Analysis Overview
SHA256
ccf8f77b4b030d82f1069122a1687d3a2ffa6bcb607e6c997a13f13caf4ed88e
Threat Level: Likely malicious
The file 2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 14:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 14:34
Reported
2024-11-12 14:37
Platform
win7-20240903-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7EAAEA-A234-4572-A5C5-D37C540100F1} | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807A9290-1446-4088-99A8-55D89031F654} | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86064520-5804-4dc3-AC8D-0A4A1B666C17} | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}\stubpath = "C:\\Windows\\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe" | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB10725-ABF2-4106-B158-DDB4CF803788} | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3400A2-B0D1-4529-B840-BF01BF80A627} | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}\stubpath = "C:\\Windows\\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe" | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}\stubpath = "C:\\Windows\\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe" | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0} | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807A9290-1446-4088-99A8-55D89031F654}\stubpath = "C:\\Windows\\{807A9290-1446-4088-99A8-55D89031F654}.exe" | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86064520-5804-4dc3-AC8D-0A4A1B666C17}\stubpath = "C:\\Windows\\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314} | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349} | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB10725-ABF2-4106-B158-DDB4CF803788}\stubpath = "C:\\Windows\\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe" | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF93DC2-A110-4f85-90B1-2AD12E964634}\stubpath = "C:\\Windows\\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe" | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}\stubpath = "C:\\Windows\\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe" | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF93DC2-A110-4f85-90B1-2AD12E964634} | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}\stubpath = "C:\\Windows\\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe" | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3400A2-B0D1-4529-B840-BF01BF80A627}\stubpath = "C:\\Windows\\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe" | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998} | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}\stubpath = "C:\\Windows\\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe" | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F} | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | N/A |
| N/A | N/A | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | N/A |
| N/A | N/A | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | N/A |
| N/A | N/A | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | N/A |
| N/A | N/A | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | N/A |
| N/A | N/A | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | N/A |
| N/A | N/A | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | N/A |
| N/A | N/A | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | N/A |
| N/A | N/A | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | N/A |
| N/A | N/A | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | N/A |
| N/A | N/A | C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | N/A |
| File created | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | N/A |
| File created | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | N/A |
| File created | C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | N/A |
| File created | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | N/A |
| File created | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | N/A |
| File created | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | N/A |
| File created | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | N/A |
| File created | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | N/A |
| File created | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | N/A |
| File created | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe" |
| C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe | C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe | C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{86064~1.EXE > nul |
| C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe | C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CEC98~1.EXE > nul |
| C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe | C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC0F~1.EXE > nul |
| C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe | C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB10~1.EXE > nul |
| C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe | C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF93~1.EXE > nul |
| C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe | C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AE340~1.EXE > nul |
| C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe | C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{364EF~1.EXE > nul |
| C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe | C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6765C~1.EXE > nul |
| C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe | C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B1C~1.EXE > nul |
| C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe | C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC7EA~1.EXE > nul |
Network
Files
C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
| MD5 | 143717fde94a137faccef92702eb7706 |
| SHA1 | 8b336d970fdf5b8da84d62ed90744e503cc9f519 |
| SHA256 | 8439892242946fe58b81b16fe75ff593313f0b6d29bc4953cf6d1ee0b4fe91c9 |
| SHA512 | d55879d6c1952d5c0f4a853563c16ca269ebd982d5c5aa094e549d8c5e141732affd874e6114f650c51b65203803f0259001730631ce8f364e322ab11019f7b7 |
C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
| MD5 | 99feacaa4a209bff5b8a146afde46f4f |
| SHA1 | 35508f0079f8cae9296c363a1b8b5ec0ec0ac5ab |
| SHA256 | 001bd885c16b2d48ecf94de1aa3df7434d275d8526f39a5649ec831434302ba3 |
| SHA512 | 538457ba746d6c30e7165f6d5199d883ec45b1daefebe606e963cc8a1027af177fd393bb0f495280235c22d526fc4cdef35124f044f7cb3ac107eddef6379472 |
C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
| MD5 | 58a552cdc36a173bb3e2a4216ef11990 |
| SHA1 | d9395fef41f4372768d1e1baeb25e919ab565137 |
| SHA256 | f8ff7a2060df0c5ed14284022d9073eb3db9e4bcdf9279d566ffd843ce20cdca |
| SHA512 | 69cf2d7d7d3d029c8b917a32e9f6233a3a483846ba9efc78167fe55ab12e2ac8dbdfd40a7afe78aaf02c20a5061dcdae74440b58a4d512589e6928d1fcccf021 |
C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
| MD5 | a6a0e102ae5e38df813aa59d507e5e70 |
| SHA1 | b1f611f9f0108bba789e0a4b71c9979688ca291d |
| SHA256 | 58d374cce6e1de95de659a75cbb2a00b1ec4900b3297030f9793a3606bdaa01b |
| SHA512 | 7edf2b119b11fd9203ba965ec55d8264dde47d7cd50f3f72c0c56e05b5aa06686328a268f38ad803e87a8836e2c63c1caf94b9ef6dbd1920e4de33ff6cf54982 |
C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
| MD5 | 66947ef07c6acb67a25e607d8b0299a5 |
| SHA1 | 53b0a337838f49ab655581ecea4c9bf3edc3d2ba |
| SHA256 | 3d514837ec904b9c0514277be2836bc11cf6952d144302a28087e489f9d335c8 |
| SHA512 | 618c9c57e3850ebdb0d46832db17d80bd51e135046fd27e1202512b626c2b866dc579cc4abc5803e3c2001174776f6ede426ccd5d691369792a3afd123cad9b1 |
C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
| MD5 | 052075ff91d2a2a083bc9bc9e9405658 |
| SHA1 | fcc9a83a7efbbaf7c68e57bb53633e1b577e43a0 |
| SHA256 | f920c376382142c8b84a3ab193f1625aba8a576943b5452a450df51c7b8caeea |
| SHA512 | 4d0370772fbfd1ab2c4c756e8f4c6b9e5765f27c1508daad1f65dad84e4dcfd18d42dd6999bc660632c9dd562452c0d87688d19517098acd45408b18c8da5188 |
C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
| MD5 | 2b3594d95c8d1dda577daeb190100789 |
| SHA1 | ba80ac5d5d68dd786d5938fae0f13db88e4295c6 |
| SHA256 | 7620dbdc6eeb837ff45ec02ba92b0bf463c047b2ed4f049b1d87095e71bff829 |
| SHA512 | 3dbbaa1923c28f00cb612fae3bb65b8129f6e65c4b76e37b5a0c6fe46e766b0edb4c176c5c998c07bee763a887e3dc726d4ff51986fc3a7ee1b816a23e4ab089 |
C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
| MD5 | ce7e9a5e0b8310ede63cec6d0db009ef |
| SHA1 | ac25211495d31849015463ee1e4540cba452a7b0 |
| SHA256 | f7269026de6cd0067edaf565e38084bca93173b73188f3a575e7332406afdfc7 |
| SHA512 | 53346b54b1dd2e5e083463f6d3323f89950e26a8201b4ddb17908b89023424b790349b14f25c2d45633a13ac3a759c9965e51b07f09ebb1adabfdbe29a31cb6e |
C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe
| MD5 | 632762fbd2eb3bc9bca474666c6df722 |
| SHA1 | 51c527235d9e48ef3166413105929a1e4daff3f9 |
| SHA256 | eea5825f41820ac298426ee57dc46ed17521070d2b7cf021c6c28f3ede351663 |
| SHA512 | 6efc978acadc18fcb27d66f23fd4b2df66a44e3d870996cf8ef4a7ca66d7f99f24648f2f95bf59c4804e754e4b1f4834fb1cf7dd97db835c6a1aded98c5e98c2 |
C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe
| MD5 | 9fef1aa3bec869a5bc8a96bf5a8d88b7 |
| SHA1 | 156bb13780136e127fa030e57a309652af1f4007 |
| SHA256 | 516481fbe53c0c09f373fc0e556810b994ef532ee026422e65538b5bfcfd0574 |
| SHA512 | 458c40908157ff0e1ce00f63dec394021bc1c72292155c34b0cb94eb0deccebaf08bc3fd384ada1a5b75453865da95f1a852a061e3cbfeabe184b045c9ef9c57 |
C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe
| MD5 | 3e9699a387339f487844770e13c266bf |
| SHA1 | a4f898e177a464ebbc8aaecd3df6eac30b8f824f |
| SHA256 | 5effd5c7740df457efb3c1aee1d2e1fb0406dbf7c9a81022674c6564f7f8f2b5 |
| SHA512 | 6edc34dd39c736cb4438dc672c1cdc7e3c9cc34d7c9001853c7cf4d2458047ba2068fa8c1e6784cf6ab84fd346283ec217a00a59f0acd5f8e27af4281dab130f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 14:34
Reported
2024-11-12 14:37
