Analysis Overview
SHA256
72b2a84b660df86b6e255558666f6c81ae42eb8981d30bd90cc2d414fd37cdd2
Threat Level: Likely malicious
The file 2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:03
Platform
win7-20240903-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}\stubpath = "C:\\Windows\\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe" | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}\stubpath = "C:\\Windows\\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe" | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}\stubpath = "C:\\Windows\\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe" | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94F6014-2FD8-437e-85F5-EE9496EAEECD} | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1893E4-98DA-411b-8803-FDA4A2823A22}\stubpath = "C:\\Windows\\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe" | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}\stubpath = "C:\\Windows\\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe" | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}\stubpath = "C:\\Windows\\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe" | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4} | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}\stubpath = "C:\\Windows\\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe" | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE} | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E} | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9} | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}\stubpath = "C:\\Windows\\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85062772-B07A-4fc5-94CC-D4949C2ED1F8} | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980} | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}\stubpath = "C:\\Windows\\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe" | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}\stubpath = "C:\\Windows\\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe" | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}\stubpath = "C:\\Windows\\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe" | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1893E4-98DA-411b-8803-FDA4A2823A22} | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC} | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFD2AAD-EECA-4eb7-8025-21CD93752061} | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | N/A |
| N/A | N/A | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | N/A |
| N/A | N/A | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | N/A |
| N/A | N/A | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | N/A |
| N/A | N/A | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | N/A |
| N/A | N/A | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | N/A |
| N/A | N/A | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | N/A |
| N/A | N/A | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | N/A |
| N/A | N/A | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | N/A |
| N/A | N/A | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | N/A |
| N/A | N/A | C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | N/A |
| File created | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | N/A |
| File created | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | N/A |
| File created | C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | N/A |
| File created | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| File created | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | N/A |
| File created | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | N/A |
| File created | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | N/A |
| File created | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | N/A |
| File created | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | N/A |
| File created | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"
C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe
C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe
C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE1C~1.EXE > nul
C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe
C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61538~1.EXE > nul
C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe
C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{85062~1.EXE > nul
C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe
C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE98~1.EXE > nul
C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe
C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F94F6~1.EXE > nul
C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe
C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{42E4F~1.EXE > nul
C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe
C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CF189~1.EXE > nul
C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe
C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8ED~1.EXE > nul
C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe
C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BAFD2~1.EXE > nul
C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe
C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC86C~1.EXE > nul
Network
Files
C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe
| MD5 | 8d557af35f29fb604f2afc788d0f620e |
| SHA1 | e9d3685d9339e3e107bc5f2673571e65af0209ac |
| SHA256 | fd093278512f105cac7b3f5688de69e18b227113818d7aab6551cbc0fbabdb6e |
| SHA512 | e335c98310ac2802dbc5d004e64b991430a0c0eec6f9f3620512ade8847b57539b41148b6e7aecec9535a420d637185b4dc3aa5e5d48a4371ccec909f0f714eb |
C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe
| MD5 | e4aa70f9c457e13b98f80e900afaf4d0 |
| SHA1 | 0f40d8b9d21be18af17f2260d19557fc2ebc43d3 |
| SHA256 | 709b5ac229ea0d0455c6799a6adb4242f46ad6a25cfa627bce89a263ac46b0bd |
| SHA512 | d76016002d4438360ac9533b37a42ba277d41e17ae4644e1cbe3bf776d6828682682622c1975d4367af20af11c3349915c7d01ef90dd6379a2e312693251baf6 |
C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe
| MD5 | 18855c72f6aa22127d7b95c676d98467 |
| SHA1 | e2109f7e6268104014cd00cdcbf31b0aac2aea22 |
| SHA256 | dbe4f769cdcdafc4d928e5aa0b8b68d459f6a637ffc32d251388bbc639948def |
| SHA512 | 7c83b4edc2f6ae21f6e04912db16528082bdbfb56cede88ff014c5acfa055a40624b393a5b05ee28220afb5d2dbbba04d22c524275cf3422f2f51c9644eb1f8e |
C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe
| MD5 | 04bf8b8ee62f020845a5603ebfcc325d |
| SHA1 | d9c6b2196bda1b7125c59b11e685d4dca8307c43 |
| SHA256 | c8c7ef32ac784467d177e124d2df687a7946fb3c4b8b67516163ce2074324463 |
| SHA512 | b49f74146fe3daeeea92bf0182323a13bd6f2efed0eb30e83396da280d05369b9adae4c5c5bcc481a68514952e4f8a56a8e891d1230e3650b5daff7ee3d14245 |
C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe
| MD5 | fc9e40b7d75aeaaf88761ba908e8089b |
| SHA1 | 2dd5babe15af7ab207f5d0a76a260df157b61046 |
| SHA256 | ad42f62bc3b2ad8b1493b922ddcbe8912d691ca67ff3f1f363e57207fbfe5683 |
| SHA512 | 8d524c9134901df2db30bab4333ed2b1cbdbc1157e825fa39e60d376eb7954416e19f053092a8018bfe71d74b22897b8425f76c1bb0ee3dc48f369e2b292ef46 |
C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe
| MD5 | 1824302ba637df1e9ef44e85da7a586f |
| SHA1 | 6ced469c051cbba5b018a13db686bf00936e9195 |
| SHA256 | a4780f2d45bfd6b230b1f92774499504d00635d57fc1367a0387936eb45620bc |
| SHA512 | 296ba0f89205553f80d2dbe7c968404bfed25f375bb8e3d99479a500579fa755acac90a5007d781c0717e2000f61562bedc6a527ad81f19299b76eda94501980 |
C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe
| MD5 | ecd78515688c086b51312e9c2005c4d9 |
| SHA1 | 80edd90066dd5940a8fb38166d57efd7b3cecf0f |
| SHA256 | 6fae171ff46a799656a0430041d415f7b0e841afef5103e0facad1a98d8b11a2 |
| SHA512 | 8dccc58018fcd6633b9f35af1adff4f17919756ca02c44e390800101441208f90ddcf657d22d43594e132e9dedb056beedaecd852a2ccf3a3d4bae5f5d29b24b |
C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe
| MD5 | 096af8f4459c4fef6e576d51bfa46c0a |
