wrote to memory of 1800	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	99
PID 1928 wrote to memory of 1800	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	99
PID 1928 wrote to memory of 1800	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	99
PID 1928 wrote to memory of 4204	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	100
PID 1928 wrote to memory of 4204	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	100
PID 1928 wrote to memory of 4204	1928	{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe	100
PID 1800 wrote to memory of 1432	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	101
PID 1800 wrote to memory of 1432	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	101
PID 1800 wrote to memory of 1432	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	101
PID 1800 wrote to memory of 2944	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	102
PID 1800 wrote to memory of 2944	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	102
PID 1800 wrote to memory of 2944	1800	{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe	102
PID 1432 wrote to memory of 884	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	103
PID 1432 wrote to memory of 884	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	103
PID 1432 wrote to memory of 884	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	103
PID 1432 wrote to memory of 1552	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	104
PID 1432 wrote to memory of 1552	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	104
PID 1432 wrote to memory of 1552	1432	{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe	104
PID 884 wrote to memory of 468	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	105
PID 884 wrote to memory of 468	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	105
PID 884 wrote to memory of 468	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	105
PID 884 wrote to memory of 3548	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	106
PID 884 wrote to memory of 3548	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	106
PID 884 wrote to memory of 3548	884	{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe	106
PID 468 wrote to memory of 972	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	107
PID 468 wrote to memory of 972	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	107
PID 468 wrote to memory of 972	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	107
PID 468 wrote to memory of 448	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	108
PID 468 wrote to memory of 448	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	108
PID 468 wrote to memory of 448	468	{60871F20-93E2-4151-85E0-27100EACCAD7}.exe	108
PID 972 wrote to memory of 3776	972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe	109
PID 972 wrote to memory of 3776	972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe	109
PID 972 wrote to memory of 3776	972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe	109
PID 972 wrote to memory of 1188	972	{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{98A95E31-FF09-410b-8F85-286454A3034F}.exe
  C:\Windows\{98A95E31-FF09-410b-8F85-286454A3034F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
    C:\Windows\{73657238-4B94-43c5-902C-74CFF451E9EB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
      C:\Windows\{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
        
        C:\Windows\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
        
        C:\Windows\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
        
        C:\Windows\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
        
        C:\Windows\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
        
        C:\Windows\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
        
        C:\Windows\{60871F20-93E2-4151-85E0-27100EACCAD7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
        
        C:\Windows\{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{5AF2543B-1818-4211-B6C6-1363D1210695}.exe
        
        C:\Windows\{5AF2543B-1818-4211-B6C6-1363D1210695}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe
        
        C:\Windows\{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe
        13⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AF25~1.EXE > nul
        13⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D44EB~1.EXE > nul
        12⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60871~1.EXE > nul
        11⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EF2F~1.EXE > nul
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B9E1~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1CE2~1.EXE > nul
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBE8E~1.EXE > nul
        7⤵
        
        PID:4204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96B6E~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D82~1.EXE > nul
        5⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73657~1.EXE > nul
      4⤵
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{98A95~1.EXE > nul
    3⤵
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5000

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06D829B7-A722-4fe3-939E-E24E41D23B73}.exe

Filesize
372KB

MD5
476039230be5771ff339b66dfd500734

SHA1
bad9b76085f7afe023510a8985335d59930e2bfb

SHA256
bdcc25c3a8ecefc3232008292cab5cddab11a5b034a5ccb2a6c9e07b685cf58b

SHA512
5e9754c6e741e5cee38c088f0ae4ff0214c4eceb1bfea943f8f942308613fb2667d4a2852e791b1e927e3963b7af9b80666db5a1149a9b5a903349bc0d4596e3

Download Submit
C:\Windows\{4EF2F50D-F15C-47e4-BC3D-E3B11429641E}.exe

Filesize
372KB

MD5
3bc984ef0d508dc142e01a423a48ede6

SHA1
94052ea72b494b0f9e2c2aab35af3ba9af9c4f55

SHA256
425d5993d3c1d1f8c1cc59ba4e833c9a9ba6b67466ed8ee889a83ea16b0f2f50

SHA512
7c457b8dacee6f2dae2d6374734950aa51cefe1df0b7fc7a40fd3d16d4a0e9b5b84b32ba3316b5be58b2a15eec3dc20e896ee827cdcccd6f27da03707d13b0b9

Download Submit
C:\Windows\{5AF2543B-1818-4211-B6C6-1363D1210695}.exe

Filesize
372KB

MD5
ba387ac8db6f030c2521da96a9f99a68

SHA1
7ff936b14b59fba844f2d75704bb571b39efe2ee

SHA256
1c63a61a986d7ba6ee863aac01f7b34f4e22e9284c772caffa4080cc3dad2267

SHA512
f4e517f491f11cf50bcee233045b9629ea2753ff2beffd21a340a617fb032624a88fdda58a964984772a5eee18f6f95d82e1f72e3522dd60ddb7d2e5b9f8e109

Download Submit
C:\Windows\{5B9E17D2-13AB-429e-B8E2-8DDF7A1B150C}.exe

Filesize
372KB

MD5
7081429768f107f3699f9319f85640a2

SHA1
0db7426fae29e10a00b623b90771e0be199e31dd

SHA256
d49b41131ba83e723b5e3b09f6cc57d65156898dfb3f909e1a8d5fa33ed38871

SHA512
9c55ee2e2a770d9680dc339d5d8baa30016af0cdb1a9411eea101962ee5571c1d001dd9cbf016863fc32238eb9f80cd364ea8c1c806575a098b01454184be234

