Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3dgsraag32
Target 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye
SHA256 73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5
Tags persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5

Threat Level: Known bad

The file 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:23

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:23

Reported

2024-03-02 23:26

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89494701-917B-4d69-8BED-1BB7753C5AF0} C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1} C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9} C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4160388C-A54B-48e5-AFD9-EA793FA0A672} C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}\stubpath = "C:\\Windows\\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe" C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D} C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89494701-917B-4d69-8BED-1BB7753C5AF0}\stubpath = "C:\\Windows\\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe" C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}\stubpath = "C:\\Windows\\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe" C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59} C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86} C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}\stubpath = "C:\\Windows\\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4160388C-A54B-48e5-AFD9-EA793FA0A672}\stubpath = "C:\\Windows\\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe" C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}\stubpath = "C:\\Windows\\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe" C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6FA4E9-8460-4cbe-850F-098448677A80} C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6FA4E9-8460-4cbe-850F-098448677A80}\stubpath = "C:\\Windows\\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe" C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA58297-FFD3-44db-A01C-C17A5F501696} C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA58297-FFD3-44db-A01C-C17A5F501696}\stubpath = "C:\\Windows\\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe" C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}\stubpath = "C:\\Windows\\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe" C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD} C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}\stubpath = "C:\\Windows\\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe" C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6} C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2} C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}\stubpath = "C:\\Windows\\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe" C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}\stubpath = "C:\\Windows\\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe" C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe N/A
File created C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe N/A
File created C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe N/A
File created C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe N/A
File created C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe N/A
File created C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe N/A
File created C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe N/A
File created C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe N/A
File created C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
File created C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe N/A
File created C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe N/A
File created C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
PID 1704 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
PID 1704 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
PID 1704 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
PID 1704 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2704 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
PID 2980 wrote to memory of 2704 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
PID 2980 wrote to memory of 2704 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
PID 2980 wrote to memory of 2704 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
PID 2980 wrote to memory of 2588 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2588 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2588 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2588 N/A C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2388 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
PID 2704 wrote to memory of 2388 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
PID 2704 wrote to memory of 2388 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
PID 2704 wrote to memory of 2388 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
PID 2704 wrote to memory of 2992 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2992 N/A C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1392 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
PID 2388 wrote to memory of 1392 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
PID 2388 wrote to memory of 1392 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
PID 2388 wrote to memory of 1392 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
PID 2388 wrote to memory of 580 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 580 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 580 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 580 N/A C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1880 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
PID 1392 wrote to memory of 1880 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
PID 1392 wrote to memory of 1880 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
PID 1392 wrote to memory of 1880 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
PID 1392 wrote to memory of 2780 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2780 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2780 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2780 N/A C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2908 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
PID 1880 wrote to memory of 2908 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
PID 1880 wrote to memory of 2908 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
PID 1880 wrote to memory of 2908 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
PID 1880 wrote to memory of 1892 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 1892 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 1892 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 1892 N/A C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 1252 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
PID 2908 wrote to memory of 1252 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
PID 2908 wrote to memory of 1252 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
PID 2908 wrote to memory of 1252 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
PID 2908 wrote to memory of 1324 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 1324 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 1324 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 1324 N/A C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2520 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
PID 1252 wrote to memory of 2520 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
PID 1252 wrote to memory of 2520 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
PID 1252 wrote to memory of 2520 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
PID 1252 wrote to memory of 2744 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2744 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2744 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2744 N/A C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"

C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe

C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe

C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F457D~1.EXE > nul

C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe

C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{444EF~1.EXE > nul

C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe

C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41603~1.EXE > nul

C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe

C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC102~1.EXE > nul

C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe

C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1BA58~1.EXE > nul

C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe

C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{33ECD~1.EXE > nul

C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe

C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{89494~1.EXE > nul

C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe

C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1B6~1.EXE > nul

C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe

C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA80D~1.EXE > nul

C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe

C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A65D9~1.EXE > nul

C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe

C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6ADC~1.EXE > nul

Network

N/A

Files

C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe

MD5 19dd66d6e03731e853c3f913fad3c9dc
SHA1 aa609fb963cbd978869d3ce807347fd1cb0be3b0
SHA256 c69c08cdc5d4386a2e2ab8ef11611a037365b2326ef132eda3e7c1d855adb910
SHA512 9bd46b04b8f0df0c4270ea1e783a057dcc388ab850d5688fc5430039b82c63670fe67ce508c79e14ab32560820c294d32fdc2c36007c5b75a4cad1c12daf7110

C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe

MD5 2341cdd9bc2e637c5115066e12ccff20
SHA1 b5810615d4c594ca570d478205d44d9e91148678
SHA256 807151ad9b9ea2c66d773a7228e4e46f2b55204b135f44df6ce0d1cd4a6d1655
SHA512 df80a65bbdece33de8d313c49eba293bb6e3b3aa5d31e8a430260e4e0a730c37f8381e8ef932e2f90b0249d295974dbbad73211fe36e1e6948903f0dd2cfcd1b

C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe

MD5 e0b202ca06201b76882c9db30c08bdc8
SHA1 30adcb217d05127aaa4652a6ffee4715e3022878
SHA256 20ab1c1862250e33e425101a689d68290d93c9550826a36ee463d507f4174161
SHA512 667765d06ba99c74b341504d75c2a2708de2e2d4b509f3bb4ebad7e48f53ce59bf84e6d2d148d902fe0c496e6000ce4265260c3756a47a0be36b7a9df3187027

C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe

MD5 e05cd6bdd459afa849c9756e3ade185f
SHA1 08e0e380bf10083a192406ed37e1d0fdf694cef2
SHA256 f8362220290937a7b8812a72e6f0e7e137612b22b9ae881e8359309e4538380b
SHA512 8dc0fccf9ff2a6f2646a5cbdbfcc91e8e2c99b18f89245b6c9a02e21f4899dfdb7ccc434b09cd439ff1223a691fb87105c86e675d57879ce9daef2b4c46b992f

C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe

MD5 6fe04b71d10145c6009b2c3c85286b2a
SHA1 0068efbc843801259e4c936340960657aa60d8dc
SHA256 f28bac4c095c1bdcd778d6cfcc53187624fd5ed67088e5f6b4231bc9e4c16a65
SHA512 ad2e19b639973b55b05a70b5e3b00d85cbbc501325d320ffa45b24bff51f62d573c1183ec7e7c5e886637948bdb15ef8fb5a8d65ade2c207358fca1f102e48a9

C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe

MD5 3da95a11d54d8085456a3968ca46e144
SHA1 bd2b53da278aa6ae87e41ee1facb7d127ea1824a
SHA256 bc1325d5485ee19ca10cfc00256c8e32f6d03951b99ee801c3b2b69245cc051c
SHA512 f07e470747c786d6cf492b73c79c88246149d956e6ef437dec681c326806e7ed7d9a07a8b279a00750d7045965da184e9119b19aff69bbfa4b9bbc8aa469a761

C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe

MD5 ed12772c6d0118d7d50b1bdf2945282a
SHA1 195d7dbd4f120352f6a5aef223dc8cbb633a0ac7
SHA256 78ddd048682a6b9fdd72119575b7d3ba2f2443861f7dd610bb2ef71f374c8f4a
SHA512 b7d4d10b050c4f5d5cde79950d5d857ba0c44ce9ec17701361d5525683757b5466e9750e3b0adae0d66e8cb0e12ae464bc08a397719cd88c399d113a6dd5801e

C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe

MD5 177e436badb9c1cad8bd2b2969a1b814
SHA1 d418bd3d46896b6b73b1666b28640c6454511a69
SHA256 666abdf44b0fa1a81922d82d2fb61a9d57b1e1a9f1be8eab3838799abfe7b5f0
SHA512 14c05e57f58a5553a856bb84b17f6b5d83ee6ad463c884455bedcd3bd4481da7e861a7d61a519491d2b5e351f51e14c03cd1c6a66206ee95f1aec83a50691847

C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe

MD5 4029006a148c5110ee41e6c750753dce
SHA1 7852be8e1e2b611de2e3b396d71dd12f3346cc30
SHA256 2e8d6f8ad94e213213a79ddccf14ae19c0fe754ded2e25da2572c71176458b26
SHA512 309cc28350bc00e588f57f6284f14d6f7f5c8045f29b733f41cb0bd9e1c9c6437c58dcd11b766bbb2f210203120affdc971a1b2b70827fc874bc5b415bb49d39

C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe

MD5 49d618031aa706f84e5f3844ee78a692
SHA1 0f468c6741f934f31364e07743212c1ebc5a0570
SHA256 780344dcb308065ac7ab4b8778792e9e37d5e5c32b3012960cbb116f13b5d6d4
SHA512 7def4b301e955e95dbf0879d4ecda59f32b47f5878f1ff6db1b14047c04c3cf1a638f0f36b2a1da77272cd24d5a5958597373deee90da0a2fc552992ec2a89af

C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe

MD5 613f2ad97542a487a26f360089250e84
SHA1 fc009aa0e33b8338e62f57edf6f9760925a93651
SHA256 5df7133ca0186d6b350b44c9014d8b8c3d50bd4c489049170f8010134d7e9bd4
SHA512 2f5baef724c7cec113cd4692eaa7014d1f1f74f57222ab3ff722020e8ce3032097583053bce8c825831039d7298ef594c3a1406e4a013dcb21df9aeade3244a9

C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe

MD5 fb4538c26575f82251a6b1f3caed779b
SHA1 884b180ed9e29a53749ce3bb86668fe1e2a9d0c1
SHA256 3da6c6fe57ccf4b60787a0d5280426cce802dabdbe5a05436e690202c66db02f
SHA512 2b01d8425155191e2361df215e44ee6945ba65530bac73ee8d9a6479c773c31dc0e4701508e8d6f62563fa0ea686f01368e75fa217b2bfa853a7320b470be3da

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:23

Reported

2024-03-02 23:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDD9A4-2E61-4951-83D4-A6221473DE44}\stubpath = "C:\\Windows\\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe" C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83C4698-91C2-4a39-8475-D5889B245D6D} C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83C4698-91C2-4a39-8475-D5889B245D6D}\stubpath = "C:\\Windows\\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe" C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B53402-B2A7-443c-94D9-9A9EF433B625} C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546A100-6D1E-4539-95B4-7D9630D41E13} C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546A100-6D1E-4539-95B4-7D9630D41E13}\stubpath = "C:\\Windows\\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe" C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}\stubpath = "C:\\Windows\\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe" C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}\stubpath = "C:\\Windows\\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe" C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}\stubpath = "C:\\Windows\\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe" C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22468F8-2413-45e5-BBEF-083E79560F7C} C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}\stubpath = "C:\\Windows\\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe" C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDD9A4-2E61-4951-83D4-A6221473DE44} C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B53402-B2A7-443c-94D9-9A9EF433B625}\stubpath = "C:\\Windows\\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe" C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844AF8B5-67E9-4b60-B862-D0132AB79617}\stubpath = "C:\\Windows\\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe" C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB} C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0} C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0948C779-DDDD-4b8b-A74D-73DCF1171F57} C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22468F8-2413-45e5-BBEF-083E79560F7C}\stubpath = "C:\\Windows\\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C13666-E42E-4851-9D5C-A2B21AD239BF} C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E} C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844AF8B5-67E9-4b60-B862-D0132AB79617} C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C13666-E42E-4851-9D5C-A2B21AD239BF}\stubpath = "C:\\Windows\\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe" C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}\stubpath = "C:\\Windows\\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe" C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1} C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe N/A
File created C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe N/A
File created C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe N/A
File created C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe N/A
File created C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe N/A
File created C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe N/A
File created C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
File created C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe N/A
File created C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe N/A
File created C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe N/A
File created C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
PID 4464 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
PID 4464 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
PID 4464 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 3908 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
PID 2608 wrote to memory of 3908 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
PID 2608 wrote to memory of 3908 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
PID 2608 wrote to memory of 3960 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 3960 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 3960 N/A C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 3952 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
PID 3908 wrote to memory of 3952 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
PID 3908 wrote to memory of 3952 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
PID 3908 wrote to memory of 1044 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 1044 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 1044 N/A C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3248 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
PID 3952 wrote to memory of 3248 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
PID 3952 wrote to memory of 3248 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
PID 3952 wrote to memory of 4052 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4052 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4052 N/A C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 4896 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
PID 3248 wrote to memory of 4896 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
PID 3248 wrote to memory of 4896 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
PID 3248 wrote to memory of 4424 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 4424 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 4424 N/A C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 2740 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
PID 4896 wrote to memory of 2740 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
PID 4896 wrote to memory of 2740 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
PID 4896 wrote to memory of 4000 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 4000 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 4000 N/A C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1660 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
PID 2740 wrote to memory of 1660 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
PID 2740 wrote to memory of 1660 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
PID 2740 wrote to memory of 4276 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4276 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4276 N/A C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 768 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
PID 4864 wrote to memory of 768 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
PID 4864 wrote to memory of 768 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
PID 4864 wrote to memory of 2364 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2364 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2364 N/A C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2280 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
PID 768 wrote to memory of 2280 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
PID 768 wrote to memory of 2280 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
PID 768 wrote to memory of 4824 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 4824 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 4824 N/A C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2816 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
PID 2280 wrote to memory of 2816 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
PID 2280 wrote to memory of 2816 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
PID 2280 wrote to memory of 2532 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2532 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2532 N/A C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1184 N/A C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
PID 2816 wrote to memory of 1184 N/A C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
PID 2816 wrote to memory of 1184 N/A C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
PID 2816 wrote to memory of 2192 N/A C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"

