Analysis Overview
SHA256
fcf50d8323df2abae64847060d2ecd29586bb32e027b17be2ea62ab1e6784bab
Threat Level: Likely malicious
The file 2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:36
Reported
2024-11-10 01:39
Platform
win7-20241010-en
Max time kernel
144s
Max time network
126s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDFC703-8B93-4a34-B68B-7C589C53E89E} | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}\stubpath = "C:\\Windows\\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe" | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}\stubpath = "C:\\Windows\\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe" | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B564B57-56F5-4b78-94F8-B7E44063413E} | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31887FCF-AA91-4039-BF04-CC833B36711E} | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDC27AF-40CE-4643-BFDA-48A17E134B96} | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31887FCF-AA91-4039-BF04-CC833B36711E}\stubpath = "C:\\Windows\\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe" | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}\stubpath = "C:\\Windows\\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe" | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F85938-7164-4ae9-A37A-C82540547E42} | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246} | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597F29D3-EF43-4d22-B83D-11559DF9BC53}\stubpath = "C:\\Windows\\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe" | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17AE1A9-2669-4d3e-845B-107822CBF469} | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3} | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088EC908-8403-4564-A575-241F2F4A6A89}\stubpath = "C:\\Windows\\{088EC908-8403-4564-A575-241F2F4A6A89}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597F29D3-EF43-4d22-B83D-11559DF9BC53} | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8} | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}\stubpath = "C:\\Windows\\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe" | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F85938-7164-4ae9-A37A-C82540547E42}\stubpath = "C:\\Windows\\{53F85938-7164-4ae9-A37A-C82540547E42}.exe" | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088EC908-8403-4564-A575-241F2F4A6A89} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17AE1A9-2669-4d3e-845B-107822CBF469}\stubpath = "C:\\Windows\\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe" | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B564B57-56F5-4b78-94F8-B7E44063413E}\stubpath = "C:\\Windows\\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe" | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}\stubpath = "C:\\Windows\\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe" | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | N/A |
| N/A | N/A | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | N/A |
| N/A | N/A | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | N/A |
| N/A | N/A | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | N/A |
| N/A | N/A | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | N/A |
| N/A | N/A | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | N/A |
| N/A | N/A | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | N/A |
| N/A | N/A | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | N/A |
| N/A | N/A | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | N/A |
| N/A | N/A | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | N/A |
| N/A | N/A | C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| File created | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | N/A |
| File created | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | N/A |
| File created | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | N/A |
| File created | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | N/A |
| File created | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | N/A |
| File created | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | N/A |
| File created | C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | N/A |
| File created | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | N/A |
| File created | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | N/A |
| File created | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"
C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{088EC~1.EXE > nul
C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2FD~1.EXE > nul
C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{597F2~1.EXE > nul
C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E17AE~1.EXE > nul
C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B564~1.EXE > nul
C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1FB~1.EXE > nul
C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{25D07~1.EXE > nul
C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31887~1.EXE > nul
C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3DDC2~1.EXE > nul
C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{53F85~1.EXE > nul
Network
Files
C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe
C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe
C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:36
Reported
2024-11-10 01:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EB1228-5A73-4404-BDAC-55483150AE2D} | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67} | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996CB105-957C-4650-9F52-DB5E9480F381} | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E584E0AA-9DD2-47b7-94EF-C06521884945} | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E584E0AA-9DD2-47b7-94EF-C06521884945}\stubpath = "C:\\Windows\\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe" | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3470D9EA-A5FB-456f-95C2-6924277C4A32} | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE5105E-3922-4174-9ED1-23E568DDC139} | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE5105E-3922-4174-9ED1-23E568DDC139}\stubpath = "C:\\Windows\\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe" | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926B61EC-77DF-48d7-AEAF-1F6F173A841C} | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}\stubpath = "C:\\Windows\\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe" | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6} | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FA080B-0E8E-43f5-9031-9FC153E5AD25} | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}\stubpath = "C:\\Windows\\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe" | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}\stubpath = "C:\\Windows\\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe" | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3470D9EA-A5FB-456f-95C2-6924277C4A32}\stubpath = "C:\\Windows\\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe" | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}\stubpath = "C:\\Windows\\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe" | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4} | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EB1228-5A73-4404-BDAC-55483150AE2D}\stubpath = "C:\\Windows\\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe" | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E8A749-E635-41a3-A9F6-56043D1FCBD5} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}\stubpath = "C:\\Windows\\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E40A9B04-A923-4921-87AF-CFF9753419CB} | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E40A9B04-A923-4921-87AF-CFF9753419CB}\stubpath = "C:\\Windows\\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe" | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}\stubpath = "C:\\Windows\\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe" | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996CB105-957C-4650-9F52-DB5E9480F381}\stubpath = "C:\\Windows\\{996CB105-957C-4650-9F52-DB5E9480F381}.exe" | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | N/A |
| N/A | N/A | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | N/A |
| N/A | N/A | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | N/A |
| N/A | N/A | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | N/A |
| N/A | N/A | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | N/A |
| N/A | N/A | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | N/A |
| N/A | N/A | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | N/A |
| N/A | N/A | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | N/A |
| N/A | N/A | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | N/A |
| N/A | N/A | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | N/A |
| N/A | N/A | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | N/A |
| N/A | N/A | C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | N/A |
| File created | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | N/A |
| File created | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| File created | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | N/A |
| File created | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | N/A |
| File created | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | N/A |
| File created | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | N/A |
| File created | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | N/A |
| File created | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | N/A |
| File created | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | N/A |
| File created | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | N/A |
| File created | C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe" |
| C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe | C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe | C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul |
| C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe | C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E40A9~1.EXE > nul |
| C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe | C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3470D~1.EXE > nul |
| C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe | C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A0C6C~1.EXE > nul |
| C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe | C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE51~1.EXE > nul |
| C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe | C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{17FA0~1.EXE > nul |
| C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe | C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF24C~1.EXE > nul |
| C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe | C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{02EB1~1.EXE > nul |
| C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe | C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{926B6~1.EXE > nul |
| C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe | C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9B2~1.EXE > nul |
| C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe | C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{996CB~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
Files