Analysis Overview
SHA256: 267096d35bbf3c22791dc81f8b5f14822e51a097274da8d6cbd40557263ff0b6
Threat Level: Likely malicious
The file 2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-10 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-10 01:25
Reported: 2024-11-10 01:27
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 122s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C79C11-37B1-4c96-B602-61669A0FF19A}\stubpath = "C:\\Windows\\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe" | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}\stubpath = "C:\\Windows\\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019435A5-843D-401a-B567-53026A824141}\stubpath = "C:\\Windows\\{019435A5-843D-401a-B567-53026A824141}.exe" | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D723502-0E39-44af-A229-66CE79AD2600} | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D723502-0E39-44af-A229-66CE79AD2600}\stubpath = "C:\\Windows\\{5D723502-0E39-44af-A229-66CE79AD2600}.exe" | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}\stubpath = "C:\\Windows\\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe" | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2} | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C79C11-37B1-4c96-B602-61669A0FF19A} | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4771F2-3184-4694-A44E-13B9F3367BEC}\stubpath = "C:\\Windows\\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe" | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB174E0-36C4-4718-B777-5A633090AA2B}\stubpath = "C:\\Windows\\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe" | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}\stubpath = "C:\\Windows\\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe" | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5037658E-FFD7-41f9-B5C2-BA6441B59762}\stubpath = "C:\\Windows\\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe" | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AACBC01-97B7-46cc-9C67-B00B533A02B2} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C01059-F848-478b-9234-BD620A1BCB40}\stubpath = "C:\\Windows\\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe" | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5262F2-3764-4c85-AED4-851B6DB67FA6} | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}\stubpath = "C:\\Windows\\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe" | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4771F2-3184-4694-A44E-13B9F3367BEC} | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019435A5-843D-401a-B567-53026A824141} | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C01059-F848-478b-9234-BD620A1BCB40} | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB174E0-36C4-4718-B777-5A633090AA2B} | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92} | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5037658E-FFD7-41f9-B5C2-BA6441B59762} | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | N/A |
| N/A | N/A | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | N/A |
| N/A | N/A | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | N/A |
| N/A | N/A | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | N/A |
| N/A | N/A | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | N/A |
| N/A | N/A | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | N/A |
| N/A | N/A | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | N/A |
| N/A | N/A | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | N/A |
| N/A | N/A | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | N/A |
| N/A | N/A | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | N/A |
| N/A | N/A | C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | N/A |
| File created | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | N/A |
| File created | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | N/A |
| File created | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | N/A |
| File created | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | N/A |
| File created | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | N/A |
| File created | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | N/A |
| File created | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| File created | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | N/A |
| File created | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | N/A |
| File created | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe" |
| C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe | C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe | C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6AACB~1.EXE > nul |
| C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe | C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{01943~1.EXE > nul |
| C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe | C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C01~1.EXE > nul |
| C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe | C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7AB17~1.EXE > nul |
| C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe | C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5D723~1.EXE > nul |
| C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe | C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FBF1B~1.EXE > nul |
| C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe | C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{70416~1.EXE > nul |
| C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe | C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5A526~1.EXE > nul |
| C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe | C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C79~1.EXE > nul |
| C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe | C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{50376~1.EXE > nul |
Network
Files
C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe
C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe
C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe
C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe
C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe
C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe
C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe
C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe
C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe
C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe
C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-10 01:25
Reported: 2024-11-10 01:27
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 140s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81} | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}\stubpath = "C:\\Windows\\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe" | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8D1543-7099-4f94-86B9-46D2F5B65B48} | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}\stubpath = "C:\\Windows\\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe" | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4AC0A6-DD95-468a-AE56-0109345EF882} | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}\stubpath = "C:\\Windows\\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe" | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951925AA-24F0-4c61-A9DA-74637C254A75}\stubpath = "C:\\Windows\\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe" | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C797AA8-05FB-4913-B375-54389C06EF6F} | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E} | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C797AA8-05FB-4913-B375-54389C06EF6F}\stubpath = "C:\\Windows\\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe" | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A} | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35DB112-5284-4ba9-A83C-F2C7075D43EC} | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF} | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}\stubpath = "C:\\Windows\\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe" | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF095EB8-6201-4740-94AB-510C15F0C1C1} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B} | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}\stubpath = "C:\\Windows\\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe" | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}\stubpath = "C:\\Windows\\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe" | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4AC0A6-DD95-468a-AE56-0109345EF882}\stubpath = "C:\\Windows\\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe" | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951925AA-24F0-4c61-A9DA-74637C254A75} | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF095EB8-6201-4740-94AB-510C15F0C1C1}\stubpath = "C:\\Windows\\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3} | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}\stubpath = "C:\\Windows\\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe" | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}\stubpath = "C:\\Windows\\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe" | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | N/A |
| N/A | N/A | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | N/A |
| N/A | N/A | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | N/A |
| N/A | N/A | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | N/A |
| N/A | N/A | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | N/A |
| N/A | N/A | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | N/A |
| N/A | N/A | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | N/A |
| N/A | N/A | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | N/A |
| N/A | N/A | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | N/A |
| N/A | N/A | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | N/A |
| N/A | N/A | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | N/A |
| N/A | N/A | C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | N/A |
| File created | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | N/A |
| File created | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | N/A |
| File created | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | N/A |
| File created | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | N/A |
| File created | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | N/A |
| File created | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | N/A |
| File created | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | N/A |
| File created | C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | N/A |
| File created | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| File created | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | N/A |
| File created | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe" |
| C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe | C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe | C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF095~1.EXE > nul |
| C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe | C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{478C6~1.EXE > nul |
| C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe | C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E13~1.EXE > nul |
| C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe | C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8F4FB~1.EXE > nul |
| C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe | C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B35DB~1.EXE > nul |
| C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe | C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DE4AC~1.EXE > nul |
| C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe | C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5C384~1.EXE > nul |
| C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe | C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{35D0E~1.EXE > nul |
| C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe | C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{95192~1.EXE > nul |
| C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe | C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8C797~1.EXE > nul |
| C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe | C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AB9B7~1.EXE > nul |
The list is a twelve-stage drop-and-delete chain: each stage writes a new GUID-named executable to C:\Windows and starts it, after which a cmd.exe instance deletes the previous stage's image by its 8.3 short name (for example {AF095~1.EXE for {AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe, and 2024-1~1.EXE for the original sample), so at any moment only the newest stage is on disk. The last stage, {AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe, is not deleted within the recorded run. The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32 because the 32-bit sample is subject to WOW64 file system redirection.
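As an added example that is not part of this report or of the sandbox's own tooling, the following Python script parses the process command lines above and reconstructs the drop-and-delete chain: it flags GUID-named executables under C:\Windows, maps each `del` target back to the long file name it refers to by recomputing the 8.3 alias, and reports which stage survives. The CMDLINES list is an excerpt (the original sample and the first four dropped stages) copied from this report; the 8.3 rule used (first six characters, ~1, three-character extension) is an assumption that holds for these names but not for every Windows file name.

```python
import re

# Excerpt of the "Processes" command lines from this report (the original
# sample, the first four dropped stages and the cmd.exe deletions between
# them). The remaining stages follow the same pattern.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"',
    r"C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul",
    r"C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AF095~1.EXE > nul",
    r"C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{478C6~1.EXE > nul",
    r"C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E13~1.EXE > nul",
]

# A GUID-named executable directly under C:\Windows, as dropped by each stage.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# The self-delete helper: cmd.exe /c del <8.3 path> > nul
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\s*$", re.IGNORECASE)


def short_name(path):
    """Approximate the 8.3 alias Windows assigns to the file name in `path`.

    Assumed rule: first six characters of the base name, "~1", then the
    first three characters of the extension, upper-cased. Real NTFS
    generation also strips spaces and illegal characters and increments the
    ~N suffix on collisions; neither arises for the names in this report.
    """
    directory, _, name = path.rpartition("\\")
    if "." in name:
        base, _, ext = name.rpartition(".")
    else:
        base, ext = name, ""
    alias = base[:6].upper() + "~1"
    if ext:
        alias += "." + ext[:3].upper()
    return directory + "\\" + alias


def build_chain(cmdlines):
    """Order the non-cmd.exe images as stages and record, for each stage,
    the index of the newest stage already started when its image was
    deleted (None if it was never deleted)."""
    stages = []
    for line in cmdlines:
        m = DEL_CMD.search(line)
        if m:
            target = m.group(1).lower()
            for stage in stages:
                if short_name(stage["image"]).lower() == target:
                    stage["deleted_after"] = len(stages) - 1
            continue
        stages.append({"image": line.strip('"'), "deleted_after": None})
    return stages


def survivors(cmdlines):
    """Images still on disk at the end of the recorded command lines."""
    return [s["image"] for s in build_chain(cmdlines) if s["deleted_after"] is None]


def findings(cmdlines):
    """Signature-style findings for the drop-and-delete chain."""
    out = []
    for i, stage in enumerate(build_chain(cmdlines)):
        if GUID_EXE.match(stage["image"]):
            out.append("GUID-named executable in C:\\Windows: " + stage["image"])
        if stage["deleted_after"] is not None:
            out.append(
                "stage %d deleted by 8.3 alias %s once stage %d was running"
                % (i, short_name(stage["image"]), stage["deleted_after"])
            )
    return out


if __name__ == "__main__":
    for f in findings(CMDLINES):
        print(f)
    print("surviving:", survivors(CMDLINES))
```

Run against the excerpt, the script reports four GUID-named drops, four deletions (each matched to the long name the 8.3 alias stands for) and a single survivor, {8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe. Feeding it the full command-line list from this report extends the chain to twelve stages with {AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe as the survivor; the same regexes can be lifted into a process-creation rule keyed on image path and command line.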
Network
Every recorded request is a reverse (PTR) lookup sent to 8.8.8.8:53; an in-addr.arpa name is the IPv4 address with its octets reversed (97.17.167.52.in-addr.arpa asks for 52.167.17.97). No forward lookup of a domain and no direct connection by the sample appear here, so this section yields no command-and-control indicator.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Twelve executables were written to C:\Windows, one per stage, and every one has a distinct hash, so the dropped files share no file-level indicator; detection should key on the behaviour (GUID-named .exe written to C:\Windows, deletion of the previous stage through cmd.exe) rather than on the hashes below.
C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe
| MD5 | b28893fe7b2ec13f4c59e3b4938b4117 |
| SHA1 | c04d997927d592582ff2b0a18a6a50c19404af1a |
| SHA256 | 27b8854a9b257293b8ad6e18b28a016b1dd95cdf00f67aead07840e43dac92e5 |
| SHA512 | 7454c0396798790c3675ea470d9f659295c74e64c8ba0ddaec5f99b20ce38ecfa8b79b2f9810057058b230645de4f43bf11deb45cd91a5dd2cda9db450de2af5 |
C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe
| MD5 | 0db539c6728f01cad5f7a5b5a96dedca |
| SHA1 | bf97250bcddea367077a405f422fccf1dbb3b179 |
| SHA256 | 83073dd8cf595980c6218c1291e2e851a2b628cd4c2737402134cccbbd820755 |
| SHA512 | 813310fc693dca66b3c65b90a81ea8876859e67d4aa53a3ef6bc1490144e9f70ab09e05d36fa48cc4fd5809506f87ccf272092cf5c2bac226712c48ed8aaf336 |
C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe
| MD5 | 568f13568ef0dc496f7bc35691f20962 |
| SHA1 | dcc3b9d9614ca427c27ccbb7a153042d2ec9c06b |
| SHA256 | eddc8044d64b9778d6182216d258809ba25195115f071cee17e80b2f20b426fb |
| SHA512 | 144363c4a48cfdd2dac56466825295ea83893816dc86886c4953c8ed67498a40848f0caf77ecc2ea23eaf05dcf6d571a67d91e13f632a1569c5691e249d8479f |
C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe
| MD5 | 18fb039563a8ee5ad3cb2879d9e095ea |
| SHA1 | 079069d220c2e8b3328c8ef4abf116bda8a11f03 |
| SHA256 | 504ead76725523cde12522903934b88a827aebfe0efa6b5027a2b46f0ecdb6d3 |
| SHA512 | bad81d18f49cdde113ede38b53a4bc1bee162815ff8fc0c2bf097dc0b686ae8c4d8b3a11d815f66718458932e3597e7988970c109874c69ff3a3c00bc5ba1d92 |
C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe
| MD5 | 4e129f01c1eaa1e43737155e7c43e090 |
| SHA1 | 7fcd9cfda7034c83fe3d66dc7908b8f40dc665c6 |
| SHA256 | a122877309d587474a85ee0dfe7ab28afdd2f219d358fd3eabd911a8c4b5459b |
| SHA512 | 0e5bb8b2d1a339fef7dfe3475f3eebff13306c8cc26ffd86bd71e2fb4e51583306fdcfb7f31ba962923390abae0ea727fd93b0a85bb0d7acc5dde277b50344b6 |
C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe
| MD5 | ecb161da552e1cd98bba61c688efb5ad |
| SHA1 | b5a4a2f2a54e825d78bb69902a334aeb8ce51454 |
| SHA256 | c9471709880d914529440363c85ec98375d93375013acfc62406c631264699e0 |
| SHA512 | fc55937b9b5ec2feb50cab12c4e4810264a2693f4f7d3c3235e28ee511c2007d61d92ee6b4a2bb473693120ee001a6060af9abad3ecb49aa0f7e69c3e012010b |
C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe
| MD5 | 3f1d95e2b7cb9412f29f2c3138b63ad4 |
| SHA1 | f805c4aed8c3689e126621ba11a369d080fa5557 |
| SHA256 | 5690dda085290e91bd3138fd6f2a0d900b3f61fd5bbe75ff516ad3b76e206c31 |
| SHA512 | cc1172722d3ddb12d5683d9a43182cc2731cd3c9dd68c5683a7d74bffc012e5cc1a2edbb6ece9e17214ccc6cfaa43297967ad80eebd95f98ddefb089373088b1 |
C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe
| MD5 | 987afe78802d706eeff5545046ca3dfa |
| SHA1 | 54cd0d6d4d3c9689e6572eb562c7a0d341f3785c |
| SHA256 | 8f8e8e5694aba3abcaac85c8fdf18047108ca77fbfb8a4ed4fccf7b53f7c94e6 |
| SHA512 | 2ab05545c9ea737935816837f4642b7c806e2e49435912a86f49c1b996beec6738e7f09ab63084d82674fdc411cc103cfe2dc4e2228c1264ee06b2ad0571e5b1 |
C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe
| MD5 | 17f2d0cca70158714ef84bb08b81ba96 |
| SHA1 | f83922215c28f65b3772879a4b36a3617c60dbe3 |
| SHA256 | 83b5b3b580213856db06ca429a1bfa26c92b5a24e21a9c86f7aea74d02ee0b94 |
| SHA512 | 61e98dae647a186e4bd65f3e67d71b5ba767dc6d036d5aa57009e5406ce453bc4aa66eb6766db26b2b9f2a23f091f8d98a53baf5b19218295cd6666dc418682b |
C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe
| MD5 | 45441d4f29d7a3ec47abd39b759479f0 |
| SHA1 | 6881f87ddd6290dd4f3e0475efb37ebfe6afa6c2 |
| SHA256 | 855730d4006a4db6003fe31cd6ebe46979b29b9ccbc3f30f183af16c4d738f13 |
| SHA512 | 2c577394e4e6159ca029329041be4d4cf07e340a394b1ace724a2423731538e16d7c0fa4865f2798c73afd3bd2b531807c4f91225cbc7dba13b429bd204c8f6e |
C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe
| MD5 | 8d16bbb4aa57a8d28f596d1c921a26ec |
| SHA1 | b567685ca0b00f0f497497bbb13ea2a7da9f1f2a |
| SHA256 | 7bcf83a7e5e50a4fe7d25506403bc782f56f4e0b7d9c8ed7903b21af32851e20 |
| SHA512 | aeafd353baffaddacc45ae71e1c467a8b22a0ddd99e9311a1c2ce63bcbb31a6081d0fe014afd48cca8cf042898e3d90ea74c1209c5dbbb490e6dae611e4b3bbc |
C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe
| MD5 | 0c328c48151a8d13c70c2d82b5b053c2 |
| SHA1 | 13d8d55c86c8d8f8dde13f1c3ea3177f76ef8fd2 |
| SHA256 | 6a772eb0af8e2aea49b1db6707004b6f4454a0f1173c8538907e464c445b7ec9 |
| SHA512 | ae54d80df9d5edef5817822ff0ce4564509aaf210a64103b7748c384ce7193a9596e9462070f3b8054d66e8d3c17d466128aa693e5047913c337d649ac0ab943 |