Analysis Overview
SHA256: cbf3ef0300cbe871b19b01392db4b0d9ee8db7ce8f575a4b377472920aadf427
Threat Level: Likely malicious
The file 2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:04
Platform: win7-20241023-en
Max time kernel: 144s
Max time network: 123s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F39AADD-6439-411c-BA24-A1F22AECAB28} | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}\stubpath = "C:\\Windows\\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe" | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7} | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C} | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}\stubpath = "C:\\Windows\\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe" | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}\stubpath = "C:\\Windows\\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe" | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879A088A-9115-4745-B672-57451A41D607}\stubpath = "C:\\Windows\\{879A088A-9115-4745-B672-57451A41D607}.exe" | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE50E6-8A75-4246-A5CA-DB37A4A19837} | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F727D49E-B92E-4d75-A6C2-1B58C073C839} | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A5779-4457-4290-905C-B73D06E657F9} | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A5779-4457-4290-905C-B73D06E657F9}\stubpath = "C:\\Windows\\{F18A5779-4457-4290-905C-B73D06E657F9}.exe" | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}\stubpath = "C:\\Windows\\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe" | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397499F-A32A-4050-BEF8-59C177965A10}\stubpath = "C:\\Windows\\{9397499F-A32A-4050-BEF8-59C177965A10}.exe" | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC0E8D7-94FE-4933-913D-C5984A076B8B} | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397499F-A32A-4050-BEF8-59C177965A10} | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}\stubpath = "C:\\Windows\\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe" | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}\stubpath = "C:\\Windows\\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879A088A-9115-4745-B672-57451A41D607} | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F39AADD-6439-411c-BA24-A1F22AECAB28}\stubpath = "C:\\Windows\\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe" | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0EC37C-62A5-4917-B56A-24C2E57A4201} | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F727D49E-B92E-4d75-A6C2-1B58C073C839}\stubpath = "C:\\Windows\\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe" | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | N/A |
| N/A | N/A | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | N/A |
| N/A | N/A | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | N/A |
| N/A | N/A | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | N/A |
| N/A | N/A | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | N/A |
| N/A | N/A | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | N/A |
| N/A | N/A | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | N/A |
| N/A | N/A | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | N/A |
| N/A | N/A | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | N/A |
| N/A | N/A | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | N/A |
| N/A | N/A | C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | N/A |
| File created | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| File created | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | N/A |
| File created | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | N/A |
| File created | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | N/A |
| File created | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | N/A |
| File created | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | N/A |
| File created | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | N/A |
| File created | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | N/A |
| File created | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | N/A |
| File created | C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe" |
| C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe | C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe | C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7207A~1.EXE > nul |
| C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe | C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{879A0~1.EXE > nul |
| C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe | C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{40CE5~1.EXE > nul |
| C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe | C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8F39A~1.EXE > nul |
| C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe | C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0EC~1.EXE > nul |
| C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe | C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F727D~1.EXE > nul |
| C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe | C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{93974~1.EXE > nul |
| C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe | C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EC0A5~1.EXE > nul |
| C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe | C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9F888~1.EXE > nul |
| C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe | C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F18A5~1.EXE > nul |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:04
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0226E8A7-A838-474d-9057-6C5CDF67B586} | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF1528F-6268-4a47-990C-2D83998DA4C4}\stubpath = "C:\\Windows\\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe" | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C} | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6} | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25986D9B-870D-4494-9219-F17AFCE9FBAC} | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25986D9B-870D-4494-9219-F17AFCE9FBAC}\stubpath = "C:\\Windows\\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe" | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32509209-0672-4fe3-B958-CA07069F1CDA}\stubpath = "C:\\Windows\\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe" | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC22F8A-9C56-4408-905A-B7BECE76C39D} | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}\stubpath = "C:\\Windows\\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe" | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0226E8A7-A838-474d-9057-6C5CDF67B586}\stubpath = "C:\\Windows\\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe" | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9} | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}\stubpath = "C:\\Windows\\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe" | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF1528F-6268-4a47-990C-2D83998DA4C4} | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}\stubpath = "C:\\Windows\\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe" | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9} | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}\stubpath = "C:\\Windows\\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe" | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}\stubpath = "C:\\Windows\\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0} | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}\stubpath = "C:\\Windows\\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe" | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65} | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}\stubpath = "C:\\Windows\\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe" | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}\stubpath = "C:\\Windows\\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe" | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32509209-0672-4fe3-B958-CA07069F1CDA} | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | N/A |
| N/A | N/A | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | N/A |
| N/A | N/A | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | N/A |
| N/A | N/A | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | N/A |
| N/A | N/A | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | N/A |
| N/A | N/A | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | N/A |
| N/A | N/A | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | N/A |
| N/A | N/A | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | N/A |
| N/A | N/A | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | N/A |
| N/A | N/A | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | N/A |
| N/A | N/A | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | N/A |
| N/A | N/A | C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | N/A |
| File created | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | N/A |
| File created | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | N/A |
| File created | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | N/A |
| File created | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | N/A |
| File created | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | N/A |
| File created | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | N/A |
| File created | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| File created | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | N/A |
| File created | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | N/A |
| File created | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | N/A |
| File created | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe" |
| C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe | C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe | C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4E64D~1.EXE > nul |
| C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe | C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{13DB6~1.EXE > nul |
| C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe | C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0226E~1.EXE > nul |
| C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe | C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{815DE~1.EXE > nul |
| C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe | C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF15~1.EXE > nul |
| C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe | C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{47221~1.EXE > nul |
| C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe | C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{14DF9~1.EXE > nul |
| C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe | C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD8B~1.EXE > nul |
| C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe | C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0D0B8~1.EXE > nul |
| C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe | C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{25986~1.EXE > nul |
| C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe | C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{32509~1.EXE > nul |
Network
Files