Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qw33gshh55
Target 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye
SHA256 9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b

Threat Level: Known bad

The file 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 13:37

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 13:37
Reported: 2024-04-04 13:40
Platform: win7-20231129-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}\stubpath = "C:\\Windows\\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe" C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}\stubpath = "C:\\Windows\\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe" C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77A1454-F23A-4dc2-A284-7D800C7B708C}\stubpath = "C:\\Windows\\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe" C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{213237EF-16EA-4f8e-B83E-CDDF85EE4139} C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}\stubpath = "C:\\Windows\\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe" C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}\stubpath = "C:\\Windows\\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe" C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BA95AD-07DD-4b72-8192-81D57F4EDD92} C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D} C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}\stubpath = "C:\\Windows\\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe" C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77A1454-F23A-4dc2-A284-7D800C7B708C} C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6958DF70-2E70-47fb-B333-8654538B68C7} C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAF96995-C120-43da-9B5F-A1398B1DCF9E} C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9} C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28} C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}\stubpath = "C:\\Windows\\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe" C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2} C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5} C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}\stubpath = "C:\\Windows\\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe" C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}\stubpath = "C:\\Windows\\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe" C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC54689C-C80C-4a22-9ACE-AFCA466F3050} C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}\stubpath = "C:\\Windows\\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe" C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6958DF70-2E70-47fb-B333-8654538B68C7}\stubpath = "C:\\Windows\\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe N/A
File created C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe N/A
File created C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe N/A
File created C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe N/A
File created C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe N/A
File created C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe N/A
File created C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe N/A
File created C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe N/A
File created C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
File created C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe N/A
File created C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
PID 2360 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2584 N/A C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
PID 3016 wrote to memory of 2660 N/A C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2052 N/A C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
PID 2584 wrote to memory of 2940 N/A C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2528 N/A C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
PID 2052 wrote to memory of 2924 N/A C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 320 N/A C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2672 N/A C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
PID 320 wrote to memory of 2780 N/A C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2348 N/A C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
PID 2672 wrote to memory of 2676 N/A C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1996 N/A C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
PID 2348 wrote to memory of 1628 N/A C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"

C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe

C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe

C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6958D~1.EXE > nul

C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe

C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{931C1~1.EXE > nul

C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe

C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97BA9~1.EXE > nul

C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe

C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF96~1.EXE > nul

C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe

C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF30~1.EXE > nul

C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe

C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F682B~1.EXE > nul

C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe

C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC546~1.EXE > nul

C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe

C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC61~1.EXE > nul

C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe

C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{99C52~1.EXE > nul

C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe

C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C77A1~1.EXE > nul

Network

N/A

Files

C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe

C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe

C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe

C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe

C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe

C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe

C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe

C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe

C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe

C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe

C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 13:37
Reported: 2024-04-04 13:40
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC} C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C} C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}\stubpath = "C:\\Windows\\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe" C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F} C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C} C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E97B0985-0F06-4b52-992B-F31C88FB01B7}\stubpath = "C:\\Windows\\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe" C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D3F62D-3199-460e-9EEB-D130135ABDF1} C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CB1547-B572-45f8-9406-159F82C674BF} C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}\stubpath = "C:\\Windows\\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe" C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6} C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D} C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D3F62D-3199-460e-9EEB-D130135ABDF1}\stubpath = "C:\\Windows\\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe" C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA9E892-03F8-4e26-A4C5-F564798DACD9} C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}\stubpath = "C:\\Windows\\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe" C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA} C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}\stubpath = "C:\\Windows\\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe" C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}\stubpath = "C:\\Windows\\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe" C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}\stubpath = "C:\\Windows\\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe" C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}\stubpath = "C:\\Windows\\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe" C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E97B0985-0F06-4b52-992B-F31C88FB01B7} C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CB1547-B572-45f8-9406-159F82C674BF}\stubpath = "C:\\Windows\\{18CB1547-B572-45f8-9406-159F82C674BF}.exe" C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}\stubpath = "C:\\Windows\\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}\stubpath = "C:\\Windows\\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe" C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B} C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe N/A
File created C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe N/A
File created C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe N/A
File created C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
File created C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe N/A
File created C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe N/A
File created C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe N/A
File created C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe N/A
File created C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe N/A
File created C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe N/A
File created C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe N/A
File created C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe
PID 3112 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 1456 N/A C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe
PID 2984 wrote to memory of 872 N/A C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 1672 N/A C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe
PID 1456 wrote to memory of 680 N/A C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 4172 N/A C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe
PID 1672 wrote to memory of 3400 N/A C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 2700 N/A C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe
PID 4172 wrote to memory of 1012 N/A C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 4400 N/A C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe
PID 2700 wrote to memory of 2056 N/A C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 400 N/A C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe
PID 4400 wrote to memory of 3356 N/A C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4832 N/A C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe
PID 400 wrote to memory of 4324 N/A C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 3768 N/A C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe
PID 4832 wrote to memory of 2168 N/A C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 2668 N/A C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe
PID 3768 wrote to memory of 4980 N/A C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2504 N/A C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe
PID 2668 wrote to memory of 1028 N/A C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"

C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe

C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe

C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A9FFE~1.EXE > nul

C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe

C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49C48~1.EXE > nul

C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe

C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F85~1.EXE > nul

C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe

C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{45D87~1.EXE > nul

C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe

C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38BCA~1.EXE > nul

C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe

C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEEA~1.EXE > nul

C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe

C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E2CEC~1.EXE > nul

C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe

C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E97B0~1.EXE > nul

C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe

C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46D3F~1.EXE > nul

C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe

C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA9E~1.EXE > nul

C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe

C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18CB1~1.EXE > nul

Network

Country Destination Domain Proto

Files

C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe

C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe

C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe

C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe

C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe

C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe

C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe

C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe

C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe

C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe

C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe

C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe
