Analysis Overview
SHA256
c41a94fcd55fecbb3c558e9dcaa69db7e8d82475dd37653d51d36e5dce859ebb
Threat Level: Likely malicious
The file 2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:44
Reported
2024-11-11 12:47
Platform
win7-20240903-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2859455D-28FF-421d-9927-C30BCA4DE292} | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2859455D-28FF-421d-9927-C30BCA4DE292}\stubpath = "C:\\Windows\\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe" | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9051735-DE32-40f4-8D47-BB83102B6CF5}\stubpath = "C:\\Windows\\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe" | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63040175-D15B-4d3f-BFFE-50CB1455D068}\stubpath = "C:\\Windows\\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe" | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}\stubpath = "C:\\Windows\\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe" | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB46A62-85CB-4726-B059-3A56EF104DA5} | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63040175-D15B-4d3f-BFFE-50CB1455D068} | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB46A62-85CB-4726-B059-3A56EF104DA5}\stubpath = "C:\\Windows\\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe" | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}\stubpath = "C:\\Windows\\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe" | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9051735-DE32-40f4-8D47-BB83102B6CF5} | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6034D52-3871-4e8f-BC37-86CACDDC27E1} | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}\stubpath = "C:\\Windows\\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe" | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739100CD-99E8-4c1a-BD13-BB725914A8E5} | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240573A9-2182-40e3-AF2F-B4100EE1B230}\stubpath = "C:\\Windows\\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe" | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}\stubpath = "C:\\Windows\\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16} | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0} | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240573A9-2182-40e3-AF2F-B4100EE1B230} | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A} | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}\stubpath = "C:\\Windows\\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe" | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739100CD-99E8-4c1a-BD13-BB725914A8E5}\stubpath = "C:\\Windows\\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe" | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A |
| N/A | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A |
| N/A | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A |
| N/A | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A |
| N/A | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A |
| N/A | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A |
| N/A | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A |
| N/A | N/A | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A |
| N/A | N/A | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A |
| N/A | N/A | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A |
| N/A | N/A | C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A |
| File created | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A |
| File created | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| File created | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A |
| File created | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A |
| File created | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A |
| File created | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A |
| File created | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A |
| File created | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A |
| File created | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A |
| File created | C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"
C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36F5B~1.EXE > nul
C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFC9~1.EXE > nul
C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB46~1.EXE > nul
C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0919E~1.EXE > nul
C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28594~1.EXE > nul
C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F6034~1.EXE > nul
C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB04C~1.EXE > nul
C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe
C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E9051~1.EXE > nul
C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe
C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{73910~1.EXE > nul
C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe
C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{24057~1.EXE > nul
Network
Files
C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe
C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe
C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:44
Reported
2024-11-11 12:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}\stubpath = "C:\\Windows\\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe" | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF} | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}\stubpath = "C:\\Windows\\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe" | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C028EB-5439-474d-9450-52A69AB4D710}\stubpath = "C:\\Windows\\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe" | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1600B7-678F-4133-92D3-F60615B92B5B} | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}\stubpath = "C:\\Windows\\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe" | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58463E48-89AC-4904-BE45-E3E3912E8E84}\stubpath = "C:\\Windows\\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe" | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC061E6D-8FD3-42af-9547-AFACB1A6F840} | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}\stubpath = "C:\\Windows\\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe" | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3718F11-EEF4-4ac2-9958-A50383FEF543} | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1600B7-678F-4133-92D3-F60615B92B5B}\stubpath = "C:\\Windows\\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe" | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58463E48-89AC-4904-BE45-E3E3912E8E84} | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C028EB-5439-474d-9450-52A69AB4D710} | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}\stubpath = "C:\\Windows\\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe" | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0} | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3718F11-EEF4-4ac2-9958-A50383FEF543}\stubpath = "C:\\Windows\\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe" | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9174A466-2CD1-4ef6-81EC-434E5748015D} | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9174A466-2CD1-4ef6-81EC-434E5748015D}\stubpath = "C:\\Windows\\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe" | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49689193-4991-4d07-A803-D6E303D6081D} | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}\stubpath = "C:\\Windows\\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D} | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD} | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49689193-4991-4d07-A803-D6E303D6081D}\stubpath = "C:\\Windows\\{49689193-4991-4d07-A803-D6E303D6081D}.exe" | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A |
| N/A | N/A | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A |
| N/A | N/A | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A |
| N/A | N/A | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A |
| N/A | N/A | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A |
| N/A | N/A | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A |
| N/A | N/A | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A |
| N/A | N/A | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A |
| N/A | N/A | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A |
| N/A | N/A | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A |
| N/A | N/A | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A |
| N/A | N/A | C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A |
| File created | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A |
| File created | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A |
| File created | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| File created | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A |
| File created | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A |
| File created | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A |
| File created | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A |
| File created | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A |
| File created | C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A |
| File created | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A |
| File created | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe" |
| C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC48~1.EXE > nul |
| C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C02~1.EXE > nul |
| C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9604E~1.EXE > nul |
| C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0F160~1.EXE > nul |
| C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{58463~1.EXE > nul |
