Analysis Overview
SHA256
017afeeb4ce6789eb3ce1f048e09a8f579627e73e43157b2d7653ac448082126
Threat Level: Likely malicious
The file 2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:04
Platform
win7-20241010-en
Max time kernel
144s
Max time network
126s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873BDB15-F50B-4d86-8E81-13979B67472D} | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDE664C-865C-49a8-BDF5-50B930A402B9} | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D} | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}\stubpath = "C:\\Windows\\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe" | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}\stubpath = "C:\\Windows\\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE36818-BDE5-4dc1-9879-29048ACB2545}\stubpath = "C:\\Windows\\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe" | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}\stubpath = "C:\\Windows\\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe" | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}\stubpath = "C:\\Windows\\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe" | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}\stubpath = "C:\\Windows\\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe" | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DF3AF2-91A6-4fbd-812B-14C81693E812}\stubpath = "C:\\Windows\\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe" | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889D4BB4-5A2F-441c-9808-C3AA69EF604E} | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873BDB15-F50B-4d86-8E81-13979B67472D}\stubpath = "C:\\Windows\\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe" | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDE664C-865C-49a8-BDF5-50B930A402B9}\stubpath = "C:\\Windows\\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe" | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D} | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00DF3AF2-91A6-4fbd-812B-14C81693E812} | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE36818-BDE5-4dc1-9879-29048ACB2545} | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD} | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315} | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}\stubpath = "C:\\Windows\\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe" | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2803213E-7283-43e6-90C4-FA0418D7699F} | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2803213E-7283-43e6-90C4-FA0418D7699F}\stubpath = "C:\\Windows\\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe" | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | N/A |
| N/A | N/A | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | N/A |
| N/A | N/A | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | N/A |
| N/A | N/A | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | N/A |
| N/A | N/A | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | N/A |
| N/A | N/A | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | N/A |
| N/A | N/A | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | N/A |
| N/A | N/A | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | N/A |
| N/A | N/A | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | N/A |
| N/A | N/A | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | N/A |
| N/A | N/A | C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | N/A |
| File created | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| File created | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | N/A |
| File created | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | N/A |
| File created | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | N/A |
| File created | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | N/A |
| File created | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | N/A |
| File created | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | N/A |
| File created | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | N/A |
| File created | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | N/A |
| File created | C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"
C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9ADA5~1.EXE > nul
C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE36~1.EXE > nul
C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CAC~1.EXE > nul
C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B68~1.EXE > nul
C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{873BD~1.EXE > nul
C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FDDE6~1.EXE > nul
C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C85C~1.EXE > nul
C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28032~1.EXE > nul
C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E98D~1.EXE > nul
