Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qvyrdahb6t
Target 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye
SHA256 fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33

Threat Level: Known bad

The file 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:35

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:35

Reported

2024-04-04 13:38

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9913C8E-C158-4373-858D-684241B83347}\stubpath = "C:\\Windows\\{F9913C8E-C158-4373-858D-684241B83347}.exe" C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D8D6CA-6AC3-4346-B364-87F34C77C723}\stubpath = "C:\\Windows\\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe" C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF79E3A-7F93-4439-8044-011398DEF3F3} C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AD80E8-3627-4513-B8CF-07F1779EF0E1} C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657156EC-8D0E-425e-862E-0A58AF8D6176} C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657156EC-8D0E-425e-862E-0A58AF8D6176}\stubpath = "C:\\Windows\\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe" C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}\stubpath = "C:\\Windows\\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe" C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9913C8E-C158-4373-858D-684241B83347} C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}\stubpath = "C:\\Windows\\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe" C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}\stubpath = "C:\\Windows\\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe" C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11} C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}\stubpath = "C:\\Windows\\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe" C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF79E3A-7F93-4439-8044-011398DEF3F3}\stubpath = "C:\\Windows\\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe" C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A667AB5A-9E89-46dd-A6A3-BE39C8341433} C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{963A86C1-70B3-429f-9E73-D400E033AF37} C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{199D00EB-7ECA-4605-A153-FAE4DC4068C3} C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}\stubpath = "C:\\Windows\\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7} C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{963A86C1-70B3-429f-9E73-D400E033AF37}\stubpath = "C:\\Windows\\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe" C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446} C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}\stubpath = "C:\\Windows\\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe" C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD} C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}\stubpath = "C:\\Windows\\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe" C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D8D6CA-6AC3-4346-B364-87F34C77C723} C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe N/A
File created C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe N/A
File created C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe N/A
File created C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
File created C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe N/A
File created C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe N/A
File created C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe N/A
File created C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe N/A
File created C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe N/A
File created C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe N/A
File created C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe N/A
File created C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
PID 2792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
PID 2792 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
PID 2792 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4440 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
PID 3180 wrote to memory of 4440 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
PID 3180 wrote to memory of 4440 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
PID 3180 wrote to memory of 2856 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 2856 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 2856 N/A C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 4040 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
PID 4440 wrote to memory of 4040 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
PID 4440 wrote to memory of 4040 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
PID 4440 wrote to memory of 2312 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 2312 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 2312 N/A C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 2612 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
PID 4040 wrote to memory of 2612 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
PID 4040 wrote to memory of 2612 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
PID 4040 wrote to memory of 3684 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 3684 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 3684 N/A C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2864 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
PID 2612 wrote to memory of 2864 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
PID 2612 wrote to memory of 2864 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
PID 2612 wrote to memory of 3172 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3172 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3172 N/A C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 4592 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
PID 2864 wrote to memory of 4592 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
PID 2864 wrote to memory of 4592 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
PID 2864 wrote to memory of 4556 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 4556 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 4556 N/A C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3044 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
PID 4592 wrote to memory of 3044 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
PID 4592 wrote to memory of 3044 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
PID 4592 wrote to memory of 4812 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4812 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4812 N/A C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1684 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
PID 3044 wrote to memory of 1684 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
PID 3044 wrote to memory of 1684 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
PID 3044 wrote to memory of 2896 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2896 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2896 N/A C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 4420 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
PID 1684 wrote to memory of 4420 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
PID 1684 wrote to memory of 4420 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
PID 1684 wrote to memory of 4264 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 4264 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 4264 N/A C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 376 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
PID 4420 wrote to memory of 376 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
PID 4420 wrote to memory of 376 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
PID 4420 wrote to memory of 2276 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2276 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2276 N/A C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 4724 N/A C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
PID 376 wrote to memory of 4724 N/A C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
PID 376 wrote to memory of 4724 N/A C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
PID 376 wrote to memory of 3300 N/A C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"

C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe

C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe

C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB9A~1.EXE > nul

C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe

C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F9913~1.EXE > nul

C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe

C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14D8D~1.EXE > nul

C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe

C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B01F~1.EXE > nul

C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe

C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ECF79~1.EXE > nul

C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe

C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{44AD8~1.EXE > nul

C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe

C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65715~1.EXE > nul

C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe

C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76ABA~1.EXE > nul

C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe

C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F355A~1.EXE > nul

C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe

C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A667A~1.EXE > nul

C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe

C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{963A8~1.EXE > nul

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:35

Reported

2024-04-04 13:38

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}\stubpath = "C:\\Windows\\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D} C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}\stubpath = "C:\\Windows\\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe" C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB} C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}\stubpath = "C:\\Windows\\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe" C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}\stubpath = "C:\\Windows\\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe" C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017} C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A841007C-6540-422c-B8A4-F13088944423}\stubpath = "C:\\Windows\\{A841007C-6540-422c-B8A4-F13088944423}.exe" C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19} C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}\stubpath = "C:\\Windows\\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe" C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE} C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D74B840A-03EB-4d99-ACB9-FD508FC76035} C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D74B840A-03EB-4d99-ACB9-FD508FC76035}\stubpath = "C:\\Windows\\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe" C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1} C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0} C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}\stubpath = "C:\\Windows\\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe" C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D157068A-6C63-4c72-92F3-827474DEEE9E} C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906} C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}\stubpath = "C:\\Windows\\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe" C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}\stubpath = "C:\\Windows\\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe" C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A841007C-6540-422c-B8A4-F13088944423} C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D157068A-6C63-4c72-92F3-827474DEEE9E}\stubpath = "C:\\Windows\\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe" C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe N/A
File created C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe N/A
File created C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe N/A
File created C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe N/A
File created C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe N/A
File created C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe N/A
File created C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
File created C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe N/A
File created C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe N/A
File created C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe N/A
File created C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
PID 2492 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2636 N/A C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
PID 3008 wrote to memory of 2568 N/A C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2544 N/A C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
PID 2636 wrote to memory of 2464 N/A C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2692 N/A C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
PID 2544 wrote to memory of 2704 N/A C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2296 N/A C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
PID 2692 wrote to memory of 2900 N/A C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 1576 N/A C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
PID 2296 wrote to memory of 1892 N/A C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1328 N/A C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
PID 1576 wrote to memory of 2656 N/A C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 860 N/A C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
PID 1328 wrote to memory of 2044 N/A C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"

C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe

C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe

C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26252~1.EXE > nul

C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe

C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A18D~1.EXE > nul

C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe

C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E55~1.EXE > nul

C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe

C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D74B8~1.EXE > nul

C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe

C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AEB4~1.EXE > nul

C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe

C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC49E~1.EXE > nul

C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe

C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C91D9~1.EXE > nul

C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe

C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{631C7~1.EXE > nul

C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe

C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A8410~1.EXE > nul

C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe

C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{69FDD~1.EXE > nul

Network

N/A

Files

C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe

C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe

C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe

C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe

C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe

C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe

C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe

C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe

C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe

C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe

C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe