Analysis Overview
SHA256: f602d9101b4da30ca8066315414c22a3390a65e61a7b34702897c8fef123a6b6
Threat Level: Likely malicious
The file 2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 121s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}\stubpath = "C:\\Windows\\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CC593E-78D4-4e64-9804-5AD49650E279} | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3001DEAB-CB10-4835-9651-04B98BF02E48} | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{267AE581-375C-42cf-8004-E29FBADC6508}\stubpath = "C:\\Windows\\{267AE581-375C-42cf-8004-E29FBADC6508}.exe" | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6122809-F618-446b-A74D-2744D7E14CE7} | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{093FCDE6-2445-45f5-A9F8-D3AF77B37787} | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}\stubpath = "C:\\Windows\\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe" | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}\stubpath = "C:\\Windows\\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe" | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{267AE581-375C-42cf-8004-E29FBADC6508} | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5} | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640981C6-D5B3-4da0-93B3-BB51297F6595} | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640981C6-D5B3-4da0-93B3-BB51297F6595}\stubpath = "C:\\Windows\\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe" | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7} | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}\stubpath = "C:\\Windows\\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe" | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6122809-F618-446b-A74D-2744D7E14CE7}\stubpath = "C:\\Windows\\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe" | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CC593E-78D4-4e64-9804-5AD49650E279}\stubpath = "C:\\Windows\\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe" | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3EF8456-B075-4738-8F18-19BC875C88B2} | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3001DEAB-CB10-4835-9651-04B98BF02E48}\stubpath = "C:\\Windows\\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe" | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B74E8798-0275-44fb-BBB3-3B35CE799324} | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B74E8798-0275-44fb-BBB3-3B35CE799324}\stubpath = "C:\\Windows\\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe" | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3EF8456-B075-4738-8F18-19BC875C88B2}\stubpath = "C:\\Windows\\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe" | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
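The Active Setup entries above are the persistence the sample leaves behind. Note that the behavioral2 run further down records an entirely different set of GUIDs for the same file, so the specific key names are not reusable indicators; the shape is: a {GUID} component under Installed Components whose StubPath is C:\Windows\{the same GUID}.exe, with nothing in a subdirectory. The following Python is an added example, not part of the sandbox report or of the sample's own code. It encodes that shape as a heuristic and, on a Windows host, enumerates both the native and the WOW6432Node Installed Components views with the standard winreg module. The sample entries at the bottom are constructed for illustration: two reuse GUIDs from the table above, and the two benign-looking entries (GUID and component name) are hypothetical.

```python
"""Hunt for the Active Setup persistence shape recorded in this report:
an Installed Components subkey named with a GUID whose StubPath points at
%SystemRoot%\{same GUID}.exe.

Added example for this page, not the sandbox's tooling. Registry
enumeration needs Windows (winreg); the heuristic is pure Python and is
exercised on constructed entries below.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# StubPath shaped like C:\Windows\{GUID}.exe: drive, the Windows directory, then the
# executable directly in that directory (no subfolder), optionally quoted.
STUB_RE = re.compile(
    r'^"?[A-Z]:\\Windows\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\.exe"?\s*$', re.I
)

ACTIVE_SETUP_KEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)


@dataclass(frozen=True)
class Component:
    base: str      # Installed Components key the entry was read from (relative to HKLM)
    name: str      # subkey name, normally a GUID
    stubpath: str  # StubPath value, "" when absent


def is_guid_stub_pattern(c: Component) -> bool:
    """True when the key name is a GUID and StubPath is %SystemRoot%\\{same GUID}.exe."""
    if not GUID_RE.match(c.name):
        return False
    m = STUB_RE.match(c.stubpath)
    return bool(m) and m.group(1).lower() == c.name.lower()


def triage(components: Iterable[Component]) -> List[Component]:
    """Keep only the components matching the dropper pattern from the report."""
    return [c for c in components if is_guid_stub_pattern(c)]


def read_active_setup() -> List[Component]:
    """Enumerate Installed Components (native and WOW6432Node views) on a live Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration requires Windows")
    import winreg  # only importable on Windows
    found: List[Component] = []
    for base in ACTIVE_SETUP_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                with winreg.OpenKey(root, name) as sub:
                    try:
                        stub, _ = winreg.QueryValueEx(sub, "StubPath")
                    except OSError:
                        stub = ""
                    found.append(Component(base, name, str(stub)))
    return found


NATIVE, WOW = ACTIVE_SETUP_KEYS
# Constructed sample: the first two entries copy GUIDs/StubPaths from the behavioral1
# table; the other two are hypothetical benign shapes that must not be flagged.
SAMPLE = [
    Component(WOW, "{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}", r"C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe"),
    Component(WOW, "{267AE581-375C-42cf-8004-E29FBADC6508}", r"C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe"),
    # hypothetical vendor entry: GUID key, but the stub lives under System32 and is not GUID-named
    Component(NATIVE, "{00000000-1111-2222-3333-444444444444}", r"C:\Windows\System32\example_setup.exe /UserInstall"),
    # hypothetical non-GUID key with no StubPath at all
    Component(NATIVE, "ExampleComponent", ""),
]

if __name__ == "__main__":
    for c in triage(read_active_setup() if sys.platform == "win32" else SAMPLE):
        print(f"[!] HKLM\\{c.base}\\{c.name} -> {c.stubpath}")
```

Active Setup stubs run once per user at logon: Windows compares the HKLM component list with the copy under HKCU and runs the StubPath of any GUID the user has not yet seen, so a hit here fires on the next interactive logon of every other user on the machine. The heuristic is deliberately narrow to the shape recorded in this report; on a live host, also check the Authenticode signature of whatever each StubPath points at (the static analysis above flags the PE as unsigned), since a variant that drops into a subfolder or picks a non-GUID file name would slip past the regex.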
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| N/A | N/A | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
| N/A | N/A | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| N/A | N/A | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| N/A | N/A | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| N/A | N/A | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| N/A | N/A | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| N/A | N/A | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
| N/A | N/A | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| N/A | N/A | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
| N/A | N/A | C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| File created | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
| File created | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| File created | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| File created | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| File created | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| File created | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| File created | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| File created | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| File created | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
| File created | C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe" |
| C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF47~1.EXE > nul |
| C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6AB~1.EXE > nul |
| C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F6122~1.EXE > nul |
| C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{98CC5~1.EXE > nul |
| C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{093FC~1.EXE > nul |
| C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3C56E~1.EXE > nul |
| C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{64098~1.EXE > nul |
| C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B74E8~1.EXE > nul |
| C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EF8~1.EXE > nul |
| C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe | C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3001D~1.EXE > nul |
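The process list is flat and the "Drops file in Windows directory" table is unordered, so the staging is easier to see once reconstructed: each stage writes the next GUID-named executable into C:\Windows, registers it under Active Setup, launches it, and the new stage spawns cmd.exe to delete the one that dropped it. Three details matter for detection. The image path C:\Windows\SysWOW64\cmd.exe against a command line naming system32\cmd.exe is WOW64 file-system redirection, consistent with a 32-bit sample whose registry writes land under Wow6432Node. The deletions name the target by its 8.3 alias (2024-1~1.EXE, {6FF47~1.EXE), so a rule that looks for the long file name in the del command line will not match. And every stage in the Files section below carries a different hash, so per-file hashes from this run are weak indicators compared with the behavioral pattern. The script below is an added example, not the sandbox's own code: DROP_ROWS and DEL_CMDS are copied from the tables on this page, and short_name() is a simplified model of NTFS 8.3 alias generation (first six characters plus "~1", no collision numbering or character stripping), which is sufficient to match what the sandbox recorded.

```python
"""Reconstruct the behavioral1 drop chain and check the self-delete pattern.

Added example for this page, not the sandbox's own code. DROP_ROWS and
DEL_CMDS are copied from the report tables; short_name() models NTFS 8.3
alias generation only as far as needed to match the aliases recorded here.
"""
import ntpath
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe"

# "Drops file in Windows directory" rows, in page order (not chain order).
DROP_ROWS = r"""
| File created | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| File created | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | N/A |
| File created | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe | N/A |
| File created | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe | N/A |
| File created | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe | N/A |
| File created | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | N/A |
| File created | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | N/A |
| File created | C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe | C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe | N/A |
| File created | C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe | C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe | N/A |
| File created | C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe | C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe | N/A |
| File created | C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe | C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe | N/A |
"""

# cmd.exe command lines from the "Processes" list, in page order.
DEL_CMDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF47~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6AB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{F6122~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{98CC5~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{093FC~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C56E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{64098~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B74E8~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EF8~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3001D~1.EXE > nul
"""

ROW_RE = re.compile(r"^\|\s*File created\s*\|\s*(?P<dropped>[^|]+?)\s*\|\s*(?P<dropper>[^|]+?)\s*\|")
DEL_RE = re.compile(r"cmd\.exe /c del (?P<target>\S+) > nul", re.I)


def parse_drops(table: str) -> Dict[str, str]:
    """Map dropper -> dropped path; two drops from one process would mean the chain branches."""
    edges: Dict[str, str] = {}
    for m in filter(None, map(ROW_RE.match, table.splitlines())):
        if m["dropper"] in edges:
            raise ValueError(f"{m['dropper']} drops more than one file; chain is not linear")
        edges[m["dropper"]] = m["dropped"]
    return edges


def order_chain(edges: Dict[str, str], root: str) -> List[str]:
    """Follow dropper -> dropped from the submitted file until no successor exists."""
    chain, seen = [root], {root}
    while chain[-1] in edges:
        nxt = edges[chain[-1]]
        if nxt in seen:
            raise ValueError(f"cycle at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def short_name(path: str) -> str:
    """Simplified 8.3 alias: directory kept, stem[:6] + '~1' + 3-char extension, upper-cased."""
    directory, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    return ntpath.join(directory, (stem[:6] + "~1" + ext[:4]).upper())


def parse_dels(text: str) -> List[str]:
    """Targets of every 'cmd.exe /c del <path> > nul' line, in page order."""
    return [m["target"] for m in filter(None, map(DEL_RE.search, text.splitlines()))]


def each_stage_deletes_predecessor(chain: List[str], dels: List[str]) -> bool:
    """True when the i-th del removes stage i, i.e. every stage erases the one that dropped it."""
    return dels == [short_name(stage) for stage in chain[: len(dels)]]


def survivors(chain: List[str], dels: List[str]) -> List[str]:
    """Stages never targeted by a del: what is still on disk when the run ends."""
    deleted = {d.lower() for d in dels}
    return [s for s in chain if short_name(s).lower() not in deleted]


def analyze() -> dict:
    chain = order_chain(parse_drops(DROP_ROWS), SAMPLE)
    dels = parse_dels(DEL_CMDS)
    return {"chain": chain, "dels": dels,
            "predecessor_deleted": each_stage_deletes_predecessor(chain, dels),
            "survivors": survivors(chain, dels)}


if __name__ == "__main__":
    result = analyze()
    for i, stage in enumerate(result["chain"]):
        print(f"stage {i:2d}: {stage}")
    print("each stage deletes its predecessor:", result["predecessor_deleted"])
    print("left on disk:", result["survivors"])
```

Run as-is it orders the twelve stages (the submitted file plus eleven drops), confirms that the eleven del commands line up one-to-one with the first eleven stages, and reports the final stage, {267AE581-375C-42cf-8004-E29FBADC6508}.exe, as the only file still on disk when the run ends; that file, together with its Active Setup key, is what a host would carry forward. The same two functions can be pointed at the behavioral2 tables by swapping in that run's rows.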
Network
Files
C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe
| MD5 | ebd515114a0957c9dfb8b49e01060280 |
| SHA1 | 5a9d704bdff8322349e879ba191c27e17193cfb8 |
| SHA256 | 5f2fad15144730b1dbe2698cd9123021b9714734d01bf3f7bb237b3469cd7593 |
| SHA512 | b31508b10c803d3c46baf184c459410f11bd2408abe34724f8e355a7283e27d4bbd1c5adb5330a56b9ce44d3ef9fffae658d3318c93fb87b23968e2596be13b7 |
C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe
| MD5 | 40dd50e6bc88e37dc41243c710dcd818 |
| SHA1 | 5a180deb5c67df65e825210b4970d4204eeb7880 |
| SHA256 | 405a344eb040d79c8c3274c4f48a67e105e399b537a423888137ae626ebcb4a7 |
| SHA512 | 4dfc55391ad6c30caf22c63c6344e97f84b3df89a876bedc6c97e52d51f2ba9f7841582763c5ba505c50863c121eaadedf0ae902eae71f69eac2bc4085bac307 |
C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe
| MD5 | ead24fda618b7ccfabfcd7485441869d |
| SHA1 | cc5850cf4194e569602a06356f5dfff4326e39ce |
| SHA256 | 826fab8c069339959082bfaa0ceadfa5440e018e3e37aef7b292576740749048 |
| SHA512 | 311e7e14d8b7be37d1e7d0e8aa01de058ea62737b499a00d9bfb15a56bdbe3f15246e335efb9c9cf681d4a98c4482001217c846e7b899dcaeb6f5897a1e19814 |
C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe
| MD5 | fe802a036bf328f7febfea297bedb949 |
| SHA1 | ccf7dbdfcc5aebc8f17242ae1e819b4d3ff76e72 |
| SHA256 | b9d50f7be2b2451839357f77e3326f1f6ef995c1170da37a03207e55bbdfce84 |
| SHA512 | 435ff1e7b81a9d767f3e4c720ed815a3badbd37944a1e271162ac2af4f17805426eeb53c02b0d45ae67f7b60f7133960f4c5226bbaba0a7592d73204963ad434 |
C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe
| MD5 | 166136072b4bd1f070316a2cef171575 |
| SHA1 | 687622300bdd718f3bb1d2a2d3e6335fbc5b3ab1 |
| SHA256 | 7dc4b898fce134ba04630854f2a2cdf329ced6c0cdaf6cfc312ee838f42a5872 |
| SHA512 | cd9e8c94fb09a41411af21cae99983d83a4c70c1c74f6578ae9d776c3a794b4861c0804806d83ca54157193bbde70dc98da1e6d30a988745b2aafd31f56687d0 |
C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe
| MD5 | ecfb34f9285c3c71dc88fea921f4a564 |
| SHA1 | ddeb3d2ef6acafa753c43539a3dbeed7d7d42500 |
| SHA256 | 8e903e79b0db962b7bdb079e512371673c63db4fdacabba2d8c4887f5839c8c9 |
| SHA512 | 80c860ef0df1858b980b70c3ceb23cbbe628ca4232e3c59077fd30623506f72749f099e6cc1bc0d811b1423f4b9a371b33a714cb79728991954573768ff24d84 |
C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe
| MD5 | dd07f60e70f053ad84f4158a2e3e0cd6 |
| SHA1 | 30c37000520f50600c2b54d4e7cf1121258423ec |
| SHA256 | 2203ce3bdaa9bae004791643466aa851963a4d47dd94ed30590883293ac5731f |
| SHA512 | ffa33c29dc4730250444dd5c3a1f2cee612df2c69219bab795941a4ccedf9f5f08eb4c987f97285b8b6746e81bd7a99449ae26b83fe82e9427fd400cdca4ff73 |
C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe
| MD5 | 84525e9e2519b1db4f08658c8a87453f |
| SHA1 | f0f5683800b519d51c7d37895d468156d5137e45 |
| SHA256 | eb8daf740e3a88a72c49236cbb282587f2b1bd854beab537699c77905408a9ad |
| SHA512 | 5df819a9c13cf19e3290dca7f17708a7c4c477e92b45a9d324ffcf0ad8ec35eb1f5918974434e83cca1bbfd015f90b70f4ea9816917d976a8602b7202b567083 |
C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe
| MD5 | 80a34a23cb1e3d85083024100d519628 |
| SHA1 | 901a6c75d8c1ed042ef1272aad5715f0c26e82ee |
| SHA256 | 180a6b02d1236f2aafa07a48ed108f4f2714d34079579f2f07feac06eeeca5d6 |
| SHA512 | 26e9efdf56185e207eb31ccef5410a6e935955cf1fb072020e7bb9b96d64f4bdc50d66e2822aab5d20d9b9f67a8f47037ce6d7b4a7c4f49093b252fb0919190f |
C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe
| MD5 | 683b126a232a9fced854ba9e6c77777c |
| SHA1 | 60afadea58ab41def6fb9e9d1776e31f392a2989 |
| SHA256 | fcf451bf3f2903dbba1311e8544326fc12acc128077be42ce0f33fd1ed43cff9 |
| SHA512 | 5e038786c3f405fdcd7cf0b3875294fc83fd7a0215fdaa2b0fc93dbac4fea409e53b263ee1aad31e0888e05f64492b8d17830fcf4e6f06264e4e39a7b7dbc6a8 |
C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe
| MD5 | b31c67d2f2737eb7f97988b509546417 |
| SHA1 | 13d9b9d6d639f978a42d59be9b2f1bbf5db2b91f |
| SHA256 | efbf380a93ef05077fb5b41c8d96b77ea54eb197dbde3afd390043a38ca97809 |
| SHA512 | 4b5bc9c56b2d209fb8b8e0a991e56ee8c7eb006d0d3b815963a14e10d9da0d7be36193894edfef97a6a485d3f02e4cd3e3c09dc537bc7c7e9b3f215fe07d4285 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 138s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}\stubpath = "C:\\Windows\\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe" | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1575E72-A304-45f0-8258-4A0F1797092D} | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF8EF88-9C47-429a-936B-E72EC8B154EC} | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}\stubpath = "C:\\Windows\\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27692E41-CA5A-4161-9A9A-25701F044C48}\stubpath = "C:\\Windows\\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe" | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68464B4B-958E-414a-8743-01950BBC1CBC}\stubpath = "C:\\Windows\\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe" | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D861F7AD-DA23-44bb-BB93-81CB07C529BF} | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523} | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}\stubpath = "C:\\Windows\\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe" | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}\stubpath = "C:\\Windows\\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe" | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}\stubpath = "C:\\Windows\\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe" | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD9FA70-20F5-4845-9758-8B32523756E3} | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1575E72-A304-45f0-8258-4A0F1797092D}\stubpath = "C:\\Windows\\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe" | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27692E41-CA5A-4161-9A9A-25701F044C48} | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0} | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9} | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E} | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD9FA70-20F5-4845-9758-8B32523756E3}\stubpath = "C:\\Windows\\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe" | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}\stubpath = "C:\\Windows\\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe" | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199A4197-54B8-45ed-B748-9FCA1E81E9DC} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68464B4B-958E-414a-8743-01950BBC1CBC} | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}\stubpath = "C:\\Windows\\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe" | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383235A2-85CB-4379-B1FA-C92783097B0F} | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383235A2-85CB-4379-B1FA-C92783097B0F}\stubpath = "C:\\Windows\\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe" | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | N/A |
| N/A | N/A | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | N/A |
| N/A | N/A | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | N/A |
| N/A | N/A | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | N/A |
| N/A | N/A | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | N/A |
| N/A | N/A | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | N/A |
| N/A | N/A | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | N/A |
| N/A | N/A | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | N/A |
| N/A | N/A | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | N/A |
| N/A | N/A | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | N/A |
| N/A | N/A | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | N/A |
| N/A | N/A | C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| File created | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | N/A |
| File created | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | N/A |
| File created | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | N/A |
| File created | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | N/A |
| File created | C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | N/A |
| File created | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | N/A |
| File created | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | N/A |
| File created | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | N/A |
| File created | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | N/A |
| File created | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | N/A |
| File created | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe" |
| C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe | C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe | C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{199A4~1.EXE > nul |
| C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe | C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{27692~1.EXE > nul |
| C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe | C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{68464~1.EXE > nul |
| C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe | C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D861F~1.EXE > nul |
| C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe | C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7F5~1.EXE > nul |
| C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe | C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6E3~1.EXE > nul |
| C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe | C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{38323~1.EXE > nul |
| C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe | C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8A86C~1.EXE > nul |
| C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe | C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD9F~1.EXE > nul |
| C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe | C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EE8F4~1.EXE > nul |
| C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe | C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B1575~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe
C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe
C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe
C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe
C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe
C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe
C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe
C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe
C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe
C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe
C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe
C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe