Analysis Overview
SHA256
f711cdf4fc3db9a50331351e83f1d438c3b079b9c760b8dc6519e864ec46b336
Threat Level: Likely malicious
The file 2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V15)
T1547.014 Boot or Logon Autostart Execution: Active Setup
T1614.001 System Location Discovery: System Language Discovery
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:43
Reported
2024-11-11 12:45
Platform
win7-20241023-en
Max time kernel
144s
Max time network
118s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}\stubpath = "C:\\Windows\\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe" | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39} | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}\stubpath = "C:\\Windows\\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe" | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B} | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C95BE21-6B74-4fc8-A591-927B7F7E9689} | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}\stubpath = "C:\\Windows\\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe" | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}\stubpath = "C:\\Windows\\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe" | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}\stubpath = "C:\\Windows\\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe" | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F21DD83-522C-4ac2-B750-A1787D7FC107}\stubpath = "C:\\Windows\\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe" | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}\stubpath = "C:\\Windows\\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe" | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58} | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}\stubpath = "C:\\Windows\\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}\stubpath = "C:\\Windows\\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe" | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA} | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EBDF79-BA35-4253-B978-BC8ADBF552E9} | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B} | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}\stubpath = "C:\\Windows\\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe" | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}\stubpath = "C:\\Windows\\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe" | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F21DD83-522C-4ac2-B750-A1787D7FC107} | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F} | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03} | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A |
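The rows above are the persistence mechanism. Each generation first creates an Installed Components key for the GUID of the executable it is about to drop, then writes that executable's path into the key's `stubpath` value; Active Setup runs the stub at the next interactive logon for every user whose HKCU does not yet carry that component. The script below is an added example, not code from the sandbox or from the sample: it parses registry rows in the shape this table uses (both the native key and the Wow6432Node copy that these 32-bit writers land in) and flags StubPath values by heuristics that fit this case and generalise a little beyond it (stub directly in the Windows root, GUID-named stub, stub named after its own component, stub in a user-writable directory). The first four `EVENTS` rows are copied from this table; the last two are constructed for contrast, one shaped like a stock Windows component entry and one under AppData with a made-up GUID.

```python
"""Flag Active Setup persistence in registry set-value events.

Added example, not the sandbox report's own scoring logic. The first
four EVENTS rows are copied from the behavioral1 Active Setup table of
this report; the last two are constructed (a benign-shaped entry and a
user-writable one with a hypothetical GUID).
"""
import re
from dataclasses import dataclass

# Native key and the WOW64-redirected one: a 32-bit writer's HKLM\SOFTWARE
# writes land under Wow6432Node on a 64-bit host, as they do in this report.
ACTIVE_SETUP_VALUE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\ACTIVE SETUP"
    r"\\INSTALLED COMPONENTS\\(?P<component>\{[0-9A-F-]{36}\})\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)  # no subfolder
USER_WRITABLE = re.compile(r"\\(?:USERS\\[^\\]+\\APPDATA|PROGRAMDATA|TEMP)\\", re.IGNORECASE)

EVENTS = [  # (description, indicator, writing process), as the report lists them
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}\stubpath = "C:\\Windows\\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe"',
     r"C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe"),
    ("Key created",  # no data: ignored, only the stubpath write matters
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}",
     r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}\stubpath = "C:\\Windows\\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe"',
     r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}\stubpath = "C:\\Windows\\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"),
    # Constructed: shaped like a stock Windows component entry; must not fire.
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath = "C:\\Windows\\System32\\ie4uinit.exe -BaseSettings"',
     r"C:\Windows\System32\msiexec.exe"),
    # Constructed: stub in a user-writable directory, hypothetical GUID and paths.
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svc\\updater.exe /quiet"',
     r"C:\Users\Admin\Downloads\setup.exe"),
]


@dataclass
class Finding:
    writer: str
    component: str
    stubpath: str
    reasons: list


def parse_indicator(indicator):
    """Split the sandbox's '<key>\\<value> = "<data>"' rendering into (key_path, data)."""
    key_path, sep, data = indicator.partition(" = ")
    if not sep:
        return None
    data = data.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return key_path, data.replace("\\\\", "\\")  # undo the report's backslash escaping


def executable_of(command):
    """Image path from a stub command line: a quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess(events):
    """Findings for every Active Setup StubPath write that looks like persistence."""
    findings = []
    for description, indicator, process in events:
        if not description.startswith("Set value"):
            continue
        parsed = parse_indicator(indicator)
        if parsed is None:
            continue
        key_path, data = parsed
        m = ACTIVE_SETUP_VALUE.match(key_path)
        if not m or m.group("value").lower() != "stubpath":
            continue
        exe = executable_of(data)
        name = exe.rsplit("\\", 1)[-1]
        reasons = []
        if WINDOWS_ROOT.match(exe):
            reasons.append("stub executable directly in the Windows root, not a subfolder")
        if GUID_EXE.match(name):
            reasons.append("GUID-named executable")
        if name.lower() == m.group("component").lower() + ".exe":
            reasons.append("executable named after its own Active Setup component")
        if USER_WRITABLE.search(exe):
            reasons.append("stub executable in a user-writable location")
        if reasons:
            findings.append(Finding(process, m.group("component"), exe, reasons))
    return findings
```

Run over `EVENTS`, the four report rows that set `stubpath` produce three findings (the `Key created` row carries no data) and the constructed AppData row a fourth; the IE-style entry under System32 is left alone. The writer column is what links the generations: the process that registers component X is the executable registered one step earlier.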
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A |
| N/A | N/A | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A |
| N/A | N/A | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A |
| N/A | N/A | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A |
| N/A | N/A | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A |
| N/A | N/A | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A |
| N/A | N/A | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A |
| N/A | N/A | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A |
| N/A | N/A | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A |
| N/A | N/A | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A |
| N/A | N/A | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| File created | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A |
| File created | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A |
| File created | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A |
| File created | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A |
| File created | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A |
| File created | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A |
| File created | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A |
| File created | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A |
| File created | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A |
| File created | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A |
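The `File created` rows are listed in the order the sandbox flushed them, not in drop order, but they contain enough to rebuild the chain: the creator of each dropped file is itself the file dropped one step earlier, and only the original sample in `%TEMP%` was never created by another row. The script below is an added example, not sandbox code; `DROPS` is this table copied as (created file, creating process) pairs, and the walk refuses to flatten a branch or a cycle so that a non-linear drop graph is reported instead of silently truncated.

```python
"""Rebuild the drop chain from the 'File created' rows of a sandbox report.

Added example, not part of the report. DROPS is the behavioral1
'Drops file in Windows directory' table as (created, creator) pairs;
the function names are this example's own.
"""
import re
from collections import defaultdict

DROPS = [
    (r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe",
     r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"),
    (r"C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe", r"C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe"),
    (r"C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe", r"C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe"),
    (r"C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe", r"C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe"),
    (r"C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe", r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"),
    (r"C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe", r"C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe"),
    (r"C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe", r"C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe"),
    (r"C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe", r"C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe"),
    (r"C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe", r"C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe"),
    (r"C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe", r"C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe"),
    (r"C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe", r"C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe"),
]

GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def build_chain(drops):
    """Generations in drop order, root dropper first.

    The root is the one creator that no row lists as a created file. A
    creator with several children, or a cycle, raises rather than being
    flattened, so the caller learns the graph is not a simple chain.
    """
    display, children, created = {}, defaultdict(list), set()
    for child, parent in drops:
        p, c = parent.lower(), child.lower()  # NTFS paths compare case-insensitively
        display.setdefault(p, parent)
        display.setdefault(c, child)
        children[p].append(c)
        created.add(c)
    roots = [p for p in children if p not in created]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root dropper, found {len(roots)}")
    chain, seen, cur = [], set(), roots[0]
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle at {display[cur]}")
        seen.add(cur)
        chain.append(display[cur])
        nxt = children.get(cur, [])
        if len(nxt) > 1:
            raise ValueError(f"{display[cur]} dropped {len(nxt)} files; not a linear chain")
        cur = nxt[0] if nxt else None
    return chain


def summarize(chain):
    """Per generation: path, whether it sits directly in the Windows root, whether the name is a GUID."""
    return [
        {
            "generation": i,
            "path": path,
            "in_windows_root": bool(WINDOWS_ROOT.match(path)),
            "guid_named": bool(GUID_EXE.match(path.rsplit("\\", 1)[-1])),
        }
        for i, path in enumerate(chain)
    ]
```

For this run the walk yields twelve generations, the original sample plus the eleven drops listed, every one of the eleven sitting directly in `C:\Windows` under a fresh GUID name. That count is bounded by the 144 s kernel window of the detonation, not by anything in the sample, which is why the last generation shown never gets to drop a successor.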
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF38D~1.EXE > nul
C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31ECB~1.EXE > nul
C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4CC~1.EXE > nul
C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2C95B~1.EXE > nul
C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{510C9~1.EXE > nul
C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{38EBD~1.EXE > nul
C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F21D~1.EXE > nul
C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC68C~1.EXE > nul
C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF7~1.EXE > nul
C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AFA~1.EXE > nul
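Two details of the process list above matter for detection. First, every `del` names its target by its 8.3 alias (`2024-1~1.EXE`, `{AF38D~1.EXE`), so a rule that compares the command line against the long image path never fires. Second, each command line asks for `C:\Windows\system32\cmd.exe` while the image the sandbox recorded is `C:\Windows\SysWOW64\cmd.exe`: the caller is 32-bit, and WOW64 file-system redirection serves it the 32-bit cmd. The script below is an added example, not sandbox code: it derives the 8.3 form of every ancestor's image and reports each `cmd /c del` whose target resolves to one of them. The command lines are copied from this list; the pids and parent links are an assumption made for the example, since the flattened list does not record them, and the final record is a constructed benign control.

```python
"""Spot 'cmd /c del <8.3 alias>' deletion of an ancestor's own image.

Added example, not part of the sandbox report. Images and command lines
are copied from this report's behavioral1 process list; pids and parent
links are assumed, and the last record is a constructed benign control.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# 'cmd /c del [switches] <target>'; the '> nul' that hides errors is not matched on.
DEL_TARGET = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)', re.IGNORECASE)
# NTFS short-name derivation, simplified: spaces and dots dropped, a few
# characters replaced by '_', first six characters kept, then '~N' and a
# three-character extension. After four collisions NTFS switches to a
# hash-based prefix this check does not model, so a non-match is inconclusive.
SFN_DROP = re.compile(r"[ .]")
SFN_REPLACE = re.compile(r"[+,;=\[\]]")
SHORT_FORM = re.compile(r"^([^~]{1,6})~(\d+)(?:\.([^.]{0,3}))?$")

PROCS = [  # pids/ppids assumed for the example; images and command lines from the report
    Proc(100, 1, r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"'),
    Proc(200, 100, r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe",
         r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"),
    # 32-bit parent asked for system32\cmd.exe; WOW64 redirection ran SysWOW64\cmd.exe.
    Proc(300, 200, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    Proc(400, 200, r"C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe",
         r"C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe"),
    Proc(500, 400, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AF38D~1.EXE > nul"),
    # Constructed benign control: removes a log file, not an ancestor's image.
    Proc(600, 100, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]


def short_form_parts(filename):
    """(6-char prefix, 3-char extension), upper-cased, that filename's 8.3 alias would use."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    base = SFN_REPLACE.sub("_", SFN_DROP.sub("", base))
    return base[:6].upper(), ext[:3].upper()


def refers_to(target, long_path):
    """True if target (as typed after 'del') names long_path literally or via its 8.3 alias.

    Directory components are compared literally; a shortened directory
    (PROGRA~1 and the like) would need the same treatment and is not handled.
    """
    t_dir, _, t_name = target.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if t_dir.lower() != l_dir.lower():
        return False
    if t_name.lower() == l_name.lower():
        return True
    m = SHORT_FORM.match(t_name)
    if not m:
        return False
    return (m.group(1).upper(), (m.group(3) or "").upper()) == short_form_parts(l_name)


def self_deletions(procs):
    """(cmd pid, ancestor pid, ancestor image) for each cmd /c del aimed at an ancestor's image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = DEL_TARGET.search(p.cmdline)
        if not m:
            continue
        ancestor = by_pid.get(p.ppid)
        while ancestor is not None:
            if refers_to(m.group(1), ancestor.image):
                hits.append((p.pid, ancestor.pid, ancestor.image))
                break
            ancestor = by_pid.get(ancestor.ppid)
    return hits
```

With the assumed tree, `self_deletions(PROCS)` attributes the first `del` to the original sample and the second to `{AF38DAC2-...}.exe`, and ignores the log clean-up. A file whose image is still mapped cannot be deleted (the request fails with a sharing violation), so the chain depends on the earlier generation having exited before the `del` runs; the `> nul` hides that failure either way, which is why the deletion attempt, not its success, is the thing to alert on.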
Network
No network activity was recorded in this run.
Files
C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
| Hash | Value |
|---|---|
| MD5 | c85a3dada99e8921b643a5ca449b3340 |
| SHA1 | 5427425ebebe617a5f42c18802bc3fd0c72fc1b9 |
| SHA256 | d9694d46aa896ca12fb864dfff0cdbf2c81c7f7a7b2a4197c11e935feaedf559 |
| SHA512 | 3464c7115a5a84205417628c62567af542c9475a3afb75b008143eeb84d48dab8f35ae10cb7a3042f49424bb1cdb3e1f90e4c8d874705368f547ebd8920ec426 |
C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
| Hash | Value |
|---|---|
| MD5 | 4c727bcbbc47dbdc39dfae9da51424db |
| SHA1 | 24466598da4748424d5a04a9978b00291c41140a |
| SHA256 | 96ba8da68a9f04552323403b1237b478cf46709ecd6e03725c740829f3727fba |
| SHA512 | b3c843dd303b860c195da2930e737750dde768ffea79c0ea8cdaa21c1c608b2dabf3b1e56d598be89d0c5202aeb538c2bce19c858bb3c460c4f8335467062e31 |
C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
| Hash | Value |
|---|---|
| MD5 | ea6231bcd3dd0a9f04ffe953533adf6d |
| SHA1 | eb70bee521f0159a92c2d1d10d9c7f85a83d394b |
| SHA256 | d86fe5ad44fc1f1ad01f46d8ffa4ab11a0a5e52022ec9b5cc9ad4075632d669b |
| SHA512 | f519a213908b3fea8655a11bcd8013c8e1bf4d55ea56d3fc5ad9a9eedcc4875ae93dac119a592e7408ac25b68d73ecb8ab0924c238909b413da78c8f5e4fe654 |
C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
| Hash | Value |
|---|---|
| MD5 | 7fe08b46dc5cacc221e3f9153bd61a12 |
| SHA1 | 97a8d409a0be3801149235de3a0e695cc55e3c2c |
| SHA256 | 42138d716456810ba12e926376ad0dd9eda9c388528b7b11822056ab9faa0f07 |
| SHA512 | dc05d3e41c23aa30cb787e89c3d99cdbe6a451f11f77249df04ca12eb23ea2b271ada26e206e9d1d9f342aa2eda56ed40eb7ba1213095e9dc990e7a84a2aa1f6 |
C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
| Hash | Value |
|---|---|
| MD5 | 4396980222310da34f3413edd0a3c4db |
| SHA1 | f504a201f36375bbb993086e611021bfc588c897 |
| SHA256 | e77b7c8f5d6ecb8e6f5db5dd3ccc8069b62cbf19eeff03f3e47f1634a378ecb2 |
| SHA512 | fbf26afaffc9f6d3fae0150f733191cf098984f5da4ee4070e835bc11e277f8d5c59221a88fcf30023fc456bb1b1f8c07890a3193266ab22167f60f46003d9d9 |
C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
| Hash | Value |
|---|---|
| MD5 | 597baf289fdd68cfa93afe905520979a |
| SHA1 | 19636d1be5a1def8b8bfb0f30343fd32e36d4201 |
| SHA256 | 1a2f70f5ecc08f6bcf3b9ff3968c3839f47f026c45b59b91800fef01dc038dfe |
| SHA512 | 76e5e49c4d7d241b7fa18d679f122b595cf82b0bf78f6362883b43824fca3e9edb9d64eb6e903bd024e0bde9a6ed08fc8612c085855428ebe57b77ae60b8df7b |
C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
| Hash | Value |
|---|---|
| MD5 | 7aaeee498c07a4aa7a9dfdd6d5c19e80 |
| SHA1 | 33442c4052b2d9e19af2987d2658c5831f1881da |
| SHA256 | 2d590f2b629c0abea1908bb441b90645d78260d38114fa1194e8299fd674550a |
| SHA512 | 9e28f296c52b3958aaacf2c84c0f999710017c27e81d3975a89d3d02e835f3a05c834a9f9a9c2e3dc35c685dfae4bfab443bf4de64cbe6d76de514d6a56010ed |
C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
| Hash | Value |
|---|---|
| MD5 | 801647ec5470f469ecb3a96a3c544054 |
| SHA1 | 0e13f809e2b73d8589013fa3f74f134ca1d7ee53 |
| SHA256 | c5ea27b1dc37cc09ec573b44fdef3e19e11149601ad6906f9bb063b984c764ca |
| SHA512 | 691580307a25667c163e2ea8e01bec09538758e6fad7e6f9f79b84155d2c2438c23c8d716ee3a4d62187c6d8b016a67fe970c71e93775e63de5dc305c153d99f |
C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
| Hash | Value |
|---|---|
| MD5 | 1ec4227e3b6ec722e163f904c27f0254 |
| SHA1 | 21d8887c5b20698853939c07c8a00211b2c17217 |
| SHA256 | e56a5247df994a8569d7df62fc55220cbf71ebeab2e5ece863b8c98fb314a392 |
| SHA512 | 7c6626087f2065ebdec34e35c7fc95d2fd3ec6735459af13121e20c06c3fb2d72f7fe6327b70051583e8530cc40f5642a0785f1324327931347e759b6d03244d |
C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
| Hash | Value |
|---|---|
| MD5 | 6cf95bd69ca99003c1295a67f390075a |
| SHA1 | 16baa9dc0f4ee96bb1d1c4866da319c6b791e69b |
| SHA256 | f9aaafe72d2d6eff64ebf057922e715d54a2c326046d682114f08d364a7ae865 |
| SHA512 | c21085b2b1f283f45824555b3e9b41bc9d6daa0e6aef4be072673cff82a4816f15d35dff3f0455c9b51c162d9b83f6e1e8abcfca179b7ccd289385afb5dd1d8a |
C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
| Hash | Value |
|---|---|
| MD5 | 81addc9035ca5064815a28f5a31b0098 |
| SHA1 | e27182d53f3c0fea9e0053ca91542118985d9039 |
| SHA256 | 60de1f97429ae8d214be6fe4ec2e484da3c20e1f7cfdc9b955761659a3006f8d |
| SHA512 | 1faa5dccf511f91f7f974a6e34c18f24b919a51dd108887f3a12d184236c42c367011dc5af991888aeea950bd98e56e7b2db0011ce0f7c8ffedb5372675f4f21 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:43
Reported
2024-11-11 12:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4} | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B435D10-597F-41de-808F-737E03450630} | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC319AB4-3585-4d24-A17A-29A4043B283D}\stubpath = "C:\\Windows\\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe" | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE} | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}\stubpath = "C:\\Windows\\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe" | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977} | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}\stubpath = "C:\\Windows\\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe" | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EA515-D7B7-4306-9E84-167A57BEFCEC} | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}\stubpath = "C:\\Windows\\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe" | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6111A5C8-C18E-4b18-93EB-CCB8509E2420} | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618}\stubpath = "C:\\Windows\\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC539198-109A-47dd-B4B2-05062F4E33BB} | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC539198-109A-47dd-B4B2-05062F4E33BB}\stubpath = "C:\\Windows\\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe" | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}\stubpath = "C:\\Windows\\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe" | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B435D10-597F-41de-808F-737E03450630}\stubpath = "C:\\Windows\\{3B435D10-597F-41de-808F-737E03450630}.exe" | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC319AB4-3585-4d24-A17A-29A4043B283D} | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}\stubpath = "C:\\Windows\\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe" | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{344804A8-35F5-4360-9A01-9FD696AA0CBC} | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}\stubpath = "C:\\Windows\\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe" | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8} | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}\stubpath = "C:\\Windows\\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe" | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8} | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{344804A8-35F5-4360-9A01-9FD696AA0CBC}\stubpath = "C:\\Windows\\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe" | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A |
| N/A | N/A | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A |
| N/A | N/A | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A |
| N/A | N/A | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A |
| N/A | N/A | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A |
| N/A | N/A | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A |
| N/A | N/A | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A |
| N/A | N/A | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A |
| N/A | N/A | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A |
| N/A | N/A | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A |
| N/A | N/A | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A |
| N/A | N/A | C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| File created | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A |
| File created | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A |
| File created | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A |
| File created | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A |
| File created | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A |
| File created | C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A |
| File created | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A |
| File created | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A |
| File created | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A |
| File created | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A |
| File created | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe" |
| C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{402B7~1.EXE > nul |
| C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC539~1.EXE > nul |
| C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B2538~1.EXE > nul |
| C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D4877~1.EXE > nul |
| C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D15EA~1.EXE > nul |
| C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6111A~1.EXE > nul |
| C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3B435~1.EXE > nul |
| C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC319~1.EXE > nul |
| C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC72~1.EXE > nul |
| C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC34~1.EXE > nul |
| C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe | C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{85285~1.EXE > nul |
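The Processes list above records a drop, execute, delete loop: each new GUID-named stage appears in C:\Windows, and a `cmd.exe /c del <8.3 short name> > nul` invocation removes the stage listed before it, starting with the original sample in Temp. The recorded image is SysWOW64\cmd.exe although the command line names system32\cmd.exe, which is WoW64 file-system redirection acting on a 32-bit process. The Python script below is an added example, not part of the sandbox report or of the sample: it transcribes the process and command-line pairs from the list as constructed input, maps each 8.3 delete target back to the long file name it refers to, and returns the behavioural indicators (stage count, self-deletes, GUID-named executables in the Windows directory, the stage still alive at timeout) that a detection rule can key on. The 8.3 conversion is a heuristic for the no-collision case, and attributing each delete to a listed executable relies on the order of the report, not on a recorded process tree; both are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

ORIGINAL = r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
# Image path as the sandbox recorded it: the 32-bit stage asked for
# system32\cmd.exe and WoW64 redirection served SysWOW64\cmd.exe.
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
CMD_LINE = r"C:\Windows\system32\cmd.exe /c del {} > nul"

# (image, command line) pairs transcribed from the Processes section (constructed input).
PROCESSES: List[Tuple[str, str]] = [
    (ORIGINAL, f'"{ORIGINAL}"'),
    (r"C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE")),
    (r"C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{402B7~1.EXE")),
    (r"C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{CC539~1.EXE")),
    (r"C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{B2538~1.EXE")),
    (r"C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{D4877~1.EXE")),
    (r"C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{D15EA~1.EXE")),
    (r"C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{6111A~1.EXE")),
    (r"C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{3B435~1.EXE")),
    (r"C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{AC319~1.EXE")),
    (r"C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{1AC72~1.EXE")),
    (r"C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{4AC34~1.EXE")),
    (r"C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe",) * 2,
    (CMD_IMAGE, CMD_LINE.format(r"C:\Windows\{85285~1.EXE")),
]

DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)
GUID_EXE_RE = re.compile(r"^c:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)


def short_name_83(long_name: str) -> str:
    """Approximate the 8.3 alias Windows assigns to a long file name in the
    no-collision case: first six characters, '~1', three-character extension,
    upper-cased, with spaces and embedded dots dropped. Real generation also
    substitutes some characters and switches to a hashed form after a few
    collisions; this heuristic (an assumption of the example) ignores that."""
    base, _, ext = long_name.rpartition(".")
    base = re.sub(r"[ .]", "", base)
    return f"{base[:6]}~1.{ext[:3]}".upper()


def matches_short_path(long_path: str, short_path: str) -> bool:
    """True if short_path is the 8.3 form of long_path in the same directory."""
    ldir, _, lname = long_path.rpartition("\\")
    sdir, _, sname = short_path.rpartition("\\")
    return ldir.lower() == sdir.lower() and short_name_83(lname) == sname.upper()


def reconstruct_chain(processes):
    """Attribute every 'cmd /c del <8.3 path> > nul' to the executable it removes.
    Returns (stages in deletion order, executables never deleted)."""
    exes = [img for img, _ in processes if not img.lower().endswith("\\cmd.exe")]
    deleted = []
    for _, cmdline in processes:
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        victims = [e for e in exes if matches_short_path(e, m.group("target"))]
        if len(victims) != 1:
            raise ValueError(f"cannot attribute delete of {m.group('target')!r}")
        deleted.append(victims[0])
    survivors = [e for e in exes if e not in deleted]
    return deleted, survivors


def stage_summary(processes) -> Dict[str, object]:
    """Behavioural indicators that do not depend on per-stage file hashes."""
    deleted, survivors = reconstruct_chain(processes)
    stages = deleted + survivors
    return {
        "stages": len(stages),
        "self_deletes_via_cmd": len(deleted),
        "guid_named_exes_in_windows_root": sum(bool(GUID_EXE_RE.match(s)) for s in stages),
        "live_at_timeout": survivors,
    }


if __name__ == "__main__":
    for key, value in stage_summary(PROCESSES).items():
        print(f"{key}: {value}")
```

Run against the transcribed list, the script attributes all 12 deletions, leaves only the last stage ({344804A8-...}.exe) alive when the detonation timed out, and counts 12 GUID-named executables written to the Windows directory. The Files section shows a different MD5/SHA1/SHA256 for every one of those 12 files, so hash indicators from this run cover only this run; the `cmd /c del <8.3 name> > nul` pattern and GUID-named executables in C:\Windows are the reusable signal.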
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
| MD5 | 1d863cafdeb51ea13aa969db906fc33b |
| SHA1 | d6027a57016c05ab9cd7c8693050fec90908afb1 |
| SHA256 | 4b17d98e850d03bce897418e4a0480bbe8c62d10fce211e2aea655e4868af716 |
| SHA512 | e23edb70c7766a5af2878a0868dda245239cfb03539f290513e2d717af950fe4c1f2096395835c347845b1bb78216084bd6d5f304fbd32bb2271fd28332230b0 |
C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
| MD5 | 3ade4803cc43d9c0a25a2ccc22268393 |
| SHA1 | 42cb1cef3acd55a58653e89885e38120e8ce4d10 |
| SHA256 | b268f9e16f423bb6c203f661a3fdba7853a7eeba55ad4de4c1a84f5fcdffb645 |
| SHA512 | 2434d033f24c457ad481035b5e3168eed5b133c59034815559da3a5e7efb56ea1f7f9bca5278acd6c67dff133b45019457d3564f7bf85b6e3c8306bb2fecc00c |
C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
| MD5 | d4cc2fdc073accabd2ed854bf9cfd375 |
| SHA1 | 78540a7a2d16c86c17d88ddeeba151504b37910c |
| SHA256 | d5456b048c3dcb9a84fd1de0b273ff3b2a1704199d490e5ca9ab683225b54d72 |
| SHA512 | a80823436f80c18fd4f01b1b301765518e42ab434941521980fbc8f28104cb8f3a6bedf8a8397afad958ea016664652558cd88e7f9ca803ce774aebadf486128 |
C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
| MD5 | 96b25bfbca3850c1656c3a340a9fe239 |
| SHA1 | dcc36db98bdb0e070f0aafdff3878dce2ee48e23 |
| SHA256 | 9c5fe6ea9be1f9346b109e9d3115c7c37b48410a29c7ebe413c2873c12beadef |
| SHA512 | 2bb4d480c6c51720b30d41260c25de318a52212be6c6f821e03bd0c40e7e62b5ee42a845238ac184e02e8fcf74d5ebd074dbc3785b204e8f8194b2580fb9e8e9 |
C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
| MD5 | c5908290269d9a78b8fed53d8a622c6a |
| SHA1 | efd962729852b079e641279c60b0667f5496def6 |
| SHA256 | bae224d632b5dece3ae82ab3a537ef2f319b10277251b92fc500d49cc2facc91 |
| SHA512 | de95666d4ea5f3768ccf33cc03e0ea8524ae899ccb29ada3fbba7a05877077ba8fe4369d226201cbff665ef5514481d6a45cbc2808e07a561a0c966f697b2916 |
C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
| MD5 | 8a8a0da1a36d15c6962af4cc34459669 |
| SHA1 | 558967cf3eefca94c9cd5c3adc784fab988180fa |
| SHA256 | 591ab84b20549d394e898d11c6174d06fd55684c6aaedee5f3a4eab440d3ece2 |
| SHA512 | 85964431f521e5a3377e19cb2a4f8e2db06d019e4f87e4f514d537a8a6650408c2ebbc19564c1a26f7f49337f0365be7676d22901a19393a55d615691525e42b |
C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
| MD5 | aae55b43b6ab447d23833cdf7cbfc8da |
| SHA1 | 2ca5c9786926a0be4a902065fb8c07f5939ff4cb |
| SHA256 | 4ed07d94129acdd77359fc7f5d385202aa1be897656a9eb882562bd0cd0690d3 |
| SHA512 | 36d4794295150b05c50c43c5a189037541b88aa2eaad7d1833f23ceb4bf8b742e232c5539bea4f47ae665b95a7ded4d004367fb6906039ea9978e9f495d863da |
C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
| MD5 | 16f1cc8949e37efedaa4315435ff72b9 |
| SHA1 | cb9e8082ddf8f41552c92dc100095343fdef6f07 |
| SHA256 | 4b671eca279f9ae53c424cd03e2b11d353d690be01ce3815675fe694d605fe37 |
| SHA512 | 7cd32b9e8cf464879156fc75b3a2ddb45243d89bd66b3f98eea24a26982282e3d3fa8919b18406eb99a2a4641cc4b91e46dcd50f5a2d885c2c3cccf6122758ae |
C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
| MD5 | cf3a8b2c05668fb5cb4a9cbd37ce8a98 |
| SHA1 | 42827ef4b0c6c931fe8133d0e4a5e9962cae732f |
| SHA256 | 4abb211cf0b473ec16d7bfca1fe0d001c5bc74222bb3be02c83c0dd9eb7c8a9e |
| SHA512 | 4786f255fa12d970d0eb1411c6d8b18f81bef1e39590b19ace2d33602a2b3e5c14c3c83768a464e74f28b640ed663ef4b960bf4ac8c4f1ec2c29a046d6bb68b3 |
C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
| MD5 | febad1e3dc4f2a3df740cc9fdc8b7677 |
| SHA1 | f37760d320eef647be6795bbf40ff213a2893d94 |
| SHA256 | fbf9375188994fc0e555f17c17ae08d16832fa1859faeb3c255ac922f8f88630 |
| SHA512 | 8ffbce959afd66fd848c8ea95a504965a101f3def5d5beac3b544f6d78d46049d83fbb0deaf313a85b4f1bd81c074717e6ddc4963ca7dc6767623bd3d7c06279 |
C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
| MD5 | 11b495905085ec582c1f740d1a02879a |
| SHA1 | 0f5ae7cf27ff27760f57e30b73d849cdf413a31c |
| SHA256 | 90d575b8014e9272a0d06e893e86d5296c4cf29dfc135b12a0cc7ba7c477838d |
| SHA512 | cd5fa7db1cb10341d243cd23798175750b3c3be0cf4672de67c88b07ab34083e566c923c9fa067be3f0929d381c7b75efb2e74768a08faf08b8fcab4f59b2e6b |
C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe
| MD5 | 234b8c7fdbf2a28783abed3fdb7f320c |
| SHA1 | 30d34222d028fb5ad540a023099bb67e621c6d63 |
| SHA256 | 2af4fc5d69e8bb9e08820291cd798498dbc5696a97c540f3d217c4846307d4a8 |
| SHA512 | 465b5b45353322a6b93b8ff2213e8c119d2d86c793e61b3a7a6f58ec14f064efdcbad3c0d27dc26b8c42757004dcdf399e8120522f9d06b3926f5f9271e875d6 |