C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe

C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe

C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2246~1.EXE > nul

C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe

C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02C13~1.EXE > nul

C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe

C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F01C5~1.EXE > nul

C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe

C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60FDD~1.EXE > nul

C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe

C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C83C4~1.EXE > nul

C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe

C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60B53~1.EXE > nul

C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe

C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C546A~1.EXE > nul

C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe

C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{844AF~1.EXE > nul

C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe

C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06E78~1.EXE > nul

C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe

C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A705C~1.EXE > nul

C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe

C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{922BD~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe

MD5 ab4f5f4702d7d1e8256056a0a436e4b2
SHA1 1b6ee746c13a4af8c6ad9335411d57e756335cb9
SHA256 a0f02b6efb02183ae16d34882417cfa7d62c54b3fcf11a4a16486a5904fecbd2
SHA512 77a7dee410e595a2859786a19987baab9a66cadd9c83c537b1de25e6cb690dfe5284f11ff0842e33f06a4ee822d18a9242c62c316f1496eb7044a2b0f28b063b

C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe

MD5 a00470546208979fbef9de90c66ee2e7
SHA1 6a551484118040a05cd48dab14a3461346eff7d9
SHA256 790af07a96a255f1b008b07857be199d5bd6a1b81e22ae27d5fa92d84be554c2
SHA512 ec66304e79dddaa9d1cb5dcdd1538414c799915d53b488fadf933f677ad06c6e41b484403ef23777cf6f27454571fb312803bdcb8b5ed854ecbf6ec369f85207

C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe

MD5 1eb1efa41a1f8a74ab5202983fafd400
SHA1 1f97fb40f8b9031e5a88aacdbf429eecbf7f2122
SHA256 31bdd84953cfd5a162d330ce1cfe21f5aacbe239dc665139d519cd2362d06877
SHA512 d6ca79ee320b6b5e53ea4db2e70574a31ca9d0478a345397b35f4db75cd9cd4b49785c9333714a4027939f6ce82bdec77b6bd13953d2441f052255f83c1788ec