C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe
C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00DF3~1.EXE > nul
Network
Files
C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
| MD5 | 2e81fb1cede10971a71554bb0fca908b |
| SHA1 | b170c5d29c828dce9afbbe714d50b88c6ecdd81f |
| SHA256 | 4ba59cce29d4d1fc191f23d9ab00f5a0a7df173888eff4f2e6f2724545d2abd5 |
| SHA512 | dd40aed501355f2b98fa3ca62fab40bb4622edbe91ea9dd1cc9475109a6004aa51036aa3342781b36f2b1db3a697535a5467a170c1a4cc9f976dae1efecefd6e |
C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
| MD5 | 218c7ad6d2dcdda99465f48996e5d0aa |
| SHA1 | 8f96c22a79f9e751b73f7dfaa8b3c34f41302e41 |
| SHA256 | 5e4eb086f5635bbf810ecdbf06a3ef70582c0b65d665f01a98cba27ab4de21c0 |
| SHA512 | 25671602dd63378812ba09ff4e3891977dfea1593c12055fe6de19e6778013bd6d843cd13c763bab8d2137f4ce612bfe4bafb4398573ed3e8fe9f312ef3b978f |
C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
| MD5 | e3a98463e800d82e50e468d457c8e965 |
| SHA1 | 5e6666429bf10c6ea64d716cfa31200497029827 |
| SHA256 | d88edbde799a33955ef128b591812f58f278a32b736efb6034c46c9715a17f72 |
| SHA512 | 4591843004f0054d9fa3686dcaaa45f73ac19f1b3bb99ea3a99702e2d47ee470d7ca7b78c13470dd9ce39567c05d2bacc5dd70237fec291b644b1dcfbee0ce0a |
C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
| MD5 | a1e9fea736308b146c3b6ba877253275 |
| SHA1 | ceb6285378f9725ab94f555facd044c133e36d3c |
| SHA256 | eeab5b8a6cf4002e1046b915999dcf882031fbb3b90317157e66e9a301769545 |
| SHA512 | df4ddae25dd23f0c3ca29236de50b2f21e702fb15160853ebb83ee926175643c718c9706ae8cfb61b43c252622f7780e11ec54589830491828f676692ef05631 |
C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
| MD5 | 2c3e1e0e594ad0e23272d07720a91c96 |
| SHA1 | 22a65c368b91e1d0f66f478cd77cd0c81570aa85 |
| SHA256 | 9725bd0d472604c64add437523b10c7bd4a39349b0a1e24eecc04bf3528db95b |
| SHA512 | ea1acc7652be6dd79c543a7b2821ac2c1a36993e8ad3c90a86462c1a3ce32634f60c12a0d22ab3c6f62f8de5a42b857271d2376286b41be5cf59ad6507cf3c05 |
C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
| MD5 | 09bc217bb98eabe273c3fae9b4d81124 |
| SHA1 | d6c08515cfe42812209d1c169e198cf353df70a5 |
| SHA256 | 8f74ba907f43ffc83304f7d9ce5cb958bcaea50a2a616569bd764e890388c233 |
| SHA512 | 5634516af1cd2faa75c45a9fcda03f3434523835c695900483409b4879b876b01c089d17a34d483b60574c11dd39cd40e7b7e7c428981f50255445e2dfa9f99b |
C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
| MD5 | 86e4e6e163f46b52281e8c5e31b3525d |
| SHA1 | 99abc8919c2f4b3057fa30f77d9feb5ede7005e7 |
| SHA256 | 9acdf9f6904e3344445511a8747077f8769b582d2bf5318c739c6f3897e46d0f |
| SHA512 | 8dd242f36de261aca8540f774b77a1445304da2150590517db843a91478a8d3c215caa8310aa6da7a631e656ab0d44eae36bf5c2500a792b07efe336c032d894 |
C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
| MD5 | 55c897369733a099687b426d77dc2872 |
| SHA1 | a7c5b38d30ef01ec6bdb3b36d1ef09cfd8778c7a |
| SHA256 | 7dec19d4f4b901140f36c6f7356146e4b6cbd0d99cdc0d87d874f285060b047f |
| SHA512 | 78b1c0c3033e6c9c9f4b3aec933017f719b8c7af23cdd7342c50b13343b512d3cfaa7a56b5d9fad991c6dd9679cf536f49ae90adbdc1b97a25008ee497fd7f02 |
C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
| MD5 | 19d7da41ff327cfa4a4526ea10280595 |
| SHA1 | 79e3f47b9cdcade4b4742a69f31a4ea90cd69111 |
| SHA256 | a3ec303ada08c6a178e3b603bf0896a929557932c62e572de41a19a6064d8113 |
| SHA512 | dc63f05304e595cac0825400441a3aefeb983643c7a953085deca2abbf20ae2bab279710e052a657218c46104ad349e8654076de7490e172bfc991060e8b20c9 |
C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
| MD5 | 1c71235eb9795a6109c81e450f2b9057 |
| SHA1 | 92e9d8e425d815f37e703458c59109761e2a1b58 |
| SHA256 | 4eb30b26b604d87937e72787096441e5f84b709ca65933443eb1368700e7d41d |
| SHA512 | 69ef935a3b0835891b9b680cbe182e2f91a8c3771ed3cafdfb6747d44ea8095c3f7361730a1acb696363b8220351b984d017d7ff2a5b0897b5ee7ffd9ae24e90 |
C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe
| MD5 | 62032f60c68c6655dcc243b1a58b2ab7 |
| SHA1 | df975affef1a78ea50b556ac840df70f104f8e07 |
| SHA256 | 2902109d66d4c5c7f700f58897bdbcf00b7d01ef6109ad7491199184fc47c33c |
| SHA512 | ad17551bd7e6576e8410b196a92cd9950b42ee8dd051f5874c36d13d5d40d6e6f36ffd049c395776775b57c6493778a7b2a149820b30ff4930dd02886ccdb47f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457A8537-A150-48ac-85AB-552983641D20} | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F1E73F-F79F-4b51-873A-60D34B31AA28} | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}\stubpath = "C:\\Windows\\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe" | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28EED0F2-3774-4646-95CB-04EB9688B30E} | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6CD116-4A97-479f-BD1C-9D345097A74B}\stubpath = "C:\\Windows\\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe" | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}\stubpath = "C:\\Windows\\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}\stubpath = "C:\\Windows\\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe" | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D401AB4D-E983-4b60-9308-27DA092FB280}\stubpath = "C:\\Windows\\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe" | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316D9C2E-E408-4015-B85E-88F60F79FC2C}\stubpath = "C:\\Windows\\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe" | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFF8995B-C731-4166-8439-2FE9B27C0A6E} | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}\stubpath = "C:\\Windows\\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe" | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3D7404-F4FA-4c12-A605-BCF712E04F51} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9} | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C} | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D401AB4D-E983-4b60-9308-27DA092FB280} | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F1E73F-F79F-4b51-873A-60D34B31AA28}\stubpath = "C:\\Windows\\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe" | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316D9C2E-E408-4015-B85E-88F60F79FC2C} | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28EED0F2-3774-4646-95CB-04EB9688B30E}\stubpath = "C:\\Windows\\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe" | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}\stubpath = "C:\\Windows\\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe" | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}\stubpath = "C:\\Windows\\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe" | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457A8537-A150-48ac-85AB-552983641D20}\stubpath = "C:\\Windows\\{457A8537-A150-48ac-85AB-552983641D20}.exe" | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1535D9-2068-4e4f-978C-7FD88EA061C3} | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6CD116-4A97-479f-BD1C-9D345097A74B} | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AACEFC6-E40B-4134-BF51-AC673D79E71A} | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | N/A |
| N/A | N/A | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | N/A |
| N/A | N/A | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | N/A |
| N/A | N/A | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | N/A |
| N/A | N/A | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | N/A |
| N/A | N/A | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | N/A |
| N/A | N/A | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | N/A |
| N/A | N/A | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | N/A |
| N/A | N/A | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | N/A |
| N/A | N/A | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | N/A |
| N/A | N/A | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | N/A |
| N/A | N/A | C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | N/A |
| File created | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | N/A |
| File created | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | N/A |
| File created | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | N/A |
| File created | C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | N/A |
| File created | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | N/A |
| File created | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | N/A |
| File created | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | N/A |
| File created | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | N/A |
| File created | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | N/A |
| File created | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| File created | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe" |
| C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3D7~1.EXE > nul |
| C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A2F6E~1.EXE > nul |
| C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA34~1.EXE > nul |
| C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D401A~1.EXE > nul |
| C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{457A8~1.EXE > nul |
| C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{25F1E~1.EXE > nul |
| C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{316D9~1.EXE > nul |
| C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DA153~1.EXE > nul |
| C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{28EED~1.EXE > nul |
| C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6CD~1.EXE > nul |
| C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe | C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF89~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files