Analysis Overview
SHA256: f6cb08b1b962653e519b0c00359779f923105999334b45e5e1eff001cb447a8d
Threat Level: Likely malicious
The file 2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:03
Platform: win7-20241010-en
Max time kernel: 144s
Max time network: 126s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973E1756-05B4-44be-BD1B-99BD59EE1E11} | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6C9A84-311A-4c6b-9870-B6714100BBC2} | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6265BA-5C34-4116-93D1-619ED791E476} | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}\stubpath = "C:\\Windows\\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe" | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933D4D93-9CF9-486d-85AF-5EE54BBB341E} | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E452A98-9E37-41ed-872C-112B610E86FB} | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}\stubpath = "C:\\Windows\\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe" | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E452A98-9E37-41ed-872C-112B610E86FB}\stubpath = "C:\\Windows\\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe" | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}\stubpath = "C:\\Windows\\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe" | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}\stubpath = "C:\\Windows\\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe" | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}\stubpath = "C:\\Windows\\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5} | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53} | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973E1756-05B4-44be-BD1B-99BD59EE1E11}\stubpath = "C:\\Windows\\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe" | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5} | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609C0694-2563-4cd7-B21A-7C988DF0BE5D} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}\stubpath = "C:\\Windows\\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe" | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}\stubpath = "C:\\Windows\\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe" | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6265BA-5C34-4116-93D1-619ED791E476}\stubpath = "C:\\Windows\\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe" | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C} | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD} | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}\stubpath = "C:\\Windows\\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe" | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | N/A |
| N/A | N/A | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | N/A |
| N/A | N/A | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | N/A |
| N/A | N/A | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | N/A |
| N/A | N/A | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | N/A |
| N/A | N/A | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | N/A |
| N/A | N/A | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | N/A |
| N/A | N/A | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | N/A |
| N/A | N/A | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | N/A |
| N/A | N/A | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | N/A |
| N/A | N/A | C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| File created | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | N/A |
| File created | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | N/A |
| File created | C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | N/A |
| File created | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | N/A |
| File created | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | N/A |
| File created | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | N/A |
| File created | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | N/A |
| File created | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | N/A |
| File created | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | N/A |
| File created | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe" |
| C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe | C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe | C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{609C0~1.EXE > nul |
| C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe | C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F20C6~1.EXE > nul |
| C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe | C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{261C4~1.EXE > nul |
| C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe | C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D1CE7~1.EXE > nul |
| C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe | C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{933D4~1.EXE > nul |
| C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe | C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8E452~1.EXE > nul |