| C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C3868~1.EXE > nul |
| C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BC061~1.EXE > nul |
| C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A9F14~1.EXE > nul |
| C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B0A~1.EXE > nul |
| C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A3718~1.EXE > nul |
| C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe | C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9174A~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
| MD5 | d7ea58dffaf6983cdded39b53a10b21c |
| SHA1 | 6d33d59a6975028d05836d2d1405f725d34f52d4 |
| SHA256 | 00e95111e1be0206e618d252fd983dfcd5a62fd71d978aa8aa1d1e0e2c598b46 |
| SHA512 | c20a96cb5a79a10ed603839dc6172f0fd27b8aa4477ca6325bf9176f69e0a02e63b8eab452b210cacc4151764858e371a5259b6fd62034fe451e14f3b8fbb17d |
C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
| MD5 | a80882a152514bd3df5f7173546096f3 |
| SHA1 | bc4d39b35e29e6285d973a2667b374cdd345c112 |
| SHA256 | 5e221ab29cc19648c224d16745c0f91fc4a48bd04e63fd8c0c39f17b35653b5a |
| SHA512 | e76c0d4cd6bea4d25bdc4ca857b77a9b46c4070e316bba388dbe16a94b57e352110ead7e957cd17a6e8782cea16636cc3d22f0b13f7bc71be522dd27de93684c |
C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
| MD5 | 067cfe6bd38a04df0cc1e4030e28b4ac |
| SHA1 | 303051b5d428afb08e8bd0c9941edded78c87f3b |
| SHA256 | 22d0788cd1a888a41ed66b74b3d1afaa8bd8ead921f08086b11643db7d82be44 |
| SHA512 | 2dd4fda627a8b9ee305394c1f8e61141ecf77b7711b57cb5f8ccc7841fe859cbe9d3634fa295bd2cb56596049311e02ecc497cd31c775f2ef42ea416543def66 |
C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
| MD5 | 9121f0716542ca25a48cfd46925df29b |
| SHA1 | 92516e728553202e6936b54d5325f25e50cb15f0 |
| SHA256 | 304403a041bfabb4b898f20ab531b50ae0ae96bc4e469bcd7cc47c1cebae831b |
| SHA512 | eb58d4b3645f0881e2476b605227fda0f495e9b17c7f561ae643afef260aa12252ac6304b098bf0708c552b8f19ef30f7d96c2246848e20a4c816888df9d7cac |
C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
| MD5 | 00465131ce920b0569849f103d9affb6 |
| SHA1 | d484fa5ff6dd65ba3097c8ea23eb57c16fc60cda |
| SHA256 | 6e30ba6b8c90a1c3629f45e33bd46326f2a11443f9403e4745c2f58de7b48b3a |
| SHA512 | c6b38e33e6b7b5cba2d0d490dd64d3bd6ebd261f64d9268b919389e9cedd5ebd87b4bbf2e6436aa23ee78ffeb685ecf3eea59b5a28d7b8d775cf939539d38442 |
C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
| MD5 | 98d8a7626f05c2f3122beb08ddc19958 |
| SHA1 | a78f5e904a34ebd3544c9f5bf460a717208b0129 |
| SHA256 | af971f03f89af9342936df21e40ae2731508c87f0bafcdf1bcc3471c6ac63f62 |
| SHA512 | 4338834e968ca786f210d7a54b65cb2513da592c2e62fcf3589c8d04637533c18f7727cccc90425633f369c1adaa76ae18ec8e76e9522437e08fbd348bee4f78 |
C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
| MD5 | 2e6696e847587f014f051b277f6cde3d |
| SHA1 | 1fbc888cbcb52d01e55792dfc483f93617d6ac8d |
| SHA256 | 0ab46f60b164b429f890c7a0711aecfe132529f80cf75173cdc8b5091eaa32f7 |
| SHA512 | cfdff24dd25a604a7f06dcdafee85a68fa0bd9b1a4e5716c35b2f4dbb024479626278238da8592f9e5f73eb9042aaa76bb287eeb689d369869f84a14d330f49f |
C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
| MD5 | d7228e36e4393d5bc4c496829a0b8d60 |
| SHA1 | dde50dd360c8337a404bf01aa24cb013801e00e9 |
| SHA256 | 2e91683bce5dd7ffdf533266ff5cc930b2f28a1aa9249aafa94d9b52c3301f84 |
| SHA512 | c74f8f5104fa9ab5b02a7e49106fe9a5124e243a474228190822fdd937bc3d40367870448e38ad5185e96645516d902e8f4bea22bfdf867563c81edf4d5278a4 |
C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
| MD5 | fac460d2d9d374d21b40f90e0b9a8f53 |
| SHA1 | 9abfd88280645a6a564d826a0717b9c8e0dada60 |
| SHA256 | c31f4ed30efc97af427dec194ab10d939b64d40b064219b9f74b8c84d546798e |
| SHA512 | bdddc58e626d793aa24f808a22748641f271957706664bdd3c47262dbf0649180af6fce5a0a49e9d1d55d07d5a3ab53c15b87e5f43248663c192ce3922e1627a |
C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
| MD5 | fd22b08ccabfef08fdc7705279aa254b |
| SHA1 | ae59a469630ef9dad9d8b7977036a5a327f6b62c |
| SHA256 | 4ff72f19c1ef901eb7ff188637de73f9fbb0eb54871a1716d72bc02eee6b821e |
| SHA512 | 8a04cae55c09e0fa5dde9d10aecaae06ca693dcbfda1e64895db1124d7ad559aa0fb436bb07987a281b47123d4b6865008b738b6a64beed05dce67101bb88ea6 |
C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
| MD5 | fe588dbd9783795bfe1c104f95369ff6 |
| SHA1 | f2200415fd3842573157e13ea6315e90f2c98e2c |
| SHA256 | 688b720e3d506b04bc5a4f8765c063be2592920beee23db98607bf18f1809529 |
| SHA512 | f0b4e14c2b4a35579f01ec6555598352421e1adb991cd5ae7668584fc470df39017c6ce1d1ef7acc887f9e0b4fe580bcce81e2c73e63ebdfcaf3c47819802550 |
C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe
| MD5 | 44c1150d61741a416330cd28ce8028f1 |
| SHA1 | 6885237b0b84cdcabf2b5de56a2aae6c0d4f7a94 |
| SHA256 | a962cd4fe36a301d92be29306fa4b8972da78677ef609b7db75c0a72b352ead0 |
| SHA512 | 3d3110c2c7d20464812a9bbb268082c4663f1e85c676fa5528b801c583e75314134ac806014b43012367bccc46536852ef1cd9307d80eabd4ef0bd22a668a2e8 |