Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qwysrshh52
Target 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye
SHA256 dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603

Threat Level: Known bad

The file 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:37

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:37

Reported

2024-04-04 13:39

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657} C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}\stubpath = "C:\\Windows\\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe" C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86FF227-920A-469d-91B6-5A0EEE0F28E6} C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}\stubpath = "C:\\Windows\\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}\stubpath = "C:\\Windows\\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe" C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}\stubpath = "C:\\Windows\\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe" C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FF8615-255C-49df-A76D-6F048669F28E} C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB} C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}\stubpath = "C:\\Windows\\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe" C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5} C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B} C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE51290-E81F-4adc-8799-538FAC502141} C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE51290-E81F-4adc-8799-538FAC502141}\stubpath = "C:\\Windows\\{2BE51290-E81F-4adc-8799-538FAC502141}.exe" C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70600684-3492-475c-ADDB-A0522AD3C3C6}\stubpath = "C:\\Windows\\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe" C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53} C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}\stubpath = "C:\\Windows\\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe" C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0} C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80} C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}\stubpath = "C:\\Windows\\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe" C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70600684-3492-475c-ADDB-A0522AD3C3C6} C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}\stubpath = "C:\\Windows\\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe" C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FF8615-255C-49df-A76D-6F048669F28E}\stubpath = "C:\\Windows\\{97FF8615-255C-49df-A76D-6F048669F28E}.exe" C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
File created C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe N/A
File created C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe N/A
File created C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe N/A
File created C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe N/A
File created C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe N/A
File created C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe N/A
File created C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe N/A
File created C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe N/A
File created C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe N/A
File created C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
PID 996 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 3068 N/A C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
PID 3060 wrote to memory of 2696 N/A C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2556 N/A C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
PID 3068 wrote to memory of 304 N/A C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2756 N/A C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
PID 2556 wrote to memory of 2792 N/A C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2452 N/A C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
PID 2756 wrote to memory of 1476 N/A C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 556 N/A C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
PID 2452 wrote to memory of 2680 N/A C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 2672 N/A C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
PID 556 wrote to memory of 2664 N/A C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1060 N/A C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
PID 2672 wrote to memory of 1428 N/A C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"

C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe

C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe

C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEB2~1.EXE > nul

C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe

C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2DD~1.EXE > nul

C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe

C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE51~1.EXE > nul

C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe

C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26B8C~1.EXE > nul

C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe

C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97FF8~1.EXE > nul

C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe

C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8134A~1.EXE > nul

C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe

C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70600~1.EXE > nul

C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe

C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D1903~1.EXE > nul

C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe

C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A9~1.EXE > nul

C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe

C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B16DE~1.EXE > nul

Network

N/A

Files

C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe

C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe

C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe

C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe

C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe

C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe

C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe

C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe

C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe

C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe

C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:37

Reported

2024-04-04 13:39

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26} C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00AAA7D-4694-4436-9E58-B37222213553} C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D65A68-DCF9-4abe-84BD-2E378B4D760E} C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF39B152-4D89-480e-B0E9-02C15422758B}\stubpath = "C:\\Windows\\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe" C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}\stubpath = "C:\\Windows\\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe" C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53404B33-473F-4be6-A7D1-D5DB573439F3} C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00AAA7D-4694-4436-9E58-B37222213553}\stubpath = "C:\\Windows\\{F00AAA7D-4694-4436-9E58-B37222213553}.exe" C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D2B2551-0A85-4331-AAA6-B34BAD220293} C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D2B2551-0A85-4331-AAA6-B34BAD220293}\stubpath = "C:\\Windows\\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe" C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF39B152-4D89-480e-B0E9-02C15422758B} C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}\stubpath = "C:\\Windows\\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A06BC06B-4F29-43c4-86C7-AA55F106565F}\stubpath = "C:\\Windows\\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe" C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629E476-A30D-4cdd-A735-B579DD2A307D}\stubpath = "C:\\Windows\\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe" C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}\stubpath = "C:\\Windows\\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe" C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B81674-4271-4b43-A106-7F75F63955D7} C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{781E4282-4994-4391-B342-15B572088883} C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{781E4282-4994-4391-B342-15B572088883}\stubpath = "C:\\Windows\\{781E4282-4994-4391-B342-15B572088883}.exe" C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0028D2C-C8C8-48fc-B227-46F3007D79FC} C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A06BC06B-4F29-43c4-86C7-AA55F106565F} C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53404B33-473F-4be6-A7D1-D5DB573439F3}\stubpath = "C:\\Windows\\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe" C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629E476-A30D-4cdd-A735-B579DD2A307D} C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1918BBE8-CB09-4cc6-92E1-D0887A785C23} C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}\stubpath = "C:\\Windows\\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe" C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B81674-4271-4b43-A106-7F75F63955D7}\stubpath = "C:\\Windows\\{81B81674-4271-4b43-A106-7F75F63955D7}.exe" C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe N/A
File created C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe N/A
File created C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe N/A
File created C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
File created C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe N/A
File created C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe N/A
File created C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe N/A
File created C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe N/A
File created C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe N/A
File created C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe N/A
File created C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe N/A
File created C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
PID 3456 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
PID 3456 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
PID 3456 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 4232 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
PID 2012 wrote to memory of 4232 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
PID 2012 wrote to memory of 4232 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
PID 2012 wrote to memory of 940 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 940 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 940 N/A C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 2648 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
PID 4232 wrote to memory of 2648 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
PID 4232 wrote to memory of 2648 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
PID 4232 wrote to memory of 2080 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 2080 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 2080 N/A C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1180 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
PID 2648 wrote to memory of 1180 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
PID 2648 wrote to memory of 1180 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
PID 2648 wrote to memory of 4556 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4556 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4556 N/A C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1820 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
PID 1180 wrote to memory of 1820 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
PID 1180 wrote to memory of 1820 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
PID 1180 wrote to memory of 452 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 452 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 452 N/A C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2996 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
PID 1820 wrote to memory of 2996 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
PID 1820 wrote to memory of 2996 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
PID 1820 wrote to memory of 2360 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2360 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2360 N/A C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2240 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
PID 2996 wrote to memory of 2240 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
PID 2996 wrote to memory of 2240 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
PID 2996 wrote to memory of 3472 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 3472 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 3472 N/A C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3384 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
PID 2240 wrote to memory of 3384 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
PID 2240 wrote to memory of 3384 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
PID 2240 wrote to memory of 2172 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2172 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2172 N/A C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 5000 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
PID 3384 wrote to memory of 5000 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
PID 3384 wrote to memory of 5000 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
PID 3384 wrote to memory of 2908 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 2908 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 2908 N/A C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1980 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
PID 5000 wrote to memory of 1980 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
PID 5000 wrote to memory of 1980 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
PID 5000 wrote to memory of 1072 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1072 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1072 N/A C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 4760 N/A C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
PID 1980 wrote to memory of 4760 N/A C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
PID 1980 wrote to memory of 4760 N/A C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
PID 1980 wrote to memory of 3924 N/A C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"

C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe

C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe

C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0028~1.EXE > nul

C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe

C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5746D~1.EXE > nul

C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe

C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A06BC~1.EXE > nul

C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe

C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53404~1.EXE > nul

C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe

C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F00AA~1.EXE > nul

C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe

C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9629E~1.EXE > nul

C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe

C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1918B~1.EXE > nul

C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe

C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04D65~1.EXE > nul

C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe

C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{81B81~1.EXE > nul

C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe

C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9D2B2~1.EXE > nul

C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe

C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{781E4~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 251.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp

Files

C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe

MD5 efd6d767e4f57454981d415a47670337
SHA1 7f97b0423d120fc070667c33915227a4629d7008
SHA256 c1d2738cbe617f84cb3e47967e8cd8e9cb93f58b27acbbdd88fb76842f9e3095
SHA512 47326d522833a0cdcda8f9e4226a101b3e120a0570ed075838bbdfa0619a56e54efdcab884ae3ab0049ce5e84273d5baccd62c40f433e5d6e83bba0772e0084d

C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe

MD5 a2545b19f93d994754edf811546212f0
SHA1 94de568cb62922fdb27a416ec2e15a627df3ca38
SHA256 55f91a17e6455092ddf42e8c24d14e6678814e135194addcb1250dab0da2f729
SHA512 a51d50190283be94ef24b873cbe0909384a0d3bddcc45f37da7693272047ff145aa8cacce42efa904feb800b19a88242ea2f63d0d14e73231513af54541ae87d

C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe

MD5 38edfa87fccb3960a152c36502cfc34d
SHA1 a2f95c2795b0142da540b69f4b178b16a0e4acb9
SHA256 09647d3d07fe8b9c813f924a5187a00f9e765a6620f5ee1112245aa375a0dfaf
SHA512 ebdfa1fd858187c1b4a1a43d3c9c062fc7a890efe5bafd89d0bc24daa5a320d0aeb7759251d587e1152d3c5a425154a096ac079401abb6712c92ef4326e88050

C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe

MD5 b9f4480a11a2b2058c4518d0609a59e2
SHA1 87c4fbb5a6e900104c5dd81709e951c6d27846b9
SHA256 f0cd7d0cd45762253e8df0b36c2a49dea9ab4931640f1f48bafce356b7e81202
SHA512 5b0dcab864e75b5a9deb6a6f3fa0880fca39ae71e827e12b6bd3837fe8ebf627261dff1a580c66c025867a173079f39980c64b34b88732006fb1569e87c31b35

C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe

MD5 dd44912abde6bae5a8788a21ec18f32e
SHA1 fd951d9cd432c6de0a64adac38d5802909a1903a
SHA256 728ca5b32a4f68d428dfc29a5be763c514f492da43ad0870e4f8f14d1b26d138
SHA512 06ad759d8a94cffa8a9344083372a46219d6a19ac06da8b7b5f8db51ec5e997b23cba913ae2127912f6ea3fee5618768ffa84fbc8a5b16c396df630b402a394c

C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe

MD5 61b1e983912a7fb22b4e6bcc8a195514
SHA1 35800dc9e1f91d6e007a6225e29cacf1c33e427a
SHA256 de8849e03a90b14fdd402dba6caf6441cb08c0ffc546a2b31f792dbeeef5d290
SHA512 65eb4246899a1b521ada3d0bb4eae173fd6ffdb8c6c954e4ff02e3f35d29b8aa91210a25503af421902c8f7bd576eb11f3ff2e7e1fda63856afff8c3c7539b14

C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe

MD5 937db7ecd920cc71be64d74b68bc523f
SHA1 4049ca279f241ca6cb40e78af5765b32c8e79e42
SHA256 5b30ded4e5c7192be22fab5c659ca2f6912801b5fb20db8714d6ade10a8127bb
SHA512 e9f4dedaf5c7b18c72b23836fabced5123764728bbb6d4a69260dbca28dc4f107acf55f2af7dc9708987bfb2897a89126ede7e7455b30cd823d31eb524516d06

C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe

MD5 5503d5f3700cf9ef57f377d4bc48722f
SHA1 efea76922870236a26f1375ed07fbc1061193a6a
SHA256 69e599be5f867b97d069fe636bb9908b33518660f9bbd6904f16a209c92a20e2
SHA512 bb9a2a416bbba7f759e66ba0df6539c4d36d19228129d1ff848c1195a92e9b470ac64f4678dd3a8e4759e5eee562822ad97708e733cd8f8f4cde2302950b2f41

C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe

MD5 16456c392ab1ac15cf3ea1eeb72b9227
SHA1 71b72d4e3d395b9c7489011dd31ad89d949d803e
SHA256 0ed847e66ec013aa65e177093696f4e63745f882a19b859a27769b2fd8e9158a
SHA512 ee069f6c7bc2b4514b981d9b60f7ef470bb04edd10b9f24619dc614868aeeebad0c50929ebe009296c2a25cec19c0d69448cdb9f26e5b6db078ec387f8e95132

C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe

MD5 61a20dece937e23d96f1aa516302ffb3
SHA1 4a1881523e1532385369997a71073ff642f5f497
SHA256 69bfe42ef18fac805f6dff8652732142196bda7fb9735eff25a309a803eb710e
SHA512 7b619e82f44ff0c19238a1ab21035826c9cd5bb2f652705878e2ad781a53955ed13a33f9c43bfce862159fe2821a98196fa7bd1bcd050d57681154d423181656

C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe

MD5 23c8650632b111ac326025c4fa49be96
SHA1 0561e1213302ee8242dc87069e8665aeb0bbb026
SHA256 7d883f07b0f9833e21c3c0d8100eddc31731116c6256c85fe1eb93c788e82bc8
SHA512 ce9305f14b0e5dd0072b15b445838d333510762e1c0c676cb86f9e545573bf5b0992fd0712d2bcf0507e9dfe05b985407d263e2d2c9ad8b1229e96fd62e90649

C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe

MD5 c7f39e8aea732518075331a8772c1c33
SHA1 21719fa4700e734529936c598d9fcb0ae5afb43d
SHA256 1570ff7449c35e53b15e78481ffb88b5a6a1e93cb4a8444781c484a17e9a4a98
SHA512 43fc2691f9fb08599a6828da92dcd8b83efdf325004a3a848c2009f5e75e24a5203998ee45ccae2bfabec08e65576edd9084d1ae5845c37e4b70f2794a5deafa