Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-tx551seh3y
Target 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye
SHA256 9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689

Threat Level: Known bad

The file 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:27

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:27

Reported

2024-03-02 16:29

Platform

win7-20240221-en

Max time kernel

151s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}\stubpath = "C:\\Windows\\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe" C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240} C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8} C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}\stubpath = "C:\\Windows\\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe" C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}\stubpath = "C:\\Windows\\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe" C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844} C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54} C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82615CFC-85E9-4b39-BE0B-C9035496F600}\stubpath = "C:\\Windows\\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe" C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}\stubpath = "C:\\Windows\\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe" C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}\stubpath = "C:\\Windows\\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe" C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB3F306-B49F-42f0-A0BA-28185E3286CF} C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D} C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B} C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B963F48-001B-4332-9BBA-5109266F44E2} C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B963F48-001B-4332-9BBA-5109266F44E2}\stubpath = "C:\\Windows\\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe" C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}\stubpath = "C:\\Windows\\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe" C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE} C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5261F3-E645-4037-AFAF-30BDCD25F287} C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE} C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}\stubpath = "C:\\Windows\\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}\stubpath = "C:\\Windows\\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe" C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82615CFC-85E9-4b39-BE0B-C9035496F600} C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}\stubpath = "C:\\Windows\\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe" C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5261F3-E645-4037-AFAF-30BDCD25F287}\stubpath = "C:\\Windows\\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe" C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
File created C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe N/A
File created C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe N/A
File created C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe N/A
File created C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe N/A
File created C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe N/A
File created C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe N/A
File created C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe N/A
File created C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe N/A
File created C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe N/A
File created C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe N/A
File created C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
PID 2140 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
PID 2140 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
PID 2140 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
PID 2140 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2448 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
PID 1752 wrote to memory of 2448 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
PID 1752 wrote to memory of 2448 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
PID 1752 wrote to memory of 2448 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2520 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
PID 2448 wrote to memory of 2520 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
PID 2448 wrote to memory of 2520 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
PID 2448 wrote to memory of 2520 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
PID 2448 wrote to memory of 2368 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2368 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2368 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2368 N/A C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2080 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
PID 2520 wrote to memory of 2080 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
PID 2520 wrote to memory of 2080 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
PID 2520 wrote to memory of 2080 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
PID 2520 wrote to memory of 2712 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2712 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2712 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2712 N/A C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2996 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
PID 2080 wrote to memory of 2996 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
PID 2080 wrote to memory of 2996 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
PID 2080 wrote to memory of 2996 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
PID 2080 wrote to memory of 580 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 580 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 580 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 580 N/A C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1964 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
PID 2996 wrote to memory of 1964 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
PID 2996 wrote to memory of 1964 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
PID 2996 wrote to memory of 1964 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
PID 2996 wrote to memory of 2040 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2040 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2040 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2040 N/A C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1532 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
PID 1964 wrote to memory of 1532 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
PID 1964 wrote to memory of 1532 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
PID 1964 wrote to memory of 1532 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
PID 1964 wrote to memory of 1892 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1892 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1892 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1892 N/A C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 1168 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
PID 1532 wrote to memory of 1168 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
PID 1532 wrote to memory of 1168 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
PID 1532 wrote to memory of 1168 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
PID 1532 wrote to memory of 588 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 588 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 588 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 588 N/A C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"

C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe

C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe

C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC275~1.EXE > nul

C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe

C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EED6C~1.EXE > nul

C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe

C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B8B~1.EXE > nul

C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe

C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B963~1.EXE > nul

C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe

C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50F05~1.EXE > nul

C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe

C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7C05F~1.EXE > nul

C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe

C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA7~1.EXE > nul

C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe

C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{82615~1.EXE > nul

C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe

C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB3F~1.EXE > nul

C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe

C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E67BD~1.EXE > nul

C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe

C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E526~1.EXE > nul

Network

N/A

Files

C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe

MD5 9caa402c2ecda1b24807186a12ab26a1
SHA1 1624f79f1725cb0b1bc3efc2ca2c904d864b716f
SHA256 6c3a6d52570d7f63bc4e1baed9438af82af244df7378d506084e17838c937b9f
SHA512 1b26d852dc09c11df05263676127e6b6d68bc2c5056bc5165199151cb33cc456326be7e7d261eb14e70ca7b88c2a529e9572942b115481ea2ccf5b285c509c0a

C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe

MD5 437f553309631815b83524f6b0a8015c
SHA1 c14b86e7fa9e0b3933f858a0bb64d3ef629763e2
SHA256 536a383bbe9fc71556efab8d786a79e4c8957fa0fad34ed96c800e8c1bc92497
SHA512 083a1564e00860d1ef96f4b93cc268fbeb6027633b7f41319f8d1901dfe81fab67b1740fc687439c747531ef394bc199a3e12124da74be3a4ebd82f0a53286e0