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}\stubpath = "C:\\Windows\\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe" | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C} | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A0C504-E52B-49bc-818C-CF1407CAD46D} | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87832885-91B8-46c5-B7E9-B1184F6088BA} | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76732DE2-B150-4f86-A783-F25B7D73E53E}\stubpath = "C:\\Windows\\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe" | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA604791-1269-4682-8D67-1336E1B2432A} | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA604791-1269-4682-8D67-1336E1B2432A}\stubpath = "C:\\Windows\\{FA604791-1269-4682-8D67-1336E1B2432A}.exe" | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4} | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4B66A-7631-4b29-8F71-2C85B7DC0292} | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF7A370-0A34-4051-B174-A805676D52E6} | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}\stubpath = "C:\\Windows\\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe" | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}\stubpath = "C:\\Windows\\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe" | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A0C504-E52B-49bc-818C-CF1407CAD46D}\stubpath = "C:\\Windows\\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe" | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87832885-91B8-46c5-B7E9-B1184F6088BA}\stubpath = "C:\\Windows\\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe" | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395BDADE-7766-4bfa-94D5-8F934C88D9B6} | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}\stubpath = "C:\\Windows\\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe" | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}\stubpath = "C:\\Windows\\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D6711C5-AE09-4d7e-89F9-9193AAB28958} | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430} | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}\stubpath = "C:\\Windows\\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe" | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76732DE2-B150-4f86-A783-F25B7D73E53E} | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}\stubpath = "C:\\Windows\\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe" | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF7A370-0A34-4051-B174-A805676D52E6}\stubpath = "C:\\Windows\\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe" | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681} | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | N/A |
| N/A | N/A | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | N/A |
| N/A | N/A | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | N/A |
| N/A | N/A | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | N/A |
| N/A | N/A | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | N/A |
| N/A | N/A | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | N/A |
| N/A | N/A | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | N/A |
| N/A | N/A | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | N/A |
| N/A | N/A | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | N/A |
| N/A | N/A | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | N/A |
| N/A | N/A | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | N/A |
| N/A | N/A | C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | N/A |
| File created | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | N/A |
| File created | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | N/A |
| File created | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| File created | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | N/A |
| File created | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | N/A |
| File created | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | N/A |
| File created | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | N/A |
| File created | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | N/A |
| File created | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | N/A |
| File created | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | N/A |
| File created | C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe" |
| C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe | C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe | C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBF0~1.EXE > nul |
| C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe | C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{55A0C~1.EXE > nul |
| C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe | C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{87832~1.EXE > nul |
| C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe | C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{395BD~1.EXE > nul |
| C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe | C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{76732~1.EXE > nul |
| C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe | C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FA604~1.EXE > nul |
| C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe | C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{49E37~1.EXE > nul |
| C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe | C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9FE~1.EXE > nul |
| C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe | C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{49F4B~1.EXE > nul |
| C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe | C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF7A~1.EXE > nul |
| C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe | C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D5E~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe