Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1hbq7acd79
Target 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye
SHA256 69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354

Threat Level: Known bad

The file 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:38

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:41

Platform

win10v2004-20240319-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325} C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}\stubpath = "C:\\Windows\\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe" C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}\stubpath = "C:\\Windows\\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe" C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666} C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}\stubpath = "C:\\Windows\\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe" C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3}\stubpath = "C:\\Windows\\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe" C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6} C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}\stubpath = "C:\\Windows\\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe" C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}\stubpath = "C:\\Windows\\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe" C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561} C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561}\stubpath = "C:\\Windows\\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe" C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}\stubpath = "C:\\Windows\\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe" C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D}\stubpath = "C:\\Windows\\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe" C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8} C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666}\stubpath = "C:\\Windows\\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467} C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3} C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B}\stubpath = "C:\\Windows\\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe" C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3} C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8}\stubpath = "C:\\Windows\\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe" C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965} C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B} C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B} C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D} C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
File created C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe N/A
File created C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe N/A
File created C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe N/A
File created C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe N/A
File created C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe N/A
File created C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe N/A
File created C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe N/A
File created C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe N/A
File created C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe N/A
File created C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe N/A
File created C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
PID 2460 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 2900 N/A C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
PID 3224 wrote to memory of 2532 N/A C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3376 N/A C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
PID 2900 wrote to memory of 3236 N/A C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 1584 N/A C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
PID 3376 wrote to memory of 4092 N/A C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 3208 N/A C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
PID 1584 wrote to memory of 4588 N/A C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 3032 N/A C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
PID 3208 wrote to memory of 2500 N/A C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 660 N/A C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
PID 3032 wrote to memory of 532 N/A C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe C:\Windows\SysWOW64\cmd.exe
PID 660 wrote to memory of 2288 N/A C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
PID 660 wrote to memory of 1912 N/A C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 3592 N/A C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
PID 2288 wrote to memory of 3916 N/A C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 3236 N/A C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
PID 3592 wrote to memory of 4176 N/A C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2288 N/A C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
PID 3236 wrote to memory of 1828 N/A C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"

C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe

C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe

C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2229~1.EXE > nul

C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe

C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{943AC~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8

C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe

C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F69FC~1.EXE > nul

C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe

C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AD77D~1.EXE > nul

C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe

C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A4691~1.EXE > nul

C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe

C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{03379~1.EXE > nul

C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe

C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{44B3F~1.EXE > nul

C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe

C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{064EE~1.EXE > nul

C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe

C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56499~1.EXE > nul

C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe

C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{191B3~1.EXE > nul

C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe

C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00FB8~1.EXE > nul

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:41

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084}\stubpath = "C:\\Windows\\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe" C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B} C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A}\stubpath = "C:\\Windows\\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe" C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}\stubpath = "C:\\Windows\\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe" C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3} C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}\stubpath = "C:\\Windows\\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe" C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD}\stubpath = "C:\\Windows\\{32148707-3305-494f-A23A-AEC08124CDAD}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084} C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}\stubpath = "C:\\Windows\\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe" C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0} C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A} C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}\stubpath = "C:\\Windows\\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe" C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}\stubpath = "C:\\Windows\\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe" C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C} C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5} C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}\stubpath = "C:\\Windows\\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe" C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A}\stubpath = "C:\\Windows\\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe" C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A} C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008} C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD} C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2} C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}\stubpath = "C:\\Windows\\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe" C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe N/A
File created C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe N/A
File created C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe N/A
File created C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe N/A
File created C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe N/A
File created C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe N/A
File created C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe N/A
File created C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe N/A
File created C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe N/A
File created C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
File created C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
PID 2804 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2488 N/A C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
PID 1216 wrote to memory of 2608 N/A C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2500 N/A C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
PID 2488 wrote to memory of 2332 N/A C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2776 N/A C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
PID 2500 wrote to memory of 2988 N/A C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1848 N/A C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
PID 2776 wrote to memory of 1096 N/A C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1428 N/A C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
PID 1848 wrote to memory of 1840 N/A C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 2288 N/A C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
PID 1428 wrote to memory of 2304 N/A C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1916 N/A C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
PID 2288 wrote to memory of 944 N/A C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"

C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe

C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe

C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{32148~1.EXE > nul

C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe

C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4613~1.EXE > nul

C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe

C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5263D~1.EXE > nul

C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe

C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18989~1.EXE > nul

C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe

C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A456D~1.EXE > nul

C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe

C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA72~1.EXE > nul

C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe

C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0730A~1.EXE > nul

C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe

C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD29~1.EXE > nul

C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe

C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{69263~1.EXE > nul

C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe

C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AC8~1.EXE > nul

Network

N/A

Files

C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe

C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe

C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe

C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe

C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe

C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe

C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe

C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe

C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe

C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe

C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
