Analysis Overview
SHA256
40507eb7b0a1f356c0ec6ba2c1f929a532372056521de7225b2a15492b345954
Threat Level: Likely malicious
The file 2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:43
Reported
2024-11-11 12:45
Platform
win7-20241010-en
Max time kernel
144s
Max time network
119s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
Each stage creates an Installed Components key under Wow6432Node (the sample runs as a 32-bit process; note the SysWOW64\cmd.exe children in the process tree) named with a fresh GUID and sets that key's stubpath to the next stage, C:\Windows\{GUID}.exe, so the key name and the file name carry the same GUID. Active Setup launches a stubpath at the next interactive logon of every user who has not yet run that component, which makes these keys a persistence mechanism even though most of the target files are deleted later in the same run.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0331152C-DC56-4c09-A85D-F529CE6208C6}\stubpath = "C:\\Windows\\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe" | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58919C5-A991-4ae5-AE4B-6A43954DAC36} | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}\stubpath = "C:\\Windows\\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe" | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA346E0A-5652-475c-9E65-8742861CB8EE}\stubpath = "C:\\Windows\\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe" | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497E3998-64CD-4587-9AA8-EC72A6BEB98B} | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B91B28F-F964-49d4-8404-B1F323EB372C}\stubpath = "C:\\Windows\\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0331152C-DC56-4c09-A85D-F529CE6208C6} | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446} | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}\stubpath = "C:\\Windows\\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe" | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90} | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}\stubpath = "C:\\Windows\\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe" | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B91B28F-F964-49d4-8404-B1F323EB372C} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EC927-37ED-41df-9878-CB2B79422A7F}\stubpath = "C:\\Windows\\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe" | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA346E0A-5652-475c-9E65-8742861CB8EE} | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}\stubpath = "C:\\Windows\\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe" | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25} | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}\stubpath = "C:\\Windows\\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe" | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EC927-37ED-41df-9878-CB2B79422A7F} | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}\stubpath = "C:\\Windows\\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe" | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321} | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}\stubpath = "C:\\Windows\\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe" | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6} | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | N/A |
Deletes itself
The deletion is done through cmd.exe using the 8.3 short name of the file (for example {7B91B~1.EXE), as the process tree shows. Each stage launches its successor and its own file is then removed, so of the twelve executables that ran, only the last dropped stage, C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe, is still on disk at the end of the run; it is also the last stubpath registered.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | N/A |
| N/A | N/A | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | N/A |
| N/A | N/A | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | N/A |
| N/A | N/A | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | N/A |
| N/A | N/A | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | N/A |
| N/A | N/A | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | N/A |
| N/A | N/A | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | N/A |
| N/A | N/A | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | N/A |
| N/A | N/A | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | N/A |
| N/A | N/A | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | N/A |
| N/A | N/A | C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | N/A |
| File created | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | N/A |
| File created | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | N/A |
| File created | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | N/A |
| File created | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | N/A |
| File created | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | N/A |
| File created | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | N/A |
| File created | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | N/A |
| File created | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | N/A |
| File created | C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | N/A |
| File created | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
System Location Discovery: System Language Discovery
This signature fires on any open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; the table below shows cmd.exe triggering it as well. On its own it is low-signal and should not be read as evidence of locale-based targeting.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"
C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B91B~1.EXE > nul
C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F66AF~1.EXE > nul
C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{572EC~1.EXE > nul
C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{03311~1.EXE > nul
C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{40DA1~1.EXE > nul
C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5891~1.EXE > nul
C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA346~1.EXE > nul
C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5E2~1.EXE > nul
C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F13~1.EXE > nul
C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D55~1.EXE > nul
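The three signatures above (file drops, Active Setup stubpaths, cmd.exe deletions) describe one chain, and it is worth checking that they agree with each other before reporting it. The script below is an added example written for this page, not sandbox output and not code belonging to the sample; the input rows were transcribed by hand from the behavioral1 tables and process tree above, and the function names (`build_chain`, `audit_chain`, `short_name`) are this example's own. It orders the stages from the unordered drop table, confirms every dropped stage is registered under Active Setup and matches the C:\Windows\{GUID}.exe naming pattern, and works out from the del commands which stage survives on disk.

```python
"""Cross-check the behavioral1 signatures: drop chain, Active Setup
registration and self-deletion. Added example for this page, not sandbox
output; the rows below were transcribed by hand from the tables above."""
import re

ROOT = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe")


def win_path(guid):
    """Path of a dropped stage as the report prints it."""
    return r"C:\Windows\{%s}.exe" % guid


# "Drops file in Windows directory": (process, file created), in report order.
DROPS = [
    (win_path("F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6"), win_path("572EC927-37ED-41df-9878-CB2B79422A7F")),
    (win_path("572EC927-37ED-41df-9878-CB2B79422A7F"), win_path("0331152C-DC56-4c09-A85D-F529CE6208C6")),
    (win_path("C58919C5-A991-4ae5-AE4B-6A43954DAC36"), win_path("FA346E0A-5652-475c-9E65-8742861CB8EE")),
    (win_path("AE5E2C16-568E-4735-BC3E-81ECDCB7A321"), win_path("B5F13B15-8A1B-4946-97C2-E03AA9F56E25")),
    (win_path("7B91B28F-F964-49d4-8404-B1F323EB372C"), win_path("F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6")),
    (win_path("0331152C-DC56-4c09-A85D-F529CE6208C6"), win_path("40DA1A3C-7F54-4dca-8B18-0EA14F3E0446")),
    (win_path("40DA1A3C-7F54-4dca-8B18-0EA14F3E0446"), win_path("C58919C5-A991-4ae5-AE4B-6A43954DAC36")),
    (win_path("FA346E0A-5652-475c-9E65-8742861CB8EE"), win_path("AE5E2C16-568E-4735-BC3E-81ECDCB7A321")),
    (win_path("B5F13B15-8A1B-4946-97C2-E03AA9F56E25"), win_path("B9D55E3B-520B-4507-B4CE-8C6D0B053B90")),
    (win_path("B9D55E3B-520B-4507-B4CE-8C6D0B053B90"), win_path("497E3998-64CD-4587-9AA8-EC72A6BEB98B")),
    (ROOT, win_path("7B91B28F-F964-49d4-8404-B1F323EB372C")),
]

# "Set value (str)" rows, value part only, as the report prints a REG_SZ
# (quoted, backslashes doubled).
STUBPATHS = [
    r'"C:\\Windows\\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe"',
    r'"C:\\Windows\\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe"',
    r'"C:\\Windows\\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe"',
    r'"C:\\Windows\\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe"',
    r'"C:\\Windows\\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe"',
    r'"C:\\Windows\\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe"',
    r'"C:\\Windows\\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe"',
    r'"C:\\Windows\\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe"',
    r'"C:\\Windows\\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe"',
    r'"C:\\Windows\\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe"',
    r'"C:\\Windows\\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe"',
]

# cmd.exe command lines from the process tree.
DEL_CMDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7B91B~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F66AF~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{572EC~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{03311~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{40DA1~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C5891~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FA346~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5E2~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F13~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D55~1.EXE > nul",
]

# Hunting pattern for the stage file names: a GUID directly under C:\Windows.
GUID_STAGE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def reg_str(value):
    """Undo the quoting and backslash doubling of a printed REG_SZ."""
    return value.strip('"').replace("\\\\", "\\")


def build_chain(root, drops):
    """Follow process -> created-file edges starting at the submitted sample."""
    next_stage = dict(drops)
    chain = [root]
    while chain[-1] in next_stage and next_stage[chain[-1]] not in chain:
        chain.append(next_stage[chain[-1]])
    return chain


def short_name(path):
    """Full path with the 8.3 alias the del commands use: first six characters
    of the base name plus '~1', upper-cased. Assumes the ~1 form (no earlier
    short-name collision), which holds for every stage in this run."""
    folder, name = path.rsplit("\\", 1)
    base, ext = name.rsplit(".", 1)
    return f"{folder}\\{base[:6]}~1.{ext}".upper()


def audit_chain(root=ROOT, drops=DROPS, stubpaths=STUBPATHS, del_cmds=DEL_CMDS):
    """Return the ordered chain plus anything that breaks the expected pattern."""
    chain = build_chain(root, drops)
    registered = {reg_str(v) for v in stubpaths}
    deleted = set()
    for cmd in del_cmds:
        m = re.search(r"/c del (\S+) > nul", cmd)
        if m:
            deleted.add(m.group(1).upper())
    return {
        "chain": chain,
        # dropped stages whose name does not fit C:\Windows\{GUID}.exe
        "odd_names": [p for p in chain[1:] if not GUID_STAGE.match(p)],
        # dropped stages with no Active Setup stubpath pointing at them
        "unregistered": [p for p in chain[1:] if p not in registered],
        # stubpath targets that were never dropped (a transcription error)
        "phantom": sorted(registered - set(chain)),
        # stages never deleted: what is still on disk for the next logon
        "survivors": [p for p in chain if short_name(p) not in deleted],
    }
```

Run with `python3 -c 'import audit; print(audit.audit_chain())'` (file saved as audit.py). For this run the chain has twelve entries in the same order as the process tree, no stage is unregistered or oddly named, and the only survivor is {497E3998-...}.exe. The same three checks carry over unchanged to the behavioral2 (win10) tables, which use a different set of GUIDs but the same structure; a non-empty "unregistered" or "phantom" list on a real report usually means a row was mis-transcribed or the chain was cut short by the sandbox time limit.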
Network
Files
Every dropped stage below has a distinct MD5/SHA1/SHA256, so the stages are not byte-identical copies of their parent and a hash-based block on one of them will not catch the next. The stable indicators for this sample are the GUID file name directly under C:\Windows and the matching Active Setup stubpath entry, not the file hashes.
C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
| MD5 | 04ec101e38f8fec701eb0bdcc9413f41 |
| SHA1 | d49d98e3246e1c7e76ccb2ddee4fb5be26bba295 |
| SHA256 | e576a81cfbbbe6c5795e914320566e26a80b54dd239dfcc01528d597842a050a |
| SHA512 | cec7a6c911c17290e5911de4a3e0da182aa30173ea68f6a0f8f0f6eab770b6b1936475a00f0b74240014be321e48e6391f59b1e8fa389eba4fe0e2c9b0d6993c |
C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
| MD5 | 69f1782d69c43874b836106256580d8d |
| SHA1 | 36b6ca7c5fb52fc41a52d0d72f0f463cd30e9c8a |
| SHA256 | 84225a5a7c5be128faa3f9711769263ed3ed0fa329c65433c3a13f246ce260f1 |
| SHA512 | 5c73a9f7d4db4fa61ca7a60cb3282a506117fcc463a1d6ac9903437fdb13fee4e72ab51f7397d7dab408cdc2d7c230b90274f6abac5993d55e2dac5fc0bdaff4 |
C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
| MD5 | 766d81870b1ee78ecd99f4aae9f51baf |
| SHA1 | da9d2850769ee6b053760ce6332f53f3efd3efeb |
| SHA256 | 24c31eeafa6074b222571bfa8bdb77fcc563fee383787d001cb7c6482b06a705 |
| SHA512 | 03f06d48aabeb2ccadd33ab96fcee001d3760bc1781fac82dfd8107b83c069e27c1832a20a181289f6b5ff35d833be59c739f2a820ce964976e95b4a5e63fb88 |
C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
| MD5 | cb5b27210a17f1538254f799656f3acb |
| SHA1 | 213ab9e72238990602a3ada9ca0d78eb28f843c1 |
| SHA256 | 5c16661c0115f6b313709d5bfa316325b2ed15bcfc7e347c8718021df49a7c23 |
| SHA512 | 9d6f9700138edd8ade3f14950a342cced606a2bc2f109bd165d8ac31507156d80bfe00307d7b5744eafe7125fff20f75da6e17031c464ec74cafb71a72d23e8c |
C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
| MD5 | 1e9778b6139115dedffbd092659c39a6 |
| SHA1 | 9c987d09cb6f4e97aeb72ea45153c1c6cafa1177 |
| SHA256 | fe11101b9ed157bcdc73f3a83ae4a8b65fd05d003eddbace207a7e99b60df798 |
| SHA512 | 4fb8de359448e228a72dd865d816afca6eb45bd96a615bbb9e95074a522c3cd78d377329aca6b0147a8a32491ecd76eab020f9daee24c95115588e4416a545b5 |
C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
| MD5 | 41de478c4dad2bcad326620909ad985d |
| SHA1 | 3c188ec8f40ca96b03a22fae3b038f30806bbeaa |
| SHA256 | 81eb614f09cf0ecd869e227c25284749e219ff182caa708b127c415732a05b6c |
| SHA512 | f35d87636f0e3e1760a8399a3816bd658239a9130d7f836c1810a42999c06cc31a5bdb68763b9b466b509881ede6d36602c6778bc81fdb0cd31bb00755451ce0 |
C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
| MD5 | 8b71e3b87e186294341ef851c503a013 |
| SHA1 | 08e77dde06db7c85b7f3758ca92d20f1cbcfce42 |
| SHA256 | b77bed368a19b357b2aaca0d2e25b6d38823d34e875a4e1400dbc0d2fe39a504 |
| SHA512 | e6a13185db70e95ca91b7a9b644e32d8032784e5125945ff58c0bd1a71d1e9af118dff57d468eea4ff4c59f9fcf1c621c67215670bd7a137f207ba4dfc0641ad |
C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
| MD5 | e547944a4eeb5ee8230079eb4ab0fb4f |
| SHA1 | 618e8ff49d8f88361963d819a828a905b83ddd31 |
| SHA256 | 526b472ac0f4fe8cf54fc971f4aff726cb11d42d0b37eca43dd5e8a304909f26 |
| SHA512 | 299a7664d95669635312716b2afddb9da631fa41606d645f1cb5b61f7e4bd53ee682d5a666431450a22031d8aeb9ef76facf9e5701c6200ff82373d1372b895f |
C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe
| MD5 | 0e9d673d21f198e687658f44fd2cbb2c |
| SHA1 | d722e28c69abe82d2726fecd1db9fa190c6ce694 |
| SHA256 | 19f04c2ffec3630985d428846459f191a28c5550eb552718869ed9863a924ed0 |
| SHA512 | 5cbfb7d2b03e52652deb8a41110407186f7433ab0f7a89f94fda34f0632109f6a5d4c836466ef504ba37af99aeb4f687a49fc59928ce124aab90a1a58151bb84 |
C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe
| MD5 | 91a3328dca484d5875d1f106a7dfff68 |
| SHA1 | 9efeb1b9d96dc8fa1afa560318f534b7750cce42 |
| SHA256 | 72b3969f1c47b8f0ae945950aa5e984250394598863f3b69996a474a0d86f77a |
| SHA512 | d7b54d98b39436b7336fd168a017d35184837c7e137f87bc34ed701edd904664fa0d046de05d6e54c3069f66f79cacb537f7a26fccc553f4a0ccb2e0ea51cd91 |
C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe
| MD5 | f5317eb339d41efaab4eb172af7f6f0f |
| SHA1 | 84c4cae1aae26132844eed869d86ca4e36fb6ee5 |
| SHA256 | a9f0230d0a065fe2a156541564164e24f5f185fb7f717ec0b08534d32411165a |
| SHA512 | ac120edced0f0215ef0c01ff8e75d8ad3599cb3781c078d6a503f1c17e0ef2aeedf4b02a24f3b697290cdb491c2be002bc8cc14329ef5a41392ca73f46491ff1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:43
Reported
2024-11-11 12:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291} | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868374E0-B72B-46f6-AD1A-6EE92E2F1576} | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}\stubpath = "C:\\Windows\\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe" | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039} | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0046C1-BF71-4c5e-A3C9-628C2D945324} | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}\stubpath = "C:\\Windows\\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe" | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD} | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}\stubpath = "C:\\Windows\\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe" | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}\stubpath = "C:\\Windows\\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe" | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878BE408-F760-4d67-8C0F-3A330BCECFF4} | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}\stubpath = "C:\\Windows\\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe" | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9311B3F2-18B6-47f3-BCE6-BC77702D1474} | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F10C79F-D8B0-4766-9908-F422407669E0} | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}\stubpath = "C:\\Windows\\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe" | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C42456DF-92E3-43d5-82A2-4A566729012E}\stubpath = "C:\\Windows\\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe" | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8} | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}\stubpath = "C:\\Windows\\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe" | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49FA3E5-76FB-43e1-A484-926FAE2654C4} | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}\stubpath = "C:\\Windows\\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe" | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}\stubpath = "C:\\Windows\\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C42456DF-92E3-43d5-82A2-4A566729012E} | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878BE408-F760-4d67-8C0F-3A330BCECFF4}\stubpath = "C:\\Windows\\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe" | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F10C79F-D8B0-4766-9908-F422407669E0}\stubpath = "C:\\Windows\\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe" | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | N/A |
| N/A | N/A | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | N/A |
| N/A | N/A | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | N/A |
| N/A | N/A | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | N/A |
| N/A | N/A | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | N/A |
| N/A | N/A | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | N/A |
| N/A | N/A | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | N/A |
| N/A | N/A | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | N/A |
| N/A | N/A | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | N/A |
| N/A | N/A | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | N/A |
| N/A | N/A | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | N/A |
| N/A | N/A | C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | N/A |
| File created | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | N/A |
| File created | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | N/A |
| File created | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | N/A |
| File created | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | N/A |
| File created | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | N/A |
| File created | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | N/A |
| File created | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | N/A |
| File created | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | N/A |
| File created | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | N/A |
| File created | C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | N/A |
| File created | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe" |
| C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe | C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe | C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{53A25~1.EXE > nul |
| C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe | C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{86837~1.EXE > nul |
| C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe | C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{244F5~1.EXE > nul |
| C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe | C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CF004~1.EXE > nul |
| C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe | C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C4245~1.EXE > nul |
| C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe | C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{13D14~1.EXE > nul |
| C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe | C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EA976~1.EXE > nul |
| C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe | C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EA9FC~1.EXE > nul |
| C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe | C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{878BE~1.EXE > nul |
| C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe | C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E49FA~1.EXE > nul |
| C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe | C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9311B~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe
| MD5 | a5fe928a6fa1487aa488e4dd644b9146 |
| SHA1 | c722f17ce960305889c3db0f80ec58680ff45c9e |
| SHA256 | 22bbaea91c1ff0134219e088e9ef55a22f2a101726aad73ac1a1e5a0801e7311 |
| SHA512 | d1694d3a8652cc35a93474a653a86da75df391e618bbaeab869ad5d478a6159b66c15220127bc72c8b754f1a9028a71e12fd130fc943dc98cab4b51d44492dd6 |
C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe
| MD5 | b79f1c1a15e4cadfe88671af90e2596d |
| SHA1 | e0a42c56785b1c11fa40d7ba960bbeaf52c7de40 |
| SHA256 | 648c3426bf79600526c04b7a59d5987cb6a23e79a63653302241935f808ab09f |
| SHA512 | 06e949c23063c556bd3037cf2963df7e639724a8607aa4379acf11c42882b880e1eb34a174ea8ab00828011fc5118b30e1b50e7bf1d6073141ee12789fb1c15d |
C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe
| MD5 | cc669b43bcb572c9a403ded9877ec536 |
| SHA1 | d30e60f41683ded4acfd9b0c3b45872990e6b4a5 |
| SHA256 | a29467c0e1621bd1013e7a757063ba07b6e4873af17e7dc87fddc5145143ff45 |
| SHA512 | 6d2bcd07993416de7eead03ea464d874e60b994067329650affb10653c33e2cfa1794937ee0f42045a6fa52cce83ea3cb995d553fd7c565b7b3c478314dcf2e4 |
C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe
| MD5 | f661c9b8c099218b9337765eb14e4b5d |
| SHA1 | c627229ae03460c4b2af026621e06aeb82b1328b |
| SHA256 | 48673a59963fa487614bc123a120cd0482bf88034ae07589314dc2123184b12d |
| SHA512 | beed715656cc1173c0778e39b56305e46114d88db599a231ff2bddeb12a74ea9bcf465177e2b117c6836cbd0b601428a9305ac292f12a73907debabf1ce44b83 |
C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe
| MD5 | 43a7abd1b1a81720976aa2fbcf0241f3 |
| SHA1 | 96e9bac0d4c5534025f13f4afc82d832358e4ac5 |
| SHA256 | b81944ec6e13d313cbe96a3388c5d4c50b0bad7ec97fdda700622e883cb6b4e1 |
| SHA512 | dc3e827ad928d9a6761ef1dfbc191fddda2994b342305f093fa7413f28dc529f0d977388bd381da1ef3668d105b5df5a6519bf3fcb14ed6fafe2af8096832560 |
C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe
| MD5 | 10b67c62ede82145a594c3488327c850 |
| SHA1 | 8bb4de283c6fc9ae00a10749e98fbdf91453877d |
| SHA256 | ffd249e4465ad68088f2dbce99956cec7bc29130e22e321c48c6d75d268882e9 |
| SHA512 | 37bb15662c5c725990a8c0825f4f8f5787c2ae7745c483404b022230fc926c07db3702882e0dc3671fe9f7ffde4923a51c1aab35c2941a6bf51e18f1965bff4d |
C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe
| MD5 | 763f70ea3e1997963929fcfadcc6521f |
| SHA1 | 05202142747344fc0cc7e7e348ea91f052699d20 |
| SHA256 | 96b4053930a224b2c4060b58236efa626fc5cbb999d14fdc379f021f443836a7 |
| SHA512 | 5beb960f515dcc4bbc8a4450e7a7a0b7eff4d5ed50b77a73f68b8f8f5ccccd4388ee3eff41dbc75fc8a055f1adf8f7ad7d9e7d7ba5d81e584f060c681914b6b7 |
C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe
| MD5 | efea0f72b95e9c4f795ac6a1b53bb1f6 |
| SHA1 | 65aef5e637b82945be99a35edec5dda6f6a023b5 |
| SHA256 | 7acc5b12d0f2d29922bfdd889598b879d3fb7d1b879cc58fdf24952f5465f041 |
| SHA512 | c0f2e75ea45ca9862502501be1a1644aff9ad26a381a441f3c2b619a4f001136d2b819743f35d4b02fe613899f8af4d444c3f63688d1ed913c27d81fed4b1ee1 |
C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe
| MD5 | a0be458fe550dde8af658dcb18232754 |
| SHA1 | 316fc24b49353d3e75f958ebb900d61105f5432f |
| SHA256 | baa3809a11fae278ca090e41db4a7dfb036c7d759e0ce5d77a82841319987903 |
| SHA512 | 2f3a3bb4a37a1ef696612745536c1d759aa7f250a8220e26c3438911021ff33c43fb3510d29efd3db9fb2a61e2128fc8341d36e223b8f66b093ef489d98d01ca |
C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe
| MD5 | 994f6459a8f3dffdd93e53e67452e224 |
| SHA1 | 8fc67c284651f2a3d43f5028c016cb230699315d |
| SHA256 | 08608ccad2214aba8bbfd883b4520b390f497ed5846187a2306a422e2e7402b1 |
| SHA512 | b01c6ab89f99d8604c428bd88eb0602f60c90db3dbde65d8bbdc54e717608a570901727823ca2e2e89ffd437fc3264c9c0d5e86ce74a8474b503c8f18680476a |
C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe
| MD5 | 65a84e765ebdffbcd1dc81b93e0885ca |
| SHA1 | 44a066fdfa2350e4767f3fd9a9a720e061891c40 |
| SHA256 | 600a8265c0d5aa8efe7041c0f8eaef27a10bb75c90abfb5a743efa9c2dd0546b |
| SHA512 | 9edff44e8547ab2a6ea6d8bba1e4be52c60f12f3e0ab7a05665cacc3731b01e2378626dfa796eddc2e44ade3cf164c2b0372e935fba392453356035a062ae6ed |
C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe
| MD5 | c509ab48268e9e24c59708b0c0ea509b |
| SHA1 | d32c8518655ca2d4b8c0420cf1e871f128378fbe |
| SHA256 | 2a0c362f203aa6971b4b93d27d9815e180baf79413f6cb00298e72bed59b0e57 |
| SHA512 | 255bff85bd075bf5802c41f837267cfbbac7dd03784706a048da92f964275547cdaceeb3dd03727c365cbd74cda0a0c2981d3b70f0a467221cde94c89f0e9656 |