Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qte8mshg75
Target 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye
SHA256 c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4

Threat Level: Known bad

The file 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:32

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B} C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B}\stubpath = "C:\\Windows\\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe" C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C} C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}\stubpath = "C:\\Windows\\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe" C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD}\stubpath = "C:\\Windows\\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe" C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}\stubpath = "C:\\Windows\\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe" C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6} C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}\stubpath = "C:\\Windows\\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe" C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE} C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}\stubpath = "C:\\Windows\\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe" C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513} C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23} C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD} C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6}\stubpath = "C:\\Windows\\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe" C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44} C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}\stubpath = "C:\\Windows\\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe" C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769} C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}\stubpath = "C:\\Windows\\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe" C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513}\stubpath = "C:\\Windows\\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe" C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24} C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5}\stubpath = "C:\\Windows\\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB} C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5} C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}\stubpath = "C:\\Windows\\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe" C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
File created C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe N/A
File created C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe N/A
File created C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe N/A
File created C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe N/A
File created C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe N/A
File created C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe N/A
File created C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe N/A
File created C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe N/A
File created C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe N/A
File created C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe N/A
File created C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
PID 2584 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 4344 N/A C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
PID 4080 wrote to memory of 3972 N/A C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4740 N/A C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
PID 4344 wrote to memory of 1052 N/A C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 3092 N/A C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
PID 4740 wrote to memory of 2840 N/A C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 3076 N/A C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
PID 3092 wrote to memory of 552 N/A C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 5092 N/A C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
PID 3076 wrote to memory of 564 N/A C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 5028 N/A C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
PID 5092 wrote to memory of 3552 N/A C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 1520 N/A C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
PID 5028 wrote to memory of 4876 N/A C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 1592 N/A C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
PID 1520 wrote to memory of 5056 N/A C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2468 N/A C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
PID 1592 wrote to memory of 1236 N/A C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3324 N/A C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
PID 2468 wrote to memory of 3048 N/A C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"

C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe

C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe

C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul

C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe

C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul

C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe

C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97DFC~1.EXE > nul

C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe

C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD47~1.EXE > nul

C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe

C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC00~1.EXE > nul

C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe

C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{731A3~1.EXE > nul

C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe

C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D39D~1.EXE > nul

C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe

C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74D5B~1.EXE > nul

C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe

C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D66CE~1.EXE > nul

C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe

C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C39~1.EXE > nul

C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe

C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D24E5~1.EXE > nul

Network


Files

C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe

C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe

C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe

C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe

C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe

C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe

C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe

C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe

C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe

C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe

C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe

C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98513519-C272-42e7-B62C-90F87F3C5FE8}\stubpath = "C:\\Windows\\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe" C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0} C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A799C4C5-4489-4df5-93E1-39190D179CF6}\stubpath = "C:\\Windows\\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe" C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714} C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}\stubpath = "C:\\Windows\\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe" C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C0D496-1469-4659-B710-674F9255570E} C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188038A5-8A7E-4505-B9AF-0CCCE258D05B} C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}\stubpath = "C:\\Windows\\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe" C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162DBF6A-5FD1-451a-9F81-A271776D4B81}\stubpath = "C:\\Windows\\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98513519-C272-42e7-B62C-90F87F3C5FE8} C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95024C6-9E6B-4d77-82F0-DD8612330837} C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08886010-0683-4569-B5CA-86122B334181}\stubpath = "C:\\Windows\\{08886010-0683-4569-B5CA-86122B334181}.exe" C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C0D496-1469-4659-B710-674F9255570E}\stubpath = "C:\\Windows\\{79C0D496-1469-4659-B710-674F9255570E}.exe" C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}\stubpath = "C:\\Windows\\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe" C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B26B4F89-0F00-4cd8-9A6A-2225105FC474} C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162DBF6A-5FD1-451a-9F81-A271776D4B81} C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}\stubpath = "C:\\Windows\\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe" C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95024C6-9E6B-4d77-82F0-DD8612330837}\stubpath = "C:\\Windows\\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe" C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}\stubpath = "C:\\Windows\\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe" C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08886010-0683-4569-B5CA-86122B334181} C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011} C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A799C4C5-4489-4df5-93E1-39190D179CF6} C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe N/A
File created C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe N/A
File created C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
File created C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe N/A
File created C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe N/A
File created C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe N/A
File created C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe N/A
File created C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe N/A
File created C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe N/A
File created C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe N/A
File created C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
PID 2632 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2968 N/A C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
PID 2464 wrote to memory of 2080 N/A C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2616 N/A C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
PID 2968 wrote to memory of 2880 N/A C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 440 N/A C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
PID 2616 wrote to memory of 1464 N/A C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 2856 N/A C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
PID 440 wrote to memory of 3040 N/A C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2652 N/A C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
PID 2856 wrote to memory of 844 N/A C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2636 N/A C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe
PID 2652 wrote to memory of 1928 N/A C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2692 N/A C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
PID 2636 wrote to memory of 2704 N/A C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"

C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe

C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe

C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{162DB~1.EXE > nul

C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe

C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A799C~1.EXE > nul

C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe

C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{98513~1.EXE > nul

C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe

C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EECFA~1.EXE > nul

C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe

C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F9502~1.EXE > nul

C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe

C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{66BA1~1.EXE > nul

C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe

C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{08886~1.EXE > nul

C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe

C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{32EF9~1.EXE > nul

C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe

C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{79C0D~1.EXE > nul

C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe

C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18803~1.EXE > nul

Network

N/A

Files

C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe

C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe

C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe

C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe

C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe

C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe

C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe

C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe

C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe

C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe

C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe
