Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qt5tashb4w
Target 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye
SHA256 0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285

Threat Level: Known bad

The file 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye was found to be: Known bad.

What the two detonations show: the sample writes a copy of itself to C:\Windows\{GUID}.exe, creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a stubpath value pointing at that copy (Active Setup persistence, ATT&CK T1547.014; Active Setup runs the stubpath once per user at the next logon, and the Wow6432Node view plus the SysWOW64\cmd.exe child show a 32-bit process), starts the copy, and then removes its own image with cmd.exe /c del <8.3 short name> > nul. Every copy repeats the cycle under a fresh GUID: the Windows 7 run chains 11 dropped generations and the Windows 10 run registers 12, and each dropped file has a different MD5/SHA1/SHA256. Because each generation deletes its own image after starting the next, only the newest copy is on disk at any moment and the earlier Installed Components keys point at files that no longer exist. Hash-based blocking is therefore of little use; the durable indicators are an Installed Components key whose stubpath is a GUID-named executable in the Windows root, and cmd.exe deleting its parent's image. No network activity was recorded in the Windows 7 run.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:34

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:34

Reported

2024-04-04 13:36

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (11 rule matches; no description, indicator, process or target recorded)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B845A054-066B-49c9-8534-FA6692E64EC9} C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD} C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}\stubpath = "C:\\Windows\\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe" C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA75B77-B029-429f-AEDB-98353ADD729C} C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13} C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7ACB97-9533-498a-AD12-C396408CD496} C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF} C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA75B77-B029-429f-AEDB-98353ADD729C}\stubpath = "C:\\Windows\\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe" C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}\stubpath = "C:\\Windows\\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe" C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E} C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}\stubpath = "C:\\Windows\\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe" C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}\stubpath = "C:\\Windows\\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe" C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921} C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62871A3-4B41-4119-A387-D24A9268E602} C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62871A3-4B41-4119-A387-D24A9268E602}\stubpath = "C:\\Windows\\{E62871A3-4B41-4119-A387-D24A9268E602}.exe" C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B845A054-066B-49c9-8534-FA6692E64EC9}\stubpath = "C:\\Windows\\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe" C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7ACB97-9533-498a-AD12-C396408CD496}\stubpath = "C:\\Windows\\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe" C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}\stubpath = "C:\\Windows\\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe" C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB} C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}\stubpath = "C:\\Windows\\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6} C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}\stubpath = "C:\\Windows\\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe" C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
File created C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
File created C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
File created C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
File created C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
File created C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
File created C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
File created C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
File created C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A
File created C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
File created C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2032 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
PID 3036 wrote to memory of 2628 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2884 (4 events) N/A C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
PID 2032 wrote to memory of 2696 (4 events) N/A C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2960 (4 events) N/A C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe
PID 2884 wrote to memory of 2176 (4 events) N/A C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 1520 (4 events) N/A C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe
PID 2960 wrote to memory of 568 (4 events) N/A C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 1276 (4 events) N/A C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe
PID 1520 wrote to memory of 2848 (4 events) N/A C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 2112 (4 events) N/A C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
PID 1276 wrote to memory of 2744 (4 events) N/A C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2656 (4 events) N/A C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
PID 2112 wrote to memory of 2756 (4 events) N/A C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 824 (4 events) N/A C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
PID 2656 wrote to memory of 2812 (4 events) N/A C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe C:\Windows\SysWOW64\cmd.exe
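The registry and file tables above are flat event lists in sandbox order; the chain they describe is easier to verify by code than by eye. The following Python is an added example, not part of the sandbox report: it parses the behavioral1 "Set value" and "File created" rows (copied verbatim into REPORT_ROWS) and walks parent to child from the original sample, failing loudly if any generation dropped a file without registering exactly that file as its Active Setup stubpath. The row regexes assume this report's column layout (Description, Indicator, Process, Target) and the doubled backslashes the sandbox uses in string values.

```python
import re
from typing import Dict, List, Tuple

# Rows copied verbatim from the behavioral1 tables above (stubpath writes and drops).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}\stubpath = "C:\\Windows\\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe" C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA75B77-B029-429f-AEDB-98353ADD729C}\stubpath = "C:\\Windows\\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe" C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}\stubpath = "C:\\Windows\\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe" C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}\stubpath = "C:\\Windows\\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe" C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}\stubpath = "C:\\Windows\\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe" C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62871A3-4B41-4119-A387-D24A9268E602}\stubpath = "C:\\Windows\\{E62871A3-4B41-4119-A387-D24A9268E602}.exe" C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B845A054-066B-49c9-8534-FA6692E64EC9}\stubpath = "C:\\Windows\\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe" C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7ACB97-9533-498a-AD12-C396408CD496}\stubpath = "C:\\Windows\\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe" C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}\stubpath = "C:\\Windows\\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe" C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}\stubpath = "C:\\Windows\\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}\stubpath = "C:\\Windows\\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe" C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A
File created C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe N/A
File created C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
File created C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe N/A
File created C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe N/A
File created C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe N/A
File created C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe N/A
File created C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe N/A
File created C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe N/A
File created C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe N/A
File created C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe N/A
File created C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe N/A
"""

# Column layout assumed: Description, Indicator, Process, Target (Target is always N/A here).
SET_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\.*?\\Installed Components\\(?P<guid>\{[^}]+\})\\stubpath'
    r' = "(?P<value>[^"]+)" (?P<process>\S+) N/A$')
FILE_RE = re.compile(r'^File created (?P<dropped>\S+) (?P<process>\S+) N/A$')


def parse_rows(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Return (stubpaths, drops): stubpaths maps registered component GUID -> (value, writing
    process); drops maps dropping process -> dropped file path."""
    stubpaths: Dict[str, Tuple[str, str]] = {}
    drops: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            value = m.group("value").replace("\\\\", "\\")  # sandbox doubles backslashes in values
            stubpaths[m.group("guid")] = (value, m.group("process"))
            continue
        m = FILE_RE.match(line)
        if m:
            drops[m.group("process")] = m.group("dropped")
    return stubpaths, drops


def guid_of(path: str) -> str:
    """'C:\\Windows\\{GUID}.exe' -> '{GUID}' (empty string if the file is not GUID-named)."""
    m = re.search(r"(\{[^}]+\})\.exe$", path)
    return m.group(1) if m else ""


def rebuild_chain(text: str) -> List[str]:
    """Walk parent -> dropped child from the one process that was not itself dropped.
    At every hop the dropper must have registered a stubpath for exactly the file it dropped;
    anything else raises ValueError so a partial or inconsistent chain is never accepted."""
    stubpaths, drops = parse_rows(text)
    dropped_files = set(drops.values())
    roots = [p for p in drops if p not in dropped_files]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root dropper, found {roots}")
    chain, current = [roots[0]], roots[0]
    while current in drops:
        child = drops[current]
        value, registrar = stubpaths.get(guid_of(child), ("", ""))
        if value != child or registrar != current:
            raise ValueError(f"{current} dropped {child} but stubpath {value!r} was set by {registrar!r}")
        chain.append(child)
        current = child
    return chain


if __name__ == "__main__":
    for generation, path in enumerate(rebuild_chain(REPORT_ROWS)):
        print(f"gen {generation:2d}: {path}")
```

The walk ends at {2C205BB7-...}.exe, the last process the sandbox recorded before the run timed out; a real chain has no natural end, so on a live host the number of Installed Components keys is a direct count of how many generations ran.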

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"

C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe

C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe

C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF223~1.EXE > nul

C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe

C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58AE2~1.EXE > nul

C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe

C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6287~1.EXE > nul

C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe

C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B845A~1.EXE > nul

C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe

C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE7AC~1.EXE > nul

C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe

C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D00~1.EXE > nul

C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe

C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5B167~1.EXE > nul

C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe

C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70A3E~1.EXE > nul

C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe

C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA75~1.EXE > nul

C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe

C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E78CE~1.EXE > nul
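Linking the cmd.exe /c del lines above to their parents is the part that trips up naive rules: the target is written as a DOS 8.3 short name (C:\Windows\{AF223~1.EXE stands for C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe, and 2024-0~1.EXE for the original sample), so a string comparison against the parent's image never matches. The Python below is an added example, not part of the report: it runs two detections over constructed Sysmon-style events modelled on this run (event ID 13 registry SetValue and event ID 1 process create; the field names and the INSTALLER_IMAGES allow-list are assumptions to adapt to your telemetry) and resolves the short name back to the parent image before deciding that cmd.exe is deleting its own parent.

```python
import re
from typing import Dict, List

# DOS 8.3 short name: up to 6 stem chars, "~N", up to 3 extension chars, e.g. {AF223~1.EXE
SHORT_RE = re.compile(r"^(?P<stem>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?$")
STUBPATH_RE = re.compile(r"\\Active Setup\\Installed Components\\\{[^}]+\}\\StubPath$", re.I)
GUID_EXE_RE = re.compile(r"^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe$", re.I)
DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# Hypothetical allow-list of images expected to write Active Setup entries; tune per estate.
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe", "trustedinstaller.exe"}


def same_file_83(ref: str, full: str) -> bool:
    r"""True if `ref` denotes the file `full`, where `ref` may be the 8.3 short name
    (C:\Windows\{AF223~1.EXE). The directory must match exactly; the short stem must be a
    prefix of the long stem with spaces and extra dots removed, and the 3-char extension
    must match. The ~N suffix is not checked because it depends on directory contents."""
    rdir, _, rname = ref.rpartition("\\")
    fdir, _, fname = full.rpartition("\\")
    if rdir.lower() != fdir.lower():
        return False
    if rname.lower() == fname.lower():
        return True
    m = SHORT_RE.match(rname.upper())
    if not m:
        return False
    stem, dot, ext = fname.rpartition(".")
    if not dot:                       # long name without an extension
        stem, ext = fname, ""
    stem = stem.replace(" ", "").replace(".", "").upper()
    return stem.startswith(m.group("stem")) and ext[:3].upper() == (m.group("ext") or "")


def detect(events: List[Dict]) -> List[Dict]:
    """Event ID 13: any StubPath write outside the installer allow-list is medium, and high
    when either the value or the writer is a GUID-named exe in C:\\Windows. Event ID 1:
    cmd.exe whose command line deletes its own parent's image (short name aware)."""
    alerts: List[Dict] = []
    for ev in events:
        image = ev.get("Image", "")
        base = image.rpartition("\\")[2].lower()
        if ev["EventID"] == 13 and STUBPATH_RE.search(ev["TargetObject"]):
            value = ev["Details"].strip('"')
            guid_named = bool(GUID_EXE_RE.match(value) or GUID_EXE_RE.match(image))
            if guid_named or base not in INSTALLER_IMAGES:
                alerts.append({"rule": "active_setup_stubpath", "severity": "high" if guid_named else "medium",
                               "pid": ev["ProcessId"], "image": image, "detail": value})
        elif ev["EventID"] == 1 and base == "cmd.exe":
            m = DEL_RE.search(ev["CommandLine"])
            if m and same_file_83(m.group("target"), ev["ParentImage"]):
                alerts.append({"rule": "parent_self_delete", "severity": "high",
                               "pid": ev["ParentProcessId"], "image": ev["ParentImage"], "detail": m.group("target")})
    return alerts


# Constructed events modelled on PIDs 3036/2032/2628 of the behavioral1 run; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 3036,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}\StubPath",
     "Details": r"C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe"},
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 3036,
     "Image": r"C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe",
     "CommandLine": r"C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"},
    {"EventID": 1, "ProcessId": 2628, "ParentProcessId": 3036,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",   # 32-bit parent: WoW64 redirects system32 to SysWOW64
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"},
    # Benign control: an installer registering its own Active Setup stub (made-up GUID).
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"},
    # Benign control: cmd.exe deleting a log file that is not its parent's image.
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The short-name match is deliberately loose (prefix plus extension, any ~N): it is used only to confirm that the deletion target is the parent, which is already a narrow condition, and a stricter match would miss the ~2, ~3 variants Windows assigns when several GUID-named files share a six-character prefix.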

Network

N/A

Files

C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe

MD5 0d9c906f4439bbcfeacf1c8bb08218f9
SHA1 cee9409622ba76d42cccb3501bec66fc9cf26a93
SHA256 6896fea704b9eaa6d2f6465c14a29f17589f7304900075b523821c3e33ae7a50
SHA512 6f36c27e61031f889b3f03ef4af724c30fc3a4f73f8a97647d7eb91df9639c1002b44544937de5df6c8ba2629e5c5e7c1772a0f34c55bce6ea0d756c7a5c6215

C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe

MD5 df6d198f0371a49ae9609085f1291d31
SHA1 fafb82545d8e03093adb55789a34c7b675778d2f
SHA256 0a8bda7d501c4ea2897790daca60d1f7f92db74f7679679c954a43e0fa8499b4
SHA512 3fb4a4ba18375900bb860edb972cde9dc34c7241a36ca1fc3ee181aab49d77e54d6f9ef29a342bf1093c53a3978bfa49369116ee870cbddaab91a4b9bd426c62

C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe

MD5 4da37b754cd22f1dcc14716eeef6dd2a
SHA1 b478e10b9c256667b6d746e0ada03092ae8961b6
SHA256 7132656997c9490f24a1b53a0ad468c13ea2bf1aaa4aa7811fff28f5b3733d40
SHA512 b5fb4e4c1d70432ac743a496eff5c068ac7a871af2eb6cc4b28f1d3680727b8c644cf238e34031486ce6d4bb5a620be52c70c037d58c111a6d1660bd7e6061fb

C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe

MD5 0bfcf77dc8ffb76d1ab46afc929ceaa5
SHA1 1f41a3ddf16ca5a26af7825680df89e8b31ba105
SHA256 ddba66bee3ef076703679c5715eeff60ff62f6956e608387598befdf68610847
SHA512 e2770cad68cfb70b64df9908de017b0583068ab8f1e1be6286a788d3d778630963be7ee1f0ea76d0034027128a852c4a7c82f8f6066fc1aa1636cd64275bdcf0

C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe

MD5 7896a7db0afd39b71ef3d06e35e1396e
SHA1 188fbb2243b55bd84629a8bb35ef6b77a4137164
SHA256 e65699ad2828ff019d4ad2cdf763e7764c2ae5dc2a002bde0ae18f06df011f33
SHA512 e3a1e2c2a7755f8a0cb5a08264788e82426d9c31e7969ec600bd33f2cbd89dbd04826fd16edcb8ccb5a6a4aa3c5ec0c6e99f0df1e53b357ad7d51226a49e22c3

C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe

MD5 0a43bb9710db25a320d9b9cf090ed9f3
SHA1 972242682a43302561669fb8fba7c9dafc6c1118
SHA256 789300252398d6485978bcdd8b53238de3d16955e09aac236c49d69091c2fdba
SHA512 03db8011b3dcdcb1cd0db70f3c81c0fa97b8fe22f68ee6106102c5276450e1ad7eba7d4c65e26657a200c98ca52f975a3644a85930e8c2d09fac95295d557251

C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe

MD5 549eb82483622ce523a936a44bdbb3c7
SHA1 17e492ed0c4fffbe5380d4289f287ecd3b0c0ac1
SHA256 81f9f8235ee8491e9646df217b29bd66ad9ce8ee6e5d330498d593e4ea814ed2
SHA512 c8df51a747676d73641e76224ca1fe114e757b1b57dff14bf4f7f5720c702c19ff0d05e7c2989574806939a790b347ae1cff096a1a59d4bfce5f0427c9fd16d9

C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe

MD5 fd24fe43f08278ab608912090903e8a5
SHA1 bccaf567a8eda59ec49e9afe7a878e3556190981
SHA256 395d8e133184d7e982a1597938d49385d1107d32fe646339eb39bb634873e368
SHA512 1f9a298a0a052fecb96a192c374f744ea571ccdc176251998ec00b3a1caa6719c0bc3b5f6e69e6b57f3d7d3527cdbdd7b07d13c7c57ca92ef36c7c50a3a61ef4

C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe

MD5 298091adbd6370d37db33656afe1b89c
SHA1 9d969551f51dded49e86c4391eef935dd1c5a4a9
SHA256 d5e91ac7b5f4eb091e7624faefaa5a646ae34e14d962c7423bf55725bbe8257c
SHA512 9c745b822aa465823c7273034b5a61bd19ce8df71bd26a3ae9a8511268fcdc509e9d9a178241646f147c87047032575a1141ccac757707dc3b700380fd47a12f

C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe

MD5 d408dd2c36569776c03b0d392c453d9d
SHA1 d65a8c1be858271b328c1dc918d229295d07f639
SHA256 e54180b557030be6b7890055a2386b21452e67c24128f85bd5e15f19ec5b21e2
SHA512 b863a33b1fd775717830cf2e1927c54e874ac1700ea094c3b6935d761b14232b31f0ad1c464b2258bc5447753e50cbe68471f0cd2493b249523a4b6202a218ad

C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe

MD5 64b5cb59a5ab022eb7a31f133e7c5639
SHA1 bfd9e2377434f93f30401a6ba9fcf139d774b35c
SHA256 ef66ed80fd3593a828456ea25053be6c9576057513c0edb3081018de04d6d14e
SHA512 1d6946ccd7f7ac96a5559e3df6947b229fe50e1fc89a966fd575a09e440c3d11267347eeffc121de38a45a258fdebbd2c2215fbb1f27e8a28973483c1e91eeb2

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:34

Reported

2024-04-04 13:36

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (12 rule matches; no description, indicator, process or target recorded)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}\stubpath = "C:\\Windows\\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe" C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C} C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A} C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0} C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0805CE4-B146-49b0-82BD-44D9E3444EAB} C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21B419-79AF-4538-B643-83E7C65C1CB5} C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21B419-79AF-4538-B643-83E7C65C1CB5}\stubpath = "C:\\Windows\\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe" C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{582093A3-ED38-4802-98BE-9BD36E38E564} C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{582093A3-ED38-4802-98BE-9BD36E38E564}\stubpath = "C:\\Windows\\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe" C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8} C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}\stubpath = "C:\\Windows\\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe" C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}\stubpath = "C:\\Windows\\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe" C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9} C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}\stubpath = "C:\\Windows\\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe" C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902AA2BB-3774-4f1e-A002-1591C8266969}\stubpath = "C:\\Windows\\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88} C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}\stubpath = "C:\\Windows\\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe" C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902AA2BB-3774-4f1e-A002-1591C8266969} C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{548D2A58-2777-4aee-8D81-6656009C40B0} C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{548D2A58-2777-4aee-8D81-6656009C40B0}\stubpath = "C:\\Windows\\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe" C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}\stubpath = "C:\\Windows\\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe" C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}\stubpath = "C:\\Windows\\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe" C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9} C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}\stubpath = "C:\\Windows\\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe" C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe N/A
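On a host where this chain has run, the registry is where the evidence persists, since every dropped file except the newest deletes itself. The Python below is an added example, not part of the report: it parses the text of reg export "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" (a constructed export embedded inline, using GUIDs from the behavioral1 run plus one made-up benign component), flags stubs that are GUID-named executables in the Windows root, that share their GUID with the component key, or that no longer exist on disk, and prints the reg delete command for each finding. The `exists` callback is injected so the hunt runs offline against a collected export; on the live host pass os.path.exists.

```python
import re
from typing import Callable, Dict, List

KEY_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\.*\\Active Setup\\Installed Components\\\{[^}]+\})\]$", re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
GUID_EXE_RE = re.compile(r"^C:\\Windows\\(\{[0-9A-F-]{36}\})\.exe$", re.I)

# Constructed `reg export` text (the real file is UTF-16; decode it before parsing).
# Three keys use GUIDs from behavioral1; the last is a made-up benign component.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF223F36-74C8-4321-A72A-FB418B2CFF13}]
"StubPath"="C:\\Windows\\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}]
"StubPath"="C:\\Windows\\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}]
"StubPath"="C:\\Windows\\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
@="Example component (constructed)"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001
"""

# Constructed picture of the disk after the chain finished: only the newest generation remains.
PRESENT_ON_DISK = {p.lower() for p in (r"C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe",
                                       r"C:\Windows\System32\regsvr32.exe")}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    r"""Parse reg export text into {key path: {value name: value}}. Keys outside Installed
    Components are skipped; REG_SZ values are unescaped (\\ -> \, \" -> "), other value
    types (dword:, hex:, the @ default) are kept as raw text."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group("key") if m else None
            if current:
                entries[current] = {}
            continue
        if not current or not line:
            continue
        m = VAL_RE.match(line)
        if m:
            entries[current][m.group("name")] = m.group("value").replace("\\\\", "\\").replace('\\"', '"')
        else:
            name, _, value = line.partition("=")
            entries[current][name.strip('"')] = value
    return entries


def stub_executable(stub: str) -> str:
    """The program part of a StubPath command line: the quoted path if quoted, else the first token."""
    if stub.startswith('"'):
        return stub.split('"', 2)[1]
    return stub.split(" ", 1)[0]


def hunt_active_setup(entries: Dict[str, Dict[str, str]], exists: Callable[[str], bool]) -> List[Dict]:
    """Return one finding per suspicious component with the reasons and a reg delete command."""
    findings: List[Dict] = []
    for key, values in entries.items():
        guid = key.rpartition("\\")[2]
        exe = stub_executable(values.get("StubPath", ""))
        if not exe:
            continue
        reasons = []
        m = GUID_EXE_RE.match(exe)
        if m:
            reasons.append("stub is a GUID-named exe in C:\\Windows")
            if m.group(1).lower() == guid.lower():
                reasons.append("stub GUID equals component GUID")
        if not exists(exe):
            reasons.append("stub target missing on disk")
        if reasons:
            findings.append({"key": key, "guid": guid, "stub": exe, "reasons": reasons,
                             "remediation": f'reg delete "{key}" /f'})
    return findings


if __name__ == "__main__":
    for f in hunt_active_setup(parse_reg_export(SAMPLE_REG_EXPORT), lambda p: p.lower() in PRESENT_ON_DISK):
        print(f["guid"], "; ".join(f["reasons"]))
        print("   ", f["remediation"])
```

"Stub target missing" on its own is only a weak signal (uninstalled software leaves such entries too), which is why it is reported as a reason rather than a verdict. After deleting the HKLM keys, also check the per-user copies Active Setup writes under HKCU\Software\Microsoft\Active Setup\Installed Components for any user that logged on while the keys existed; they are harmless once the HKLM side is gone but record which users triggered the stubs.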

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe N/A
File created C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe N/A
File created C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe N/A
File created C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe N/A
File created C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
File created C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe N/A
File created C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe N/A
File created C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe N/A
File created C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe N/A
File created C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe N/A
File created C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe N/A
File created C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
PID 2156 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
PID 2156 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
PID 2156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 1452 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
PID 716 wrote to memory of 1452 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
PID 716 wrote to memory of 1452 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
PID 716 wrote to memory of 1956 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 1956 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 1956 N/A C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 4940 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
PID 1452 wrote to memory of 4940 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
PID 1452 wrote to memory of 4940 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
PID 1452 wrote to memory of 3116 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 3116 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 3116 N/A C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4704 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
PID 4940 wrote to memory of 4704 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
PID 4940 wrote to memory of 4704 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
PID 4940 wrote to memory of 4352 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4352 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4352 N/A C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 4144 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
PID 4704 wrote to memory of 4144 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
PID 4704 wrote to memory of 4144 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
PID 4704 wrote to memory of 2068 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2068 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2068 N/A C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3760 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
PID 4144 wrote to memory of 3760 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
PID 4144 wrote to memory of 3760 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
PID 4144 wrote to memory of 3516 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3516 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3516 N/A C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4868 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
PID 3760 wrote to memory of 4868 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
PID 3760 wrote to memory of 4868 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
PID 3760 wrote to memory of 3584 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3584 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3584 N/A C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 832 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
PID 4868 wrote to memory of 832 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
PID 4868 wrote to memory of 832 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
PID 4868 wrote to memory of 1404 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 1404 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 1404 N/A C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 4476 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
PID 832 wrote to memory of 4476 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
PID 832 wrote to memory of 4476 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
PID 832 wrote to memory of 3196 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 3196 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 3196 N/A C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1984 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
PID 4476 wrote to memory of 1984 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
PID 4476 wrote to memory of 1984 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
PID 4476 wrote to memory of 4180 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4180 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4180 N/A C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2984 N/A C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
PID 1984 wrote to memory of 2984 N/A C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
PID 1984 wrote to memory of 2984 N/A C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
PID 1984 wrote to memory of 4952 N/A C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"

C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe

C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe

C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{902AA~1.EXE > nul

C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe

C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58209~1.EXE > nul

C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe

C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF1C~1.EXE > nul

C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe

C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56BDC~1.EXE > nul

C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe

C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{548D2~1.EXE > nul

C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe

C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2295~1.EXE > nul

C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe

C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1CEA9~1.EXE > nul

C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe

C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC26~1.EXE > nul

C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe

C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0805~1.EXE > nul

C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe

C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA53~1.EXE > nul

C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe

C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A21B~1.EXE > nul

Network


Files