C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe

MD5 3367e083a8d1329e3e9be49983d70384
SHA1 e79832f9f276a09c366baac202cee9209f42dc97
SHA256 fd896e8160e6297bd72e4608f53697b26b4811426125e0fe642b9570576cead1
SHA512 72c0cb9386cb5299abbefdb58124b460dcbabd42e84f8c73597bc75c634c15ac6537f8fb8febf33f45149fd4df829d18ab83c7e4140229a69e5a55ba407bc67a

C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe

MD5 60190b6859946ecea172554c14c8e6f7
SHA1 d26cedc54d801157fa57999a389dc572eba2e400
SHA256 ec0af3cbb9a99d4355ec7b8c3f276343227a96977b95fbc0afc80e23773b87e3
SHA512 7d31805dc601826173b4148f6a94e5b15cf145bbc8ce57b6117ca211b784dfee36e4716df4eaaed4f7cdb440931e64a12d65552ad1eb33f045c7a2e5bfaaaa74

C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe

MD5 c8729f000c1d8d62690489f56cf8b22f
SHA1 1c93b668df19c2b213f88fa550150a424c015413
SHA256 2e5f1dc39563c33c729b3dd8d9985e865dcaa5da6a28b531d80988311055f8c2
SHA512 0913ee1c09005cf2beef5a7444438dbd814f2ae4e137b102198abfcc215390baacd9119f3dc402cfd562b8b259ebeba3f28960ece151aceb3ac0d1e96bfea833

C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe

MD5 c68077a1f19cabc83bbc2c467d8d7031
SHA1 3b81248cd1b049940371c43b9927c580214d3a65
SHA256 9490ee55655f967407790556e332c69b15ecd388e36423560b551de7ed64e919
SHA512 7aeec26dcfbb3ae316a44897b39af5885895a80af94318b76c4a28c9ab425567a710e2395822e7c639f3c44021b61f1af958345ce970c7bce1c75194c750efab

C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe

MD5 e038dfd3c23c80927f9a33972f38c8f4
SHA1 afad7a8c28803b575be2ef00abb07ab636be3471
SHA256 ee1a7e6ea1a9a22aebd48832f2f4e988e563280d493182be3440b9f506fbe67e
SHA512 f0b5a21c64be629e12be56dd9dbe85af364694cafb3387acc25a906c8bac5e95d353a18d1973fd7ac87c9e350d3eede57aeb6cb549385f9aa3727a73830a09f1

C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe

MD5 aab357d4b3e0e14a8310095a2ce5af8c
SHA1 878f07764831d4a03824c37d326a26d8d6c48194
SHA256 0ddedbb24dd6be90bc0d79feaaab7e5aae11d9bb53ea2c7de9f1cac85e957c7a
SHA512 cdcefebf8c5b149dd641b2b39f864a1a0809aa0351a79912a4810dfa880b4e7abf01a56eafbc7f6d1d88d0ddc3953c1a0b1bda68cc2e487c0ae8a9ed78d26f2d

C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe

MD5 3e6a89b74e8dea1f0c28a64f928d9c71
SHA1 1418acf7d9dbfebcfbcebda9a2b871cb3234bd9f
SHA256 ec0f322296eb3ee997ecf20378eea5d7b32854a10c608b6548c3658f5f3dd088
SHA512 487b2b0ec3a748c28fd463efe9b1d862997226ba5a63ca2f19fa4095a20fd43699c2e1fe7d711085a9807824ab3b15273b9260f84b2fe6eb978adc65c929c350

C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe

MD5 06272e755c384de1a081d2395b7f7b2a
SHA1 8df14bca266be3ecfc3cc3fa2f4dc647634398ff
SHA256 51d55b87e028ea0be9136782bb3411ebdbd30ea344ef3c815e4123cfa253e921
SHA512 805ee201ed564e7693be3aecfc0c2d43baf18b753f95589f86eaa1d8d91ce5f52ade109679e3d4f8d90333dd076894886c472091bce526850dbc67c08c8eb072

C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe

MD5 d9e53cff0c7416cf19881cd8af84aabe
SHA1 f1f960bec071cf452b9470ffb89a04f421927550
SHA256 6de67f9b4de05038ea3388a8eaed035dbc7c223dff4ae829b5216dc255f9b7a6
SHA512 c4e3317aae262493eed0b37b9f4da9ab37f664a7894b35714dda07a4fd204435248722eedd3d6fe8bed1df69c3869774aba759bfae509b0c6a9c9461c31c484f