| SHA1 | 8b5a81d16f189baac83ec22cefc1ad7a8221cfd8 |
| SHA256 | 1850a119515f01777885705c80a40bd45cdf4784f7b9d6347173e387e011f17a |
| SHA512 | 4cb35ee5b3b510b2d089db99918e181d2b283ccb7961bf555e40081e4d185edc0e59e7408fedf62d7a0aa6946f5890627b1fc7facf84a507ab35b7d8d806326b |
C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe
| MD5 | 497fcb46f36c5e8502ae87ad6037ec3b |
| SHA1 | 36c895c50b66691dd9dcce04a0c8d1f004dea2ac |
| SHA256 | bb22dcb7e14f57d8df959e2578d597774b811d8beb08936ab7a8987e4ec16714 |
| SHA512 | 430b95573cbf5671af15b0399d9a36bec7be940192185fb4f3d39031c9cdfef6926c5604f7c66f116e98e94abf786b70f25789298d8818fdedad7e56d0cecb39 |
C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe
| MD5 | 18126ec24e895b5df79579ae4657e969 |
| SHA1 | 8834ecb8cd8747ffd089a6d23a205b6f0800f88b |
| SHA256 | 9d31fded6d5b1c85fda7743f3b6fc1fd8ebb0f84f0d82bd17a359bd17f2cf27b |
| SHA512 | a08c4edac0dd45a765dda14946adbb3dd8caaae15333eb841e20d476d57c9d9963a3e9b38cf913354bf0386d5013f840d2c99e06039901ff51e9e11007a94e89 |
C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe
| MD5 | 501d89e1cac2c6bdafb308b72c4b4627 |
| SHA1 | 4f743c5e3b445c83f52eb84b610918ef162eb24e |
| SHA256 | 12613f4e7eeb433288b494ad0495010e8e1a825711b8687aeb5b9b5484caf129 |
| SHA512 | 027d30581714c1bacc8eb280755b2cded2d896f509c90001164b7000b98106a2bae461bf227392e8c45d5b5453f9e8ebb79ddb76dd9dc124407a1a07c3d934cf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}\stubpath = "C:\\Windows\\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe" | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}\stubpath = "C:\\Windows\\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe" | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC0306C-F35B-467e-B0EE-232F9D268A2D} | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3178A2-B2F8-428a-BC74-D65D4986895D} | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3178A2-B2F8-428a-BC74-D65D4986895D}\stubpath = "C:\\Windows\\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe" | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62E58AE-7019-4709-8CEA-34E37492BE17}\stubpath = "C:\\Windows\\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe" | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}\stubpath = "C:\\Windows\\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe" | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F46C35-DEF0-4e93-AC46-594F684E264B}\stubpath = "C:\\Windows\\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe" | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DD17C6E-30C6-43a8-99E4-5816C6841B75} | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}\stubpath = "C:\\Windows\\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe" | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24264C4E-4CEF-41ab-B321-BF4A0415D38B} | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F46C35-DEF0-4e93-AC46-594F684E264B} | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BBC482-5272-4328-8346-BDE4F82DB919}\stubpath = "C:\\Windows\\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe" | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010DD0E7-CD97-4bc7-A47C-95330BFC6870} | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}\stubpath = "C:\\Windows\\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe" | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1} | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}\stubpath = "C:\\Windows\\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe" | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB48FFA-93D9-4767-B37A-93998DF7C18F} | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BBC482-5272-4328-8346-BDE4F82DB919} | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62E58AE-7019-4709-8CEA-34E37492BE17} | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A} | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}\stubpath = "C:\\Windows\\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe" | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E25C532-7B7D-4db0-8810-6FA50B89D028} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E25C532-7B7D-4db0-8810-6FA50B89D028}\stubpath = "C:\\Windows\\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | N/A |
| N/A | N/A | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | N/A |
| N/A | N/A | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | N/A |
| N/A | N/A | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | N/A |
| N/A | N/A | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | N/A |
| N/A | N/A | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | N/A |
| N/A | N/A | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | N/A |
| N/A | N/A | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | N/A |
| N/A | N/A | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | N/A |
| N/A | N/A | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | N/A |
| N/A | N/A | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | N/A |
| N/A | N/A | C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | N/A |
| File created | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | N/A |
| File created | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | N/A |
| File created | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | N/A |
| File created | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | N/A |
| File created | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | N/A |
| File created | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | N/A |
| File created | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | N/A |
| File created | C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | N/A |
| File created | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| File created | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | N/A |
| File created | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe" |
| C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe | C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe | C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8E25C~1.EXE > nul |
| C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe | C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D62E5~1.EXE > nul |
| C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe | C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{24264~1.EXE > nul |
| C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe | C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB48~1.EXE > nul |
| C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe | C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BBC~1.EXE > nul |
| C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe | C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{010DD~1.EXE > nul |
| C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe | C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD4B~1.EXE > nul |
| C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe | C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{07F46~1.EXE > nul |
| C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe | C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3DD17~1.EXE > nul |
| C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe | C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC03~1.EXE > nul |
| C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe | C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1BE~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe
C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe
C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe
C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe
C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe
C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe
C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe
C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe
C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe
C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe
C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe
C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe