Malware Analysis Report

2025-03-14 23:43

Sample ID 240407-w2gdkabc55
Target 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye
SHA256 40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90
Tags: persistence

Score: 10/10

Analysis Overview

score
10/10

SHA256

40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90

Threat Level: Known bad

The file 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:24

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:24

Reported

2024-04-07 18:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49} C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6104DD92-11ED-40af-AC72-F522DD4B55D8}\stubpath = "C:\\Windows\\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe" C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9} C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C3E774-59E5-4ff5-B687-FE701689EB14} C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}\stubpath = "C:\\Windows\\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe" C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C07498-8388-467a-B213-9B5115E20186} C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59215EA6-93A1-40dc-A8F7-E0214AAAD562} C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2} C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}\stubpath = "C:\\Windows\\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe" C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}\stubpath = "C:\\Windows\\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe" C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6104DD92-11ED-40af-AC72-F522DD4B55D8} C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}\stubpath = "C:\\Windows\\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe" C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}\stubpath = "C:\\Windows\\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe" C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C} C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1} C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}\stubpath = "C:\\Windows\\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe" C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1} C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}\stubpath = "C:\\Windows\\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe" C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0} C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}\stubpath = "C:\\Windows\\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe" C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C3E774-59E5-4ff5-B687-FE701689EB14}\stubpath = "C:\\Windows\\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe" C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9D4CFD-2966-4eed-8442-A0811AFABA47} C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C07498-8388-467a-B213-9B5115E20186}\stubpath = "C:\\Windows\\{B8C07498-8388-467a-B213-9B5115E20186}.exe" C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}\stubpath = "C:\\Windows\\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe N/A
File created C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe N/A
File created C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe N/A
File created C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe N/A
File created C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe N/A
File created C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe N/A
File created C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe N/A
File created C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe N/A
File created C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe N/A
File created C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe N/A
File created C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe N/A
File created C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
PID 3048 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
PID 3048 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
PID 3048 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
PID 3048 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2548 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
PID 3000 wrote to memory of 2548 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
PID 3000 wrote to memory of 2548 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
PID 3000 wrote to memory of 2548 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
PID 3000 wrote to memory of 2412 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2412 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2412 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2412 N/A C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2420 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
PID 2548 wrote to memory of 2420 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
PID 2548 wrote to memory of 2420 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
PID 2548 wrote to memory of 2420 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
PID 2548 wrote to memory of 2480 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2480 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2480 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2480 N/A C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2388 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
PID 2420 wrote to memory of 2388 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
PID 2420 wrote to memory of 2388 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
PID 2420 wrote to memory of 2388 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
PID 2420 wrote to memory of 1636 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1636 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1636 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1636 N/A C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2784 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
PID 2388 wrote to memory of 2784 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
PID 2388 wrote to memory of 2784 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
PID 2388 wrote to memory of 2784 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
PID 2388 wrote to memory of 2392 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2392 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2392 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2392 N/A C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2136 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
PID 2784 wrote to memory of 2136 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
PID 2784 wrote to memory of 2136 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
PID 2784 wrote to memory of 2136 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 1184 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
PID 2136 wrote to memory of 1184 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
PID 2136 wrote to memory of 1184 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
PID 2136 wrote to memory of 1184 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
PID 2136 wrote to memory of 664 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 664 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 664 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 664 N/A C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1472 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
PID 1184 wrote to memory of 1472 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
PID 1184 wrote to memory of 1472 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
PID 1184 wrote to memory of 1472 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
PID 1184 wrote to memory of 2732 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2732 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2732 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2732 N/A C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"

C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe

C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe

C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBA4~1.EXE > nul

C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe

C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB47~1.EXE > nul

C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe

C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F33C5~1.EXE > nul

C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe

C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6104D~1.EXE > nul

C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe

C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87431~1.EXE > nul

C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe

C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9133B~1.EXE > nul

C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe

C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C3E~1.EXE > nul

C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe

C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9D4~1.EXE > nul

C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe

C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE21~1.EXE > nul

C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe

C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C07~1.EXE > nul

C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe

C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59215~1.EXE > nul

Network

N/A

Files

C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe

C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe

C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe

C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe

C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe

C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe

C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe

C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe

C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe

C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe

C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe

C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:24

Reported

2024-04-07 18:27

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69AD0E30-5C72-4972-8ADA-033698153D5D} C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8} C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46494377-F956-473d-8783-F4D6CB7DF16C} C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20796186-C809-46e9-AA62-FEE02AD318A9} C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20796186-C809-46e9-AA62-FEE02AD318A9}\stubpath = "C:\\Windows\\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe" C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D23301-4294-4d2d-8B11-DA2AC8834B14}\stubpath = "C:\\Windows\\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe" C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9669F571-58D3-457d-99A4-C87C7DEE27A5} C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}\stubpath = "C:\\Windows\\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe" C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B124C05F-AA98-4252-8045-A96047CF4392}\stubpath = "C:\\Windows\\{B124C05F-AA98-4252-8045-A96047CF4392}.exe" C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C} C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}\stubpath = "C:\\Windows\\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe" C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69AD0E30-5C72-4972-8ADA-033698153D5D}\stubpath = "C:\\Windows\\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC} C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}\stubpath = "C:\\Windows\\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe" C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B124C05F-AA98-4252-8045-A96047CF4392} C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{954C3D71-5268-4731-9EA8-0B74D2B76E09} C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{954C3D71-5268-4731-9EA8-0B74D2B76E09}\stubpath = "C:\\Windows\\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe" C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46494377-F956-473d-8783-F4D6CB7DF16C}\stubpath = "C:\\Windows\\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe" C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D23301-4294-4d2d-8B11-DA2AC8834B14} C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC} C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}\stubpath = "C:\\Windows\\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe" C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9669F571-58D3-457d-99A4-C87C7DEE27A5}\stubpath = "C:\\Windows\\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe" C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{615AE48F-379C-474b-B573-CA8696803F47} C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{615AE48F-379C-474b-B573-CA8696803F47}\stubpath = "C:\\Windows\\{615AE48F-379C-474b-B573-CA8696803F47}.exe" C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
File created C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe N/A
File created C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe N/A
File created C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe N/A
File created C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe N/A
File created C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe N/A
File created C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe N/A
File created C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe N/A
File created C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe N/A
File created C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe N/A
File created C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe N/A
File created C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
PID 4520 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
PID 4520 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
PID 4520 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2692 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
PID 5068 wrote to memory of 2692 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
PID 5068 wrote to memory of 2692 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
PID 5068 wrote to memory of 2608 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2608 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 2608 N/A C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 3100 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
PID 2692 wrote to memory of 3100 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
PID 2692 wrote to memory of 3100 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
PID 2692 wrote to memory of 1216 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1216 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1216 N/A C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2196 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
PID 3100 wrote to memory of 2196 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
PID 3100 wrote to memory of 2196 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
PID 3100 wrote to memory of 4016 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4016 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4016 N/A C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1372 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
PID 2196 wrote to memory of 1372 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
PID 2196 wrote to memory of 1372 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
PID 2196 wrote to memory of 2000 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2000 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2000 N/A C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 1972 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
PID 1372 wrote to memory of 1972 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
PID 1372 wrote to memory of 1972 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
PID 1372 wrote to memory of 2508 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2508 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2508 N/A C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2280 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
PID 1972 wrote to memory of 2280 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
PID 1972 wrote to memory of 2280 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
PID 1972 wrote to memory of 760 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 760 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 760 N/A C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 216 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
PID 2280 wrote to memory of 216 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
PID 2280 wrote to memory of 216 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
PID 2280 wrote to memory of 2624 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2624 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2624 N/A C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 4384 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
PID 216 wrote to memory of 4384 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
PID 216 wrote to memory of 4384 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
PID 216 wrote to memory of 332 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 332 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 332 N/A C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 4116 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
PID 4384 wrote to memory of 4116 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
PID 4384 wrote to memory of 4116 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
PID 4384 wrote to memory of 3392 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 3392 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 3392 N/A C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 1352 N/A C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
PID 4116 wrote to memory of 1352 N/A C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
PID 4116 wrote to memory of 1352 N/A C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
PID 4116 wrote to memory of 1632 N/A C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"

C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe

C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe

C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{69AD0~1.EXE > nul

C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe

C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEF2~1.EXE > nul

C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe

C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E78C~1.EXE > nul

C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe

C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B124C~1.EXE > nul

C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe

C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{954C3~1.EXE > nul

C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe

C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46494~1.EXE > nul

C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe

C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{20796~1.EXE > nul

C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe

C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51D23~1.EXE > nul

C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe

C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9669F~1.EXE > nul

C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe

C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D9833~1.EXE > nul

C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe

C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5C8~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files