| C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe | C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{973E1~1.EXE > nul |
| C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe | C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AE2~1.EXE > nul |
| C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe | C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0C6C9~1.EXE > nul |
| C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe | C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5758E~1.EXE > nul |
Network
Files
C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe
| MD5 | eb2ea0418bd121f6625242e838088212 |
| SHA1 | 31b6ccf60e0589415ef2c92b432f18fe18d3bcaa |
| SHA256 | 13884e146695ae55e82e8b9618810b914342a88be0138fd3b0e799565f958184 |
| SHA512 | 1a75222c6cd242a322075257eafc9c4f0dd30051dc0ad3039d480c92f652ae72240ae7933343b810a944c9588f46db930e57c92b82fef2687b8d2a5e69904cbe |
C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe
| MD5 | 1a5efad944dd2e2dd58ee29ce91c105a |
| SHA1 | d517c6547f463cec9becf8e22a9c719f5fa3f114 |
| SHA256 | 589923d70829b72fedf406efec6d1e506f7cbab1c414dccbc23f1e0f13b19a19 |
| SHA512 | 22c97e671849d5fc3805ce6cdf1c4ac475fcbf2006d0f9b53c66577b054b16c7b466838eb083603b16baea1d84239923a37416c6a6d9655297ec9506e06645da |
C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe
| MD5 | c7775e16d5375821d3609691ed9165fa |
| SHA1 | 50c05a7a319606d6b0a2606d266fb4f16af764cb |
| SHA256 | 276b0d523bee667095e49569258d16d567fd2b4e3f6527de30689dc760117028 |
| SHA512 | 2a5daa267916afd3a1b129d8aabf5e7e8b5dce719b500ca824933fb0b3ccdfc942a506f8ff34ca3832a589f3c419601dbd34e3bb7f4cfa642505f9d691c7c7f9 |
C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe
| MD5 | 8d16c2d119f5c56587da75fe8278aa1c |
| SHA1 | 0c78b14492f678d2dfb441b0d246276186629468 |
| SHA256 | 89d9fd280eaf518008de82df2e98996fc411668bcc2391c7aabb0c77588afb21 |
| SHA512 | 35a8af73ac17bd2a32f637d5d94c49d2be4097f8a41a587bdffdc1b367edcc507de9a9d46f65fa4e86f0c0f45249aaa0dfe1351059b0ff5124d2bebc6ab619a5 |
C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe
| MD5 | 4b4c60dc5684dc8f785dc7e13e900a90 |
| SHA1 | 5a0c0447b3fa71cfbde6a658e3c8a06b5cfb6d45 |
| SHA256 | 32f81b5fa6877534a9f6eff6c0c74c9c5e5040793a142fcfff056eead261049c |
| SHA512 | 71f7901746dc04f079378dacc26d3bf8181a9146ed5c7b6041306ff7bb75fbd05e235b3c0db52f933a2b2db78fcfed0cf97259d8bde206aa09151d4c5b156b96 |
C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe
| MD5 | 1afe872026dc006d366d6b5bfc8b5b0a |
| SHA1 | 9133a181a1ee409a49ef30e72b00748175149dc6 |
| SHA256 | de348b75369314c050578925785b44ebd760ac67dc316c67c11b46f69230a33f |
| SHA512 | add108e797e91aa49b13c7d229f5ccf0da9714381163bbeb0493bd54acd51dfc2e21c46461cfda691798f9a35be37c2aaefad16800af6a28dedc53743664d2de |
C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe
| MD5 | 0694b40b7790cd2b7ef0dc2e41f880df |
| SHA1 | e8b08549ff84f4645905cc059b103e57c1e208b6 |
| SHA256 | 74014c99e2bae913424bd13ed92e040262911f1c98c8a19f51a32381f23ed9f4 |
| SHA512 | ada8f3e9e583a2a9c5f202c0a556d92bc04dda1ad1cf8ebdce4fdcafce6cd06378009e0f3417152acc752467bbf35f213dd18e2117116bd7f57ea742a0faf220 |
C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe
| MD5 | 88bf2bc78d840bbda79fe89c563d6dce |
| SHA1 | 67ff7b3eb6863691180a2e7fc33c62eba61b5444 |
| SHA256 | a80720e770107a3e59b9fccc4458e3ac086516dec6bd0d28288e7bbcaa8d2da7 |
| SHA512 | 111a44993e6b41678c96ce1d4991e7d26ef894d994df46a0892d43c443cd8c30870b04d31101fadcf249f2fd85ff73fbe07be7ff80ea15387bd0506b4d10d110 |
C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe
| MD5 | 1ad7e83025282e967465a719b52680c8 |
| SHA1 | 90fd44e68da6563796f5a96b969a8b29ea4bfd38 |
| SHA256 | 6d5beac7c5b9d986811b8da505a48eaee13c85219afa8d24c5d5a26b4c0cb3e8 |
| SHA512 | 264d839cfbd9ddf15c2102a1b8c239cc10708705120c9d839b2383930349b78c4424ad7a0c94a35368fb6c3f415e15d1d5b9274f8d56567c5ac914ef65de0106 |
C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe
| MD5 | 6f602232b0490736e3b935be0f234d4f |
| SHA1 | 74487507fa7181f48885b931f6a38a05c54f1e13 |
| SHA256 | ca20731f91fbdc7e33c717761ea82bb1a1d87b0b2513bef086602e89feafdca8 |
| SHA512 | ab1ce372452edf7ba0f3bf47b758e45beb168cf4aeeb8bfd475b4f119b9647157ac6ae8eb0a62d3a5ea5188d1a5e7550a6212350282aaa9fbe7b1ee16d96355b |
C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe
| MD5 | 69fc628fb773c91357163f943295e7b7 |
| SHA1 | 100fd54b5daaddf243e632258d781d95b208a303 |
| SHA256 | 0b5426c2cc1ca719000d7bfeabf07b37048c6db93a5ceaa4c4db0a97f331d8de |
| SHA512 | 90847c641b7dc1678e0781380038c00da9c634bb7add00d71e65c6502bc42d8851abee548bd159463544e259a7fd8e47737aa305c6d33b8da63fd4e82680e0c5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:03