Download Submit
C:\Windows\{60871F20-93E2-4151-85E0-27100EACCAD7}.exe

Filesize
372KB

MD5
dea341b9b22b9aa49d430ddabd3334c3

SHA1
675de381f61ae2a6e3cc7cb1e428469338a55ac3

SHA256
5d4ccc6ed61d63d6d933680fd26c09f32e46513d54d216d41df203552200ed07

SHA512
95e5ee17b2829393bcbf3c9650ba730d9821fb91d27440125dd166f60b021bc56b892e68769d69b251ced69f8fa99d149335c1a81fbbe5919741bf97ad8a28b1

Download Submit
C:\Windows\{73657238-4B94-43c5-902C-74CFF451E9EB}.exe

Filesize
372KB

MD5
ee37a70852a0118001accc461a41e4e0

SHA1
5c3a85cda5b6b9de93491e9f2fdb0f76a8a77ed7

SHA256
709a2b3191b787899a095891855283387886678a23094a9a14e6676f4d3a34a0

SHA512
a7ac27a062c80a81ebb2b110417a49eb01fed25b1157fed033b785c17bb047d4d0013029cec127f3e179658f5bb36784f1977b828b57cc619b7ee013a2efa934

Download Submit
C:\Windows\{96B6E878-15E3-44bd-B524-85BC3BB8B3D5}.exe

Filesize
372KB

MD5
3c453b53116b8b8ea3ff004b207ab281

SHA1
c950c3c19dda46ffde4c498bd1286f1367361ae9

SHA256
2d3b9ea90e26b5859e6e987bddfcf8ca03d69c8bb061ba9afd7582bf7176f3e8

SHA512
543882dc7c5a1a859e6956d6c3f330608b732a000e74df239ef0fa1056be1582e8b71f0c98f350ffe4e34c38ec93f6b793fad7e24206c28c662221df90d64646

Download Submit
C:\Windows\{98A95E31-FF09-410b-8F85-286454A3034F}.exe

Filesize
372KB

MD5
d7792ff7464096b7d83d4f3201f6b9cd

SHA1
9bd09fa97d99ab063692b8f542a0dbef90f3d51f

SHA256
2503965f855cd65a1884618d039550d6189b1c95dae24b252b40c58567affcac

SHA512
6779446c18faf301b16d2fe198e6188f7f02ac3ff989bace298fc9c1f0b36f0736078d54da03d2010fab32ef19bbc708b0a89aa4f17cf16b779b37e78b4fa004

Download Submit
C:\Windows\{D1CE24E7-4367-4a25-A0E0-BAB88D8FF364}.exe

Filesize
372KB

MD5
3b4cd3ef0950de83cacad45781cdc1f1

SHA1
4758453ceb31d7d0c2b20052a238c6582812a7e7

SHA256
3f8c21d77b8ca07b700351da2cb287932a3745899943cc5a90f7863ca05cb31c

SHA512
8e812613cddfb27c12a3ed4699a7efa806bbf059fc25caedce11bd69a48b788de1b18484fd2d11876754fd0e4dfcdf334a9f40d095a9e693b2e611f7ea79d94e

Download Submit
C:\Windows\{D44EB584-F47F-4939-BD0C-C3F010E6887D}.exe

Filesize
372KB

MD5
0e477f198e23fa9743499023c765497d

SHA1
8a38855be85780b6f342231e3f7e1fe0bdd61fd6

SHA256
b0f8f6bcfeefe79829cf527455d47575e5c3fad68d2500b1fa41659b233f6f87

SHA512
d4bab9223c763a895fd8b515c66b1dc13f6bd39131419b4a2f3a067e79f06119e35a4394f2585cabacf1fd121efb93a96ce54131f250d3a0eecde95a66dff1ce

Download Submit
C:\Windows\{EBE8EB60-E2A0-4b3f-83CA-FB249592784F}.exe

Filesize
372KB

MD5
9f7f3e79479a4c14ba6debf962464c82

SHA1
bc705c721f004df9fc6ac30e68d7be319496fafc

SHA256
85662141d3949489608f68d6df9453f2c4dee6518518c2843def7c2a7d2ff778

SHA512
577df1f1b5fe90de8700e80cf97003eef89a7f4f267e8cc45c89cb792d249883d71e3a9a5b52e180ccc2da165b050b8d4d809c97021bc2302aff1dba7080e489

Download Submit
C:\Windows\{F4B0AF2D-89BF-4b86-B720-063E54D67272}.exe

Filesize
372KB

MD5
f75b5ea7159aeef7d6c6426d3f613543

SHA1
974907fd84805b40a3d4af34194c16e53e7ec15d

SHA256
9c838b937686f4a795192f17aac45b31d4a232b269440d76fec253cc8e90a589

SHA512
ecdc2d8ee73abbabd18fef6fae24ee4b39d9a60b2b62875f560dc00a95316015ef92e82d61bd7f08f44a7309c6bfe56314c38cd31016fc0c19817bab726fc51b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.