Malware Analysis Report

2025-08-05 20:46

Sample ID 240302-3cxgtaac6w
Target 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye
SHA256 4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e
Threat Level: Known bad

The file 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are present on this page.

Analysis: static1

Detonation Overview

Reported: 2024-03-02 23:22

Signatures

Auto-generated rule
Matched; no description, indicator, process or target is recorded for it.

Unsigned PE
Matched; the sample carries no Authenticode signature, so it cannot be tied to a publisher. No further details are recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 23:22
Reported: 2024-03-02 23:25
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"

Signatures

Auto-generated rule

13 matches recorded; no description, indicator, process or target is given for any of them.

Modifies Installed Components in the registry

persistence

Active Setup entries under Installed Components are executed through their stubpath at a user's next interactive logon when the matching GUID is absent from that user's HKCU, which makes a stubpath pointing at a dropped C:\Windows\{GUID}.exe a logon-triggered persistence mechanism. The keys sit under Wow6432Node because the sample is a 32-bit process writing through WOW64 registry redirection (its cmd.exe children also come from SysWOW64). Each row below is written by the dropper for the stage it drops: the submitted sample registers {1310ED04-...}, which registers {8EA8AAC5-...}, and so on down the chain, so the stubpath always names the next file, never the writer itself.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}\stubpath = "C:\\Windows\\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}\stubpath = "C:\\Windows\\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe" C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08BD3BBB-6CB2-4525-BC03-B43296437F33} C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7} C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}\stubpath = "C:\\Windows\\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe" C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4} C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08BD3BBB-6CB2-4525-BC03-B43296437F33}\stubpath = "C:\\Windows\\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe" C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}\stubpath = "C:\\Windows\\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe" C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47029E8-60DC-41f1-886E-2679C02B46F3}\stubpath = "C:\\Windows\\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe" C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086} C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C022BA33-3522-42fc-A99E-80F6E8CA601B} C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C022BA33-3522-42fc-A99E-80F6E8CA601B}\stubpath = "C:\\Windows\\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe" C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0} C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}\stubpath = "C:\\Windows\\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe" C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}\stubpath = "C:\\Windows\\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe" C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8} C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}\stubpath = "C:\\Windows\\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe" C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47029E8-60DC-41f1-886E-2679C02B46F3} C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}\stubpath = "C:\\Windows\\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe" C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1} C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54} C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F} C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The deletion is delegated to cmd.exe (the exact lines are in the Processes list: cmd.exe /c del <8.3 short name> > nul), which each stage spawns right after launching the next one. The targets are 8.3 short names ({1310E~1.EXE), which only resolve where short-name generation is enabled on the volume, the default for the system volume. The last stage recorded, {C022BA33-...}.exe, is the only one with no matching del.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe N/A
File created C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe N/A
File created C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe N/A
File created C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe N/A
File created C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe N/A
File created C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
File created C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe N/A
File created C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe N/A
File created C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe N/A
File created C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe N/A
File created C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Every stage enables SeIncBasePriorityPrivilege (the "Increase scheduling priority" user right) in its own token. On its own this is low-signal, since many legitimate programs do the same; its value here is that the identical call recurs in every GUID-named stage, consistent with all stages sharing one code base.

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe N/A

Suspicious use of WriteProcessMemory

Each parent writes four times into exactly the two processes it creates (the next stage and its cmd.exe) and into nothing else. Writes of that shape into a freshly created child are made by CreateProcess itself while it places the process parameter block in the new process, so this table corroborates the parent/child chain rather than showing injection into an unrelated process. The PIDs give the order: 1632 (sample) -> 1516 ({1310ED04-...}) -> 2636 ({8EA8AAC5-...}) -> 2540 -> 2592 -> 2412 -> 920 -> 1716 -> 2400 ({A47029E8-...}); the rows end there, so the PIDs of the last three stages are not on this page.

Description Indicator Process Target
PID 1632 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
PID 1632 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
PID 1632 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
PID 1632 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
PID 1632 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2636 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
PID 1516 wrote to memory of 2636 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
PID 1516 wrote to memory of 2636 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
PID 1516 wrote to memory of 2636 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
PID 1516 wrote to memory of 2652 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2652 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2652 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2652 N/A C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2540 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
PID 2636 wrote to memory of 2540 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
PID 2636 wrote to memory of 2540 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
PID 2636 wrote to memory of 2540 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
PID 2636 wrote to memory of 2684 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2684 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2684 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2684 N/A C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
PID 2540 wrote to memory of 2900 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2900 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2900 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2900 N/A C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2412 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
PID 2592 wrote to memory of 2412 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
PID 2592 wrote to memory of 2412 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
PID 2592 wrote to memory of 2412 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
PID 2592 wrote to memory of 2700 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2700 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2700 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2700 N/A C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 920 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
PID 2412 wrote to memory of 920 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
PID 2412 wrote to memory of 920 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
PID 2412 wrote to memory of 920 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
PID 2412 wrote to memory of 1860 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1860 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1860 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1860 N/A C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1716 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
PID 920 wrote to memory of 1716 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
PID 920 wrote to memory of 1716 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
PID 920 wrote to memory of 1716 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
PID 920 wrote to memory of 2344 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2344 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2344 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2344 N/A C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2400 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
PID 1716 wrote to memory of 2400 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
PID 1716 wrote to memory of 2400 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
PID 1716 wrote to memory of 2400 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
PID 1716 wrote to memory of 1972 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1972 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1972 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1972 N/A C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Each entry is an image path followed by its command line, in the order recorded. Every stage up to {DF668AF4-...}.exe starts two children: the next stage, and a cmd.exe whose only job is to delete the stage's own file by its 8.3 short name.

C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"

C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe

C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe

C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1310E~1.EXE > nul

C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe

C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA8A~1.EXE > nul

C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe

C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{08BD3~1.EXE > nul

C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe

C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{366BB~1.EXE > nul

C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe

C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36F2B~1.EXE > nul

C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe

C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E4A~1.EXE > nul

C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe

C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4462F~1.EXE > nul

C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe

C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A4702~1.EXE > nul

C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe

C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{63EE5~1.EXE > nul

C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe

C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DF668~1.EXE > nul
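
The three behavioral1 data sets above (the "Drops file" rows, the Active Setup stubpath rows, and the cmd.exe lines in the Processes list) describe one chain. The following Python script is an added example, not part of the sandbox report: it cross-checks those rows by ordering the stages along creator-to-created links, verifying that every stage's Active Setup entry was written by the stage that dropped it, and mapping each 8.3 del target back to the stage it removes. The lists are copied from this page; the 8.3 short-name matching is a simplification (first six characters of the long name), as noted in the code.

```python
"""Reconstruct the behavioral1 drop-and-run chain from the rows on this page.

Added example, not sandbox output; the lists are copied from the behavioral1
tables. 8.3 short-name matching is simplified to the 6-character prefix rule
(real generation also strips some characters and uses ~2, ~3 on collisions)."""
import re
from typing import List, Optional, Tuple

ORIGINAL = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe")


def wexe(guid: Optional[str]) -> str:
    """Path of a GUID-named stage under C:\\Windows; None stands for the submitted sample."""
    return ORIGINAL if guid is None else "C:\\Windows\\{" + guid + "}.exe"


# "Drops file in Windows directory" rows, page order: (GUID of created file, GUID of creator).
FILE_CREATED: List[Tuple[str, Optional[str]]] = [
    ("08BD3BBB-6CB2-4525-BC03-B43296437F33", "8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4"),
    ("366BBE7A-64C0-4b5c-82AE-883A8DECEC54", "08BD3BBB-6CB2-4525-BC03-B43296437F33"),
    ("36F2B4B6-C4FE-4474-BA2D-4449F238ADD0", "366BBE7A-64C0-4b5c-82AE-883A8DECEC54"),
    ("A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7", "36F2B4B6-C4FE-4474-BA2D-4449F238ADD0"),
    ("A47029E8-60DC-41f1-886E-2679C02B46F3", "4462F5B2-09EA-47b9-AAED-77F43A96F4B8"),
    ("1310ED04-CCF6-4f4d-A34B-CBA75225ABE1", None),
    ("8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4", "1310ED04-CCF6-4f4d-A34B-CBA75225ABE1"),
    ("4462F5B2-09EA-47b9-AAED-77F43A96F4B8", "A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7"),
    ("63EE528C-5C2A-4ea3-980C-2BA59B2FA086", "A47029E8-60DC-41f1-886E-2679C02B46F3"),
    ("DF668AF4-9D2D-4f77-A237-8ADC5111FC6F", "63EE528C-5C2A-4ea3-980C-2BA59B2FA086"),
    ("C022BA33-3522-42fc-A99E-80F6E8CA601B", "DF668AF4-9D2D-4f77-A237-8ADC5111FC6F"),
]

# "Set value (str) ...\{key}\stubpath" rows: (key GUID, GUID of the writing process). On this
# page the stubpath data is always C:\Windows\{key}.exe, so only key and writer are kept.
STUBPATH: List[Tuple[str, Optional[str]]] = [
    ("1310ED04-CCF6-4f4d-A34B-CBA75225ABE1", None),
    ("8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4", "1310ED04-CCF6-4f4d-A34B-CBA75225ABE1"),
    ("DF668AF4-9D2D-4f77-A237-8ADC5111FC6F", "63EE528C-5C2A-4ea3-980C-2BA59B2FA086"),
    ("08BD3BBB-6CB2-4525-BC03-B43296437F33", "8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4"),
    ("366BBE7A-64C0-4b5c-82AE-883A8DECEC54", "08BD3BBB-6CB2-4525-BC03-B43296437F33"),
    ("A47029E8-60DC-41f1-886E-2679C02B46F3", "4462F5B2-09EA-47b9-AAED-77F43A96F4B8"),
    ("C022BA33-3522-42fc-A99E-80F6E8CA601B", "DF668AF4-9D2D-4f77-A237-8ADC5111FC6F"),
    ("36F2B4B6-C4FE-4474-BA2D-4449F238ADD0", "366BBE7A-64C0-4b5c-82AE-883A8DECEC54"),
    ("A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7", "36F2B4B6-C4FE-4474-BA2D-4449F238ADD0"),
    ("4462F5B2-09EA-47b9-AAED-77F43A96F4B8", "A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7"),
    ("63EE528C-5C2A-4ea3-980C-2BA59B2FA086", "A47029E8-60DC-41f1-886E-2679C02B46F3"),
]

# cmd.exe command lines from the Processes list, in the order recorded.
CMD_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1310E~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA8A~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{08BD3~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{366BB~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{36F2B~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E4A~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4462F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A4702~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{63EE5~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{DF668~1.EXE > nul",
]

DEL_CMD = re.compile(r"cmd\.exe /c del (?P<path>\S+) > nul$", re.IGNORECASE)


def build_chain(file_created: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Order the stages by following creator -> created-file links from the single root."""
    parent_of = {wexe(c): wexe(p) for c, p in file_created}
    child_of = {wexe(p): wexe(c) for c, p in file_created}
    (root,) = [p for p in child_of if p not in parent_of]   # exactly one creator was never created
    chain = [root]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


def check_stubpaths(chain: List[str], stubpath: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Each dropped stage must have an Active Setup stubpath written by the stage that dropped it."""
    writer_of = {wexe(key): wexe(w) for key, w in stubpath}
    problems = []
    for dropper, stage in zip(chain, chain[1:]):
        if stage not in writer_of:
            problems.append(f"{stage}: no Active Setup stubpath")
        elif writer_of[stage] != dropper:
            problems.append(f"{stage}: stubpath written by {writer_of[stage]}, not by its dropper")
    return problems


def deleted_stages(chain: List[str], cmd_lines: List[str]) -> List[str]:
    """Map each 'cmd /c del <8.3 name>' line to the chain stage it removes."""
    deleted = []
    for m in filter(None, map(DEL_CMD.search, cmd_lines)):
        folder, short = m.group("path").upper().rsplit("\\", 1)
        prefix = short.split("~", 1)[0]   # '{1310E' or '2024-0': first 6 chars of the long name
        for stage in chain:
            sfolder, sname = stage.upper().rsplit("\\", 1)
            if sfolder == folder and sname.startswith(prefix):
                deleted.append(stage)
    return deleted
```

build_chain(FILE_CREATED) yields the twelve-step chain from the submitted sample to {C022BA33-...}.exe; check_stubpaths reports no problems, confirming that the registry rows and the file-drop rows agree on every link; and deleted_stages returns every stage except the last, which is exactly what the "Deletes itself" signature and the Processes list show.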

Network

N/A

Files

The eleven dropped stages all differ from each other by hash, and the GUIDs differ between the two detonations, so neither file hashes nor the GUID-named paths are stable indicators; the stable pattern is a GUID-named executable dropped directly into C:\Windows and registered as an Active Setup stubpath. Two paths below ({36F2B4B6-...}.exe and {63EE528C-...}.exe) are listed twice with different hashes: the sandbox recorded two different contents at the same path, so both hash sets belong in any indicator list derived from this run.

C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe

MD5 bf5893a05cac81266ebf0d6fb8b4c11c
SHA1 a766204b20e07f0bca823fadb7e38080db5efe00
SHA256 120c3c9085cff9bbd5db2bcbe7e357df6dba4718959d8cf484d4a4d6efce55dc
SHA512 3c12b41806b250e283598cdfb5d00823d619a1274e638c9f92b8d137fb41d8a51bd7086eb0e944dc1be13deb356c337db5257d50d35093b832760dd5e00384c6

C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe

MD5 0a405ef5b6c6a85df73cda88b782d0b9
SHA1 2f484c4603d305af7bdf10cf1a3f2f1fa345bd9a
SHA256 605d45be6ac9a5c22bb20795ef002dfa24695b9b68d58ed45f8266db200d4457
SHA512 8089dc66df0c0553695ffd9634bcb2c727f992da007d9e845df1d1e86718e53c2a03c23903e78cc0fe844e52549e7a26501179b216b496b13ac6c624fe4049f4

C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe

MD5 4dd52e8a894023e4c061c970561dc232
SHA1 5e0ba6ed2a726d38f733877c055c13c5157f4c75
SHA256 a5d4240b9817ca0fc143b40a8a435903598209675eccd53c855e2c2a2a496213
SHA512 4235d06b4f3655112d36dfb67520d4a7900b39a44a963a35d60f78c913dbc01c44682a8a79fb9a6be71d44062e48707b0a77e56645b9a445d1db91a20d433beb

C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe

MD5 9ac5901230132c027412b44f54a0e257
SHA1 9100d2d7fe2916ee1a722aac8bf89422e0e37815
SHA256 960837b6f5c71ed52d9d350f80beb307ea0e790c6494484c06f4db97f894dd2c
SHA512 8fc7d8bb42a2d8b28d562547a60ecaaba61e8c3f11f9d22ae5f39edbd2c3e5d7bc6a9c1ce13827ed0d017674224d4f21b91aa2b347c0cea6eed58ce1a3c69d91

C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe

MD5 9a4df72d514601a3dbdcd44f29c28708
SHA1 e8c9a7ce05eabedcb6466c421c129540f451279b
SHA256 879a60f6b27897dd1486e681b54d7635f1cbe9c56f69606511fc1573ccc5eb9d
SHA512 3a934e80ac23b6fe55032c05469a453c9171eaf7a3c7870f9707cbbe41671f55b03a563e52e6b440a3c29197b117c92b0fb1d66a38e613a9d020d5e43cc107c5

C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe

MD5 45b305bdd37c97273ae1ec96d3db6899
SHA1 86cf38fb9c0fd9411cdec9f9552e12f0906e0a68
SHA256 0c80e797a7452198fab95feb1184ef11c18670c92b01be99e5f4bb7badb41436
SHA512 a1a7b9c3ef353bc0f7ee591a1cd30c49cd50159886b0da120302d5b97cbda90e4c9cdf9fac058f6dee3f257eb41c3e5ef0faea5b1a22a55cc57c602d5ae64a9c

C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe

MD5 ac9ab5a456d663231ba2407492d2eddf
SHA1 7a6f6e4ca8c4bee1060555ddc2009bb564e74d96
SHA256 5ef8ae8de119e858043392dae9733b6fb1078afc4b836940d45458264eea0996
SHA512 8555bfd89866362c2e205a38b67ffcea67c3ffb29d0793de168936fb63c316dbf810ffee35bb520b7ada604144933fa247b123c8c13bdf4b4b50b057c43cf1cd

C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe

MD5 97eca6bb2e82095fc1b4ad37aad34c4f
SHA1 bb652ce2b3e0770fa5cacd4da40a13dc72777b67
SHA256 e0b0bcded9355370bc65734decabcf97cf920026c1e5ac767daafeb077abda4b
SHA512 37c2b3b38966242eca4eab8931ac94beaee60ca1bdb6cb86719ba6d7ffaae0d53f3b086b76275cc856337a16e5fa1db24c73cbaf6003fed9fe522b4e875f5206

C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe

MD5 97be8a348ae2e835fefcba831b1c97bc
SHA1 9d4d3c6521041c269cd6118fd96066ddd14af7aa
SHA256 a060c9bf3d5c6acd45ecd0fa34724bc0b43d2835988adb47bf57e426dd7f992c
SHA512 f146a51b6cabfd2440d70b09a747ee2a02f415503ad16b60f07d9b0996ff2c064a2486786ed053fa114be08a64bdf9756fe7624f94c3b2e31eca70a5797b04e1

C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe

MD5 355aafac59eae3c8d6028b44822bb8b2
SHA1 f05b6bf032d7dc2a5e56e2bca00eefa06bfd3d26
SHA256 19627490c00de9143b078c3f027e1b2d03e75ccf313613f57648ec69439a6dbe
SHA512 63bb502885765bf1d21618159f6943719030a9301a331c26452273b1cf91797b28487db8edb38b44f11706118d37f487be58aee527de19642064fb10c7ed0ac7

C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe

MD5 e1695743024df604140a61181bae51fc
SHA1 d5b203f56963314db28e7273de38548754e6dbf2
SHA256 9713ae2d0c7dc8f5b204144def75068e2faeb76d4db70212a1d2d300d1b78ca5
SHA512 79e7393f9e690a7fd2df4abc99abce127c204a5a74f8c3ded07dba0108ede7e9c1b630acf81a062618968fead1082db5b7bc9a0becf9b0a057d5e90263078968

C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe

MD5 7a7ad37f6f336e30ddb3f37aa4300917
SHA1 99f79c54d61aada85fab3884fc241327e32af862
SHA256 2bd8a6e89bb3888ca900d151877c303873a9de11803ce797e392c87a52853b26
SHA512 5f8aeba4c490572333f4ece215422daf358ade01a3c30bb36778695a0b0de55b3fd8106afba6737bb60cec2a006cf2a009e247ba0ee69e1eb626a9b9a2854482

C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe

MD5 2fd17add3928887ea89e93f448867163
SHA1 1a89311d494a8309295d417f372febd9225a26d7
SHA256 77901ab2afecb8fcda8bd3a79d40983e75ded7562021b2265231a850d38b6a25
SHA512 b85421fe6cf71dcef830fb40087dc5baf96dea8160a71ce5022e9647a2324c16a65dc9a8e35d2916500548da1ba714df6b4871047dfb4e0e8048113d1771a298

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 23:22
Reported: 2024-03-02 23:25
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"

Signatures

Auto-generated rule

12 matches recorded; no description, indicator, process or target is given for any of them.

Modifies Installed Components in the registry

persistence

Same mechanism as in behavioral1, here on the 64-bit Windows 10 image (key shown as WOW6432Node): each stage registers the stage it drops. Every GUID differs from the first run, so the GUIDs and file names are per-run values rather than indicators.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}\stubpath = "C:\\Windows\\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe" C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}\stubpath = "C:\\Windows\\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe" C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AACE733-D40F-4085-AD76-84BE7353859B} C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}\stubpath = "C:\\Windows\\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe" C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}\stubpath = "C:\\Windows\\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe" C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DFF0C2-A810-4199-B651-C8391022BF19} C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074DBE8F-4E21-49e1-A330-499557A09302}\stubpath = "C:\\Windows\\{074DBE8F-4E21-49e1-A330-499557A09302}.exe" C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD} C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}\stubpath = "C:\\Windows\\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe" C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D4680D-BA9C-4c80-9504-646A16104998}\stubpath = "C:\\Windows\\{99D4680D-BA9C-4c80-9504-646A16104998}.exe" C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08} C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC52356C-CC8D-4231-9255-CA0691BBD852}\stubpath = "C:\\Windows\\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe" C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DFD35C-6FEA-4e42-8376-B394404B1AD7} C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0} C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DFF0C2-A810-4199-B651-C8391022BF19}\stubpath = "C:\\Windows\\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe" C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074DBE8F-4E21-49e1-A330-499557A09302} C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D4680D-BA9C-4c80-9504-646A16104998} C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5} C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC52356C-CC8D-4231-9255-CA0691BBD852} C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}\stubpath = "C:\\Windows\\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe" C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213} C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}\stubpath = "C:\\Windows\\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe" C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AACE733-D40F-4085-AD76-84BE7353859B}\stubpath = "C:\\Windows\\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBD5B11-1C4B-487f-801C-1DE109ADB838} C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe N/A
File created C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe N/A
File created C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe N/A
File created C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe N/A
File created C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
File created C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe N/A
File created C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe N/A
File created C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe N/A
File created C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe N/A
File created C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe N/A
File created C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe N/A
File created C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
PID 1064 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 2120 N/A C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
PID 1112 wrote to memory of 552 N/A C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4380 N/A C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe
PID 2120 wrote to memory of 5068 N/A C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 5012 N/A C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
PID 4380 wrote to memory of 3504 N/A C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 2480 N/A C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
PID 5012 wrote to memory of 3512 N/A C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 968 N/A C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
PID 2480 wrote to memory of 1600 N/A C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2484 N/A C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe
PID 968 wrote to memory of 3004 N/A C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4724 N/A C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
PID 2484 wrote to memory of 432 N/A C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2468 N/A C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
PID 4724 wrote to memory of 5032 N/A C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2320 N/A C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
PID 2468 wrote to memory of 2712 N/A C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4308 N/A C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
PID 2320 wrote to memory of 1376 N/A C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"

C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe

C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe

C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9AACE~1.EXE > nul

C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe

C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBD5~1.EXE > nul

C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe

C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{99D46~1.EXE > nul

C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe

C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C53BB~1.EXE > nul

C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe

C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DFF~1.EXE > nul

C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe

C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B809E~1.EXE > nul

C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe

C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{074DB~1.EXE > nul

C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe

C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC523~1.EXE > nul

C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe

C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0DB~1.EXE > nul

C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe

C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53DFD~1.EXE > nul

C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe

C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A4~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe

C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe

C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe

C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe

C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe

C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe

C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe

C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe

C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe

C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe

C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe

C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
