Analysis Overview
SHA256
4a48929724328ee8677fc684521ac46170736cc5709b8ed8c93639b63b7a3221
Threat Level: Likely malicious
The file 2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:42
Reported
2024-11-11 12:44
Platform
win7-20240708-en
Max time kernel
144s
Max time network
118s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}\stubpath = "C:\\Windows\\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe" | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF65B684-6575-4140-9B89-F9A9BC5327A0} | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF65B684-6575-4140-9B89-F9A9BC5327A0}\stubpath = "C:\\Windows\\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe" | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}\stubpath = "C:\\Windows\\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe" | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3FF16B-1BED-41e1-AC05-E9325467928F} | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B256B3-1282-4591-90BF-DC5B25B43566}\stubpath = "C:\\Windows\\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe" | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AE92257-FA3F-4587-A077-4DABB37890C6}\stubpath = "C:\\Windows\\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}\stubpath = "C:\\Windows\\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe" | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14377D86-DB16-4a6e-AD30-65A69AB09080}\stubpath = "C:\\Windows\\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe" | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B256B3-1282-4591-90BF-DC5B25B43566} | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F290B57B-7618-47ae-8A2F-CF68503A6C5A} | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33} | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AE92257-FA3F-4587-A077-4DABB37890C6} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B} | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796C8D47-9B19-4119-924E-227694DAB253} | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606FC2D7-1A81-4339-9AD7-C86A005FACC5} | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94F053A-B870-41bd-87CE-2619A3ACF841} | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94F053A-B870-41bd-87CE-2619A3ACF841}\stubpath = "C:\\Windows\\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe" | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796C8D47-9B19-4119-924E-227694DAB253}\stubpath = "C:\\Windows\\{796C8D47-9B19-4119-924E-227694DAB253}.exe" | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14377D86-DB16-4a6e-AD30-65A69AB09080} | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3FF16B-1BED-41e1-AC05-E9325467928F}\stubpath = "C:\\Windows\\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe" | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}\stubpath = "C:\\Windows\\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe" | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A |
| N/A | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A |
| N/A | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A |
| N/A | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A |
| N/A | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A |
| N/A | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A |
| N/A | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A |
| N/A | N/A | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A |
| N/A | N/A | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A |
| N/A | N/A | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A |
| N/A | N/A | C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A |
| File created | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A |
| File created | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A |
| File created | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A |
| File created | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A |
| File created | C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A |
| File created | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| File created | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A |
| File created | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A |
| File created | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A |
| File created | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"
C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE92~1.EXE > nul
C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB9C~1.EXE > nul
C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{796C8~1.EXE > nul
C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{14377~1.EXE > nul
C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF65B~1.EXE > nul
C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{606FC~1.EXE > nul
C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55B25~1.EXE > nul
C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe
C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3FF~1.EXE > nul
C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe
C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F290B~1.EXE > nul
C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe
C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DB9~1.EXE > nul
Network
Files
C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
| MD5 | bca09a04488c9095bcf81346238c6448 |
| SHA1 | 271b0346908efc6d7ca23484e761d9d8b2575ff6 |
| SHA256 | ae049c09ca770905c40984c3023b7a067f85d0550b0f230ee71b6b3149ae1d0e |
| SHA512 | eefb59c21930d60408ff38531298c87118564a2a91388790e2c5a5c6439b15234745b5b2c6c4dd79ec7728d36201560e8c8cc4a906cedb10c89952717c199db0 |
C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
| MD5 | 5416d13828c44f8e133da27552325c5f |
| SHA1 | 4c37f35b749313aaa44eda861a9bcd9faf600dc5 |
| SHA256 | 52b79c619630519a4dbeff9795ec1fc7fda9449f103e0d62bcebb07d4a27e035 |
| SHA512 | c7dd3b7f15773e780d097a4fcfe0e4edcb83d40a5cc48caa1946923ac5a9ad09bc2dd14737715df25ac1191a7f3ce5e37697286dbf17bbe7bc3848cc06fa9ef1 |
C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
| MD5 | 1f93b1bf643fc8e0e96a4cec4383cbba |
| SHA1 | 78c67c388c4fd0dae076f71ad7222bc0d675006b |
| SHA256 | 5ceab7eb11e6ed19722720b68baee53684ea7f3d77fdedb013ab01b31c72bae8 |
| SHA512 | 0fd2ab2a197087ba5d6d25f1fabe2612f04b63f3c4388c9e13acb2d410020dc0a16c59fa0f9c291bfca42efdc00984be21aa1a1effe82ccaf98dbd32c594f9de |
C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
| MD5 | 1403d6aed1dcbac9f30862f1a970f830 |
| SHA1 | b28e3d698712a7c07b4503247b8c183d2d9cbecd |
| SHA256 | 958e51b8e4ec236976b146fbdbe346e3c10454b11b39975beda297e2487bfb7a |
| SHA512 | 2bdc9fa7ab728ed8a9c0ecf5ee2a2b24f65117d3e5469566758b654f3c93f2ff82080c0ad387d5ad4e6abb17a7579a8f05fbe8f5ab2c92dd3ffae3806d209a14 |
C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
| MD5 | 49cc8444c9123809c1e883c4bc98d35f |
| SHA1 | 7598c67f632105c21448ec67d26de6cdf6e303d3 |
| SHA256 | 9bb111a0f7b57139803e1f24dfe5f261237bf59be35b9ed1f76ffe9079bcd03b |
| SHA512 | 3864f3ce816d4c40bdfd09706f7047080c5e960c777b2de48caa303489d070e7f6d486f9a5c662a5aa4a6ba4b332225df0823a67a364fc432c2d713053ee8ba2 |
C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
| MD5 | 70143e7d65f3bb665b9f7846effb7465 |
| SHA1 | b308b13aed7d8bc501f9cce2ced1a631d3114ce0 |
| SHA256 | a01ad3801c7609199defce3ff2f53ae065c71a2a74896ca8eefbb1f563c4d88b |
| SHA512 | 39ad95bffdece4e90a0a3743eec6e03888df18ada4a1411010cc25aca550a5ddc854751cb3f5331c69c43adc929cf602cb6126f179537db021fd3dc4563533c0 |
C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
| MD5 | bcac83820bc73c1545a451ae82521b97 |
| SHA1 | 7853c4c5cbd3a4f59dbc4f825ab5925f969826d9 |
| SHA256 | 56e619336549d5c39ac59e36df1821d35ab35aca831c4d0f176c6c7b9c136fb2 |
| SHA512 | db9ee101bef3106289f069df86f037812bd88fedc29e661f2bb60c005e1e31cad206915e0c89721f2e7c602974c5937257df4e57906169cb02107756b0520689 |
C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
| MD5 | 21d9cd09165e0349848705c8f2987b66 |
| SHA1 | b86d6047a6c05b55a68d851352f8c1812c5c54d6 |
| SHA256 | 6ab0b53a95837771a3baf7b469f28bf2f71d6226f002a810f9c8456f6f4b8c89 |
| SHA512 | 8191193cb939514deddaac8f08f0f66eb109cd9f4d7bffb91361c328e9bffbb9ef4df1bc2faa8d9d6f4b782448e8f400c054799b01809f0e5d51bf7da183449b |
C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe
| MD5 | 00d0bc8a0ebc4f0d36885812ad6ce852 |
| SHA1 | b7adeb5fe6b1541539710a399f470e4b1c70e8c5 |
| SHA256 | e1615d06ece6464761409bc40a1c6e719ca96324e739337d5bb56a88c45b6ea7 |
| SHA512 | 7dea87ab27612d1b60c5d1b7dc9ee17f1f6e8b0eb08861b68c2342535efdb2ccb69ac404c7f0293b78f3b53300748bdbe5fff0809da4ba2228da607eed0c36b5 |
C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe
| MD5 | fa613e81f22ca4bc250b67c8f507b170 |
| SHA1 | 8869802ae36dc9a2bf5dde5bd30189d43d6d781e |
| SHA256 | 95ca8acf6622f92cfee8a20544063b7fd9c35f8cae0b84e1dd666c50bd352159 |
| SHA512 | 3012f9c5e2054de169ff096ee486401f7dc5eea2ec7aa517484bb4f9bca538002b78bb055515f1c2cd20cba18dfa1bfe585c91896188b679b01f6ee36764f19c |
C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe
| MD5 | c392e3a717c8d4684cad4a365112f391 |
| SHA1 | ebb558053aa1deccc2445e0df85fb55e1f1d2243 |
| SHA256 | 2bc6c6c2077668db32808b77f02bfe6bacbd18870af1890fc19aa786b7478eb1 |
| SHA512 | cff7ca76ed93af6690defd2a135895470a02dc54aa2dfffa5acf44e3adc90840212d00b2225f258fde43062807bfd877d40578365d7523bc3316a64c0cedb9f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:42
Reported
2024-11-11 12:44
