3b95b3ed262c1834e05c646e1d22d794ee8cde6522e9652a1e832a469d91125d

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 07:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Size

372KB
MD5

366355a38eaf93a3694a6cf496e6faea
SHA1

5ef7e0f8ba850ff05497b7989d6ee95b11849319
SHA256

3b95b3ed262c1834e05c646e1d22d794ee8cde6522e9652a1e832a469d91125d
SHA512

84cb5fc8cadf65be642c7def7b832bc1aaf22d3abd4bba5067f6cafc1f043a1be0c39902b4e8d8983d84a5e8b2daa79dfb1f3f3d64b1675d9f63e22480a2a6eb
SSDEEP

3072:CEGh0oAlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGSlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}	{11603772-41C7-4a35-BFFE-9625C464F991}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}\stubpath = "C:\\Windows\\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe"	{11603772-41C7-4a35-BFFE-9625C464F991}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC68950D-619B-4226-ADE2-D3790E692B91}	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4193B845-5D19-4692-B67B-59F38A4190C1}	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163B477E-FD04-4d87-B9AA-C670E8D4C790}	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8699212D-A1A5-4cca-96CE-F197FA8170C9}	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BEADAF-FC52-453b-9C43-52E854816494}\stubpath = "C:\\Windows\\{53BEADAF-FC52-453b-9C43-52E854816494}.exe"	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11603772-41C7-4a35-BFFE-9625C464F991}\stubpath = "C:\\Windows\\{11603772-41C7-4a35-BFFE-9625C464F991}.exe"	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92EADE9-9872-44b3-AB96-63D71BB1C474}\stubpath = "C:\\Windows\\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe"	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}\stubpath = "C:\\Windows\\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe"	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163B477E-FD04-4d87-B9AA-C670E8D4C790}\stubpath = "C:\\Windows\\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe"	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DC5F5E-645D-4102-9241-88A7F3BD430B}	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}\stubpath = "C:\\Windows\\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe"	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DC5F5E-645D-4102-9241-88A7F3BD430B}\stubpath = "C:\\Windows\\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe"	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BEADAF-FC52-453b-9C43-52E854816494}	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11603772-41C7-4a35-BFFE-9625C464F991}	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8699212D-A1A5-4cca-96CE-F197FA8170C9}\stubpath = "C:\\Windows\\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe"	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92EADE9-9872-44b3-AB96-63D71BB1C474}	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC68950D-619B-4226-ADE2-D3790E692B91}\stubpath = "C:\\Windows\\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe"	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4193B845-5D19-4692-B67B-59F38A4190C1}\stubpath = "C:\\Windows\\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe"	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}\stubpath = "C:\\Windows\\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe"	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
1080	{11603772-41C7-4a35-BFFE-9625C464F991}.exe
5028	{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
File created	C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
File created	C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
File created	C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
File created	C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
File created	C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
File created	C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
File created	C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
File created	C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
File created	C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
File created	C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
File created	C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe	{11603772-41C7-4a35-BFFE-9625C464F991}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11603772-41C7-4a35-BFFE-9625C464F991}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
Token: SeIncBasePriorityPrivilege	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
Token: SeIncBasePriorityPrivilege	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
Token: SeIncBasePriorityPrivilege	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
Token: SeIncBasePriorityPrivilege	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
Token: SeIncBasePriorityPrivilege	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
Token: SeIncBasePriorityPrivilege	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
Token: SeIncBasePriorityPrivilege	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
Token: SeIncBasePriorityPrivilege	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
Token: SeIncBasePriorityPrivilege	4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe
Token: SeIncBasePriorityPrivilege	1080	{11603772-41C7-4a35-BFFE-9625C464F991}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4276	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	89
PID 4788 wrote to memory of 4276	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	89
PID 4788 wrote to memory of 4276	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	89
PID 4788 wrote to memory of 1436	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	90
PID 4788 wrote to memory of 1436	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	90
PID 4788 wrote to memory of 1436	4788	2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe	90
PID 4276 wrote to memory of 4592	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	91
PID 4276 wrote to memory of 4592	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	91
PID 4276 wrote to memory of 4592	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	91
PID 4276 wrote to memory of 3568	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	92
PID 4276 wrote to memory of 3568	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	92
PID 4276 wrote to memory of 3568	4276	{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe	92
PID 4592 wrote to memory of 1248	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	96
