Analysis Overview
SHA256
4b68fad0ab917fe10c216e1423a457f847e97786e8aef673cea1ad74ba726862
Threat Level: Likely malicious
The file 2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Deletes itself
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:04
Platform
win7-20240729-en
Max time kernel
144s
Max time network
16s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73743056-8EFB-4db1-8FAF-102220DB7DA8} | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF72723-320D-422d-8975-DACEE287A1F7} | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A1F3B35-23BA-496e-85AF-B9088C9425CE} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56E8823-A4F1-4c64-B387-FA53279B9529}\stubpath = "C:\\Windows\\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe" | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}\stubpath = "C:\\Windows\\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe" | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D} | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}\stubpath = "C:\\Windows\\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe" | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83F034D-097C-41fe-9952-2F8260CEBA08}\stubpath = "C:\\Windows\\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe" | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA} | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}\stubpath = "C:\\Windows\\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE} | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83F034D-097C-41fe-9952-2F8260CEBA08} | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2} | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}\stubpath = "C:\\Windows\\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe" | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}\stubpath = "C:\\Windows\\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe" | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF72723-320D-422d-8975-DACEE287A1F7}\stubpath = "C:\\Windows\\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe" | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC} | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}\stubpath = "C:\\Windows\\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe" | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD23FDF0-87F2-47f9-A62B-55987529206E} | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD23FDF0-87F2-47f9-A62B-55987529206E}\stubpath = "C:\\Windows\\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe" | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56E8823-A4F1-4c64-B387-FA53279B9529} | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73743056-8EFB-4db1-8FAF-102220DB7DA8}\stubpath = "C:\\Windows\\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe" | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | N/A |
| N/A | N/A | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | N/A |
| N/A | N/A | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | N/A |
| N/A | N/A | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | N/A |
| N/A | N/A | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | N/A |
| N/A | N/A | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | N/A |
| N/A | N/A | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | N/A |
| N/A | N/A | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | N/A |
| N/A | N/A | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | N/A |
| N/A | N/A | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | N/A |
| N/A | N/A | C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | N/A |
| File created | C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | N/A |
| File created | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| File created | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | N/A |
| File created | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | N/A |
| File created | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | N/A |
| File created | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | N/A |
| File created | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | N/A |
| File created | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | N/A |
| File created | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | N/A |
| File created | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe" |
| C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe | C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe | C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6A1F3~1.EXE > nul |
| C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe | C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{055BD~1.EXE > nul |
| C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe | C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B30FF~1.EXE > nul |
| C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe | C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C72BF~1.EXE > nul |
| C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe | C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F56E8~1.EXE > nul |
| C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe | C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{73743~1.EXE > nul |
| C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe | C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F83F0~1.EXE > nul |
| C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe | C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D79A8~1.EXE > nul |
| C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe | C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BD23F~1.EXE > nul |
| C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe | C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA43~1.EXE > nul |
Network
Files
C:\Windows\{6A1F3B35-23BA-496e-85AF-B9088C9425CE}.exe
| Hash | Value |
| --- | --- |
| MD5 | 5d91a239b0cd7b823875bc417ca95836 |
| SHA1 | 7ba6840588c5c3e37367d24ab98f34228ad5d912 |
| SHA256 | 9f9080b31e48ea011fa94e00f2778263d26cc1233075b920c46e1ea5ed1ca1e6 |
| SHA512 | 3cccd3f2916e5d737ebb2c065af42cb5d2890cf221c1376d9f4ed9c2e5918f17f30c28819ec67fe8477600029dcb2e05eb749ce9d8da278e1baecccd8b9a2294 |
C:\Windows\{055BD073-4C4A-4a3d-85B8-C0D98F70F0AE}.exe
| Hash | Value |
| --- | --- |
| MD5 | b1a2527dde2095c861a63ff98ee4d593 |
| SHA1 | 2297ae805933ad7d3a3afc604c2f840e1f7a88c8 |
| SHA256 | 99558cc522991e86ada3a73d1cf0731e8f5b090767540003d2f21991542349cd |
| SHA512 | a3f3b96ba6c7f6d8caf1e860360e926e2703e7ec0c1c39f9a5c81ad27cfdc76362df85798ce3dfe8978462c2d3d51b231b29b1f3035456f457750cba4896e357 |
C:\Windows\{B30FF59F-1A70-4c44-BB98-6E1FDC5150BC}.exe
| Hash | Value |
| --- | --- |
| MD5 | 914c99707fb4b5624e385ecb438eb5e4 |
| SHA1 | 60c8ae1660a321697626242a0550b420dd5427d1 |
| SHA256 | 90532ffd6f43b690592158a6f435ab75e6103535f83904897e4308974fe6907c |
| SHA512 | f652ef413ab8c3a011941e196eb6c98e4bb30ca542b072d9d9151dea6bdab2e38532ff736ad1c2df0da8a26d416856558aa4f1689afc4586e80e3d927ee2b13c |
C:\Windows\{C72BFFC8-6D3D-47da-BCEB-4945C587B42D}.exe
| Hash | Value |
| --- | --- |
| MD5 | c109f693afc954896ad82b5c33cb3f6d |
| SHA1 | 985e6308b76e13cc46c45c201bbc297588bf65c5 |
| SHA256 | d806eebd687328ff7c21f59a2c0ee1d49c7c1dcec422055905f2b6532942cc94 |
| SHA512 | 04419afb56156a60aed2f2748a0b85eb24a30e489358d25ea7b05119465b0fa5098ff4d05a63d611558a14e0afc011119b113c7275460e94456657ab02105503 |
C:\Windows\{F56E8823-A4F1-4c64-B387-FA53279B9529}.exe
| Hash | Value |
| --- | --- |
| MD5 | 0ca10fe2536772d81214ee251a3f7215 |
| SHA1 | 67f3e6d0579b16eb0bde541f082bd246ccd387b8 |
| SHA256 | 1d10c4d4efa5566f855dca5acb5fb5d38a750f3497bc7d77a99c4b6f0a78f33b |
| SHA512 | e39a3734483f14ab087b4bd159a996dd0e16eecdb008d8be2e9bf1ca400f5e533689f5468e87958607b51391b19a5ec31d9d169761bc205497e3b6854c4efc88 |
C:\Windows\{73743056-8EFB-4db1-8FAF-102220DB7DA8}.exe
| Hash | Value |
| --- | --- |
| MD5 | 38a1fdd4cc4e847a6608f0917b7730fc |
| SHA1 | 1b8c410cce854d9bc23992d883d3f85c4b9ffe4c |
| SHA256 | 67db7629cf3c1c98dbb1b03f9232bc448bdb739170b56c42c454fd681b2cd45d |
| SHA512 | b5bb5a7248eb7070f75ebf0276b9ec727132f381c75f96f3decc4fbd56dd8fed271eae41859f17b90c37a33567d558b09e95f1fdd231efc92f93429b6b32dc5a |
C:\Windows\{F83F034D-097C-41fe-9952-2F8260CEBA08}.exe
| Hash | Value |
| --- | --- |
| MD5 | 4b3650f472ae352ba151e5f84121510a |
| SHA1 | 2d3b5c09ce0f96788e2bbf374659825eaf54f0cb |
| SHA256 | 1c0f3fdd08028dde5390992fb5b3d52751ce678bfbe22c1ee6d4118dd6f386d8 |
| SHA512 | 40711bbfaddbca626b5420622ebfdf1a831ae5c1cd4712f881b2718180c1c74df0fb3a057b9a230fec473cb8378c75348f3e727422b1a3a6d0b5e1b8c82292d8 |
C:\Windows\{D79A828B-CBF5-49c8-B7A1-5A0933BCABA2}.exe
| Hash | Value |
| --- | --- |
| MD5 | dc79a310f4fbcaabf8a55bf181597751 |
| SHA1 | 230dc70c0aa1267bde998c89b672bbf1cd0b0494 |
| SHA256 | db2d72f597b23a685ebc03b80781562b85000df8b935aaa9c606d083b496d101 |
| SHA512 | cc6268204deeb5d7bc83051303f92a95cb6cc519d18ede35816c5dbf5ddd18a885d02d241a001a30c93f67f651f2807cfe371a6b6a54c438614f27ede6672789 |
C:\Windows\{BD23FDF0-87F2-47f9-A62B-55987529206E}.exe
| Hash | Value |
| --- | --- |
| MD5 | d406a230acf4fd531131c6d9382914b0 |
| SHA1 | 4bc6882da8c91f955ff5ccbb6fce4f5597dc3b72 |
| SHA256 | f1d73fbea8e4e4e3166af4df9931cd5fc6a09c1410ad81bc2c3dcf521f489ca8 |
| SHA512 | 19f46754025bf3748850d3c0ddd46550457c470facac0d98897468a3004a77406afbdb4caa4edb56a457dcebfbf8c08b51dc446255605b791e63d77369216b8d |
C:\Windows\{ADA43962-0C5B-4ae5-BAE4-FB14BAF4E0BA}.exe
| Hash | Value |
| --- | --- |
| MD5 | cf1f017c10d4e1e224fed4f7636c5ea6 |
| SHA1 | 6f6a1f1b9d5ecc9f62850ea3e23ba1e454b49d6a |
| SHA256 | 9babf53c425ed26a62a471610cb2e574511565902f8c203ad0af952195d6545a |
| SHA512 | c0ca5bd9fba9a4d35d35ac560772244e6e32f712b6f546667a5c7a154f034cc3df5601f2ac126456337b3ee8176443c85ae90fa1223e7dd81e1ae9103b4c8f1e |
C:\Windows\{1EF72723-320D-422d-8975-DACEE287A1F7}.exe
| Hash | Value |
| --- | --- |
| MD5 | eaf9a0e86536794bd535f80ce8d6033b |
| SHA1 | ba177898be4fe6f8f3735fc2b2b446293e5e203c |
| SHA256 | cc26b96f3b78f77ee914e323772229fd876740316844f5524467d1e1d9fe43ba |
| SHA512 | d75633a51aa849c8ecb1eedc8c9bd743f8de92c43fea521b739ad33404470aa68894a73834186fbdbb8f1cd82ff9b658e5f5e2233a139bc4159bce48cca053f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:01
Reported
2024-11-13 17:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D17AA90-4144-4a8e-8F5F-C434520BB302} | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B} | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}\stubpath = "C:\\Windows\\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe" | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50319E1-9C16-46f8-95E0-0F732DD90105} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3} | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E639F862-B6A7-4262-926A-E852CB6C600B} | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D17AA90-4144-4a8e-8F5F-C434520BB302}\stubpath = "C:\\Windows\\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe" | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5} | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}\stubpath = "C:\\Windows\\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe" | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401D531E-B56C-4b33-9554-405661F2B67E}\stubpath = "C:\\Windows\\{401D531E-B56C-4b33-9554-405661F2B67E}.exe" | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA} | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}\stubpath = "C:\\Windows\\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe" | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92D189F-5454-4d90-9051-2F312F51385B}\stubpath = "C:\\Windows\\{B92D189F-5454-4d90-9051-2F312F51385B}.exe" | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}\stubpath = "C:\\Windows\\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe" | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E639F862-B6A7-4262-926A-E852CB6C600B}\stubpath = "C:\\Windows\\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe" | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401D531E-B56C-4b33-9554-405661F2B67E} | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}\stubpath = "C:\\Windows\\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe" | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}\stubpath = "C:\\Windows\\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe" | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB37B667-62A8-4c08-AF64-4CD56E298FD2} | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA76847E-577D-4721-B6D6-384A678B7C61}\stubpath = "C:\\Windows\\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe" | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92D189F-5454-4d90-9051-2F312F51385B} | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50319E1-9C16-46f8-95E0-0F732DD90105}\stubpath = "C:\\Windows\\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5} | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA76847E-577D-4721-B6D6-384A678B7C61} | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | N/A |
| N/A | N/A | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | N/A |
| N/A | N/A | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | N/A |
| N/A | N/A | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | N/A |
| N/A | N/A | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | N/A |
| N/A | N/A | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | N/A |
| N/A | N/A | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | N/A |
| N/A | N/A | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | N/A |
| N/A | N/A | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | N/A |
| N/A | N/A | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | N/A |
| N/A | N/A | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | N/A |
| N/A | N/A | C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | N/A |
| File created | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | N/A |
| File created | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | N/A |
| File created | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | N/A |
| File created | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | N/A |
| File created | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | N/A |
| File created | C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | N/A |
| File created | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| File created | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | N/A |
| File created | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | N/A |
| File created | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | N/A |
| File created | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe" |
| C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe | C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe | C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D5031~1.EXE > nul |
| C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe | C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3A24D~1.EXE > nul |
| C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe | C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B65ED~1.EXE > nul |
| C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe | C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D2E68~1.EXE > nul |
| C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe | C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CB37B~1.EXE > nul |
| C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe | C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EA768~1.EXE > nul |
| C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe | C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B92D1~1.EXE > nul |
| C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe | C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E639F~1.EXE > nul |
| C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe | C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8D17A~1.EXE > nul |
| C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe | C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{790E1~1.EXE > nul |
| C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe | C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{401D5~1.EXE > nul |
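The process listing reads as a relay: the original sample drops a `{GUID}.exe` into `C:\Windows`, runs it, and that stage spawns `cmd.exe /c del ... > nul` against its predecessor's 8.3 short name, then the pattern repeats. The script below is an added example (not part of the sandbox report and not the sample's code) that parses a listing in the report's own layout, resolves each `del` target back to the long image path it refers to, and checks that every stage is removed by the stage started right after it. `PROCESS_LISTING` is a constructed excerpt of the first three hops; the 8.3 mapping (first six characters of the base name, `~1`, three-character extension) is an assumption about default NTFS short-name generation that the report itself does not state.

```python
"""Reconstruct the drop-and-delete chain from a flattened sandbox process listing.

Added example; not part of the sandbox report and not the sample's own code.
PROCESS_LISTING is a constructed excerpt in the report's layout (image path on
one line, its command line on the next). The 8.3 short-name rule used below
(first six base-name characters + "~1" + three-character extension) is an
assumption about default NTFS behaviour, not something the report states.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the report's Processes section (first three hops).
PROCESS_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_a267aa6fe4aee559180291b48f3f2047_goldeneye.exe"
C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe
C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe
C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D5031~1.EXE > nul
C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe
C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3A24D~1.EXE > nul
"""

DEL_RE = re.compile(r"/c\s+del\s+(\S+)", re.IGNORECASE)
# {GUID}.exe dropped directly under C:\Windows, as seen throughout the report.
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE
)


def short_name(filename: str) -> str:
    """Approximate the NTFS 8.3 alias of a long file name (assumes the '~1' alias)."""
    base, _, ext = filename.rpartition(".")
    return f"{base[:6]}~1.{ext[:3]}".upper()


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Pair each image path with the command line on the following line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def resolve_short_path(short_path: str, candidates: List[str]) -> Optional[str]:
    """Map an 8.3 path from a del command to a long image path started earlier."""
    sdir, _, sname = short_path.rpartition("\\")
    for image in candidates:
        idir, _, iname = image.rpartition("\\")
        if idir.lower() == sdir.lower() and short_name(iname) == sname.upper():
            return image
    return None


def reconstruct_chain(procs: List[Tuple[str, str]]):
    """Return (stages, deleted_by, unresolved).

    stages:      non-cmd.exe images in start order (dropper, then each dropped stage)
    deleted_by:  deleted long path -> the stage whose cmd.exe removed it
                 (assumption: the cmd.exe belongs to the most recently started stage)
    unresolved:  del targets that matched no earlier image
    """
    stages: List[str] = []
    deleted_by: Dict[str, str] = {}
    unresolved: List[str] = []
    for image, cmdline in procs:
        if not image.lower().endswith("\\cmd.exe"):
            stages.append(image)
            continue
        match = DEL_RE.search(cmdline)
        if match is None:
            continue  # a cmd.exe not deleting anything is not part of the relay
        target = resolve_short_path(match.group(1), stages)
        if target is None:
            unresolved.append(match.group(1))
        else:
            deleted_by[target] = stages[-1]
    return stages, deleted_by, unresolved


def summarize(text: str) -> Dict[str, object]:
    """Summarise the relay: stages, GUID drops, and whether each stage erases its predecessor."""
    stages, deleted_by, unresolved = reconstruct_chain(parse_listing(text))
    successor_deletes = all(
        deleted_by.get(stages[i]) == stages[i + 1] for i in range(len(stages) - 1)
    )
    return {
        "stages": stages,
        "guid_drops_in_windows": [s for s in stages if GUID_EXE_RE.match(s)],
        "original_sample_deleted": bool(stages) and stages[0] in deleted_by,
        "each_stage_deleted_by_successor": successor_deletes,
        "unresolved_del_targets": unresolved,
    }


if __name__ == "__main__":
    for key, value in summarize(PROCESS_LISTING).items():
        print(f"{key}: {value}")
```

Feeding the full listing from the report into `summarize` would show the same picture for all twelve dropped stages; only the last stage, `{20FF64A9-...}.exe`, has no deleter within the 144 s window the sandbox captured, which is consistent with the chain simply not having advanced further before the run ended. Any `del` that resolves to nothing (an `unresolved_del_targets` entry) is the place to look for a file the sandbox did not list, or for a short-name collision (`~2`, `~3`) that the simple 8.3 rule above does not model.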
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\{D50319E1-9C16-46f8-95E0-0F732DD90105}.exe
| MD5 | 93540e9f874fe729c9b1580a35da875d |
| SHA1 | a0611761739f21a551c5e700b23f7b72864013d0 |
| SHA256 | fad5c264792ab4b7b21a846eb50766103887299c2baf85db59e9030b8f71cc3c |
| SHA512 | bf45ddd4154e553c63f38287abcbc05bf87a2e8374b45757ff13be3ce009bb349e4ff947d97b9a326c8327ed312ba0e9af828a325f7e84c6e6498452d57dd338 |
C:\Windows\{3A24DE3D-3A59-4724-99CA-5FCEBC2AFADA}.exe
| MD5 | 6079a1271ec12205a827885f212572d2 |
| SHA1 | 4484af697d9f85682e6fc7e9ab6d169bac145d12 |
| SHA256 | ba9bf0fdfb3961c4a65995bd343d5e06a30a53357537f5382f142164eea5a51e |
| SHA512 | 7d1173159aafc51b0753ee27e9811379f52052ed70af7fa99bf6dd553e878cc0c30dd5a407e950e9822ab8f3306635abbb3ae62837d60c575c8a7015205a5758 |
C:\Windows\{B65EDBFF-07BE-4342-B5A8-1C1A85CB01C3}.exe
| MD5 | 641129699726c3896c386bbc7ceec23c |
| SHA1 | fdd1e23b556757525014e62b1e8af5726f64cc21 |
| SHA256 | c425db4fe88ddb9dbe94bdccc5910362bae9a57b2a962ec33c0346486598517e |
| SHA512 | 3e555d5112cd629d45214f8e79cbc44da15ae22e8e894c886dc2270f49fbb4ef7d2b309810b68f898373c55db2c93fb7f0b0ec34f6119c4d76df5e6ae0cf3f39 |
C:\Windows\{D2E689C1-EA6E-4d16-8159-BE068B7AF4B5}.exe
| MD5 | 96ac844999a06d71b274e4fcb026865f |
| SHA1 | c4a371307b2c8a6b962deb0c481f83e97c21edc2 |
| SHA256 | 83ff1781577c4ff2dd73a485fcefa216a51e1e658b7a0a99d88ae5ff1896a6d3 |
| SHA512 | a2785edb667250e16cbb62ce51aae5e7dce13eda88f2d7005cfda763e6c427734c2700a41ed6569cbe85cb64cf66df1fc6cb21b3fa2367e169c06a64d541c884 |
C:\Windows\{CB37B667-62A8-4c08-AF64-4CD56E298FD2}.exe
| MD5 | c0603fff14df936d3676443ece697ca3 |
| SHA1 | d35af9f02d8d2b32db0c4377dcdc019b1ca7cfed |
| SHA256 | 48d9978ad504ad29edad9ddad3ff9c6d41b96fe30866848be0200caddcea61a0 |
| SHA512 | d8a8fc911c242cf040fb1c2208a918d368a9f7f65f31a2512384e755f35643cdbdb55ab101e14dac40f7a75e5dc33c20f5c6bfcbcd5447f8d44d05aec6074beb |
C:\Windows\{EA76847E-577D-4721-B6D6-384A678B7C61}.exe
| MD5 | 802055c65c4e9c2cbf40008228e11ade |
| SHA1 | b2cd69fe0748283ca5bae4c0bd35a9f7b2f2b9ab |
| SHA256 | febccb261dbf287356d657df4686123c35d23421087b69cdcd3cb7879efa09c4 |
| SHA512 | 2ed65466ab1687692c5785ebce6c08d66f7e2430dd68c2d0315cb2cd2d8a04901684378d928fec59cae56b64d2123a09a8132025d95e8fc05d068ba5a72a183e |
C:\Windows\{B92D189F-5454-4d90-9051-2F312F51385B}.exe
| MD5 | 5e1752356344bfdfa5b1e7fc1a223b6f |
| SHA1 | 97286866ae3a09daf823c28e04d7acb747e535b3 |
| SHA256 | 349dd3370c92bb0f025c2c3f6c71c134433e8f2f747927912d14da17c79a89fe |
| SHA512 | f14923b7d3abad3a458a51aa42e6cb287f3eae53188c2b188608c602209a423577a0b5dac7a016c2261d83ed9dd5db84e26993a629bb050505e83c5012beb9fc |
C:\Windows\{E639F862-B6A7-4262-926A-E852CB6C600B}.exe
| MD5 | 0353f87d6e83069e1d2200061124d282 |
| SHA1 | 3759b871bf25837f27b8440c84db1be6388181d3 |
| SHA256 | 0af4d1dd5542a435e1529547f6a0faeac5adfb274a7f97307ab7d140a89a2558 |
| SHA512 | ea185f9498ece8fc253bca32084f08fd48eff405003950cf96180adfa53e6092665523e12ce7e2b6148c9de8af0a74cda5db6c0e6b077ec9f91c673cab329526 |
C:\Windows\{8D17AA90-4144-4a8e-8F5F-C434520BB302}.exe
| MD5 | 6e54062e257dd1f4a0e72a2de392bc39 |
| SHA1 | d7c30951b8c9bcc4732f6e15e9158ace76611030 |
| SHA256 | 043494b569023fec9e49c5d0a618d04f2f2b4ad410347c506d3c96963b705c18 |
| SHA512 | ecc94f123c243afa217c3b0d559794b9483bbdd1dce9fcb3690d604d48c27b554bf11a3ccbb8801eaa8aa0374398da89644b8e3334e502c87558a68dc5fe86d3 |
C:\Windows\{790E11E7-CEEA-4d28-86E4-CEACA990EBF5}.exe
| MD5 | f0350963bc0163153797b2c384176cf5 |
| SHA1 | ec0739bc3f8d57c618d7f3a7d6de99ad359ca66b |
| SHA256 | 647b17530e3c47fe1325e754acdc3b0ff04966991a578d5af3089151a99ed21b |
| SHA512 | b5d8021c83532eccef17b738ff6533eb9dd35e65673437e175df07158e1ac1910adb87aacf447fa328399699dba48fcd4ef12482936b455140f397b927c4d153 |
C:\Windows\{401D531E-B56C-4b33-9554-405661F2B67E}.exe
| MD5 | 8fa32a179cebbc6412eab0767eb4dcdb |
| SHA1 | d2280b19c52ce940a66703e44a9ca37020fc5de6 |
| SHA256 | d9d89d43624141d376f0be5cdbcabb3e13e9106e334d720b89cab46594aaf9f8 |
| SHA512 | b87eceffb3e6c7918fa6c4f78d05fb2dc7d6e75161f44ae2d4e7028b2dc31f58db3e861893f4eedb64065c7a947cf1c778f386d4544ad5c4ea4ec214cba7b214 |
C:\Windows\{20FF64A9-3C45-4b37-91F3-F9E6A2E78E3B}.exe
| MD5 | 9f5d5f12f18a33f02ee913f09b258254 |
| SHA1 | 2ddd19c969401fbf0384bbe6f3004c6416fce0c4 |
| SHA256 | 50626d81ab0d6319c62ac3674ba273f6cd62384863c25b0b27af9cf10dcd13ad |
| SHA512 | ebaa29ca4a1b73747b1d5fec46ee55dbe6733bab7233e3f362317f7be3e433001d5b2eeeac9ed66c8d3129e9340ed208e334a18c89b4013f6876dd142d8391e1 |