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7200C66A-9611-4fd4-92AC-D6F953068154} | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5FFF31-0489-4464-ABC8-14BE941605B0} | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584552A-6947-4112-9F02-51B30C3BF7F4} | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}\stubpath = "C:\\Windows\\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe" | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584552A-6947-4112-9F02-51B30C3BF7F4}\stubpath = "C:\\Windows\\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe" | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BF5C3-B2EE-4721-9B31-5D2F25435377} | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7200C66A-9611-4fd4-92AC-D6F953068154}\stubpath = "C:\\Windows\\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe" | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5FFF31-0489-4464-ABC8-14BE941605B0}\stubpath = "C:\\Windows\\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe" | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}\stubpath = "C:\\Windows\\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe" | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2386F7A9-CAE8-463e-95E4-6939A73B9B56} | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0D8C0D5-8651-4675-A480-BA42DB925116} | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BF5C3-B2EE-4721-9B31-5D2F25435377}\stubpath = "C:\\Windows\\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe" | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}\stubpath = "C:\\Windows\\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe" | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1414401-1A74-4741-A46E-16BF2C9340CC} | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E8E9FA-8F87-45df-8F09-E3647D191255} | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E8E9FA-8F87-45df-8F09-E3647D191255}\stubpath = "C:\\Windows\\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe" | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6636970E-D32D-4f62-A14C-D6AF0AF45887} | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6636970E-D32D-4f62-A14C-D6AF0AF45887}\stubpath = "C:\\Windows\\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe" | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0D8C0D5-8651-4675-A480-BA42DB925116}\stubpath = "C:\\Windows\\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe" | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15AED68C-706F-4642-985A-421C499C0CF0} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15AED68C-706F-4642-985A-421C499C0CF0}\stubpath = "C:\\Windows\\{15AED68C-706F-4642-985A-421C499C0CF0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D8646B-E52D-4e65-8F01-63D7B19A28AD} | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1414401-1A74-4741-A46E-16BF2C9340CC}\stubpath = "C:\\Windows\\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe" | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3} | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A |
| N/A | N/A | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A |
| N/A | N/A | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A |
| N/A | N/A | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A |
| N/A | N/A | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A |
| N/A | N/A | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A |
| N/A | N/A | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A |
| N/A | N/A | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A |
| N/A | N/A | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A |
| N/A | N/A | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A |
| N/A | N/A | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A |
| N/A | N/A | C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| File created | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A |
| File created | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A |
| File created | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A |
| File created | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A |
| File created | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A |
| File created | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A |
| File created | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A |
| File created | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A |
| File created | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A |
| File created | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A |
| File created | C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe" |
| C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{15AED~1.EXE > nul |
| C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{134BF~1.EXE > nul |
| C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{04D86~1.EXE > nul |
| C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1414~1.EXE > nul |
| C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E8E~1.EXE > nul |
| C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7200C~1.EXE > nul |