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 141s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}\stubpath = "C:\\Windows\\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe" | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5} | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}\stubpath = "C:\\Windows\\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe" | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}\stubpath = "C:\\Windows\\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe" | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A447D4-5F84-49cb-9777-4C800DD53B1D}\stubpath = "C:\\Windows\\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe" | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF} | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}\stubpath = "C:\\Windows\\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe" | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF0480D-606F-453c-8DBB-F5113E1BE326} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E144AC-EB33-402d-9494-2AC9727FBBD5} | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}\stubpath = "C:\\Windows\\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe" | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E} | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B8F8D7-819F-495d-99FF-1AF8C025846E} | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B8F8D7-819F-495d-99FF-1AF8C025846E}\stubpath = "C:\\Windows\\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe" | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E144AC-EB33-402d-9494-2AC9727FBBD5}\stubpath = "C:\\Windows\\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe" | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267} | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14} | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5} | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF0480D-606F-453c-8DBB-F5113E1BE326}\stubpath = "C:\\Windows\\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}\stubpath = "C:\\Windows\\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe" | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}\stubpath = "C:\\Windows\\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe" | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F} | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}\stubpath = "C:\\Windows\\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe" | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A447D4-5F84-49cb-9777-4C800DD53B1D} | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69} | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | N/A |
| N/A | N/A | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | N/A |
| N/A | N/A | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | N/A |
| N/A | N/A | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | N/A |
| N/A | N/A | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | N/A |
| N/A | N/A | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | N/A |
| N/A | N/A | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | N/A |
| N/A | N/A | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | N/A |
| N/A | N/A | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | N/A |
| N/A | N/A | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | N/A |
| N/A | N/A | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | N/A |
| N/A | N/A | C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | N/A |
| File created | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | N/A |
| File created | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | N/A |
| File created | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | N/A |
| File created | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | N/A |
| File created | C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | N/A |
| File created | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | N/A |
| File created | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | N/A |
| File created | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | N/A |
| File created | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | N/A |
| File created | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | N/A |
| File created | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe" |
| C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe | C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe | C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF04~1.EXE > nul |
| C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe | C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{54D9B~1.EXE > nul |
| C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe | C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{61B8F~1.EXE > nul |
| C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe | C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DB202~1.EXE > nul |
| C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe | C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{90E14~1.EXE > nul |
| C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe | C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BCA~1.EXE > nul |
| C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe | C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FC479~1.EXE > nul |