PID 4592 wrote to memory of 1248	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	96
PID 4592 wrote to memory of 1248	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	96
PID 4592 wrote to memory of 1652	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	97
PID 4592 wrote to memory of 1652	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	97
PID 4592 wrote to memory of 1652	4592	{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe	97
PID 1248 wrote to memory of 5016	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	98
PID 1248 wrote to memory of 5016	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	98
PID 1248 wrote to memory of 5016	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	98
PID 1248 wrote to memory of 3216	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	99
PID 1248 wrote to memory of 3216	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	99
PID 1248 wrote to memory of 3216	1248	{EC68950D-619B-4226-ADE2-D3790E692B91}.exe	99
PID 5016 wrote to memory of 1928	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	100
PID 5016 wrote to memory of 1928	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	100
PID 5016 wrote to memory of 1928	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	100
PID 5016 wrote to memory of 5088	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	101
PID 5016 wrote to memory of 5088	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	101
PID 5016 wrote to memory of 5088	5016	{4193B845-5D19-4692-B67B-59F38A4190C1}.exe	101
PID 1928 wrote to memory of 5116	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	102
PID 1928 wrote to memory of 5116	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	102
PID 1928 wrote to memory of 5116	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	102
PID 1928 wrote to memory of 3580	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	103
PID 1928 wrote to memory of 3580	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	103
PID 1928 wrote to memory of 3580	1928	{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe	103
PID 5116 wrote to memory of 4772	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	104
PID 5116 wrote to memory of 4772	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	104
PID 5116 wrote to memory of 4772	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	104
PID 5116 wrote to memory of 716	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	105
PID 5116 wrote to memory of 716	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	105
PID 5116 wrote to memory of 716	5116	{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe	105
PID 4772 wrote to memory of 1916	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	106
PID 4772 wrote to memory of 1916	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	106
PID 4772 wrote to memory of 1916	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	106
PID 4772 wrote to memory of 2976	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	107
PID 4772 wrote to memory of 2976	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	107
PID 4772 wrote to memory of 2976	4772	{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe	107
PID 1916 wrote to memory of 2904	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	108
PID 1916 wrote to memory of 2904	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	108
PID 1916 wrote to memory of 2904	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	108
PID 1916 wrote to memory of 4368	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	109
PID 1916 wrote to memory of 4368	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	109
PID 1916 wrote to memory of 4368	1916	{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe	109
PID 2904 wrote to memory of 4040	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	110
PID 2904 wrote to memory of 4040	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	110
PID 2904 wrote to memory of 4040	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	110
PID 2904 wrote to memory of 2744	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	111
PID 2904 wrote to memory of 2744	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	111
PID 2904 wrote to memory of 2744	2904	{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe	111
PID 4040 wrote to memory of 1080	4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe	112
PID 4040 wrote to memory of 1080	4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe	112
PID 4040 wrote to memory of 1080	4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe	112
PID 4040 wrote to memory of 4064	4040	{53BEADAF-FC52-453b-9C43-52E854816494}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
  C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
    C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
      C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
        
        C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
        
        C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
        
        C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
        
        C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
        
        C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
        
        C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe
        
        C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe
        
        C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe
        
        C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11603~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BEA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86992~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22DC5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7730~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD0E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163B4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4193B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC689~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10983~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E92EA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1436

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0008524EEE6A6F77110D469DEF8A6EB2; domain=.bing.com; expires=Sun, 31-Aug-2025 07:45:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A6B40632DA70431B93FF3EE6F002B2CE Ref B: LON04EDGE1017 Ref C: 2024-08-06T07:45:26Z
date: Tue, 06 Aug 2024 07:45:25 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0008524EEE6A6F77110D469DEF8A6EB2

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=RMTJhUkaSHkCj1sgwdimxLyzhgMaUHpefP-thLH6ASw; domain=.bing.com; expires=Sun, 31-Aug-2025 07:45:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C6724E3A87B54AF8B096D7C2EC88FD63 Ref B: LON04EDGE1017 Ref C: 2024-08-06T07:45:26Z
date: Tue, 06 Aug 2024 07:45:25 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0008524EEE6A6F77110D469DEF8A6EB2; MSPTC=RMTJhUkaSHkCj1sgwdimxLyzhgMaUHpefP-thLH6ASw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B78584AA70649A58D8A5F6B8ECEEADB Ref B: LON04EDGE1017 Ref C: 2024-08-06T07:45:26Z
date: Tue, 06 Aug 2024 07:45:25 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

Remote address:

92.123.142.139:443

Request

GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=0008524EEE6A6F77110D469DEF8A6EB2; MSPTC=RMTJhUkaSHkCj1sgwdimxLyzhgMaUHpefP-thLH6ASw
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 5773
date: Tue, 06 Aug 2024 07:45:27 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.678e7b5c.1722930327.5a910a9d
DNS

139.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.142.123.92.in-addr.arpa

IN PTR

Response

139.142.123.92.in-addr.arpa

IN PTR

a92-123-142-139deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=962efe66efd44cdcae4bc530bab9017b&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

HTTP Response

204
92.123.142.139:443

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

tls, http2

1.7kB
11.2kB
21
17

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

139.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

139.142.123.92.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe

Filesize
372KB

MD5
3d0c4925fbe91d401d8040cab15f8ccd

SHA1
0499995a3b25c1e66d2f8d1e952a2d04fe318c2b

SHA256
6854fc53b7ac4672706c31df0b0bb9636783191368c991331e814a90f46b29f4

SHA512
4e417a3372005880559c37474023daab043297a1c0a6934f858763db47b592dc259733065d119cb401374781cf2e03ba541dd1443724d93ebb92bc53fd620f99

Download Submit
C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe

Filesize
372KB

MD5
de0e239ac55d2c997e395534751dc710

SHA1
8b541db7140eaf023bd5ee39f838f0aa6a91b758

SHA256
484a29f42f4de55c38e2bf3bb398a1ccfda5b1c59271348b217ce498e4ca823d

SHA512
373e8dfec333675147b019986ee8f00d6e95a9ee4c386487e5c77eb9f6c82115da62ab74f588fda019b96f7327a0e9e79a0041f7cedf743ab60412810c025ad1

Download Submit
C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe

Filesize
372KB

MD5
a46cc43e3893b7536c1596df2532a98f

SHA1
c930d6760778a6a3d3002623d699e3eae1812434

SHA256
fb75e16328528603f35a406a1fdc4012eeacce3daf9fdc92cbaddce56dd7b005

SHA512
b344ac2a579fdfedd0c5f1c1c6b474354679c104c8aff05cfc9cb2d721823d4ee90e4f7a66581b4b4a60e5e38a930384bed3515dd9b8c832031a0a5815bc9ece

Download Submit
C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe

Filesize
372KB

MD5
843a874e15b82c30a6142601f4d75b75

SHA1
d589a0022dbf4560ecc5cc16528c218f0b4ed79f

SHA256
adbc218a8dd4f581fc65593a94d1a32f4936c7eb0710e19541f27b59c2db2266

SHA512
63453cb8fb42fd7c58459039fa7fb45146c8d783366605cfea1a818b4f048bbc234f20f7dc13681add279b01406b34d849b8c251873ebcf0cf499fc9f014670c

Download Submit
C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe

Filesize
372KB

MD5
38c1e95ef5d46391a73c3bda7f6bab1b

SHA1
e3a9657a44c34eab8cbc621e8e3515afc768a0a3

SHA256
1796d8a1681e17165b1bb41f94bdf50f6e1c95dfa13465708c7d73a6da9e7e9f

SHA512
e7633db94bdea4caea193e6cd9c1fcb363f333c723a644c68c13a54edc61dfa8e0aa86d4b195e3731b67af8ed1612c55fc5e356fdc322a0a4aa37c3752237c26

