Analysis Overview
SHA256
04abb388ddb92df04718484ce2bef2d85715f564a37685851f799d3395d49951
Threat Level: Likely malicious
The file 2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:02
Reported
2024-11-13 17:04
Platform
win7-20240903-en
Max time kernel
144s
Max time network
120s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}\stubpath = "C:\\Windows\\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A} | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116C90BE-628D-4e73-9D97-8998D9A8131F} | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E6A912-E222-4736-8593-E34B7EF07694} | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA37C69-3738-4024-B633-BC5D91F5A0F6} | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A31DDB-4779-45b8-8747-CE508CD457F5} | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF} | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}\stubpath = "C:\\Windows\\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe" | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC} | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}\stubpath = "C:\\Windows\\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe" | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}\stubpath = "C:\\Windows\\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe" | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55924DAD-C30F-4563-A09D-892BA5F34B49}\stubpath = "C:\\Windows\\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe" | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}\stubpath = "C:\\Windows\\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe" | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}\stubpath = "C:\\Windows\\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe" | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B} | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E6A912-E222-4736-8593-E34B7EF07694}\stubpath = "C:\\Windows\\{46E6A912-E222-4736-8593-E34B7EF07694}.exe" | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387F95F2-D435-49f3-A48E-13A3F21B0BBD} | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}\stubpath = "C:\\Windows\\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe" | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116C90BE-628D-4e73-9D97-8998D9A8131F}\stubpath = "C:\\Windows\\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe" | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55924DAD-C30F-4563-A09D-892BA5F34B49} | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A31DDB-4779-45b8-8747-CE508CD457F5}\stubpath = "C:\\Windows\\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe" | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| N/A | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| N/A | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| N/A | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| N/A | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| N/A | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| N/A | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| N/A | N/A | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| N/A | N/A | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| N/A | N/A | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| N/A | N/A | C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| File created | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| File created | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| File created | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| File created | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| File created | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| File created | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| File created | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| File created | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| File created | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| File created | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"
C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe
C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe
C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D08B0~1.EXE > nul
C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe
C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{55924~1.EXE > nul
C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe
C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{84A31~1.EXE > nul
C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe
C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F8F~1.EXE > nul
C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe
C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB4CD~1.EXE > nul
C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe
C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A8984~1.EXE > nul
C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe
C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{46E6A~1.EXE > nul
C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe
C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A01C6~1.EXE > nul
C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe
C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CDA37~1.EXE > nul
C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe
C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{387F9~1.EXE > nul
Network
Files
C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe
C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe
C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe
C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe
C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe
C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe
C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe
C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe
C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe
C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe
C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:02
Reported
2024-11-13 17:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}\stubpath = "C:\\Windows\\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe" | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FE400EC-45C4-495f-892E-D2E7A91AC676}\stubpath = "C:\\Windows\\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe" | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}\stubpath = "C:\\Windows\\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe" | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FE400EC-45C4-495f-892E-D2E7A91AC676} | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654} | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F0801D1-0E0D-4966-BBF9-107D84BD0966} | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}\stubpath = "C:\\Windows\\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe" | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}\stubpath = "C:\\Windows\\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe" | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}\stubpath = "C:\\Windows\\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe" | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A716678B-DFC5-47c6-8675-B2EEC262DB04}\stubpath = "C:\\Windows\\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe" | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067CCD3-3153-4fd3-B89E-0FA0B315E947} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}\stubpath = "C:\\Windows\\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD73D465-2CF8-42d6-B61B-35E94E9422D9} | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}\stubpath = "C:\\Windows\\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe" | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD4EFA3-015D-49a4-973A-D2809EEF1539} | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}\stubpath = "C:\\Windows\\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe" | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A716678B-DFC5-47c6-8675-B2EEC262DB04} | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A} | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}\stubpath = "C:\\Windows\\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe" | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}\stubpath = "C:\\Windows\\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe" | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D} | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A} | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E} | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A2357-E740-4b06-9DE9-F50E05A4DC6A} | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| N/A | N/A | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| N/A | N/A | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| N/A | N/A | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| N/A | N/A | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| N/A | N/A | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| N/A | N/A | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| N/A | N/A | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| N/A | N/A | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| N/A | N/A | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
| N/A | N/A | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| N/A | N/A | C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| File created | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| File created | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| File created | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| File created | C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| File created | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| File created | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| File created | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| File created | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| File created | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| File created | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
| File created | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe" |
| C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E067C~1.EXE > nul |
| C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CD73D~1.EXE > nul |
| C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{86C97~1.EXE > nul |
| C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE40~1.EXE > nul |
| C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ED1DF~1.EXE > nul |
| C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD4E~1.EXE > nul |
| C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3F080~1.EXE > nul |
| C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A4EEE~1.EXE > nul |
| C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5C1A5~1.EXE > nul |
| C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A7166~1.EXE > nul |
| C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe | C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{907A2~1.EXE > nul |
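The process list above shows one pattern repeated twelve times: each dropped `C:\Windows\{GUID}.exe` launches the next generation, and a `cmd.exe /c del` child removes the previous binary using its 8.3 short name (`{E067C~1.EXE` for `{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe`). The script below is an added example, not part of the sandbox output, that reconstructs that chain from the image / command-line pairs and checks that the chain is linear, so that only the last binary is left on disk. It embeds the original sample plus the first five generations copied from the list above (the remaining ones follow the same pattern). The short-name resolver is an assumption: it matches the first six characters of the long file stem plus the extension, which is how the names seen here were formed, and is not a full implementation of Windows 8.3 name mangling.

```python
import ntpath
import re

# Image path / command line pairs copied from the "Processes" list above
# (first five generations only; the full list parses the same way).
PROCESS_LIST = r'''
C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"
C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E067C~1.EXE > nul
C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD73D~1.EXE > nul
C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86C97~1.EXE > nul
C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE40~1.EXE > nul
'''

DEL_RE = re.compile(r'/c\s+del\s+(?P<target>\S+)', re.IGNORECASE)
# Assumed 8.3 shape: up to six stem characters, "~N", optional 3-char extension.
SHORT_RE = re.compile(r'(?P<stem>[^~]{1,6})~\d+(?P<ext>\.[^.]{0,3})?$', re.IGNORECASE)


def parse_processes(text):
    """Split the flat list into (image, command line) pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating image / command-line lines")
    return list(zip(lines[0::2], lines[1::2]))


def resolve_short_name(short_path, long_paths):
    """Map an 8.3 path such as C:\\Windows\\{E067C~1.EXE to the long paths it can
    stand for (same directory, same stem prefix, same extension)."""
    sdir, sname = ntpath.split(short_path)
    m = SHORT_RE.match(sname)
    if not m:  # not a short name: exact, case-insensitive match only
        return [p for p in long_paths if p.lower() == short_path.lower()]
    hits = []
    for p in long_paths:
        ldir, lname = ntpath.split(p)
        stem, ext = ntpath.splitext(lname)
        if (ldir.lower() == sdir.lower()
                and stem.upper().startswith(m['stem'].upper())
                and ext[:4].upper() == (m['ext'] or '').upper()):
            hits.append(p)
    return hits


def reconstruct_chain(pairs):
    """One entry per non-cmd executable in launch order, recording which earlier
    binary its cmd.exe child deleted."""
    payloads = [img for img, _ in pairs if not img.lower().endswith('\\cmd.exe')]
    chain = [{'image': p, 'deletes': None, 'deleted': False} for p in payloads]
    current = None
    for img, cmd in pairs:
        if not img.lower().endswith('\\cmd.exe'):
            current = payloads.index(img)
            continue
        m = DEL_RE.search(cmd)
        if m is None or current is None:
            continue
        hits = resolve_short_name(m['target'], payloads)
        if len(hits) == 1:  # an ambiguous ~N collision is left unresolved
            chain[current]['deletes'] = hits[0]
            chain[payloads.index(hits[0])]['deleted'] = True
    return chain


def is_linear_chain(chain):
    """True when every generation deletes exactly its predecessor and only the
    last binary survives on disk."""
    for i, entry in enumerate(chain):
        if entry['deletes'] != (chain[i - 1]['image'] if i else None):
            return False
    return [e['image'] for e in chain if not e['deleted']] == [chain[-1]['image']]


if __name__ == '__main__':
    chain = reconstruct_chain(parse_processes(PROCESS_LIST))
    for e in chain:
        print(e['image'], '-> deletes', e['deletes'])
    print('linear:', is_linear_chain(chain), 'generations:', len(chain))
```

The practical point for triage: the only binary still on disk at the end of the run is the last generation (here `{ED1DF4DA-...}.exe` in the sample, `{2B398A3C-...}.exe` in the full list), and the earlier files exist only as hashes in the Files section and in the short names recorded in the `del` commands.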
Network
All recorded traffic is DNS over UDP to 8.8.8.8:53; every query is a reverse (PTR) lookup of an IPv4 address written as an in-addr.arpa name, and no connection to any of the looked-up addresses appears in the capture.
| Country | Destination | Query (PTR name) | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
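The names in the query column encode IPv4 addresses with their octets reversed, so `172.210.232.199.in-addr.arpa` is a lookup for 199.232.210.172. The script below is an added example, not part of the sandbox output: it takes the rows of the table above, decodes each PTR name back to the address it asks about, and checks whether any of those addresses was itself contacted during the capture (none was; the only destination is the resolver). The row list is copied from the table; the column order and the `:53` resolver test are assumptions of this example.

```python
import ipaddress

# (country, destination, query name, protocol) rows copied from the table above.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.134.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ipv4(name):
    """Decode d.c.b.a.in-addr.arpa into the dotted address a.b.c.d.
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    labels = name.lower().rstrip('.').split('.')
    if len(labels) != 6 or labels[4:] != ['in-addr', 'arpa']:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(labels[:4]))))
    except ValueError:  # an octet out of range or not numeric
        return None


def summarize_dns(rows):
    """Resolvers used, addresses asked about, and which of those addresses
    later show up as a destination in their own right."""
    resolvers = {dst for _, dst, _, _ in rows if dst.endswith(':53')}
    resolver_hosts = {r.rsplit(':', 1)[0] for r in resolvers}
    looked_up = {ip for _, _, q, _ in rows if (ip := ptr_to_ipv4(q))}
    dest_hosts = {dst.rsplit(':', 1)[0] for _, dst, _, _ in rows}
    contacted = (looked_up & dest_hosts) - resolver_hosts
    return {
        'resolvers': resolvers,
        'looked_up': sorted(looked_up, key=ipaddress.IPv4Address),
        'non_ptr_queries': [q for _, _, q, _ in rows if ptr_to_ipv4(q) is None],
        'contacted_after_lookup': sorted(contacted, key=ipaddress.IPv4Address),
        'protocols': {proto for _, _, _, proto in rows},
    }


if __name__ == '__main__':
    summary = summarize_dns(NETWORK_ROWS)
    for key, value in summary.items():
        print(f'{key}: {value}')
```

The decoded list is what an analyst would pivot on (ownership, passive DNS, prior sightings); the capture itself shows the sample, or the sandbox image around it, only asking a public resolver who those addresses are, not talking to them.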
Files
C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
| MD5 | 466a5fbb9b5adfd5e0f3d748531ff261 |
| SHA1 | 79ffc81d7c9cf6ae7ae9e7154f83225ef554d574 |
| SHA256 | 17da1a56a609b91fded76e2cb3b78320425e062cef658c410e93d3ded64d2644 |
| SHA512 | b47b7f2c77e051216f6767bd5cfa08d9013af16ba5f0c65ac6ad2f872711b5878e3e4debcda6ecf8d889cfb1f753f744f734a5afd91a3102a9e60b9a55703aaf |
C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
| MD5 | b5eb79389c4056a0d7d1089a0ff73134 |
| SHA1 | 858428b1bcba7711e871d6592e8f834e708378b7 |
| SHA256 | 4e102aba47cde4cc0b12f5f28e7a4da5496b636d239f05b7a099e7c25474d67d |
| SHA512 | 065874b11f8f2668d883f75179fc72c1216d42aa9c482ce6fc9d6d77446aaf36913e5baad86c67881282f08024c53d24b82a0baba6abbdbd0dfa41350e1548f9 |
C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
| MD5 | 16bcf7f00928421ab6820b61bc74f60d |
| SHA1 | eb11f27ab6e52769d08935aa22527cc48eae4de3 |
| SHA256 | b5770dcb17483943995b147babd0ca68eeb343691e2b96aff138af85bc5eb867 |
| SHA512 | 5cc352470d5d466c334f1b8d7b1bfcd6a84c3ded42d95bd517a339d3aaf4a73c2509a5053659dc1e02f351e0cab2a9451246fa6da68dab5d5cf3ece4856f175e |
C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
| MD5 | 641b819480c8380d6e313610660e31b5 |
| SHA1 | c1ac627a1c830c5f4c9f5149afbce483e49eb1a8 |
| SHA256 | 48e2aee58e93c0669a96e0373a293b30cf3440575122139f5d1d25b51d124efc |
| SHA512 | 515105de978d2f4a2372bf40976e44d3710eb70fff1e7e83cd7b5ab2ed9ddd1de356c8ec2ee62b6414b9636b7500c4d1dd88935c69df9b4b5b926e0dc626a6bc |
C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
| MD5 | 4a2dec28904b423d3d3b842bc0ab374f |
| SHA1 | c2cc430a81a533d900da6e01df98ae780b4318e7 |
| SHA256 | ce737a20b8d70980f4688e7f1b4ea81e5e16f43dce3c2654e07c1a596d58b586 |
| SHA512 | d41af33aa5fa282801e4fc87e0c840ec1766c882952f04e58f89d43892409f1fa23d602fe90689f8ee5a9c48ed49e742ba129a05f81f9fbca57882201d302b1a |
C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe
| MD5 | b415f5fecf5f15c4efd13fbe645ca81f |
| SHA1 | 9e61bde605569dbd52e63a5b5fe0468032619ac3 |
| SHA256 | 61343e81bdd1cfdb27d59e4c353932b9339373448ccff8f66f5e13a15819b042 |
| SHA512 | d42b665f4730ba8ae943a49d1a06ff8868ab93b57af51c157de10de1653d4ea94ddd8fdd33ad3a3626a76279a4ef7025cfcdb1419de8972ca70e5453d6b3be55 |
C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe
| MD5 | 283400b4ff48479526ad3fb99dcfd96d |
| SHA1 | 1a24a013cc881b9df2348081ef759c85accbd082 |
| SHA256 | 916b68e042fb014a3059df1f6667459c5900b20a23637d9359d6c209d6954e8e |
| SHA512 | c514bc190658952de69903b358da1673db9204da4b13cdcc593d1b31ef31146c4e4201b8cf7cffdee8c69c14fe2fce4006fb673a2f34575d1957f7c7f703ad81 |
C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe
| MD5 | 1885e73072c209baf4e580883714404b |
| SHA1 | 47aa632bb4d3334f8a57b919a1f1f3825d1efe62 |
| SHA256 | f839ec9040dbeee0dd0dd6bc30eb47cfa6f08dc6bb04befd4686eb9995ddf2c8 |
| SHA512 | 767cd6bea90f3d3a5946a9997d3e66dd619120478e4698639c0194900bfd3b11b081ee3687135591badb1fbed9f188d2692e3bcda1ff21412bb1f41d90ad4fca |
C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe
| MD5 | 84087e0eab586a3f492151ea5b4d4004 |
| SHA1 | a88f1b028bda51921ddb7b06be941fc2a6088997 |
| SHA256 | 2b7fe8331d12d37fa1a98ac70a43ecc40a05da1a91b28aa9c2fffab8cfca2cec |
| SHA512 | b33514f37e4e167904f64895c29e99b449bfe010b93b8fd56159fb403c3e79d3d1b37e78c00c2ae7d71810b6fb1572533d3d81ce91c3c4941cf330cadfb5cd1d |
C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe
| MD5 | 30ba7bf58d8bc17614fb9302d93881dc |
| SHA1 | 06340ed48a7e6f3f7de8543165d794f3df205c3e |
| SHA256 | 014e606cf26d25583768d84585e97c6a47553506861c6c51ddc3e91fdaeb93c4 |
| SHA512 | 71aa8e11171fd2f460bb12a7202e44051b38454427e27bf7d0c970291ff76a050b81cc453f526f137c0f049e58b9356491f4bf54b7e5a675331432783a9cd50a |
C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe
| MD5 | 4e6e30572fc4fbd75b400bead734190d |
| SHA1 | eb754cf67f8f208f6b603344b0ab5f68e14bf7f1 |
| SHA256 | d4af430c93044fd054e6f0fff9ef915560463619f16b58cf31c2365e869354a6 |
| SHA512 | 2bba1772a5d5fcfeaf32c0bcb26e6a79bd318fb59e75cda3d9132a18ec364c997428f3bc94188e220c8eb5c0cbdb88f60aa2382e971e92c8d3c37779af49fd8e |
C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe
| MD5 | 68e901df972c472c171f6ee3db247682 |
| SHA1 | db5c076d3b22496cf1bb087effe12dba70b386c5 |
| SHA256 | 8702e4dc5880e7bea29cf36a1fa05f67f8ea68e8233a41de1b00c32b7023e849 |
| SHA512 | 1efc22cc7d5d40742e6d1aaafd870d94889df1d2ee8c43647da21e7f12abc8a0a33157e5ea15ddec65eda93129a1e5e17b9ffffe38cc552b48c35883434175e5 |