Malware Analysis Report

2025-03-14 23:45

Sample ID: 240603-glkzgsfa37
Target: 2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye
SHA256: 04c8afa4242957923aa41ba0d516acc0595176100904f08a53f6bc32df6bb699
Tags: persistence
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:53

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:53

Reported

2024-06-03 05:56

Platform

win7-20240419-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6462627B-7FC9-449c-BA2A-55825C683EC6} C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CC77AD-073C-4131-BFD0-DF89B617A114} C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CC77AD-073C-4131-BFD0-DF89B617A114}\stubpath = "C:\\Windows\\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe" C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7} C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}\stubpath = "C:\\Windows\\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe" C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44} C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C71F064-6111-4eb1-9184-ED968AFF1C0F} C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}\stubpath = "C:\\Windows\\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe" C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}\stubpath = "C:\\Windows\\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe" C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C} C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}\stubpath = "C:\\Windows\\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe" C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9075979E-CFB1-4160-B254-B9772FCDFD64}\stubpath = "C:\\Windows\\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe" C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}\stubpath = "C:\\Windows\\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6462627B-7FC9-449c-BA2A-55825C683EC6}\stubpath = "C:\\Windows\\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe" C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D} C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}\stubpath = "C:\\Windows\\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe" C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5} C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}\stubpath = "C:\\Windows\\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe" C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9075979E-CFB1-4160-B254-B9772FCDFD64} C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF0987B-FE4A-4862-A794-F58E2A63BD95} C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8394133-F9BB-4a68-9C3C-D03D9E82879F} C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}\stubpath = "C:\\Windows\\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}.exe" C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe N/A
File created C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe N/A
File created C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe N/A
File created C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe N/A
File created C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe N/A
File created C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe N/A
File created C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe N/A
File created C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
File created C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe N/A
File created C:\Windows\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}.exe C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe N/A
File created C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe
PID 2460 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 2688 N/A C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe
PID 1600 wrote to memory of 2668 N/A C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2712 N/A C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe
PID 2688 wrote to memory of 2212 N/A C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 3036 N/A C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe
PID 2712 wrote to memory of 2340 N/A C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2796 N/A C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe
PID 3036 wrote to memory of 2912 N/A C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2492 N/A C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe
PID 2796 wrote to memory of 768 N/A C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1544 N/A C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe
PID 2492 wrote to memory of 2508 N/A C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 848 N/A C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe
PID 1544 wrote to memory of 1308 N/A C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe"

C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe

C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe

C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B0EA~1.EXE > nul

C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe

C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64626~1.EXE > nul

C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe

C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C716F~1.EXE > nul

C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe

C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0C71F~1.EXE > nul

C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe

C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64DE4~1.EXE > nul

C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe

C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3D3~1.EXE > nul

C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe

C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CC7~1.EXE > nul

C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe

C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{90759~1.EXE > nul

C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe

C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8BF09~1.EXE > nul

C:\Windows\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}.exe

C:\Windows\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59270~1.EXE > nul

Network

N/A

Files

C:\Windows\{1B0EA290-4DE3-4a14-B97D-E3DDA67E8D44}.exe


C:\Windows\{6462627B-7FC9-449c-BA2A-55825C683EC6}.exe


C:\Windows\{C716F7F0-3265-4c43-B138-0D1FD2E80C8C}.exe


C:\Windows\{0C71F064-6111-4eb1-9184-ED968AFF1C0F}.exe


C:\Windows\{64DE4B61-3FDC-4e5f-82D3-500F45E99E8D}.exe


C:\Windows\{BF3D3F74-C517-4a93-929A-BC3C4ABF62C5}.exe


C:\Windows\{C8CC77AD-073C-4131-BFD0-DF89B617A114}.exe


C:\Windows\{9075979E-CFB1-4160-B254-B9772FCDFD64}.exe


C:\Windows\{8BF0987B-FE4A-4862-A794-F58E2A63BD95}.exe


C:\Windows\{592708E2-134B-4f3f-BDBF-656B5A0A1CB7}.exe


C:\Windows\{E8394133-F9BB-4a68-9C3C-D03D9E82879F}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:53

Reported

2024-06-03 05:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}\stubpath = "C:\\Windows\\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe" C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8295CBF0-238F-4ca5-8D40-3CF7136357E3} C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}\stubpath = "C:\\Windows\\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe" C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33079A09-1936-4767-8778-42E795ABF30C} C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33079A09-1936-4767-8778-42E795ABF30C}\stubpath = "C:\\Windows\\{33079A09-1936-4767-8778-42E795ABF30C}.exe" C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF} C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}\stubpath = "C:\\Windows\\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe" C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}\stubpath = "C:\\Windows\\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe" C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D} C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F16B34B0-5F78-4d95-A680-9350873BFB4B} C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F16B34B0-5F78-4d95-A680-9350873BFB4B}\stubpath = "C:\\Windows\\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe" C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}\stubpath = "C:\\Windows\\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe" C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}\stubpath = "C:\\Windows\\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe" C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00} C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD} C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}\stubpath = "C:\\Windows\\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}.exe" C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB} C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438CA909-9760-4df7-AD53-AF64F4F4CD4C} C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA} C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD246FA-F8EF-4531-B7F7-FB683924658E} C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F} C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}\stubpath = "C:\\Windows\\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe" C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}\stubpath = "C:\\Windows\\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe" C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD246FA-F8EF-4531-B7F7-FB683924658E}\stubpath = "C:\\Windows\\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe N/A
File created C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe N/A
File created C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe N/A
File created C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe N/A
File created C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe N/A
File created C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe N/A
File created C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe N/A
File created C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
File created C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe N/A
File created C:\Windows\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}.exe C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe N/A
File created C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe N/A
File created C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe
PID 1952 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe
PID 1952 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe
PID 1952 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1940 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe
PID 2792 wrote to memory of 1940 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe
PID 2792 wrote to memory of 1940 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe
PID 2792 wrote to memory of 3672 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3672 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3672 N/A C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 5040 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe
PID 1940 wrote to memory of 5040 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe
PID 1940 wrote to memory of 5040 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe
PID 1940 wrote to memory of 1492 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1492 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1492 N/A C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4184 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe
PID 5040 wrote to memory of 4184 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe
PID 5040 wrote to memory of 4184 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe
PID 5040 wrote to memory of 4484 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4484 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4484 N/A C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 4312 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe
PID 4184 wrote to memory of 4312 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe
PID 4184 wrote to memory of 4312 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe
PID 4184 wrote to memory of 4012 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 4012 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 4012 N/A C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 2660 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe
PID 4312 wrote to memory of 2660 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe
PID 4312 wrote to memory of 2660 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe
PID 4312 wrote to memory of 1416 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 1416 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 1416 N/A C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 404 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe
PID 2660 wrote to memory of 404 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe
PID 2660 wrote to memory of 404 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe
PID 2660 wrote to memory of 5044 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 5044 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 5044 N/A C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2300 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe
PID 404 wrote to memory of 2300 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe
PID 404 wrote to memory of 2300 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe
PID 404 wrote to memory of 1092 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1092 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1092 N/A C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 4292 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe
PID 2300 wrote to memory of 4292 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe
PID 2300 wrote to memory of 4292 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe
PID 2300 wrote to memory of 2504 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2504 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2504 N/A C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2140 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe
PID 4292 wrote to memory of 2140 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe
PID 4292 wrote to memory of 2140 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe
PID 4292 wrote to memory of 3992 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 3992 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 3992 N/A C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 4376 N/A C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe
PID 2140 wrote to memory of 4376 N/A C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe
PID 2140 wrote to memory of 4376 N/A C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe
PID 2140 wrote to memory of 980 N/A C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_270bb9cc20aa5e9bf0182dcf0f72f9a5_goldeneye.exe"

C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe

C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe

C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD24~1.EXE > nul

C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe

C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC695~1.EXE > nul

C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe

C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{438CA~1.EXE > nul

C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe

C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B75E~1.EXE > nul

C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe

C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F16B3~1.EXE > nul

C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe

C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D0C~1.EXE > nul

C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe

C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8295C~1.EXE > nul

C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe

C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9F0FF~1.EXE > nul

C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe

C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7EEB~1.EXE > nul

C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe

C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3980F~1.EXE > nul

C:\Windows\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}.exe

C:\Windows\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{33079~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\{EFD246FA-F8EF-4531-B7F7-FB683924658E}.exe

MD5 dc46d1fd3b52426832d99e3c8f7517ff
SHA1 8bc6686addab13db205bcf965ec9a35b42714305
SHA256 9946a83607772223449efe2ac6b0370e44b089c09eee1fa6a44e6856083487d0
SHA512 4979ba34c47fec2a235f1682dd32d30ada074325bf53e0896af0f90a409209158db67e9d1111e61c58a1b64565de5ea6fb479e2c8103e7a4911c8612f4e7d881

C:\Windows\{CC6951C4-B08E-498a-9E31-7DEA2AD8DCBD}.exe

MD5 9dbc5435a7197ceef8729d73fe4817b5
SHA1 746ffd5889cd07dbb5f27be742326bbcb9067cb1
SHA256 42539866cb4dd5cf550f1774fe808a8a31efba43a936dee718ab99ee119490dd
SHA512 ae54dff0260d08f07de8cf4d6dbd165a52aa28151ff538227871a8164aea651fd07811ce2633d3e9519ea491618a396d8659f0370ce3e3c085a5f2c161667946

C:\Windows\{438CA909-9760-4df7-AD53-AF64F4F4CD4C}.exe

MD5 510eae22fcb23ba5eb59046404090f37
SHA1 c3e3f3023d6f256921470f94d8f7964b68d2729a
SHA256 5f8615fe5a67e01b3a46da9c09f8208b6764cea9c701fa5b9af44802089bbf87
SHA512 7e3c89d43688dda7e9764c4dc4efa8416e70d5fba71b9068eca8289565334d4c9ee2147711612349eb769bc0897fc14f50e30664a84a87f63ef68d445803cbe5

C:\Windows\{7B75E2D2-9D5F-4a68-B86B-FE89ED58284D}.exe

MD5 ef41f6d2b658a1c964c8adc287fd6b8b
SHA1 8bddf797c6f736db3d03b9089fd8769d87c92a41
SHA256 793e2bd29a1f454f69d4e16baeb2529ba0999b49eb3cbad9917fee1380071b8e
SHA512 4f814616180a088f738a91833ad8046c0a95629b98b780c41eefa1e2c7782b79d1804c74d2ce474ea039dc8e6cfc4289c7fc711000eb2a29b7c64359a6408b27

C:\Windows\{F16B34B0-5F78-4d95-A680-9350873BFB4B}.exe

MD5 c47798d66f1563b455a822ccf2d7f3e4
SHA1 6400d20b0a2f6e8d081b49b5824f43f1b118b399
SHA256 440c178408dfdbbbf9585f9dc2018d0be221dbb7811286fa9c6448eed57fbd1a
SHA512 5f00dac81fdd3ff97044a03a944c8b2a9f21471e213eb12f30851815ba47a401c395adeebf750210d1464559192156f1e77360b5d119a37b753b082811b82dd8

C:\Windows\{D4D0CE72-2BB5-48b0-8CAC-E9AC39B51BCA}.exe

MD5 7f0643a40c6d5167464c557c491dd344
SHA1 1e508a4f71d704321a3d51b3c3f3de250dbc6552
SHA256 a73362468b8c6c2a399d5e8697947f9072c8f4485be739eeec30f5e1762c3d4d
SHA512 c7d9e906cebb7b50bfe9100542ddb2a8d4ef5664256a305328ddc4e19fc2def1643ade4937e24c866d20cf079a70c9328cecde405a97121a177eedd0b648956f

C:\Windows\{8295CBF0-238F-4ca5-8D40-3CF7136357E3}.exe

MD5 86df540a7e288ffdca2e44bbeb817982
SHA1 d4baa39bb68ad963db740ca5e769a3433ddabb04
SHA256 97a34981d6f9b0ab0dc8b4d78c78cc699514132171c0b4acbc580ba4f312f5b9
SHA512 b10510931bc780cf87e8f6a7b6c4f8cbb51b21b2421f71b6fa262ee058ff1e081532268b0e0586019a1c20df40334117cc7a258cbbaa7897c83857c59aa7535d

C:\Windows\{9F0FF8E3-03BF-42da-9EFE-62BFE3CA0D00}.exe

MD5 19f1fef8788c1e03b69c5c1f874d02d1
SHA1 2a33ae5f7e484e9cbf5f988ee109b6ab14faf5f0
SHA256 45fdec3caea06725603808ebc157e5ca24edd75b56acfc89b70537c7ef06d223
SHA512 6f623e5cdcb537f68f856a4f4006212318c7c66e0c35b77d9af047bb094c35a4f1709dddf93483a2969273f60b52c987d63a8aaf542a896358a13a7873d13930

C:\Windows\{D7EEBFC6-E6E7-41f8-B8C2-FC217D1D4D8F}.exe

MD5 d3e723e0bfb8c5cfe0626a40475022a1
SHA1 fc1e39877a7520c91e602842ff5332681dc9b669
SHA256 49f72da986368854f71909d35a4abea4ce42980ac2d46a75866f807b0fec87be
SHA512 c48e42bc0128a52d8b8992274ee17101c5d1ad2fa5909f6206e6762c38eec56554831325f2e9a11e3b7a71c368ed04ddb0b7883c80b1f588ed56ca8f2c671ca1

C:\Windows\{3980FF92-6F46-4b51-A7C1-39E64F6E6ECB}.exe

MD5 1e9caad06bbb4ead723321252b78a266
SHA1 75ddf10f6d62da4365b6a4c59a73048fe5f2fa08
SHA256 663e6267d098aa205354f4f737674eae722566ac88db188a84b704db3ec1397c
SHA512 a82b20d827232eaccf0fb9020f4ff796330fe7b4755b5ca403e25ae1ffdbc9f50af9aff7c14211529781831897cb70cbe70e0529815b065ef53a463f4022e0c8

C:\Windows\{33079A09-1936-4767-8778-42E795ABF30C}.exe

MD5 1e76a7128714ccccf72ef7ed5ff5d8c9
SHA1 18b9453398b76417ff1d9bc46a8899c456945f45
SHA256 f3aaa68b1cce13d469247bcbe46c90aa43487f572c1d3c3f22046230da2bfb2c
SHA512 55d8152476673f7e3d99fc89d01d3417525668121c526fbd15a578fce0d6f190cea0f8d6ce99aa8203f22c0f4963046ca151d050aa16fb8beb1d4acf7df853d3

C:\Windows\{81B1F966-2C0B-4e9f-A880-A75DE8085BEF}.exe

MD5 45d1ae96bd0201f062083255ae032710
SHA1 42cc29a4e60d23bfa8dc76bfb5e63909830cfe4d
SHA256 e626a8e7cdd1406d52f161986a4c108761d34dcb2c226a8efb30fe6b402ac894
SHA512 6a78a962f00dfa7cf0d4a96483f6b614936e9fd59763e973cc05418135de9d9c2a267adeceb3cf32473e6ba41eade81f4b3ed8f05fd836f5e6a07808082230c3