Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-2d99made76
Target 2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye
SHA256 629abf54d77eaf26bebff5146d1535eef92a7d6894143521acf8d428754ed373
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

629abf54d77eaf26bebff5146d1535eef92a7d6894143521acf8d428754ed373

Threat Level: Known bad

The file 2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:29

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:29

Reported

2024-04-06 22:31

Platform

win7-20240221-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (11 hits, all fields N/A; the rule reports no details)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68EA5B4B-7714-4295-9D06-47A1B79235C1} C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68EA5B4B-7714-4295-9D06-47A1B79235C1}\stubpath = "C:\\Windows\\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D566DE58-58E8-4f64-AB0F-DF782A1C3636} C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}\stubpath = "C:\\Windows\\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe" C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}\stubpath = "C:\\Windows\\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe" C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779DD137-5626-4d41-9E89-54C7A013C4BE} C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C} C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}\stubpath = "C:\\Windows\\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe" C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}\stubpath = "C:\\Windows\\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe" C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31805F02-4BE0-403e-9D65-7A13722E1A9F}\stubpath = "C:\\Windows\\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe" C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}\stubpath = "C:\\Windows\\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe" C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB} C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}\stubpath = "C:\\Windows\\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe" C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E} C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}\stubpath = "C:\\Windows\\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe" C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43} C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}\stubpath = "C:\\Windows\\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe" C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8} C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779DD137-5626-4d41-9E89-54C7A013C4BE}\stubpath = "C:\\Windows\\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe" C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0} C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31805F02-4BE0-403e-9D65-7A13722E1A9F} C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12} C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe N/A
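The eleven "Set value" rows above describe one Active Setup persistence chain (ATT&CK T1547.014): at the next interactive logon Windows runs the StubPath of every Installed Components entry under HKLM that has no matching entry (or an older Version) under HKCU, and here each stage registers its successor's GUID-named executable in C:\Windows. The table is not in chain order. The Python below is an added example, not part of the sandbox report or of any tool it was produced with: it parses those rows (copied verbatim into REPORT_ROWS), walks the writer-to-stubpath edges from the submitted sample to recover the drop order, and flags StubPath values that point to a GUID-named executable sitting directly in the Windows directory. All function and constant names are the example's own.

```python
import re
from typing import Dict, List

# The "Set value" rows of the behavioral1 "Modifies Installed Components in the
# registry" table above, copied verbatim; the "Key created" rows name the same
# GUIDs but carry no stubpath, so they add nothing to the chain.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68EA5B4B-7714-4295-9D06-47A1B79235C1}\stubpath = "C:\\Windows\\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}\stubpath = "C:\\Windows\\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe" C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}\stubpath = "C:\\Windows\\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe" C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}\stubpath = "C:\\Windows\\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe" C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}\stubpath = "C:\\Windows\\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe" C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31805F02-4BE0-403e-9D65-7A13722E1A9F}\stubpath = "C:\\Windows\\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe" C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}\stubpath = "C:\\Windows\\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe" C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}\stubpath = "C:\\Windows\\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe" C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}\stubpath = "C:\\Windows\\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe" C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}\stubpath = "C:\\Windows\\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe" C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779DD137-5626-4d41-9E89-54C7A013C4BE}\stubpath = "C:\\Windows\\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe" C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe N/A
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# One table row: key path (native or WOW6432Node view), the GUID subkey, the quoted
# stubpath as the sandbox prints it (backslashes doubled), the writing process, "N/A".
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\(?P<guid>' + GUID + r')'
    r'\\stubpath = "(?P<stub>[^"]+)" (?P<writer>\S+) N/A$',
    re.IGNORECASE,
)

# A GUID-named executable dropped straight into the Windows directory. Built-in
# Active Setup components point at System32 binaries (ie4uinit.exe, unregmp2.exe)
# or regsvr32/rundll32 invocations, never at a bare {GUID}.exe in %WINDIR%.
SUSPICIOUS_STUB_RE = re.compile(r"^[A-Za-z]:\\Windows\\" + GUID + r"\.exe$", re.IGNORECASE)

ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe"


def parse_stubpath_rows(text: str) -> List[Dict[str, str]]:
    """Turn the flat report rows into (guid, stubpath, writing process) records."""
    entries = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append({
                "guid": m.group("guid").upper(),
                "stub": m.group("stub").replace("\\\\", "\\"),  # undo doubled backslashes
                "writer": m.group("writer"),
            })
    return entries


def is_suspicious_stubpath(stub: str) -> bool:
    return SUSPICIOUS_STUB_RE.match(stub) is not None


def build_drop_chain(entries: List[Dict[str, str]], root: str, max_depth: int = 64) -> List[str]:
    """Each stage registers the StubPath of its successor, so writer -> stub is the
    edge; walk it from the submitted sample until a stage registers nothing more."""
    successor = {e["writer"].lower(): e["stub"] for e in entries}
    chain, seen = [root], {root.lower()}
    while len(chain) <= max_depth:
        nxt = successor.get(chain[-1].lower())
        if nxt is None or nxt.lower() in seen:  # end of chain, or a loop
            break
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain


def analyze(text: str = REPORT_ROWS, root: str = ROOT) -> Dict[str, object]:
    entries = parse_stubpath_rows(text)
    return {
        "entries": entries,
        "chain": build_drop_chain(entries, root),
        "flagged": [e["guid"] for e in entries if is_suspicious_stubpath(e["stub"])],
    }


if __name__ == "__main__":
    result = analyze()
    print(f"{len(result['entries'])} StubPath writes, {len(result['flagged'])} point at GUID-named files in C:\\Windows")
    for depth, exe in enumerate(result["chain"]):
        print("  " * depth + exe)
```

Every write in this run lands under Wow6432Node because the sample is 32-bit (its cmd.exe children run from SysWOW64), so a hunt for this technique has to read both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the WOW6432Node view; the row regex accepts either spelling of the node for that reason. The chain the example recovers is twelve executables long, one per entry in the Drops file and Files tables below, ending at {779DD137-5626-4d41-9E89-54C7A013C4BE}.exe.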

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe N/A
File created C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe N/A
File created C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe N/A
File created C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe N/A
File created C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe N/A
File created C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe N/A
File created C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe N/A
File created C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe N/A
File created C:\Windows\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe N/A
File created C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
File created C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below appears four times in the raw log; the duplicates are folded here)
PID 1784 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe
PID 1784 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2796 N/A C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe
PID 2056 wrote to memory of 2712 N/A C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2420 N/A C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe
PID 2796 wrote to memory of 2520 N/A C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2044 N/A C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe
PID 2420 wrote to memory of 656 N/A C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1500 N/A C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe
PID 2044 wrote to memory of 2648 N/A C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 2764 N/A C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe
PID 1500 wrote to memory of 2308 N/A C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 896 N/A C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe
PID 2764 wrote to memory of 1936 N/A C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 2652 N/A C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe
PID 896 wrote to memory of 2460 N/A C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Grouped per stage in spawn order (the raw list is flat: image path followed by command line). Each stage starts the next GUID-named executable and then a 32-bit cmd.exe that deletes the stage's own file by its 8.3 short name. PIDs are given where the WriteProcessMemory table above reports them.

Stage 0, PID 1784
  C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe"
  self-delete child, PID 2968
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Stage 1, PID 2056
  C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe
  C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe
  self-delete child, PID 2712
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68EA5~1.EXE > nul

Stage 2, PID 2796
  C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe
  C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe
  self-delete child, PID 2520
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3335F~1.EXE > nul

Stage 3, PID 2420
  C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe
  C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe
  self-delete child, PID 656
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DBBEB~1.EXE > nul

Stage 4, PID 2044
  C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe
  C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe
  self-delete child, PID 2648
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A0359~1.EXE > nul

Stage 5, PID 1500
  C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe
  C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe
  self-delete child, PID 2308
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31805~1.EXE > nul

Stage 6, PID 2764
  C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe
  C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe
  self-delete child, PID 1936
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{206C9~1.EXE > nul

Stage 7, PID 896
  C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe
  C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe
  self-delete child, PID 2460
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D566D~1.EXE > nul

Stage 8, PID 2652
  C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe
  C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe
  self-delete child
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E89F~1.EXE > nul

Stage 9
  C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe
  C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe
  self-delete child
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4319B~1.EXE > nul

Stage 10
  C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe
  C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe
  self-delete child
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF9F4~1.EXE > nul

Stage 11
  C:\Windows\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe
  C:\Windows\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe
  (no self-delete child listed)
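Every stage in the list above removes its own file through cmd.exe /c del <8.3 short name> > nul. Two details matter for detection: the short name ({68EA5~1.EXE) hides the full GUID-named file from a naive command-line match, and the child's image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, because WOW64 file system redirection applies to the 32-bit parent. The Python below is an added example, not from the report or the sandbox vendor: it runs a detection over a few constructed process-creation events in the shape of Sysmon Event ID 1 fields (the first two are modelled on the rows above, with the PIDs the report gives; the two benign events are made up for contrast), derives the expected 8.3 prefix from the parent image name, and reports self-delete only when the deleted file is in the parent's own directory and its short-name prefix and extension agree with the parent's file name. Names of functions and constants are the example's own.

```python
import ntpath  # pure-Python Windows path handling, usable on any OS
import re
from typing import List, Optional

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields.
# The first two are modelled on the behavioral1 process list in the report above
# (PIDs as reported there); the last two are invented benign events for contrast.
EVENTS = [
    {"ProcessId": 2968, "ParentProcessId": 1784,
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"ProcessId": 2712, "ParentProcessId": 2056,
     "ParentImage": r"C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{68EA5~1.EXE > nul"},
    {"ProcessId": 4100, "ParentProcessId": 900,  # made up: a user deleting a log file
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Temp\old report.log"'},
    {"ProcessId": 4200, "ParentProcessId": 4150,  # made up: an installer cleaning a temp file
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\VENDOR~1.TMP > nul"},
]

# "/c del [switches] <target>", target quoted or bare; anything after it is ignored.
DEL_RE = re.compile(
    r'/c\s+del\s+(?:/\w\s+)*(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s">]+))', re.IGNORECASE)
# 8.3 alias: up to six name characters, "~", a number, optional 1-3 character extension.
SHORT_RE = re.compile(r"^(?P<prefix>[^~\\]{1,6})~\d+(?:\.(?P<ext>[^.\\]{1,3}))?$")


def short_name_prefix(long_name: str) -> str:
    """First six characters of the 8.3 alias Windows derives from a long file name
    (spaces dropped, every dot but the last dropped, upper-cased). Heuristic: after
    repeated collisions Windows switches to a hash-based alias this will not match."""
    base, _ext = ntpath.splitext(long_name)
    base = base.replace(" ", "").replace(".", "")
    return base[:6].upper()


def classify(event: dict) -> Optional[str]:
    """None: not a cmd.exe delete. 'cmd-del': plain delete, log only.
    'cmd-del-shortname': 8.3 target that does not resolve to the parent.
    'self-delete': the parent's own file deleted via its 8.3 alias, as in the report."""
    # Match on the basename: the report shows Image=SysWOW64\cmd.exe with a system32
    # command line, so a rule anchored on the System32 image path misses this sample.
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(event["CommandLine"])
    if not m:
        return None
    target = m.group("quoted") or m.group("bare")
    tgt_dir, tgt_name = ntpath.split(target)
    par_dir, par_name = ntpath.split(event["ParentImage"])
    s = SHORT_RE.match(tgt_name)
    if s is None:
        return "cmd-del"
    same_dir = ntpath.normcase(tgt_dir) == ntpath.normcase(par_dir)
    same_prefix = s.group("prefix").upper() == short_name_prefix(par_name)
    par_ext = ntpath.splitext(par_name)[1].lstrip(".")[:3]
    same_ext = (s.group("ext") or "").lower() == par_ext.lower()
    return "self-delete" if same_dir and same_prefix and same_ext else "cmd-del-shortname"


def scan(events: List[dict]) -> List[dict]:
    """One finding per cmd.exe delete, keyed by the child PID and its parent image."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            findings.append({"pid": ev["ProcessId"], "parent": ev["ParentImage"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for fnd in scan(EVENTS):
        print(f"{fnd['verdict']:18} pid={fnd['pid']} parent={fnd['parent']}")
```

The two report-derived events classify as self-delete, the quoted long-name delete as a plain cmd-del, and the installer's short-name delete in a different directory as cmd-del-shortname. The same prefix check applies to the cleanup rows of behavioral2 below, whose short names follow the same six-character pattern.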

Network

N/A

Files

C:\Windows\{68EA5B4B-7714-4295-9D06-47A1B79235C1}.exe

MD5 7041376d8f6a94f270009886f07fe8c9
SHA1 914d7992a8dd74b2e317075305e6a2c9a9582642
SHA256 74eb7673d50bd66468caa46292547b7951c911054a33927b24615fb5b2758631
SHA512 57a27690e75c4d97d60262643beb178fedfdd2e13eb2218898796588165a1a97b6fc43c1a2dedb107b5090212ae73d72fb57c7a352e0d69e7eda965cf05279e9

C:\Windows\{3335F20F-56B8-4ce4-ABC1-C47246C83A9C}.exe

MD5 4b8841e319046e8bf0e3dda07def8935
SHA1 e007853cdc6863a18aa7e0c86d0d32e82e1aa3ca
SHA256 a54494fddd3d60a6b2ffaf4a2a72c0003429af7f2b46796045d046264aea8d4d
SHA512 be7ea120feff300ebc679f653f075ae34e7c826fb55e813859fdb81a7ad268383d50cf48d5e5ba34cefb8bf8406c64a1530bfda58221d7d4228be2f172472fc4

C:\Windows\{DBBEB1E4-06A1-48ae-ACF9-4E2716D7D51E}.exe

MD5 cbe78cf2ae07a1901eba984dbe8b8802
SHA1 e88884669720158753f0959bd45749318c95d11f
SHA256 154339d1f857622b5d9a017c155a9d97072b7529477d0ad8fcccf46b59ec4c52
SHA512 cf6fb173e2d18d43ac1239836a9bd60094fea0750db5439af03c3ba6fd4ac8f2a7a577585e855fdacec2a22c44d6a2dd9528dd8e4717e0108def7ad1c9e05936

C:\Windows\{A0359F57-97C0-4c20-B1EE-0525C9AB2CC0}.exe

MD5 d310dfa8eb6a43450c901b2e39673e20
SHA1 7f5a375f7c4dfc5fad84f5cee983da3b6bb0044b
SHA256 392e9f277fe983f936d97509cb7b3a5817031bae573b36ed3668c12df1b7866a
SHA512 b3b78e03a16139bcc448108dbc0e6c328503e876f649b9d157976ab9b235d040e6bf1da3a3a545f9c360158a7ec2d46892505e79b60e82f82689067d07601e38

C:\Windows\{31805F02-4BE0-403e-9D65-7A13722E1A9F}.exe

MD5 c6f2da893a3466dd804b041f33cb3a50
SHA1 256195df8f67a57c5411c6a69fdfbc3c7cdefe36
SHA256 46a7c3136aa247ac5f2af424dfec1b25167922e08a4b19390838f01822439cbb
SHA512 c2fd876c4e3f350bfc9ae56bd0b842b7fc373b8c51c633ff77213acaaaeb4efa8c77cd998441e154769624589b26aca037895bd2327888b211828c0c070185a3

C:\Windows\{206C9C9D-46D9-4a8b-975F-CE6FC7620D43}.exe

MD5 dbbb01f5537b8fa42bbe4f883da4d05f
SHA1 a1159b9ad8b08cabc4418b5e78f54c36ce7858bc
SHA256 470e695b11077ae56d83ae3f184c0fe4c0296667d7876aff70caf7baae19deed
SHA512 71c8d374d6074fd252d06fde1113001df17635231c1a426473f2d37e08a49988f47a12f3d5699b3b3d6db94d4f5cef7994ecb2247e2977a1fd30f8f1422e5b69

C:\Windows\{D566DE58-58E8-4f64-AB0F-DF782A1C3636}.exe

MD5 1b8e53630d158b3334ef6b23b1a6a9e2
SHA1 2d59b30259823100472ecf57d94517a2260effd5
SHA256 35b920b97ff7d40f0ee048b8678a535696a8d8030b375089611c8baa5d490fe7
SHA512 67fe46e40b4760e0c612ccd6f4961ea62e252292a491055253716abf52be37e74abd2ef2b0c0f0134a032db4c6959fea82281bb053370979e55330f355aca4fd

C:\Windows\{1E89FB9D-71F0-458e-8764-EBC3941F0BA8}.exe

MD5 86621337a8c61951baacc00f28f5ea69
SHA1 25242f5d2f6325701bb2dc0403b5d7c75811bba1
SHA256 e13176a3066a96e7802ed0b8b8aac50389c0e8389dc37b954b37c53e6d15b8cb
SHA512 f1f84d181c69c928166cd30e0f857d84957aa7f230617f103597e725b065811c8d1d9a2ad9120d8fdcee98b3b2e8f5ac7b9fdcba94977d55974ce2615ea3aa3e

C:\Windows\{4319BB2A-39BA-45c9-BCCD-A82F7A3940CB}.exe

MD5 7f29238b1b62e224ddd1e0d43139c375
SHA1 7c6b506babfc94eb1863a7ba3af536ed934501f2
SHA256 a707f7f225717ab816752b31944cfd5b83d838e03bb155344a70562f43cdd4f5
SHA512 79ccb52deba089befb5dc79a959f68d4b41b84c4a3882600c65b29f30c66cf037d6780a14a3678f4fdf23ecacd5f082bda12909245d58f90b7e5e14e745e0d02

C:\Windows\{FF9F4FBC-953C-4349-B422-5FBA6B5EFF12}.exe

MD5 bb1c314cab7ff022253c2c9298d53b1a
SHA1 aa04e30807a9f507590112740d9ff4a5fd697aef
SHA256 4099f151609483204b87028717e525b172b95f7d6d6dca43584204f9a6fc8943
SHA512 afdb8657b1d062ed3cf6f144e99583420d88f339bfa616d62e798e8d071e74d8a5a4a62369f75aebf853b229df6c8eb72b7c534445a4718c01f2d786565a5241

C:\Windows\{779DD137-5626-4d41-9E89-54C7A013C4BE}.exe

MD5 4e53ed637b1df65eba4743ff3e46970b
SHA1 3a77b81abd96c3dd96adb7d4ebbbdeaa72a66dfb
SHA256 25bd652a2c1d8a6590fb18763c1cf9e99ee46befb9d5e8bd0986f3079149abe4
SHA512 214f13c8aa39276afc3abc63c4d73987e0f842f6c54f510be1cb80a3b7f7af92d10903275963ee9bd8eda6e01b70d2ff93a74309156b33ed89f71aef842979b8

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:29

Reported

2024-04-06 22:31

Platform

win10v2004-20240319-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (12 hits, all fields N/A; the rule reports no details)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BCC6E81-5EE8-479c-96F5-C659817538F1}\stubpath = "C:\\Windows\\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBF65B2-2543-4190-86C5-3CD794913490}\stubpath = "C:\\Windows\\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe" C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573F9AA1-F17E-4008-80FE-B89E6160393F}\stubpath = "C:\\Windows\\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe" C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59F23E9E-C880-4e49-B8D5-A4E33057D605} C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59F23E9E-C880-4e49-B8D5-A4E33057D605}\stubpath = "C:\\Windows\\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe" C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE463372-326A-4b27-BBD0-406CA70F20E3}\stubpath = "C:\\Windows\\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe" C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}\stubpath = "C:\\Windows\\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}.exe" C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BCC6E81-5EE8-479c-96F5-C659817538F1} C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C41266-3AEF-4fac-A881-3D0552A4123C} C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD218272-2458-451c-B33D-E5A0A03E4807} C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD218272-2458-451c-B33D-E5A0A03E4807}\stubpath = "C:\\Windows\\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe" C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A} C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C0AAE5-E19F-4f90-9115-5BED1F53525B} C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3} C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573F9AA1-F17E-4008-80FE-B89E6160393F} C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}\stubpath = "C:\\Windows\\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe" C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C41266-3AEF-4fac-A881-3D0552A4123C}\stubpath = "C:\\Windows\\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe" C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE463372-326A-4b27-BBD0-406CA70F20E3} C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBF65B2-2543-4190-86C5-3CD794913490} C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}\stubpath = "C:\\Windows\\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe" C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684C63B3-C864-4287-96EB-DA92DC18919B} C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684C63B3-C864-4287-96EB-DA92DC18919B}\stubpath = "C:\\Windows\\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe" C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6} C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}\stubpath = "C:\\Windows\\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe" C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
File created C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe N/A
File created C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe N/A
File created C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe N/A
File created C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe N/A
File created C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe N/A
File created C:\Windows\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}.exe C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe N/A
File created C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe N/A
File created C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe N/A
File created C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe N/A
File created C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe N/A
File created C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe
PID 1720 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe
PID 1720 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1260 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe
PID 3400 wrote to memory of 1260 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe
PID 3400 wrote to memory of 1260 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe
PID 3400 wrote to memory of 3268 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 3268 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 3268 N/A C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 3940 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe
PID 1260 wrote to memory of 3940 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe
PID 1260 wrote to memory of 3940 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe
PID 1260 wrote to memory of 5016 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 5016 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 5016 N/A C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 1488 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe
PID 3940 wrote to memory of 1488 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe
PID 3940 wrote to memory of 1488 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe
PID 3940 wrote to memory of 4808 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 4808 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 4808 N/A C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 4376 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe
PID 1488 wrote to memory of 4376 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe
PID 1488 wrote to memory of 4376 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe
PID 1488 wrote to memory of 228 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 228 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 228 N/A C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 4976 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe
PID 4376 wrote to memory of 4976 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe
PID 4376 wrote to memory of 4976 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe
PID 4376 wrote to memory of 3924 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3924 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3924 N/A C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 4468 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe
PID 4976 wrote to memory of 4468 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe
PID 4976 wrote to memory of 4468 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe
PID 4976 wrote to memory of 4400 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 4400 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 4400 N/A C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3100 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe
PID 4468 wrote to memory of 3100 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe
PID 4468 wrote to memory of 3100 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe
PID 4468 wrote to memory of 1540 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 1540 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 1540 N/A C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2252 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe
PID 3100 wrote to memory of 2252 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe
PID 3100 wrote to memory of 2252 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe
PID 3100 wrote to memory of 2932 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2932 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2932 N/A C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2776 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe
PID 2252 wrote to memory of 2776 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe
PID 2252 wrote to memory of 2776 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe
PID 2252 wrote to memory of 4272 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 4272 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 4272 N/A C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 3628 N/A C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe
PID 2776 wrote to memory of 3628 N/A C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe
PID 2776 wrote to memory of 3628 N/A C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe
PID 2776 wrote to memory of 2660 N/A C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5a7ab326f6fab9cec0a30a4f55f5430f_goldeneye.exe"

C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe

C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe

C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9BCC6~1.EXE > nul

C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe

C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBF6~1.EXE > nul

C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe

C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{20C0A~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8

C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe

C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0AAB9~1.EXE > nul

C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe

C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{684C6~1.EXE > nul

C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe

C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{573F9~1.EXE > nul

C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe

C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA22~1.EXE > nul

C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe

C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0C41~1.EXE > nul

C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe

C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59F23~1.EXE > nul

C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe

C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD218~1.EXE > nul

C:\Windows\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}.exe

C:\Windows\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE463~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
IE 94.245.104.56:443 N/A tcp
GB 172.166.92.12:443 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 51.140.242.104:443 N/A tcp
NL 142.250.179.138:443 N/A tcp
NL 142.250.179.138:443 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
GB 13.105.221.16:443 N/A tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\{9BCC6E81-5EE8-479c-96F5-C659817538F1}.exe

MD5 706a9c31dcb29e1fb05187db48cf9c25
SHA1 7d3e32843aa54d842186896f16f306f9371ab3eb
SHA256 6a2023e206fab07d785f5c3d7dee7329ca38cd98033468b1a3633d5bc8e6c140
SHA512 0423a273e96388a861de4167ba1b3835f65dad0415c3b9208e6b001a39bbe3d4a49d83d5af0338e97851c283f2bb9cc0c5a52ca5cc381a046f16a2345bc88d02

C:\Windows\{0EBF65B2-2543-4190-86C5-3CD794913490}.exe

MD5 ae326cc6ca03732bd53a943187f3886c
SHA1 f2785761fda9a28eeb2a31eb491a2ae7fc8ed253
SHA256 55d602ffd72766eb3f4c29ef1cb8ff80626ffa35e9e4db318c6c40ddc8a97e01
SHA512 13bac76c5f28e04d47c783279110a200f2a85a40d68dfaed43c998f81e3b26f0fc632dbb82376747036805e5dbd00254d483fb1137b73766ecfe26f523442db7

C:\Windows\{20C0AAE5-E19F-4f90-9115-5BED1F53525B}.exe

MD5 25ce1f045ee833227aba45c377e05df2
SHA1 d305a3a443e946a8847c1fbc738cfa03168bc518
SHA256 b3a11e882add83f9e5d47ca4c07ccb7d501b313f45556be3fa170ca28979a7e6
SHA512 2aab2c6e39e208f39028d4706cf97a303441f6cc02997abfbe3785fe0a3fe8f63cf90929a376e4f104e6e74accaa96f007b4fe1494a0865471e1fc79c9c8934a

C:\Windows\{0AAB978C-EE2A-4b51-92D9-0ABECC396AD3}.exe

MD5 ddc58e92c0bcecd55eb1a9572368a34b
SHA1 d8b2a618b8e1cd85f383c6ac16296df56c3dc289
SHA256 16c4872c58d65cf06949cb444d4881261e1d222838c13745fff4cf4193d59b18
SHA512 09c1df1ac388a8ae661a87679531ea0ee843e549ffafbdd663c656f1d1fc1fa8f847df3ea7926c0f2d097ebdc75d9c0de3400709692289c813079b5e9d7942c2

C:\Windows\{684C63B3-C864-4287-96EB-DA92DC18919B}.exe

MD5 4150dce7b76182befa13cf9f32d993d1
SHA1 0860a6862cd55f56174a906b143bee38791a0acc
SHA256 c2abff559a9f80fa7f9ad8de8ef06066def902e89e855d234fd4317210658f0c
SHA512 72435ecfc88363b403fa2d3145dd79f347e8c6b18d4203cf5c7dbae90edd82c39840c88cdd89b3246ce927e87aa77d796fe63e4a7fd278bc1426ecbf17e9e612

C:\Windows\{573F9AA1-F17E-4008-80FE-B89E6160393F}.exe

MD5 d691885140ea13fd85ed407df0966d4d
SHA1 abbc23034207643529517bb713645e2b26878c1e
SHA256 971903022fa928e31c6a806ea5bf0c1b898eb226f624203babb6f177745135c2
SHA512 91bf6ceca41501a01d20debd0ebc40ffd9d55da3d882915ca066d9c9740fb4ac09038acc44c2b5c191cc9c52c8ace0471c7f9f6026abefb8ef5d5f30cf9ebd14

C:\Windows\{CCA22F9A-D8A6-4b5b-A1EC-B7894DBCE02A}.exe

MD5 85c57c4a84a43d7767acc523df000c5f
SHA1 efbc280542b7f7cec6be083c2458d621c11b0929
SHA256 3960e73f796fed4750faeb92bfeb98264be752e5e4d206a57ab255761814ee25
SHA512 63acf252262ad03db9f064c93c4426016b62f6424bf2f756b024befd9251c72d05503a73bff106ce94b51cdfd63e073a7b587940478bcc95d8db739d3b0b0b02

C:\Windows\{B0C41266-3AEF-4fac-A881-3D0552A4123C}.exe

MD5 6d002d586d1fa7f9ff882f683f409dcf
SHA1 1e3ea05139efd6eab0f11de0b7e4b4b9f183cc02
SHA256 4e31807991050803068bba92d141e9ccc528a40f46237a04a7fec2450a824943
SHA512 6db9d5e315a59f64bca935f2fd7187cac4210055c8308643e0f50681f0b6d3a7a5acf2ea3eeb9de02fe9f3a4be7aa2ecccc298a3e5ad3a4f6f96eb2644d5d436

C:\Windows\{59F23E9E-C880-4e49-B8D5-A4E33057D605}.exe

MD5 535baf5f6cc09a7f3e89aadb280af695
SHA1 ef594370ae74777bdf05405b3720eb3a21deb85d
SHA256 b9f4c3d21ecc86e1797471601d89ff4e91976562a583fda685744b5bc0ed4c83
SHA512 69f8b926d0ec7e173cc3862974775c4b1cce3c34247ed2d4a5c64ec8830b8e6b434b080d492a81198b6caa220a21ddb213cdd927db25729df83b90043ca90db8

C:\Windows\{CD218272-2458-451c-B33D-E5A0A03E4807}.exe

MD5 2dfb176e39935ddcf033b7e42f03f05e
SHA1 9e09250cd5b5426c9a4b9dccb45cb2a7646a82a9
SHA256 e5d00f9e847c766eec475b34586fee28039e498bf51fe67361da7b4c3528df60
SHA512 46f60c3101b5e187ee66231c4c2fac5e4a6485daf1b7b1627395b0b13c875f20dcb5bdabd168f1005c9ce245feb345fd0d02e5f457941e1ebd59d02b6beba19e

C:\Windows\{AE463372-326A-4b27-BBD0-406CA70F20E3}.exe

MD5 d90c7a4e6c7c6d9b621268bc113ba94a
SHA1 50f6b1c4d108c0d0fbef59d8e2cec867fd3440a7
SHA256 59d6418e2ddee8f46439c6719f7ab0643d3a8e0983b0b3816eea85479c133baf
SHA512 3a0cd2bb15040d25eff97555b987b1c55aa6b96f6bc928e1f2e3ce7fff5ef074c8ba92deb1fd813974176e0b60102dbf2ccebf27f1e8aea6285e9be6a05ffc7c

C:\Windows\{2B2D5C9F-CF41-4250-9175-C1A705DDA6C6}.exe

MD5 969d9f2a0c28d7022b277e0877d68ece
SHA1 53b4248450aec2f6c83cc788e22364cc8de30904
SHA256 2d82102c4368ffc63351edf260a33d5ccae90a8e98de36f90fecf983d11304c9
SHA512 a6543925325484039786bbfca5fa640ea2bdb1599579756052ddb6833ea28c59cd2ef34502398472fa67274bb58eac604982b18ff325623a272b0febd4991d13