Analysis Overview
SHA256: bb2663c864ad205aa4b9cb2f4517b1d7818f6a3abd2c7a5b31e08651c83d6823
Threat Level: Likely malicious
The file 2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-10 01:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 119s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}\stubpath = "C:\\Windows\\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe" | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C673F55-A10C-452c-999C-BB0D79B21AC0}\stubpath = "C:\\Windows\\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B690BC0-24BC-4c42-94B0-CCD508592322} | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC} | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}\stubpath = "C:\\Windows\\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe" | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141ACE6-22C5-4e37-8022-64E015DEED58} | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141ACE6-22C5-4e37-8022-64E015DEED58}\stubpath = "C:\\Windows\\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe" | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2} | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D85649-6923-4e03-9FA3-12C7F19D0431} | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D85649-6923-4e03-9FA3-12C7F19D0431}\stubpath = "C:\\Windows\\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe" | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B690BC0-24BC-4c42-94B0-CCD508592322}\stubpath = "C:\\Windows\\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe" | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55} | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}\stubpath = "C:\\Windows\\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe" | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AE86A4-AC23-48be-BD07-C7320683861A} | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FC378-9F41-4069-AEA0-D64B0E7B491E} | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C673F55-A10C-452c-999C-BB0D79B21AC0} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FC378-9F41-4069-AEA0-D64B0E7B491E}\stubpath = "C:\\Windows\\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe" | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E93455C-A6A8-483f-A296-BB381EF56195} | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E93455C-A6A8-483f-A296-BB381EF56195}\stubpath = "C:\\Windows\\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe" | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5747448B-FAF3-40a5-84BA-38E84B4A3388} | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5747448B-FAF3-40a5-84BA-38E84B4A3388}\stubpath = "C:\\Windows\\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe" | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AE86A4-AC23-48be-BD07-C7320683861A}\stubpath = "C:\\Windows\\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe" | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | N/A |
| N/A | N/A | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | N/A |
| N/A | N/A | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | N/A |
| N/A | N/A | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | N/A |
| N/A | N/A | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | N/A |
| N/A | N/A | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | N/A |
| N/A | N/A | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | N/A |
| N/A | N/A | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | N/A |
| N/A | N/A | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | N/A |
| N/A | N/A | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | N/A |
| N/A | N/A | C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | N/A |
| File created | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | N/A |
| File created | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | N/A |
| File created | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| File created | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | N/A |
| File created | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | N/A |
| File created | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | N/A |
| File created | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | N/A |
| File created | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | N/A |
| File created | C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | N/A |
| File created | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe" |
| C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe | C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe | C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7C673~1.EXE > nul |
| C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe | C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{71D85~1.EXE > nul |
| C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe | C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6B690~1.EXE > nul |
| C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe | C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0548E~1.EXE > nul |
| C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe | C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8E934~1.EXE > nul |
| C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe | C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C571D~1.EXE > nul |
| C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe | C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{57474~1.EXE > nul |
| C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe | C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B141A~1.EXE > nul |
| C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe | C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{22AE8~1.EXE > nul |
| C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe | C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C5DDC~1.EXE > nul |
Network
Files
C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe
C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe
C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 140s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EE300B-EE47-4806-B675-BC62536611E3} | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD} | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}\stubpath = "C:\\Windows\\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe" | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57} | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}\stubpath = "C:\\Windows\\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe" | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56} | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}\stubpath = "C:\\Windows\\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe" | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C} | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}\stubpath = "C:\\Windows\\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe" | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E38E5F1-FAEC-495b-A902-16C335962968} | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B8BBAB-3102-4a12-B60F-157655ABC020} | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6} | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3} | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E38E5F1-FAEC-495b-A902-16C335962968}\stubpath = "C:\\Windows\\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe" | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B8BBAB-3102-4a12-B60F-157655ABC020}\stubpath = "C:\\Windows\\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe" | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEDE93B9-9359-4263-A4F1-D415D3544B78} | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}\stubpath = "C:\\Windows\\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe" | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEDE93B9-9359-4263-A4F1-D415D3544B78}\stubpath = "C:\\Windows\\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe" | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}\stubpath = "C:\\Windows\\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe" | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EE300B-EE47-4806-B675-BC62536611E3}\stubpath = "C:\\Windows\\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}\stubpath = "C:\\Windows\\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe" | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}\stubpath = "C:\\Windows\\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe" | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2} | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C891E89B-3B6E-4acd-BB98-3141AEA7346C} | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | N/A |
| N/A | N/A | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | N/A |
| N/A | N/A | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | N/A |
| N/A | N/A | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | N/A |
| N/A | N/A | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | N/A |
| N/A | N/A | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | N/A |
| N/A | N/A | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | N/A |
| N/A | N/A | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | N/A |
| N/A | N/A | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | N/A |
| N/A | N/A | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | N/A |
| N/A | N/A | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | N/A |
| N/A | N/A | C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | N/A |
| File created | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | N/A |
| File created | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| File created | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | N/A |
| File created | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | N/A |
| File created | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | N/A |
| File created | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | N/A |
| File created | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | N/A |
| File created | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | N/A |
| File created | C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | N/A |
| File created | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | N/A |
| File created | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe" |
| C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe | C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul |
| C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe | C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EE3~1.EXE > nul |
| C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe | C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA81~1.EXE > nul |
| C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe | C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{16561~1.EXE > nul |
| C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe | C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{81BAF~1.EXE > nul |
| C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe | C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{23B7E~1.EXE > nul |
| C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe | C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6DE~1.EXE > nul |
| C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe | C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CA83C~1.EXE > nul |
| C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe | C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1E38E~1.EXE > nul |
| C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe | C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C891E~1.EXE > nul |
| C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe | C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{85B8B~1.EXE > nul |
| C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe | C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EEDE9~1.EXE > nul |
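The process listing above records a relay rather than a single dropper: each GUID-named executable in C:\Windows launches the next one, and a `cmd /c del` then removes the stage that came before it, so only the newest stage is left on disk. The Python script below is an added example written for this page; it is not the sandbox's tooling or the sample's code. Its PROCESS_LIST is an excerpt of the first stages copied from the listing (image path paired with its command line); the functions, names and the short-name resolution are the example's own. The resolution of `{A1EE3~1.EXE` back to the full GUID path is a prefix-match assumption that holds for these file names (no spaces or extra dots), not a general implementation of Windows 8.3 short-name generation.

```python
"""Reconstruct the drop-and-delete relay from a sandbox process listing.

Added example, not part of the sandbox report or the sample. PROCESS_LIST is
an excerpt copied from the report's Processes section (image path on one
line, command line on the next); everything else is illustrative code.
"""
import re

PROCESS_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe"
C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EE3~1.EXE > nul
C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA81~1.EXE > nul
C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16561~1.EXE > nul
"""

# A GUID-named executable sitting directly in C:\Windows (no subdirectory).
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# `cmd /c del <path> > nul` as the sandbox recorded it.
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>[^\s>]+)", re.I)


def parse_process_list(text):
    """Pair each image path with the command line on the following line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected image/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def resolve_short_name(short_path, candidates):
    """Map an 8.3 short name (e.g. {A1EE3~1.EXE) back to a full path seen earlier.

    Assumption: the stem before '~' is a plain prefix of the long name, which
    holds for these names; this is not full Windows short-name generation.
    """
    short_dir, short_base = short_path.rsplit("\\", 1)
    stem = short_base.split("~", 1)[0].upper()
    for cand in candidates:
        cand_dir, cand_base = cand.rsplit("\\", 1)
        if cand_dir.upper() == short_dir.upper() and cand_base.upper().startswith(stem):
            return cand
    return None


def reconstruct_chain(procs):
    """Return (chain, deletions).

    chain:     executables in launch order (the sample, then each GUID stage).
    deletions: (deleted_full_path, stage_running_at_that_time) for each `del`,
               with the short name resolved against executables already seen.
    """
    chain, deletions = [], []
    for image, cmdline in procs:
        if image.lower().endswith("\\cmd.exe"):
            m = DEL_CMD.search(cmdline)
            if m:
                target = resolve_short_name(m.group("target"), chain)
                deletions.append((target, chain[-1] if chain else None))
            continue
        chain.append(image)
    return chain, deletions


def each_stage_deletes_predecessor(chain, deletions):
    """True when every `del` removes exactly the stage launched before the one
    running at that moment, i.e. the relay leaves only the newest stage on disk."""
    return all(d == (chain[i], chain[i + 1]) for i, d in enumerate(deletions))


def guid_stages(chain):
    """Executables in the chain that match the GUID-in-C:\\Windows pattern."""
    return [p for p in chain if GUID_EXE.match(p)]


if __name__ == "__main__":
    chain, deletions = reconstruct_chain(parse_process_list(PROCESS_LIST))
    for deleted, running in deletions:
        print(f"{running}\n    deleted {deleted}")
    print("relay pattern:", each_stage_deletes_predecessor(chain, deletions))
    print("GUID-named stages in C:\\Windows:", len(guid_stages(chain)))
```

Two details worth checking when reading such a listing: the image column shows `C:\Windows\SysWOW64\cmd.exe` although the command line names `system32\cmd.exe`, which is WoW64 file-system redirection and tells you the stages are 32-bit processes; and because every `del` is issued by a separate `cmd.exe`, a file-deletion alert on its own looks like housekeeping, whereas correlating it with the GUID-named executable launched immediately before it exposes the relay.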
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
| MD5 | 5e5c2eda16db47ed337d1bd9d47342b1 |
| SHA1 | 97395b9bcaf0268121108499ab604f73156398c2 |
| SHA256 | bd65e3bcced758bd8d2d6553a6aa9f9781ef0c0e67bd1c16cc84584fef2a6b9f |
| SHA512 | 7ce69583e59ae5c8eb19a858030bd4a26a2c96c33555f59d682506cd668f8dd5295259628e17ccf82c74884f19023cecfa32b45e8d04231356f310c6d4a932ea |
C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
| MD5 | c2405b087ce718f5cee4916d467ffd63 |
| SHA1 | 9dd00959f2ec976de114b11c1422d78654a73035 |
| SHA256 | a6a5aeb043d6fb373150e71937a730bc6612939aa371577e108f50f443ace812 |
| SHA512 | b227246a06bf3ad8060cb987a2b8d16a5830b9b1c0ffb4360ac76cd3323fdaf3d4e6bfc766952b7a71359280670268e56733f266aafd344f588958bc1acf09c9 |
C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
| MD5 | 26354ec8c8cca613c5e77aaa7e549d67 |
| SHA1 | 6f16d2ba65816b08a15c325b54ea9f9f91fec778 |
| SHA256 | 6706f608f5559b398a91ce9fd53276e1c42baf031e12c7b1ba2597381c17de22 |
| SHA512 | 013b957c8d15a87e004746c1c5d8975444026d08f0e7bf283f5213400fe3721efaeb134885d36fc23569eb0246e61c79ce64e756e651ea106c4d3d5d44b9a659 |
C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
| MD5 | 0cee2b8be6e5ace16cec1f802a98142e |
| SHA1 | a40de7aa9f10138e1f6667318b53950771642b64 |
| SHA256 | c88bb7bcf8ca04d8d46a9642026a49aa9b3e82ff6ccf9d1237146787224f3580 |
| SHA512 | 207cabaf40f5f225b5bbbd3780525662ad68626847ae27442f6c819423e0f7d5c5ff4134116eb74ca1c281db7a7b0b0c790f6f503dc1e8ad9d40e3868f33ac33 |
C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe
| MD5 | 62da053b7a35394c01726498d2c35fec |
| SHA1 | 1915df10b269e6b57a555a0d176cb66d0405e00a |
| SHA256 | 56e10bb9e924d89061ffcbd2acd1db1ef71ad3bf133fb011a32545c28e2f6660 |
| SHA512 | 593cc7a7d0e5d7c2ee010cf0159b51848f818a572eef980cca850b9fb7448d1c1f913ab827ed6b572364d2fc5c01dc4b88df7f4156841f18a9fc31b944237b33 |
C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe
| MD5 | 0eaa9f37f8a50bbcc81cf280b63869c8 |
| SHA1 | 625564520529fe464ed72672f172728b5055aa75 |
| SHA256 | be0412273a75c04bffdd1dd43e983ea6801cd969e71c77f6bdaccefb39f2187b |
| SHA512 | 1253e84d09edab7e13d463dad320a09f0c949685ba1a556e315df6dad133658e7598f370eb4585cf677c74e9039f72dc73cc3577e2317149d32880018251cbc8 |
C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe
| MD5 | 9ddd28cd816832f3f90b7856a1672ffe |
| SHA1 | 2d8aa10299e9bc54a980b1a08e4ae3d87c84b9fc |
| SHA256 | 64705ba679dba47b75249850610294adc8524614519a4b5c37b3e05a0e2ee75c |
| SHA512 | 4773f415ff87b047ef7b0db8f3ec989ca9c1748301a1fadc9576030b4de329432893ea2b16904cf0dbdf094e1258381d64545bcb57a79d33ac4e5f3f9e1f7696 |
C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe
| MD5 | 2fda627352c3b20cfd0e85989be5d215 |
| SHA1 | c6a6d1f8ef9c46761a3018a6c3d43c8ff29a2c78 |
| SHA256 | cb13ee890d2d67d39d3e6d51dde04770b980db1f662c52066dde2db04e4c3988 |
| SHA512 | 048cf11f45ac2b78ae5f4c05886d7e9470ad5b50e13db26d5e2013f0fb47dd2797ebb4d37afe9977267b3d4e7a03861145d2402151e28f184945dd7497720788 |
C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe
| MD5 | 5976d733af4fcb1a4d55f6fbeb0134a4 |
| SHA1 | 680997ad241f8bb6bfcd6c4741fc21db40a65d9c |
| SHA256 | c582c40c83d345268a40c7ab8a1e6e313a94ce09c4e4a9e24f6d7a967d1a5382 |
| SHA512 | af9cc1b8532c695fccb339fd384c37819fe0b61f55dd19824f3241693e7ad11f6e374a8e43434254073440548dc9fb68b19254f501f8ec66a8f880908aa82241 |
C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe
| MD5 | 64390b795b49857f7af27a84bc7731b2 |
| SHA1 | a2de108d2b9a6358a2d174fd90ffdda1c4f0180a |
| SHA256 | 6df4f45435d028ff9e7bb7cfe3e9b581bcf900d2ca9ec110f1841ffd9f0d9c0b |
| SHA512 | 51c6fd6871c60f15b70d0e6fea3dd8c68d667cbc089c35e57c57adebbf1877b8331cf18b8d931d2417d9fdff1453149fcfd4e266eea345db8d6e95fae4544d38 |
C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe
| MD5 | 0aa94086acfd833eb0d1fb8e215a371e |
| SHA1 | db62fa396ceafe67d43d7ff827919805fab92941 |
| SHA256 | 39c78c4388c9eda5ebb27f3467b99694145f0a73e7675fa8c671297c7f805319 |
| SHA512 | 44d967fd6809e1f899990c1b0f8276eabe1f8a2654df75445aeeadd7c257d3bc043d67cd9cc28869de9b37e00d99cadcc4ac1127760b82e39778b8701efde236 |
C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe
| MD5 | 2989202d973449763d2e21c06c4cc11d |
| SHA1 | af9a3cb0acf8cc689e760df07c1961324db59111 |
| SHA256 | 70dce1f14b455f586469e1b45570103ad00b40129a39472bae65aa5afcda4a35 |
| SHA512 | 1bf52ae9c587ebeed7b42d9ff636a1df2060ad75dabb371ffd6aa128a015de0391749e2153e03331df03472864b84a88fcf438d588406cf5ab0255e235986c99 |