Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qt154shg85
Target 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye
SHA256 28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840

Threat Level: Known bad

The file 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:33

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:33

Reported

2024-04-04 13:36

Platform

win7-20240220-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01261DD-327E-4fa2-8449-5A52A8E69F38}\stubpath = "C:\\Windows\\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe" C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}\stubpath = "C:\\Windows\\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3048EB6-2C35-4daf-A628-8160CFCEE987} C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A366651-1280-4e5d-A8B2-5CA00566D18C}\stubpath = "C:\\Windows\\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe" C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1} C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F910C86-4864-4838-A08B-6974D02587EE} C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F910C86-4864-4838-A08B-6974D02587EE}\stubpath = "C:\\Windows\\{4F910C86-4864-4838-A08B-6974D02587EE}.exe" C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F17303-6864-42fe-8C50-2685E8C133E5} C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01261DD-327E-4fa2-8449-5A52A8E69F38} C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7} C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}\stubpath = "C:\\Windows\\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe" C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A366651-1280-4e5d-A8B2-5CA00566D18C} C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}\stubpath = "C:\\Windows\\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe" C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389} C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C5264E-B694-41e7-B83B-639A0752B0DF}\stubpath = "C:\\Windows\\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe" C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D} C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}\stubpath = "C:\\Windows\\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe" C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C5264E-B694-41e7-B83B-639A0752B0DF} C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC} C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3048EB6-2C35-4daf-A628-8160CFCEE987}\stubpath = "C:\\Windows\\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe" C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}\stubpath = "C:\\Windows\\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe" C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F17303-6864-42fe-8C50-2685E8C133E5}\stubpath = "C:\\Windows\\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe" C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe N/A
File created C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe N/A
File created C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe N/A
File created C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe N/A
File created C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe N/A
File created C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe N/A
File created C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe N/A
File created C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
File created C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe N/A
File created C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe N/A
File created C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
PID 2184 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
PID 2184 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
PID 2184 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
PID 2184 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2592 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
PID 2076 wrote to memory of 2592 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
PID 2076 wrote to memory of 2592 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
PID 2076 wrote to memory of 2592 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
PID 2076 wrote to memory of 2776 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2776 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2776 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2776 N/A C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2652 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
PID 2592 wrote to memory of 2652 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
PID 2592 wrote to memory of 2652 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
PID 2592 wrote to memory of 2652 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
PID 2592 wrote to memory of 2732 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2732 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2732 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2732 N/A C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2860 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
PID 2652 wrote to memory of 2860 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
PID 2652 wrote to memory of 2860 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
PID 2652 wrote to memory of 2860 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
PID 2652 wrote to memory of 2024 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2024 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2024 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2024 N/A C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2372 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
PID 2860 wrote to memory of 2372 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
PID 2860 wrote to memory of 2372 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
PID 2860 wrote to memory of 2372 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
PID 2860 wrote to memory of 2644 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2644 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2644 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2644 N/A C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 1948 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
PID 2372 wrote to memory of 1948 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
PID 2372 wrote to memory of 1948 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
PID 2372 wrote to memory of 1948 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
PID 2372 wrote to memory of 2268 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2268 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2268 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2268 N/A C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1908 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
PID 1948 wrote to memory of 1908 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
PID 1948 wrote to memory of 1908 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
PID 1948 wrote to memory of 1908 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
PID 1948 wrote to memory of 2308 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2308 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2308 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2308 N/A C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 1572 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
PID 1908 wrote to memory of 1572 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
PID 1908 wrote to memory of 1572 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
PID 1908 wrote to memory of 1572 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
PID 1908 wrote to memory of 2296 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2296 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2296 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2296 N/A C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"

C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe

C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe

C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1E887~1.EXE > nul

C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe

C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3048~1.EXE > nul

C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe

C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1A366~1.EXE > nul

C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe

C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65FCD~1.EXE > nul

C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe

C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60F17~1.EXE > nul

C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe

C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A0126~1.EXE > nul

C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe

C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87BB5~1.EXE > nul

C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe

C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE19D~1.EXE > nul

C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe

C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ADB91~1.EXE > nul

C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe

C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F910~1.EXE > nul

Network

N/A

Files

C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe

C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe

C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe

C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe

C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe

C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe

C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe

C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe

C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe

C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe

C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:33

Reported

2024-04-04 13:36

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F} C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8490A6B-918E-4738-845D-083C6D5EF9BD}\stubpath = "C:\\Windows\\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe" C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC} C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}\stubpath = "C:\\Windows\\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe" C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79} C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685FF935-5B69-47eb-BB41-062752329406}\stubpath = "C:\\Windows\\{685FF935-5B69-47eb-BB41-062752329406}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25AF221-709B-4973-B956-8CCD4113756D}\stubpath = "C:\\Windows\\{A25AF221-709B-4973-B956-8CCD4113756D}.exe" C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35658802-4DD5-498e-A1B3-2A2701AD9A11}\stubpath = "C:\\Windows\\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe" C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB} C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}\stubpath = "C:\\Windows\\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe" C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA4DA3D-AD97-4154-A036-6311162F83DA} C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21867-9A9E-48cc-B8C3-8A874040480D} C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21867-9A9E-48cc-B8C3-8A874040480D}\stubpath = "C:\\Windows\\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe" C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35658802-4DD5-498e-A1B3-2A2701AD9A11} C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}\stubpath = "C:\\Windows\\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe" C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}\stubpath = "C:\\Windows\\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe" C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D74E14A-10F1-4a82-B628-C95754D6B2A5} C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25AF221-709B-4973-B956-8CCD4113756D} C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA4DA3D-AD97-4154-A036-6311162F83DA}\stubpath = "C:\\Windows\\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe" C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8490A6B-918E-4738-845D-083C6D5EF9BD} C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B60D9C-91B4-4c85-9BC6-874FEEE13526} C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685FF935-5B69-47eb-BB41-062752329406} C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}\stubpath = "C:\\Windows\\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe" C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}\stubpath = "C:\\Windows\\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe" C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe N/A
File created C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe N/A
File created C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe N/A
File created C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe N/A
File created C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe N/A
File created C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe N/A
File created C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe N/A
File created C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe N/A
File created C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe N/A
File created C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe N/A
File created C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe N/A
File created C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
PID 3736 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
PID 3736 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
PID 3736 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 4948 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
PID 1084 wrote to memory of 4948 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
PID 1084 wrote to memory of 4948 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
PID 1084 wrote to memory of 3412 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 3412 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 3412 N/A C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3116 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
PID 4948 wrote to memory of 3116 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
PID 4948 wrote to memory of 3116 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
PID 4948 wrote to memory of 4924 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 4924 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 4924 N/A C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 4024 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
PID 3116 wrote to memory of 4024 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
PID 3116 wrote to memory of 4024 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
PID 3116 wrote to memory of 3272 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 3272 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 3272 N/A C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 2336 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
PID 4024 wrote to memory of 2336 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
PID 4024 wrote to memory of 2336 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
PID 4024 wrote to memory of 3896 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 3896 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 3896 N/A C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 364 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
PID 2336 wrote to memory of 364 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
PID 2336 wrote to memory of 364 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
PID 2336 wrote to memory of 1400 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1400 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1400 N/A C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 4596 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
PID 364 wrote to memory of 4596 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
PID 364 wrote to memory of 4596 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
PID 364 wrote to memory of 772 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 772 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 772 N/A C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1844 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
PID 4596 wrote to memory of 1844 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
PID 4596 wrote to memory of 1844 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
PID 4596 wrote to memory of 2324 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2324 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2324 N/A C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3524 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
PID 1844 wrote to memory of 3524 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
PID 1844 wrote to memory of 3524 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
PID 1844 wrote to memory of 5048 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 5048 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 5048 N/A C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 4324 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
PID 3524 wrote to memory of 4324 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
PID 3524 wrote to memory of 4324 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
PID 3524 wrote to memory of 1108 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1108 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1108 N/A C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 5028 N/A C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
PID 4324 wrote to memory of 5028 N/A C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
PID 4324 wrote to memory of 5028 N/A C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
PID 4324 wrote to memory of 1628 N/A C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"

C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe

C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe

C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{685FF~1.EXE > nul

C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe

C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D74E~1.EXE > nul

C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe

C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A25AF~1.EXE > nul

C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe

C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA4D~1.EXE > nul

C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe

C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35658~1.EXE > nul

C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe

C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE86F~1.EXE > nul

C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe

C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E8490~1.EXE > nul

C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe

C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31B60~1.EXE > nul

C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe

C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CF96E~1.EXE > nul

C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe

C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA21~1.EXE > nul

C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe

C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6180A~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe

MD5 dadee5902bb19a0f906e4322cd5eafd9
SHA1 c7b2a67df809e9d77f38f665378b173d22be83f0
SHA256 ae82694a54fbd17fc5933c58f123a33e5e59ce823a96f34f61c573be1ed8b0c9
SHA512 cd4f96526d0b0cad0895109fb0b531852d76f4ec13e58ac9367684538a6215b847f0c0452b0942649ff29a19fc7b26f5566007d0bf627aa333145f84687d9e07

C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe

MD5 f146143f2ef6021371270deef53111a9
SHA1 23bd8cca3e9237aede4b9ec330ff5e48c845b5e6
SHA256 e77d34eab745bb8d7bc9c2f3c84849646315bcb1c6df29242268d3aa76c54903
SHA512 1a1e823a499248024864d0695dfb9d3c920718219cc0acd85e106a3a016937e1f072c7e1ca9b1dc79533092e91b0584c48d10a36d180e85a6b9e99de940d1a2b

C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe

MD5 811ba40cedac4cfd57256e9eb44d1b69
SHA1 015047263871b3feb0b27d0d32787f8315cf2bfc
SHA256 228119a3bf659bd8bc5ce57caa6191bfc1000d40f7d0d7a307c224de49867c1b
SHA512 b1607c2f43a2b54be11b8c5640a593505e12460092e9fab644a8bb726189da9c75be8a4a81760b429587be37b1920fca31c5e55175bc6d88daacab490ee1c4d0

C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe

MD5 fafefdf99cfaa77daeabc2a6b2715962
SHA1 a43ae8a1da853dc7a44695ee4d41fa1ab636eb25
SHA256 7ebb431968c62e7651fcb582d3b4f5c2e2deff6f8274bf4b28d6e7bbda9893b2
SHA512 ca73e5eaa5ed7e9689212b0cb3209618fbf4933b7633203b3021c469d70fc005292b980114f1a2823c0d51e4aba966fa5be57cf4fda589226e01970a03d11959

C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe

MD5 87ef0bc28a61ac359e56c5cbe9f5ffe8
SHA1 5ecf593999f0eb6c6e24cc78b5b112be94a6fbf5
SHA256 94e56d00df762168c6ab26febe3f8a1e1957835a4559d245374ed4a9d58a9fe1
SHA512 9415f6c3ca27a0e6740609d3cf32e8cea3dd2d681b8299ae9ec8b9276b4407398663207f81f6587d1f6ed3721e450bec96a50809193b5ef4f4914935bc472687

C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe

MD5 60a69933a680e105860be1713da3f0e0
SHA1 4837af4ab057fb11dd9ce675a76f80bf69e5cfb4
SHA256 f2aad0027d12a27dd5d8002a36e2fcca7417508224dfc55636bd00ceee1976b2
SHA512 b907307daf1581d35248eb70c6207c6f21531a1f7c9c6cdaa4ec616c5d831d35374eb9e77ba2fdf57fa1090460616e53579c394b244f64a3a1d536e628c4d537

C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe

MD5 00abee47345ffdf7cf7703df02d45b4a
SHA1 3020a37efab8a9b375610e252a3d9365d62444d6
SHA256 bab173335d06915afc6464ef1693ee2173e4f0901c633a6a72ba92a7b68a5cec
SHA512 d2c7e818aa1d56e2e0d7659939c3499152f57cc8ee59573b5832f2679360ff70a399075502d91ca45d60f019ec060a3b8d0eeefa11b45d9019ef3d7004194463

C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe

MD5 c4e344d3e94fab2741f5fa63b457510a
SHA1 86f25a0acb53669928accb3db26f3e891da9ba24
SHA256 4bd0f966754e2b8114684fb74f785348786b6d3304ad1dbbde778fc2b3f2bbf2
SHA512 e386f81bca0c04d6f9d0b9f6e6133b8ae1d824c0c97ea0338b7d134f4b496adfe363b0de3c1a87b427030a9ddea67146e435adb2359db09086e0635d8e122389

C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe

MD5 3cc74f982262b2fb2d450a5196681b37
SHA1 78e3be41e4e3675049c2d1ea665c6b947d859e72
SHA256 b825a35ebf4e65c7a353aad1fb8f0c97425cc7a33ffc99894f1c572452f0391a
SHA512 76d0ed7660d1b7aa17046b64d0861265cdfa3dbd4ce4dae975234c2aad8d89fbdfbca900eebc99022ab00f6b4f395175a23e7c062d5a6a3709d3949b34cc7c60

C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe

MD5 658ff29c1d05e212bcc19b92a2d5db2b
SHA1 3a90dbe4fa9aba73ef16fdbcb27a73f1f880e820
SHA256 a8ec0a2b305673dbf5186c3276e639ae649ab6c91d0ea088bc17afc88092f3f9
SHA512 f459493be97eb1a0b657a8f2be36327b6e5287d6f1434fea7fdb5bd350e269751f4cdd933fde64f5e86611f84e9b0a31e24f93cc12f1e25485d10b025481d16e

C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe

MD5 871ae90fe42404da8087759c20ce4639
SHA1 6f756ca0f21f818b3c5f1d770a6e13b7b2716f4e
SHA256 08b98c1056e88d94f323984d572b1088bc602d456ed7e68412df8772b82b49ce
SHA512 d3b2665ef0210e1e112d2293d1a3815a5cce3f8fce26c87f913bae2f82378a11a6b1b24b27f44fe97a46945a49a0e19e91c2143ce521175d7917ed5d6f28d8a5

C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe

MD5 d657b61b37f6ddedf05c03215838e8de
SHA1 00323e974a8783bb7bb022c30f79890b6ecd7687
SHA256 3f2f53d8f4333e8a6efe69744d0f456d37478ecfb8c241a150d2a2498ab5a6dd
SHA512 c334d1f93162a2407a72f2abdef56ab1dfce6c08cbe1561de16e3c70a46f9c602e7722434122bfb3c9b4522d0f4259f4dcf8814892463ff1d13a3f872d7fea6a