Download Submit
C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe

Filesize
372KB

MD5
907c89477028afd653585ab27b5da45a

SHA1
0296579be917812360074f33f13f53ae5fd59146

SHA256
1d54c3a846e7fc24db4f2c49fddb07a2009fc716cb8569541a9a58a0e1403476

SHA512
7606865c8dda571b4b199425159485da502981dfd6ebeb5008b6c39d0974a9abec920a747815088fe16445bbaaaaf4b3c501af8ab4aebef03475eff1818fc1bb

Download Submit
C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe

Filesize
372KB

MD5
c99b9d2f80e34b400327f32f95c0d3bb

SHA1
38e68990fee8d207c708061f8cbac96a4595a96c

SHA256
33f1b6aca4aec15465ad1a8dada6d7141411e9bb56e289d58dfc2a071a7118df

SHA512
0916f1df30d411a908c1f846e6b21368442bba08cbde486d2fd9409f4b57019e73859a6e71250492e8681040d1b48db961eec9ee5082e54f5281ca3e260987f3

Download Submit
C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe

Filesize
372KB

MD5
faab78440830991f210cc027dcf52ed9

SHA1
b7ba65966bb23bf3f576dc2c34071619f3e88ec8

SHA256
d45ab1f72fb97225e96f2e2c15ebec1b2974a056bdbea1784187c02f4f3685d4

SHA512
62ee485db643122a08c11cf0a126cf91137fdf5c7764c357904bf99aecd184670e7b966dc37a5de8c99b9d7bfcf07cd2c198783e6c9132d83e80a637e3b38600

Download Submit
C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe

Filesize
372KB

MD5
5bdc15a7e69d56f523570ca7e25a9061

SHA1
125696df58dcc3a4af42c57e395953260aca89a2

SHA256
3fc68f7cda2b845f2526a840967224c7af18ae997df7297b3c380edbfc9b1fbf

SHA512
c8bb4fcad9a3e9591ec4231b48f8be8447c342ddad08c4013a6280c11828d79034acacf9cfc898dfa8882cc78832fb2c32312110caec52e460fff73c2ca8cafc

Download Submit
C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe

Filesize
372KB

MD5
39ba93efbd3ec35df66b16f1d932a0d9

SHA1
decef24ef68d7963585b90b3f7afc8941f425676

SHA256
82de4d50936ac3f43f2dff27c893ae5a37c223df2a207b50d1fa8ed19f0b3640

SHA512
3abb8b36792a2cbd3a60871f77cb0767d1bd8533b66888f509f8060afd42e290254ed5da634aa379a993db441af8d163c156add17d0310b649d90755c38bcc39

Download Submit
C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe

Filesize
372KB

MD5
b04ddf7b10e39c1a64ba855e83962732

SHA1
6701c686b5339e6e8204998f09a8e45e1e104f68

SHA256
0d4b5a3572d8eb0424f675418233ee0d9383f795988fbc4c8bdb9add686288d5

SHA512
884d41a360fb106856902c9abc368f0b54601a9e6c06f125678af8b8c167b6619c37dab7612e9cbf01bd53236b36ab7e8a43fbe31f5de6bd997cc30a72539535

Download Submit
C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe

Filesize
372KB

MD5
41d23b4a8a3545ef36cfa426ec1b97ea

SHA1
b0486d622f9e26906f89716e076a7c1c043e9bf2

SHA256
3371fc71dbab9e3aba3722dfebc2bd43306a7b0eb84d43e9473ebf22a5bfadb2

SHA512
f00f098a66cac9e1ab21768816a7d0f1dff9261070dbce47f6a5ba6a505c43597318412f5ae92858153c44d5e3c887fde377d032217fbb5ef1a58426237fac52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.