| C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4F5FF~1.EXE > nul |
| C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2386F~1.EXE > nul |
| C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{66369~1.EXE > nul |
| C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D5845~1.EXE > nul |
| C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe | C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D8C~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
| MD5 | dc2f6595c2db3711dfe7159849a7a754 |
| SHA1 | 618ed178fddd7969e4b14e2490975ee12719b426 |
| SHA256 | 265f13d29e3012ea815f8921f252801687f95cf5d5664c2ad2460ac66e6b310b |
| SHA512 | 62233032d06916d889b7fd503f52616e4e753575714f94b79e93354bae3f4b99c1e84b2cde176b2c658de0173b2f045fefc941b405612f406823c8a2d99336c5 |
C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
| MD5 | 6ca3b3bfaaad3e73dabfaed83026ce8d |
| SHA1 | cc15943fcbc79d6beb7919278053eaf6fbe27ad5 |
| SHA256 | ebb92a7e60d47bef14f18def7736bc45072e694ce815f3b065af1da4dc5f265e |
| SHA512 | c44fb0a6d5c56e8bcb6a5eb0c0ad2f75236a7ffc44f994eb91fb5f83805897091e6044aff84bf0345d410c9f6b85288aa9c1ba561642984bc3ad6f0706df63c2 |
C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
| MD5 | 9e7bc48d5b4e9326cea37f6d9a7998b2 |
| SHA1 | bf00098ca4a11f8d86a9c6a38602fa389cea0154 |
| SHA256 | 9fcd1baa419fb21dd393525b6210bbf18eb729b9f0bd90a574737a7ad164218b |
| SHA512 | 1a5f5e60d6ba411117924257b3f28bb415f4750c154fa87678eda77cf0f2de0421bbe37d669f1a3887c653a87ddf9a6bc15e5bc1b33e44a0e59c0ca34902d909 |
C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
| MD5 | d698fbf3eaf027dc30843f3078255ad4 |
| SHA1 | 04475b6edfd9b5ad32828a6f98a6139ea9160ffb |
| SHA256 | 8a1b5569276a4f0d4b90b6e68e80694271a53ace54a366206cdf0dd4652a8bb9 |
| SHA512 | 1e04f2d5ac704b43ecb671e5ea4823a1fbfb10d364aec3da7ecff7c52b5e8c8999cad2ee4c675b461694ecf4a9152e61256f60021236b470cf20e2e25cfeb2f4 |
C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
| MD5 | 0b42727e029e3888bbdcf7c65439a4cd |
| SHA1 | 6001d901b4ad1c457fb9f9e2c87f93198704b130 |
| SHA256 | 0a6e8233ba8ef9af3fc0c0efda3b93398bde67c44351d08415cf745d1a0c2157 |
| SHA512 | b026aa3c6a9cc33bc185bcf0bcf79bcc92e9c261e8aa1e74b1b1e7966bf155393b4a9ceb973a5cd1d871235863d1333268987f715f3383ef65844f7a04997107 |
C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
| MD5 | f68802c0bf898ae3b5eca5c4d7602036 |
| SHA1 | d6187d452f8c6bec091800977527dc97f89051f0 |
| SHA256 | c8108e29d1311a0c4d775a11c56a05761e2fad62da748eb94a1a3b2c571c986e |
| SHA512 | 5a1c20b547827cba7ad3ed0d01162edfd5992574a64b0833079fb0ab4c45e1d0ed0b9fe85e1299de51019656cc289a44ecd13069cf6e115fefaf1d39a7b1e1cb |
C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
| MD5 | ac52a568817dc0817f5037759ffd159e |
| SHA1 | 669645029ce83d79f2ed82bc1bf93a94cc34f651 |
| SHA256 | a3a31b55bf8a9dc5a55fca61aa54e2d5645246adeb38e1e3e13321b75a093687 |
| SHA512 | 9e7f7d56df5c2ad4a7bf1e5011727f7b0ddcb4e11cc5ec6b22cc264af2c0b2a6c6ca307079662bad3cfc1ff6bca7d7850226fe14647333a1e5b52ad30daf654e |
C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
| MD5 | ed2cec9513b1511dab66ae979f9f0a23 |
| SHA1 | 7629b25baef5a5c6d226a77b0a5d568884341f99 |
| SHA256 | ee816043538cd03107e0f535db19c8f7cb460cea4da186cd224508471ee7d9bc |
| SHA512 | d9f4cfafadc7a99c16a61bfd751c48c8de2f13995414139ea2bf173f7e7ca1f863a3c1577608458c2371b846b1f7e252c0235bdb40647f5a055a29c789b5a6eb |
C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
| MD5 | 432c886ca8fdd602325536a7d9bd84fc |
| SHA1 | 977ac8303a4a3c8c760f27ebd8d5882c4be50f9d |
| SHA256 | a982ff23066622738ce662b73cfa60987823001e79de77969c26110f00f06684 |
| SHA512 | 882bebbef8092111ec748bf1e79974aeb4084b0a3434d429e2659fd53eff7986f43aae8656ee3d13cd6e99e1dc6493c143627a05a52f0a83c41473a0768b4b57 |
C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
| MD5 | 74cbddc0780f773c694bbbdacb525710 |
| SHA1 | c5003e2da13bd864e93ac324e9a3c412f0148033 |
| SHA256 | 6b78723dacff327c897aa908197265e72f445bd39d4cbf21cfc3c2abf8327e84 |
| SHA512 | 631acb516bb201ab81290f8a23149f550082057d779ade3512d7783cf645387e83c86bc048fc3474a15724f30a2bd7b495391dbfb3de3eaec282e50d769abfad |
C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
| MD5 | 263228e1ca7d0bffb609e0c9921011f4 |
| SHA1 | 81795f93f18914c460169e08d816ef1e3ba41259 |
| SHA256 | ee52174130f713f18afe0a05fa317cb59bad4cdba80a8a7bd299b33b578e19e0 |
| SHA512 | 1403830a6583a5d18731c3b179625972c09d79c754a2f41983df1113dded1917dafadaae65e9d40abadfec94ca5fe6d41a7184ee38c70d8330da88e0f830a2ee |
C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe
| MD5 | 9a96e31d57bd6166b88ef0435d13405f |
| SHA1 | 57e67f318a315ef24196ab353a17a471483723d4 |
| SHA256 | ee7a0d4e6e03fbbd8979ebfbb50c0e85451de5b0fe7f383b7a7e49ec9bde74d3 |
| SHA512 | 7d9d44414eb469f09b32971c3ef395a7c5d2ac59cdc05cdb2da0c39747e138be7ffd462d9b9d813673a989d67f05cd8285a87c9b718728f3d8562ca0e2faeda5 |