C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe

MD5 52d97fd0c95607f5202d29b86c9f6c79
SHA1 aabd384a91c1a9c0477155e79a29aafa87a8dcc2
SHA256 e42312a0d9a337ac1afc2aa19eebffb2312a4a8381d4c105270f3940ea5144da
SHA512 e4da362deb83b491b96a1db3576fa7d7da1194994690ba8ea7fe4ebb4254bae3f895cb670fe89984a25cf1f6f876bd81e5f1a8d6d0b7106cb6717ebf5c60ee21

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 16:27

Reported

2024-03-02 16:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}\stubpath = "C:\\Windows\\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe" C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}\stubpath = "C:\\Windows\\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe" C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5} C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09} C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}\stubpath = "C:\\Windows\\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe" C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE} C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6} C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA985F33-A890-4b4a-A3BF-ECAF2F340068} C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4} C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}\stubpath = "C:\\Windows\\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}\stubpath = "C:\\Windows\\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe" C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}\stubpath = "C:\\Windows\\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe" C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BE3E2C-4B07-4bd0-9D63-9641B4310803} C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109E3B1E-9226-460f-9A30-02585EE25206} C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}\stubpath = "C:\\Windows\\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe" C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}\stubpath = "C:\\Windows\\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe" C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C1A391-9417-4250-B837-D94ACF5F76E8} C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C1A391-9417-4250-B837-D94ACF5F76E8}\stubpath = "C:\\Windows\\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe" C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB} C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E} C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C94FCB-2BA1-467c-8D4E-C477667EF06E} C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109E3B1E-9226-460f-9A30-02585EE25206}\stubpath = "C:\\Windows\\{109E3B1E-9226-460f-9A30-02585EE25206}.exe" C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}\stubpath = "C:\\Windows\\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe" C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}\stubpath = "C:\\Windows\\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe" C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe N/A
File created C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe N/A
File created C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe N/A
File created C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe N/A
File created C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe N/A
File created C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe N/A
File created C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe N/A
File created C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
File created C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe N/A
File created C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe N/A
File created C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe N/A
File created C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
PID 4228 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
PID 4228 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
PID 4228 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 5000 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
PID 208 wrote to memory of 5000 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
PID 208 wrote to memory of 5000 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
PID 208 wrote to memory of 4868 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4868 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4868 N/A C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 3780 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
PID 5000 wrote to memory of 3780 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
PID 5000 wrote to memory of 3780 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
PID 5000 wrote to memory of 4424 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 4424 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 4424 N/A C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2568 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
PID 3780 wrote to memory of 2568 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
PID 3780 wrote to memory of 2568 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
PID 3780 wrote to memory of 2992 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2992 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2992 N/A C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 3044 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
PID 2568 wrote to memory of 3044 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
PID 2568 wrote to memory of 3044 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
PID 2568 wrote to memory of 4036 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4036 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4036 N/A C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1220 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
PID 3044 wrote to memory of 1220 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
PID 3044 wrote to memory of 1220 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
PID 3044 wrote to memory of 4520 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 4520 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 4520 N/A C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 3168 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
PID 1220 wrote to memory of 3168 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
PID 1220 wrote to memory of 3168 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
PID 1220 wrote to memory of 1116 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 1116 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 1116 N/A C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3448 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
PID 3168 wrote to memory of 3448 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
PID 3168 wrote to memory of 3448 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
PID 3168 wrote to memory of 4176 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 4176 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 4176 N/A C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 1764 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
PID 3448 wrote to memory of 1764 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
PID 3448 wrote to memory of 1764 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
PID 3448 wrote to memory of 2128 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2128 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2128 N/A C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1920 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
PID 1764 wrote to memory of 1920 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
PID 1764 wrote to memory of 1920 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
PID 1764 wrote to memory of 2468 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2468 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2468 N/A C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 4240 N/A C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
PID 1920 wrote to memory of 4240 N/A C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
PID 1920 wrote to memory of 4240 N/A C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
PID 1920 wrote to memory of 1204 N/A C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"

C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe

C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe

C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{107DA~1.EXE > nul

C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe

C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93C94~1.EXE > nul

C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe

C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{631AE~1.EXE > nul

C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe

C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{12BE3~1.EXE > nul

C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe

C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{109E3~1.EXE > nul

C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe

C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D9ACC~1.EXE > nul

C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe

C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DC9B~1.EXE > nul

C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe

C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC9D3~1.EXE > nul

C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe

C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BA985~1.EXE > nul

C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe

C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{73C1A~1.EXE > nul

C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe

C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{617B6~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp

Files

C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe

C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe

C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe

C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe

C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe

C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe

C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe

C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe

C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe

C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe

C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe

C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