| C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe | C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{47F3D~1.EXE > nul |
| C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe | C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7D1~1.EXE > nul |
| C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe | C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{51A44~1.EXE > nul |
| C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe | C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D58E1~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe
| MD5 | 2ff8425c534df4e986c5188cf9eaa750 |
| SHA1 | 5b33bb34c3325a1fb590ec951a7531b9e58bc4dc |
| SHA256 | 862964ae7c4332a46cd390fb73d252e607e791f242ef3c042f3b828958950ce4 |
| SHA512 | 2d64bb6741845b2e5db6fa0cb5bf68015b8a7f8b7d940e9e6600f04505186ba92b54ab7f303e859d3c5984da4fac47d4e4110de4df80b2274171a4854b5de27b |
C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe
| MD5 | c7a03987f580fef32cd1c0d6f7ea6df5 |
| SHA1 | 773401e1c0c3cfe39b30f3e628a1a0852773d177 |
| SHA256 | 753b50d4dc5ac26b5a6bacc67fcc9458af8c076eff4596f2840e716bdad279c6 |
| SHA512 | 778c034b590799e20880b525ff3239aa463d6e46f2a10a689feeecccbab635b172ed9d10b569cc795b48eb3e06c473fa8bddc55866f3bf8f0e9b3e74c4cff18d |
C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe
| MD5 | 8710aa319746c84def57f71d5ff8df89 |
| SHA1 | 82652d55464039d61a99fbcdfc4843aec628a870 |
| SHA256 | 70f934e1f0c6b3b2c992ae7c0e88945ececead56159dce0f04a7532a41b369fa |
| SHA512 | 0e8525b1b86787781edbf07039b4948d20ff918b193719bf863e65aa55d4c5b6d81d39156dc30de484419f6c8cff91082312a965df5df801ea44017356a87540 |
C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe
| MD5 | 2ee9be60dce478b7fa9844d7fac1ab29 |
| SHA1 | f94b66f59316e1f1a54d66adebe76cac37ab14b5 |
| SHA256 | 28a812840f381db7ef119700bc607fd099aea1bb8df827992f93c87e32cff995 |
| SHA512 | 28b11a48f3e3a2a48dbfbde4eab0fec79b40ea348dab524938a42c8a9d69a59b195d09c6f0b8d53b8919e5ee211446ea5bf62532efd4545be6be782bf9a8e775 |
C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe
| MD5 | e9827caaa58e43a2ccb20869d7d3ecdb |
| SHA1 | 6c0190ea205e096633067d910c3e983506434ac4 |
| SHA256 | 76a1a7d5c0a2b836819e32e5e4b7dbe615511f810636d42feca14b96f7a11ed2 |
| SHA512 | 06a590ebaedd802d56e36909265a945cd04197a4ad6195352981eb4b0e752516289575271ec0f23d272a170c95f9146c873835a3d671a4d954cba9bbbbf1c83b |
C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe
| MD5 | 93d45fa6e5b643a11ef9ba5ab2f9e230 |
| SHA1 | 3c5443813cc7bbf89796d131b0a4c19bc6689140 |
| SHA256 | 08d6cae58b8d202380447cb6dc27bc4a89041d685a70a3cd37735a12e9ac1eb1 |
| SHA512 | d8244059d1bb5f6e9c86cc2e69b24c6c5adab8ee1048f171811cea6827ab88a4e582a403af175ad12d39c06566325a679817a86af4066794db3db4510d5b045f |
C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe
| MD5 | 4433bb308d9eb89b358889fb45d68468 |
| SHA1 | 98b56614b09b2777e83af59948a2828f65c32056 |
| SHA256 | f95c0d2b82df8cf66b5c79125232f083e7b766b07a73bb183f94fce39b3fbbb8 |
| SHA512 | f56fd85964fb7860f8cd6003af9895731819d913a7503e7987c772869a314e20d6119640756371da021e456e045c372719ad46d18d59afcf1d6b730d3fd4c363 |
C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe
| MD5 | c097abf8fdd99c1ced6d04274169707a |
| SHA1 | 08d7c3d8a071d651c2f558f4496878eec1aaed7c |
| SHA256 | 1057a1d201eebdd9671078378f9f69d5ba1b063068b772ba463b4f187f99b9a3 |
| SHA512 | 5c189d82937497988de5eae40e6251117396af3cee1f7eba6a377066a0b8428567c709ce41e120715a01fe7f7a74b9e6c18ceaa6ab3a2f30945fa2cb1d825d55 |
C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe
| MD5 | b1eac2689e0da12020ce757c23adaecb |
| SHA1 | ed8bacfe5d1097dbde96637ded4478afee49b473 |
| SHA256 | 19e4fd7bd4ab0367ec11cb303b80a5982aa41bae1fe9cf7237bb1b2adb14a6fe |
| SHA512 | 43df2e745babf253edf894b8e6841533108326010416ef28e628594b3cc4e20603b1658b0c2675e5cb99f61367733fb8e1bd468850710d2df1eddc80a738fbca |
C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe
| MD5 | 53f89c957d062c0539e161edfb43072c |
| SHA1 | c062f1b91a0075a433f7d515d151295e11eccd16 |
| SHA256 | 0c9477d90750cf2f312305dab90cd63e45834ed92205067c6f89bd7c59d3a689 |
| SHA512 | a108a19581543b6667cdff986e9206bfebf757c9ea892baa1ac581a4fd3040a7db485c08898480af40263ffc556ffbb0b889cb86882777ad79d5cf4dfbe37d3f |
C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe
| MD5 | 0e2f87417da3bf083d77563cec657b6b |
| SHA1 | 1e117dc0b77269293c0bd67228f61f27435ff812 |
| SHA256 | da8f47ec94da3adb8feb6c4018cadf3db1c0271048b3051af5e9554984c4ca96 |
| SHA512 | 60852870466a416c20bb8a8e51b1352be93284bf98a9503eef880c21c7755a3e298dfe12ec50822f595914fb3330d8f67a6bf148483340ad5a2d72d5dd5fc048 |
C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe
| MD5 | c4c69779ffd8bbc40a6cdb8bc18f3b93 |
| SHA1 | 6c78c6ed894bb7fdc45b159887c11e6a13b2a169 |
| SHA256 | 1f2b1b88a3f183d05ee8b709dd8a3b129c214b1c15a5f3f2037a578b17a38a5a |
| SHA512 | e19148b7bd56f19f6a448f75fbbc739ac53644729771f179988c1f014644206b2033bfe4746b5bb02fe035eae425a16254a3e3742c65d750dffde99cd9620b95 |