Malware Analysis Report

2025-08-11 01:07

Sample ID: 240404-qwjc3shb7z
Target: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye
SHA256: a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168
Threat Level: Known bad

The file 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 13:36

Signatures

Auto-generated rule

1 match; no details reported (Description, Indicator, Process and Target all N/A).

Unsigned PE

1 match; no details reported (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 13:36
Reported: 2024-04-04 13:39
Platform: win7-20240220-en
Max time kernel: 144s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"

Signatures

Auto-generated rule

11 matches; no details reported (Description, Indicator, Process and Target all N/A).

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67}\stubpath = "C:\\Windows\\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}\stubpath = "C:\\Windows\\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe" | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124} | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725} | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86} | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}\stubpath = "C:\\Windows\\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe" | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3} | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4} | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}\stubpath = "C:\\Windows\\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe" | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}\stubpath = "C:\\Windows\\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe" | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E}\stubpath = "C:\\Windows\\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe" | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F} | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86}\stubpath = "C:\\Windows\\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe" | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}\stubpath = "C:\\Windows\\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe" | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}\stubpath = "C:\\Windows\\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe" | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E} | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F}\stubpath = "C:\\Windows\\{9B8E65DD-0180-41df-8903-910F8314783F}.exe" | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871} | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}\stubpath = "C:\\Windows\\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe" | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86} | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD} | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A
File created | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A
File created | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A
File created | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A
File created | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A
File created | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A
File created | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A
File created | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A
File created | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
File created | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A
File created | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
PID 2268 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
PID 2268 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
PID 2268 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
PID 2268 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2632 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
PID 3068 wrote to memory of 2632 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
PID 3068 wrote to memory of 2632 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
PID 3068 wrote to memory of 2632 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
PID 3068 wrote to memory of 2804 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2804 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2804 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2804 | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2792 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
PID 2632 wrote to memory of 2792 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
PID 2632 wrote to memory of 2792 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
PID 2632 wrote to memory of 2792 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
PID 2632 wrote to memory of 2188 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2188 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2188 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2188 | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2720 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
PID 2792 wrote to memory of 2720 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
PID 2792 wrote to memory of 2720 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
PID 2792 wrote to memory of 2720 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
PID 2792 wrote to memory of 2868 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2868 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2868 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2868 | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2492 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
PID 2720 wrote to memory of 2492 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
PID 2720 wrote to memory of 2492 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
PID 2720 wrote to memory of 2492 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
PID 2720 wrote to memory of 2648 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2648 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2648 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2648 | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1196 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
PID 2492 wrote to memory of 1196 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
PID 2492 wrote to memory of 1196 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
PID 2492 wrote to memory of 1196 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
PID 2492 wrote to memory of 1036 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1036 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1036 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1036 | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 1252 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
PID 1196 wrote to memory of 1252 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
PID 1196 wrote to memory of 1252 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
PID 1196 wrote to memory of 1252 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
PID 1196 wrote to memory of 304 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 304 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 304 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 304 | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1632 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
PID 1252 wrote to memory of 1632 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
PID 1252 wrote to memory of 1632 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
PID 1252 wrote to memory of 1632 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
PID 1252 wrote to memory of 876 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 876 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 876 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 876 | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul
C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{604BF~1.EXE > nul
C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8E6~1.EXE > nul
C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1665~1.EXE > nul
C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{35EE9~1.EXE > nul
C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF3D~1.EXE > nul
C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B8764~1.EXE > nul
C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4B66E~1.EXE > nul
C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C8~1.EXE > nul
C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD60~1.EXE > nul

Network

N/A

Files

C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 13:36
Reported: 2024-04-04 13:39
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"

Signatures

Auto-generated rule

12 matches; no details reported (Description, Indicator, Process and Target all N/A).

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}\stubpath = "C:\\Windows\\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe" | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA}\stubpath = "C:\\Windows\\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe" | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871}\stubpath = "C:\\Windows\\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe" | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5}\stubpath = "C:\\Windows\\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe" | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C} | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D} | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D}\stubpath = "C:\\Windows\\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe" | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}\stubpath = "C:\\Windows\\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe" | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C}\stubpath = "C:\\Windows\\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe" | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}\stubpath = "C:\\Windows\\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63}\stubpath = "C:\\Windows\\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe" | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}\stubpath = "C:\\Windows\\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe" | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D} | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB} | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096}\stubpath = "C:\\Windows\\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe" | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49} | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5} | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA} | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096} | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C} | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C}\stubpath = "C:\\Windows\\{C7130592-EB19-432c-8743-F6518207F74C}.exe" | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871} | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63} | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A
File created | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A
File created | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A
File created | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A
File created | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A
File created | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A
File created | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A
File created | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A
File created | C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A
File created | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A
File created | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A
File created | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
PID 3412 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
PID 3412 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
PID 3412 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 3508 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
PID 5092 wrote to memory of 3508 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
PID 5092 wrote to memory of 3508 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
PID 5092 wrote to memory of 60 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 60 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 60 N/A C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 1428 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
PID 3508 wrote to memory of 1428 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
PID 3508 wrote to memory of 1428 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
PID 3508 wrote to memory of 1416 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 1416 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 1416 N/A C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 4220 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
PID 1428 wrote to memory of 4220 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
PID 1428 wrote to memory of 4220 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
PID 1428 wrote to memory of 4172 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 4172 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 4172 N/A C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1796 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
PID 4220 wrote to memory of 1796 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
PID 4220 wrote to memory of 1796 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
PID 4220 wrote to memory of 1628 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1628 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1628 N/A C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2072 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
PID 1796 wrote to memory of 2072 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
PID 1796 wrote to memory of 2072 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
PID 1796 wrote to memory of 5080 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 5080 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 5080 N/A C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4924 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
PID 2072 wrote to memory of 4924 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
PID 2072 wrote to memory of 4924 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
PID 2072 wrote to memory of 4524 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4524 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4524 N/A C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1600 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
PID 4924 wrote to memory of 1600 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
PID 4924 wrote to memory of 1600 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
PID 4924 wrote to memory of 4640 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4640 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4640 N/A C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1832 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
PID 1600 wrote to memory of 1832 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
PID 1600 wrote to memory of 1832 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
PID 1600 wrote to memory of 4264 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 4264 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 4264 N/A C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 4340 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
PID 1832 wrote to memory of 4340 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
PID 1832 wrote to memory of 4340 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
PID 1832 wrote to memory of 404 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 404 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 404 N/A C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 8 N/A C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
PID 4340 wrote to memory of 8 N/A C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
PID 4340 wrote to memory of 8 N/A C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
PID 4340 wrote to memory of 5064 N/A C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"

C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe

C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe

C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul

C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe

C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{390C9~1.EXE > nul

C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe

C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC3D~1.EXE > nul

C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe

C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E889~1.EXE > nul

C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe

C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35484~1.EXE > nul

C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe

C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77B3B~1.EXE > nul

C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe

C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6B397~1.EXE > nul

C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe

C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C7130~1.EXE > nul

C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe

C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65EEE~1.EXE > nul

C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe

C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9967B~1.EXE > nul

C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe

C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55FB7~1.EXE > nul
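
The Active Setup rows, the "Drops file in Windows directory" table and the Processes list above all describe one mechanism: each stage registers the next GUID-named executable under Active Setup\Installed Components with a stubpath into C:\Windows, drops that file, starts it, and has a child cmd.exe delete the stage's own image by its 8.3 short name (`cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul`). The script below is an added worked example, not code from the sandbox or from the sample. It parses rows transcribed from those tables (a subset of the stages, so it runs offline), orders them into the stage chain, verifies that every stage's cmd.exe deletes that stage's own image, and flags StubPath values pointing at a GUID-named exe directly under the Windows directory. The 8.3 rule it applies (first six characters of the name, "~1", first three of the extension, no collisions) is an assumption that matches every short name in this report, not something the report states.

```python
"""Reconstruct the drop / run / self-delete chain from the report tables.

Added worked example; not code from the sandbox or from the sample. Input rows
are transcribed from the tables above (a subset of stages, so it runs offline).
The 8.3 short-name rule in short_name() is an assumption: first six characters
of the stem, "~1", first three characters of the extension, no collisions.
"""
import re

# GUID-named executable dropped directly into the Windows directory.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}\.exe$",
    re.IGNORECASE,
)
# "Set value (str)" row under Active Setup\Installed Components.
STUBPATH_ROW = re.compile(
    r'Installed Components\\\{(?P<component>[0-9A-F-]{36})\}\\stubpath = "(?P<path>[^"]+)"',
    re.IGNORECASE,
)
# The self-deletion command line as shown in the Processes section.
DEL_CMD = re.compile(r"cmd\.exe /c del (?P<target>\S+) > nul$", re.IGNORECASE)

ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
S1 = r"C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe"
S2 = r"C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe"
S3 = r"C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe"
S4 = r"C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe"
S5 = r"C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe"

# "Drops file in Windows directory": (file created, creating process), listed
# out of order as the report does.
FILE_CREATED = [(S3, S2), (S1, ORIG), (S4, S3), (S2, S1), (S5, S4)]

# Processes: (stage image, command line of the cmd.exe that stage spawned).
SELF_DELETE = [
    (ORIG, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (S1, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul"),
    (S2, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{390C9~1.EXE > nul"),
    (S3, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC3D~1.EXE > nul"),
]

# "Modifies Installed Components in the registry": two rows, verbatim.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C}\stubpath = "C:\\Windows\\{C7130592-EB19-432c-8743-F6518207F74C}.exe" C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871} C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe N/A',
]


def short_name(path):
    """8.3 short name of the file part of path (assumed rule, see docstring)."""
    name = path.rsplit("\\", 1)[-1]
    stem, ext = name.rsplit(".", 1)
    return f"{stem[:6]}~1.{ext[:3]}".upper()


def drop_chain(rows):
    """Order (created, creator) rows into the stage sequence, sample first.
    Raises ValueError unless the rows form one straight line (no stage drops
    two files, exactly one root, no cycle)."""
    child_of = {}
    for created, creator in rows:
        if creator in child_of:
            raise ValueError(f"{creator} drops more than one file")
        child_of[creator] = created
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root stage, found {roots}")
    chain = roots
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
        if len(chain) > len(rows) + 1:
            raise ValueError("cycle in drop graph")
    return chain


def deletes_own_image(rows):
    """Map each stage to True if its cmd.exe deletes that stage's own image."""
    result = {}
    for stage, cmd in rows:
        m = DEL_CMD.search(cmd)
        if m is None:
            raise ValueError(f"not a self-delete command: {cmd}")
        expected = stage.rsplit("\\", 1)[0] + "\\" + short_name(stage)
        result[stage] = m.group("target").upper() == expected.upper()
    return result


def active_setup_stubs(rows):
    """(component GUID, StubPath, flagged) per 'Set value' row; flagged means
    the StubPath is a GUID-named exe directly under the Windows directory whose
    GUID equals the Installed Components key it sits under (this sample's pattern)."""
    out = []
    for row in rows:
        m = STUBPATH_ROW.search(row)
        if m is None:
            continue  # "Key created" rows carry no value to inspect
        component = m.group("component").upper()
        path = m.group("path").replace("\\\\", "\\")  # report escapes backslashes
        exe = GUID_EXE.match(path)
        flagged = exe is not None and exe.group(1).upper() == component
        out.append((component, path, flagged))
    return out


if __name__ == "__main__":
    print(" -> ".join(p.rsplit("\\", 1)[-1] for p in drop_chain(FILE_CREATED)))
    print(deletes_own_image(SELF_DELETE))
    print(active_setup_stubs(REGISTRY_ROWS))
```

drop_chain() refuses anything that is not a single linear chain, which is the check worth keeping when feeding it a different report: a stage that drops two files or a graph with two roots means the sample is not the simple relay the tables here show. The short-name mapping is what lets the del commands be tied back to the long GUID filenames in the Files section.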

Network

All observed traffic is reverse-DNS (PTR) lookups of in-addr.arpa names sent to 8.8.8.8 plus one TCP connection to 52.111.236.21:443; no hostname is resolved by name, and the table attributes none of it to a specific process, so nothing here ties the sample to a command-and-control endpoint.

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe

MD5 8265fb2d362699c97111cff330ad8e99
SHA1 732b6e88493dfd42c8502a55a7ebd156d63c8d06
SHA256 d666db23ac50e90cb6c6e1aae3dd6fd901ef87cadcc1b6e9c9c1a26f28c53be0
SHA512 ee36c12d09b45ac823bb6ca59cd511209b1c0a8d72e28962acc02ba1eeef81d47892011fec4805b1252892692095d571af2c84c714b683617a5e9e2d692610bb

C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe

MD5 e526e4a2593f59769311affc3b0b02d2
SHA1 6cd30dfb0653a25cc40c42e277f1a88fcab3d281
SHA256 0543db4016a12599366efb1db45e8ec74a4c9b7cfa327c0fa21a81492c9ec718
SHA512 6d98799e34814e9bb9740511775c99887deebb680db862516b9b6808cd99a0d1a7818f52fd59ff50d28a1de79655f12fb7ee47a8f6d01cbea3338d4ed373d1fd

C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe

MD5 844d50c4c89bede9dd276f51c24af53f
SHA1 965852716b051501f6eaf7138c1ff81a211e0288
SHA256 c91720460de24e0a068b17c1268527ee68b94a72baa343a77a8cadb81452d440
SHA512 d40600664461506fbe5f92c31828a17b33ef6247fc5e3007b7b283d3f9be7ba0803482ce3cff257131802d02e3683d3a5aa8df91eb6cebdcf6e7b9a55c4a075c

C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe

MD5 35344cdd4fec8f2c620c6da727ed50ac
SHA1 1ac019fbb4242bd5881049b6333704eeb9dfcc49
SHA256 fab9206fc22ca16e011794b1b55d7dcf1fffe13004a1241156e8126009827910
SHA512 9006b18e4edacefc3eb56ef4442e4769c1064b1913f5500ae2ce31c584a5fdb1e30095b5a8de8103d8efd54718749ca579e37e3248ef7aaced72df04daf6ea38

C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe

MD5 0fc5bc411ec863b8ef31b6105aaea5a5
SHA1 fb310ee022b23cbc48a7e7dde5834419aaa0ddbb
SHA256 c98f63875a59f1c63dd73bd0d0e1c0b10ed0d364b6562d3e8573de188cd7cc91
SHA512 a416e6f4036d1bb4ae13d1296f4b674a141c24f84853aeab059224f5490bb48d65dca0d0aba50610a88b863f7171a46a95b1e4a47604372e91d8442361c923f5

C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe

MD5 56136e7b56ee670856de4e9cb2190a22
SHA1 e09af0e74ce9936050582e981a2323232ad82917
SHA256 689fab017550d5934070365e508756dfe1363e4097f762f04661df00f298a185
SHA512 e0a6abfd52de2836dac9a77d669b832e68020fc26a8e6c0c638e1f7f944cd7a0bc56f90ceeb0c9ebedc71fd65f913f935466d45f0a54babd5c8013131847adbf

C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe

MD5 5ce82a24474f84095401df53af2c2f9d
SHA1 f7cd20893e52f00561e983d2e5cc7e2f43727f57
SHA256 f590d702b28b564c8f8163c4f78270b96d95afee5b9a400f0ecb6f98376c23c0
SHA512 15b91f48403e6ceed4c85d760c0cd7927f2952d2fc776da31917c4e6379262cb6517421df3701a8706aef3280a08ba4d7fae32b1fc07fa8b610c7692a5756a1c

C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe

MD5 f2ed789e1fb177aab40e689a93be5694
SHA1 c87de8d8c8285906c23102853853ab87da2e643c
SHA256 1598692a5290601c6207a36251d20c67bd312e9f36a7d5f7b61a139ced3e7818
SHA512 29ecf5451ff7f358747eb5ff76fcaf14883f7ebef0f6cc9b2beea86f68f5eeea387b8420067b91675eaff965b620c4584b39e945ba3cf91b2f7f8d84b2ffeec1

C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe

MD5 a94caab3bd875a3af5ee1ea3d0df44c4
SHA1 1241f19ddbe7907ba77aa5d87d3c03c9cb7ebb59
SHA256 5e25989b231fd4d3c3372b8c0f5b53883bb4212c108218a81263a7445cd0039e
SHA512 2dbcd8c870ee8289180ca8167b5eb9f4a7aec3cd3abc4ad37dfdc8afecc96af8c05602d3d6f458bb1bea0fc8df5e46034b95364af81bd67b6f610e39f7ccc17e

C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe

MD5 179a47cd9d052db77702998b9c38b260
SHA1 c2166afb47f43c535cdeaeea91412730d48a86ed
SHA256 ab62e9ad08bda5ed2e7694e081bf7798f2e0c532594692359e35ed6b116a3f25
SHA512 6934cef31e3033f21808245b61ade6af6c698530770cbe8b18afe132ed2a278e40055be969e013f9fbda0cb6df92e12fb098c64481c4cb4bc7f3956a770771ea

C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe

MD5 3d35c5ea4e2c7278f8952c282a3b946e
SHA1 955cda7fef39bece44bbb5ee4e7d775715928657
SHA256 a97378bafddac5e66e300a2f88874c459fa0aef360b0de4d4d079fb8fe464225
SHA512 dee3c78a04cad2145c8537e712541ff89e4c84e2f79ce219b11b89358a3f0a424470fe04a18befaa1dbb34dd548eed425ab95d5cb49c5e8cf37e42699ff27289

C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe

MD5 30f036fad0105ddd7dbbfc3d94e7be4b
SHA1 c3145437d0bd8253bfc0316992673d117098cb9c
SHA256 e5bd663b089d25e4d5022ab38afcc28d7f530e269e1e0b83947b013389d7574f
SHA512 d36685449d3564c720d6f9d0d974978e58fb2739ea7003fbe65c7f497e9fa30f6989bbe6a78be1c6818d38828e92aaca475aa77e0e7ee7fd91c4543a6e9b6ca6