C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe

MD5 90daba52049b932a0bee2a6c4a99b529
SHA1 13a41c1ef35a88a5cd7c35881fa68eb3b4c10e6d
SHA256 961de6077251df4dc460ba85f917d8f68888ec903d86bac0b8eb33e161b4eea0
SHA512 e1a4854c123cb56ee3b695b0e806741a77a02196c833313926644115cf8ee44a6ccc4651883373ebbe2d4c796ac9cc6528a4f45fed1c6a36f373bbb05de72cf5

C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe

MD5 08ce0da54c7a22c30affef5319fb0a57
SHA1 2257aff90e9691a3a1e651ab6cadaef38afc592d
SHA256 1a0200d31a27dd94891f04ad20aa9992cb8231ec8b81cb7ce15347a9dd4e908a
SHA512 84860e47798499ddd540f652d79103558ebc2ea12edffd4eee6a8eefb1c0457ebebc678f10f0d3c318808ab458a900bdf3fedc9e50646fb8eee5bdc16411ac1e

C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe

MD5 9d53619cd30fa43882b647c0e414d2b0
SHA1 892174098883a3924f2b6fc102554140b4fe07d7
SHA256 fd6f36ab2cd315e1bf19a8a27e93c3212c5ae4915677010dbfffa1100b22ef68
SHA512 d955b90b7db5b19737554dd36868e9109303ad84d2d8a3247900ecb8fc7538605afc49d0f2499dc3c2cb7077bb9bd30de85d9a30a01e4b8e2a5a76ea3f177a3f

C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe

MD5 f38d5d6e495123ab90dcea1c9396cd5d
SHA1 fb94c4cdfc82418cb5f66d9dbcc37a30f828d625
SHA256 5548f22f61c39454860189d9fa29037aebb5bcaa9e79f06e6b1cec4353a4514e
SHA512 9b08442243e4139fd7f5d745fca1ae1dc6f95f4debed2a556102019f96f443a3af6c777a93ec5313541c71f44a64d8ade91ac597841f9ca5a93521e273dc990b

C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe

MD5 b580fef4b3f0694af11dafe7d420ca32
SHA1 3d5c003f97c3fdf195a04e9fa1ae5e3ee942e842
SHA256 72d0ed1fc33354930117e354700f1fcc6dcf061686c6b747233bae08718d1032
SHA512 8a4f0043bb892cd9b4f77a27778aa5eedcb429b785ff6b0366d23c97f79ea081bf400eb63803803cfeff5bb7e124dfd7e6222216cf84b2b157e88c9dac205177

C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe

MD5 132db0dd058db563b45cc32b07385940
SHA1 e3a31c642306be6bc5defb4793b8173cc4abb1d2
SHA256 4839377d0b71c92936a9dd32c84abb6558ae582de41c5c668e7137c837bdaac9
SHA512 7ee5724e8d200cbb16550b32d0b34c671d7fb59d04dda72279e289c316a166b8f5dbc157bc1229ad7868dc1d853b0b2d8ecf101b744d9157fead2286dc57d427

C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe

MD5 9ac1b1ebc8269f440e033d83c7456314
SHA1 bdb6a44dd3d735561c853a9c6f2e5d35b522ad79
SHA256 34fc1b6388aa77487462d8af99772aaff3b04089cba3480d97e941e323eae623
SHA512 008ec4d50ab8137389a3b6618851401b5a8873d1ad36e3fd690e2ad4c283fd90d990138a5d1959725370b3d81dff32064afcdf17220a7bda9979dc0e67dcd989

C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe

MD5 fd4aaef922b7bbbce0f98f0d21892f93
SHA1 795e470ade6ffd2bccf39deaf95f1a3f9af4e504
SHA256 ad508dad33e8f018a69448d1012f703c64e7098d5b2e306d894b8c50142fb523
SHA512 45d9647ccb364c8c0c29369fbe24928e0d2ae4514c3d76a876e0c6ffa86d5f731e605834bb831e66c33364bd0a217f03ab2c47eb8e4176fac4c0bd60769ff6bf