Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qx3hcahc3z
Target 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye
SHA256 a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc

Threat Level: Known bad

The file 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye was found to be: Known bad. Both detonations show the same cycle: each stage writes a new GUID-named executable directly under C:\Windows (every dropped stage has a different hash, so file hashes are poor indicators), registers it under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\stubpath (Active Setup runs StubPath once per user at the next logon), starts it, and then removes its own image with cmd.exe /c del. The 32-bit parent invokes C:\Windows\system32\cmd.exe, which WOW64 file system redirection resolves to C:\Windows\SysWOW64\cmd.exe, as the process list shows. The Windows 7 run recorded no network activity; the durable indicators are the Active Setup key pattern and the C:\Windows\{GUID}.exe path, not the per-stage hashes.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:39

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:39

Reported

2024-04-04 13:41

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}\stubpath = "C:\\Windows\\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe" C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65782627-3DC2-4ab2-9F09-78420C969855}\stubpath = "C:\\Windows\\{65782627-3DC2-4ab2-9F09-78420C969855}.exe" C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07902000-F022-491c-B968-7A01A8B7FDC3} C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}\stubpath = "C:\\Windows\\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe" C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90} C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}\stubpath = "C:\\Windows\\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe" C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683} C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3} C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}\stubpath = "C:\\Windows\\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07902000-F022-491c-B968-7A01A8B7FDC3}\stubpath = "C:\\Windows\\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe" C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F027BE9B-853C-47da-943B-B4E9B045E1C7}\stubpath = "C:\\Windows\\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe" C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}\stubpath = "C:\\Windows\\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe" C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02} C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}\stubpath = "C:\\Windows\\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe" C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B6B830-878E-461d-9A5D-979B7B9AFA72} C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF251A6-6B71-44d7-9C3C-0A31E7321906} C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}\stubpath = "C:\\Windows\\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe" C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65782627-3DC2-4ab2-9F09-78420C969855} C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F027BE9B-853C-47da-943B-B4E9B045E1C7} C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB} C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2} C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}\stubpath = "C:\\Windows\\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe" C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe N/A
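The table above is easier to read as a chain. The following Python script is an added example (not part of the sandbox report) that parses rows in the table's own layout, follows writer -> stubpath to order the stages, and flags every stubpath that points at C:\Windows\{GUID}.exe with the same GUID as its Installed Components subkey. The first four sample rows are copied from the table above; the fifth, a benign-looking installer entry under an ExampleApp directory, is constructed to show that the check does not fire on it. The rule that a legitimate Active Setup entry normally points into an installed product's directory rather than at a GUID-named PE in the Windows root is an assumption, not something the report states.

```python
"""Reconstruct the Active Setup persistence chain from sandbox registry rows.

Added example, not part of the sandbox report: it parses rows in the report's
"Description Indicator Process Target" layout, orders the dropped stages by
following writer -> stubpath, and flags StubPath values shaped like the ones
seen here (C:\\Windows\\{GUID}.exe, GUID equal to the Installed Components
subkey).
"""
import re
from typing import Dict, List, Optional

GUID = (r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
        r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}")

# One table row: operation, Active Setup subkey, optional stubpath value,
# writing process, and the always-N/A Target column. Wow6432Node is matched
# case-insensitively because the Windows 10 run logs it as WOW6432Node.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value \(str\))\s+"
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?i:wow6432node)\\Microsoft\\Active Setup\\"
    r"Installed Components\\\{(?P<guid>" + GUID + r")\}"
    r'(?:\\stubpath = "(?P<stub>[^"]*)")?\s+'
    r"(?P<proc>\S+)\s+N/A$"
)

# StubPath shape used by every stage in this report: a GUID-named PE directly
# under C:\Windows.
DROPPED_RE = re.compile(r"^C:\\Windows\\\{(?P<guid>" + GUID + r")\}\.exe$", re.I)

SAMPLE_ROWS = [
    # Rows copied from the behavioral1 table (original sample -> three stages).
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3} C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}\stubpath = "C:\\Windows\\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}\stubpath = "C:\\Windows\\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe" C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65782627-3DC2-4ab2-9F09-78420C969855}\stubpath = "C:\\Windows\\{65782627-3DC2-4ab2-9F09-78420C969855}.exe" C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe N/A',
    # Constructed benign-looking row (NOT from the report): an installer
    # registering a StubPath inside its own product directory.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\stubpath = "C:\\Program Files (x86)\\ExampleApp\\setup.exe" C:\Users\Admin\Downloads\ExampleAppSetup.exe N/A',
]


def parse_rows(rows: List[str]) -> List[Dict[str, Optional[str]]]:
    """Parse table rows; rows not in the Active Setup layout are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        stub = m.group("stub")
        out.append({
            "op": m.group("op"),
            "guid": m.group("guid").upper(),
            # The report escapes backslashes inside the quoted value.
            "stub": stub.replace("\\\\", "\\") if stub else None,
            "proc": m.group("proc"),
        })
    return out


def build_chains(records: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Order the stages. A root is a writer that is not itself a GUID-named
    executable under C:\\Windows; each next stage is the stubpath that the
    current stage registered. Returns {root: [root, stage1, stage2, ...]}."""
    stub_by_writer = {r["proc"].lower(): r["stub"] for r in records if r["stub"]}
    roots = list(dict.fromkeys(r["proc"] for r in records
                               if r["stub"] and not DROPPED_RE.match(r["proc"])))
    chains: Dict[str, List[str]] = {}
    for root in roots:
        chain = [root]
        while chain[-1].lower() in stub_by_writer:
            nxt = stub_by_writer[chain[-1].lower()]
            if nxt.lower() in (p.lower() for p in chain):
                break  # defensive: a stage re-registering an earlier one
            chain.append(nxt)
        chains[root] = chain
    return chains


def suspicious_entries(records: List[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Flag StubPath values pointing at C:\\Windows\\{GUID}.exe whose GUID equals
    the Installed Components subkey (assumption: legitimate entries point into
    a product directory, not at a fresh GUID-named PE in the Windows root)."""
    hits = []
    for r in records:
        if not r["stub"]:
            continue
        m = DROPPED_RE.match(r["stub"])
        if m and m.group("guid").upper() == r["guid"]:
            hits.append({
                "key_guid": r["guid"],
                "stub": r["stub"],
                "writer": r["proc"],
                "writer_is_dropped_stage": bool(DROPPED_RE.match(r["proc"])),
            })
    return hits


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for root, chain in build_chains(recs).items():
        print("chain from", root)
        for i, path in enumerate(chain):
            print(f"  stage {i}: {path}")
    for hit in suspicious_entries(recs):
        print("suspicious StubPath:", hit)
```

Run against the full table from either detonation, the chain comes out as twelve entries for behavioral1 (the submitted sample plus the eleven GUID executables listed under Files), and every registered stubpath is flagged while the constructed installer row is not.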

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
File created C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe N/A
File created C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe N/A
File created C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe N/A
File created C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe N/A
File created C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe N/A
File created C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe N/A
File created C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe N/A
File created C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe N/A
File created C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe N/A
File created C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
PID 1956 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
PID 1956 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
PID 1956 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
PID 1956 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2504 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
PID 2088 wrote to memory of 2504 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
PID 2088 wrote to memory of 2504 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
PID 2088 wrote to memory of 2504 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
PID 2088 wrote to memory of 2608 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2608 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2608 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2608 N/A C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2528 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
PID 2504 wrote to memory of 2528 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
PID 2504 wrote to memory of 2528 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
PID 2504 wrote to memory of 2528 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
PID 2504 wrote to memory of 2516 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2516 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2516 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2516 N/A C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2472 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
PID 2528 wrote to memory of 2472 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
PID 2528 wrote to memory of 2472 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
PID 2528 wrote to memory of 2472 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1940 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
PID 2472 wrote to memory of 1940 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
PID 2472 wrote to memory of 1940 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
PID 2472 wrote to memory of 1940 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
PID 2472 wrote to memory of 1612 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1612 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1612 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1612 N/A C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1656 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
PID 1940 wrote to memory of 1656 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
PID 1940 wrote to memory of 1656 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
PID 1940 wrote to memory of 1656 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
PID 1940 wrote to memory of 344 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 344 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 344 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 344 N/A C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2460 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
PID 1656 wrote to memory of 2460 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
PID 1656 wrote to memory of 2460 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
PID 1656 wrote to memory of 2460 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
PID 1656 wrote to memory of 1376 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1376 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1376 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1376 N/A C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 1464 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
PID 2460 wrote to memory of 1464 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
PID 2460 wrote to memory of 1464 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
PID 2460 wrote to memory of 1464 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
PID 2460 wrote to memory of 2588 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2588 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2588 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2588 N/A C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"

C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe

C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe

C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23B4E~1.EXE > nul

C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe

C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF25~1.EXE > nul

C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe

C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65782~1.EXE > nul

C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe

C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27A73~1.EXE > nul

C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe

C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07902~1.EXE > nul

C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe

C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F027B~1.EXE > nul

C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe

C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DB8~1.EXE > nul

C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe

C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5AAEB~1.EXE > nul

C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe

C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6C823~1.EXE > nul

C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe

C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B6B~1.EXE > nul
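The WriteProcessMemory table and the process list above together show which stage spawned each cmd.exe and what it deleted. The following Python script is an added example (not part of the sandbox report) that collapses the four repeated write rows per process start into one parent-to-child edge, resolves the 8.3 short names in the del commands (2024-0~1.EXE, {23B4E~1.EXE) back to the long file names from the Files section, and pairs each deletion with the PID whose own image it removed. The sample rows and command lines are copied from the two tables above for the first two stages; the PIDs, image paths and file names are the report's, and the list of candidate long names is deliberately limited to those three files. Note that the command lines name C:\Windows\system32\cmd.exe while the logged image is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit process and WOW64 file system redirection applies.

```python
"""Rebuild the stage-by-stage process tree and the self-deletions from the
behavioral1 tables. Added example, not part of the sandbox report."""
import re
from typing import Dict, List, Tuple

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)
DEL_RE = re.compile(r"/c del (?P<path>\S+) > nul$", re.I)

ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"
STAGE1 = r"C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe"
STAGE2 = r"C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Rows copied from the behavioral1 WriteProcessMemory table; the sandbox logs
# one row per write, so every process start appears four times.
WPM_ROWS = (
    [f"PID 1956 wrote to memory of 2088 N/A {ORIG} {STAGE1}"] * 4
    + [f"PID 1956 wrote to memory of 2976 N/A {ORIG} {CMD}"] * 4
    + [f"PID 2088 wrote to memory of 2504 N/A {STAGE1} {STAGE2}"] * 4
    + [f"PID 2088 wrote to memory of 2608 N/A {STAGE1} {CMD}"] * 4
)
# Command lines copied from the Processes list (system32 in the command line,
# SysWOW64 as the logged image: WOW64 redirection for a 32-bit parent).
DEL_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{23B4E~1.EXE > nul",
]
# Long names the short names may denote: the sample plus the Files section.
KNOWN_FILES = [ORIG, STAGE1, STAGE2]


def process_tree(rows: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Collapse repeated write rows into one parent -> (child pid, child image)
    edge each, preserving first-seen order."""
    tree: Dict[str, List[Tuple[str, str]]] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        edge = (m.group("dst"), m.group("target"))
        kids = tree.setdefault(m.group("src"), [])
        if edge not in kids:
            kids.append(edge)
    return tree


def pid_images(rows: List[str]) -> Dict[str, str]:
    """PID -> image path, taken from both columns of the write rows."""
    images: Dict[str, str] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            images.setdefault(m.group("src"), m.group("proc"))
            images.setdefault(m.group("dst"), m.group("target"))
    return images


def resolve_short_name(short_path: str, candidates: List[str]) -> List[str]:
    """Map an 8.3 path such as C:\\Windows\\{23B4E~1.EXE to the long names it
    could denote: same directory, same extension, and the first characters of
    the long name equal to the part before '~'. The '~N' ordinal depends on
    creation order in that directory, so a prefix match can be ambiguous; the
    caller gets every candidate rather than a guess."""
    directory, _, name = short_path.rpartition("\\")
    stem, tilde, rest = name.partition("~")
    if not tilde:  # not a short name: exact, case-insensitive match only
        return [c for c in candidates if c.lower() == short_path.lower()]
    ext = rest.partition(".")[2].lower()  # "1.EXE" -> "exe"
    hits = []
    for c in candidates:
        c_dir, _, c_name = c.rpartition("\\")
        c_stem, _, c_ext = c_name.rpartition(".")
        if (c_dir.lower() == directory.lower() and c_ext.lower() == ext
                and c_stem[:len(stem)].lower() == stem.lower()):
            hits.append(c)
    return hits


def self_deletions(rows: List[str], del_cmdlines: List[str],
                   candidates: List[str]) -> List[Tuple[str, str]]:
    """Pair each 'cmd /c del <8.3 path>' with the PID whose image that path
    resolves to, provided that PID also spawned a cmd.exe. A match means the
    stage removed its own file after launching the next one."""
    tree = process_tree(rows)
    images = pid_images(rows)
    spawned_cmd = [pid for pid, kids in tree.items()
                   if any(img.lower().endswith("\\cmd.exe") for _, img in kids)]
    out: List[Tuple[str, str]] = []
    for line in del_cmdlines:
        m = DEL_RE.search(line)
        if not m:
            continue
        for long_path in resolve_short_name(m.group("path"), candidates):
            for pid in spawned_cmd:
                if images.get(pid, "").lower() == long_path.lower():
                    out.append((long_path, pid))
    return out


if __name__ == "__main__":
    for parent, kids in process_tree(WPM_ROWS).items():
        for pid, image in kids:
            print(f"{parent} -> {pid}  {image}")
    for path, pid in self_deletions(WPM_ROWS, DEL_CMDLINES, KNOWN_FILES):
        print(f"PID {pid} deleted its own image {path}")
```

On a live host the same resolution is only trustworthy when the directory listing is known: another file in C:\Windows starting with the same six characters would take a different ~N ordinal, which is why the resolver returns all prefix matches instead of picking one.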

Network

N/A

Files

C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe

MD5 36b79d330b1d71ada09236c47c67f8cf
SHA1 d1939977766e962f336a21f61e5378cb9362f0cd
SHA256 73b2ba53274fcc5a5dd439e7789d4f5d9c0d153bd84d218d297da362cdb19b73
SHA512 31d09766e14c48d99d76aeac802b89c63f8ef4caea63147f31e3179bb65a3aea6ba182920d13215cc7c00b582906b866332dd7312d33e546cfa0ae41b9cbcfde

C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe

MD5 7ca9dbc2743ebf88d6a047e019c94550
SHA1 79f34246006be021ec01d7f087cb5a21b71c0c0a
SHA256 d7a97f111875869d2e67811f7d19b7d9e5479fc47bd8f0988d29d5d19a8002a4
SHA512 5884303716b423376a6ccb8526d290e872b4886f1fb70f14b99a0858cd566d71d75052ad95b30896947a29772a66583141b7204ca2a9b3139e07e2f5d04138fb

C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe

MD5 d8082e1fb1ad8dfbad4444e90265c173
SHA1 3c9cd35a4bd6eeb9875d3097fbce64c8628abb7d
SHA256 2d12105fa4f585b2106f8e9cfb7bb5be3fcda084f367437e69815dfa40519be5
SHA512 e681f70f6a6db6c7d9ad61a1ca606a674ee9cea75f3e9bf553b3e16da8549ecabbd42c421d6d75731e00aa2330ede1bd3376fbde75813be1c6819e2b5f2748d3

C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe

MD5 c29e441448ba725cfe04f36dbe0270a0
SHA1 947fa7cb93afb1e03424db044647587ae75abfc2
SHA256 f7b4d05b685fa0759a97cbd6180794da78c4e91d860e913e9ace5a7bef87b439
SHA512 5603eddbf0e4b10620d8ce80551e153bc609193e0bddde27c6292884b3351da1e673049fae047a2b4e30e19f13cda1e02758a64f18fd00e47262541fe4023237

C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe

MD5 9368918784f91ff17d6b67c6d4f1e256
SHA1 76d2e7554374fceb7c98e90835f48da3d0382ee4
SHA256 e732887af2a1cf0474280aa0cc79638549685bc133c5bed6bdeedb916a433908
SHA512 0105010c8d6fecf22b5dfd99ba08bf8a73ff0c5218912941cfd9da573011f7154c6265580d5ec4995a77fb5ee85b6723ad6c099af96cf6a6169b8b144eebb398

C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe

MD5 1c9704de3a87a2fe157564ab75d5f8f6
SHA1 23efcbae6bd563aaa9724e1895de374db8de8cca
SHA256 b0d406d986cc8dea963670ba30d921f7e6a94aed2b0c45207fa0ddfc365ab2f5
SHA512 eb25996d6ccb1de29e238bdfbb484ca784afee15725394f9bc34b713726a51c7f75e9f0b866f81159737dd4e0e32cee02b4d04938eb5147f6d827baa5d5daed0

C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe

MD5 9af7a6a0181cada47cda5572898e1f34
SHA1 4dbcd378953937a6a1aa7bcd29eb8a51eca8af79
SHA256 1f56cec93c7d22b67466bbb5931cf8045ab59410fff96d3f2134e5605354629d
SHA512 ffce8cf660ac8476d5d2daa2bf3be7726174ae0fe314b5e8fbfac68b507b9eb2e919c7303ac4c71ac21c89ad802274f77ec4395a8e004a4bf344af299eea3d18

C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe

MD5 cba1ec6d6f4347665cda465a237a6d80
SHA1 e5177b45bce3c4ef78d51c4edfee766cf4739d0d
SHA256 77993e3659edc3a5e79fa66187d8c35b60a909241ebc8cfcf68141d62c29684e
SHA512 bfdab196c942fd0a0847d98e39c03e5657d085d06599127ee589316e892e89059da455dac6eb4fc418f94aa0726def34991f8c5dac8630de775349b1df632127

C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe

MD5 cf131a7cfa7e3bebae4a9ba0ba54168a
SHA1 04d078bec5baff0b34825901f841821f009a26ed
SHA256 dddb9316cb33e238711de14e2fd66ccce74936c4e101a18f1aa35a801c7fed45
SHA512 a10ea3bfd703328e8fe3a07204fa641e9c795cf7eaa46db44ebe832f077c366bd53c18f93f740cf6708d1b4404176eac9afb99812a9f2a9ef4dc256358a043ea

C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe

MD5 e1658e689b8aaefaa4c0ce1b796b468d
SHA1 874a3058b8c2f83ef20fa91aee893538e64a652c
SHA256 6e31d80fb7bb8c07421895c3198379726c719e91143470bafc1c97cc3e749c1b
SHA512 a171bb392ad7c4c3425f52821cfa9b70a5c71281eba26e9ddeefb1767a59c6d2b858480d1d4664b4bcede8591af1bddf36fafdddab0c3645c2bc5f7b04733cf5

C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe

MD5 74b93cb2a248b6694f252db76176d62a
SHA1 97b5d3acaaaf7af3f7ba9fe73a34cb931257d579
SHA256 812c3fee92c96a0513677a64a0b123ac04ab8a9ee76623c32b5f66c6d300b682
SHA512 f745f8e55a3d6792290fa506136524a8e6906604dec6a9b4a8eb4b75d0e9270761eb90b5d81e52071a5d8eabdeef27e9cff3fc3b16a39360dd302bb6da8cfbe9

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:39

Reported

2024-04-04 13:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493} C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B} C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC49627F-2E9A-4d49-BFAF-235B2C826019}\stubpath = "C:\\Windows\\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe" C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134EC873-14C7-4224-A6CE-00ACF8741AC0} C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}\stubpath = "C:\\Windows\\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe" C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}\stubpath = "C:\\Windows\\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe" C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3} C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8} C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0} C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}\stubpath = "C:\\Windows\\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe" C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134EC873-14C7-4224-A6CE-00ACF8741AC0}\stubpath = "C:\\Windows\\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe" C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC49627F-2E9A-4d49-BFAF-235B2C826019} C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436} C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}\stubpath = "C:\\Windows\\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58713D09-73AC-4eda-A452-AEC46CE74E13} C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58713D09-73AC-4eda-A452-AEC46CE74E13}\stubpath = "C:\\Windows\\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe" C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}\stubpath = "C:\\Windows\\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe" C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3273E874-44BD-4edd-B26C-2744E3FAB38F} C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3273E874-44BD-4edd-B26C-2744E3FAB38F}\stubpath = "C:\\Windows\\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe" C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352} C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}\stubpath = "C:\\Windows\\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe" C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}\stubpath = "C:\\Windows\\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe" C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}\stubpath = "C:\\Windows\\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe" C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29A60B6-4A70-4c08-9EAB-9B89A863D987} C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
File created C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe N/A
File created C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe N/A
File created C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe N/A
File created C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe N/A
File created C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe N/A
File created C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe N/A
File created C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe N/A
File created C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe N/A
File created C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe N/A
File created C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe N/A
File created C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
PID 2724 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1864 N/A C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
PID 1392 wrote to memory of 3084 N/A C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 3268 N/A C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
PID 1864 wrote to memory of 3396 N/A C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 4752 N/A C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
PID 3268 wrote to memory of 4204 N/A C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 3796 N/A C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
PID 4752 wrote to memory of 2872 N/A C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4180 N/A C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
PID 3796 wrote to memory of 924 N/A C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 4720 N/A C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
PID 4180 wrote to memory of 3392 N/A C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 1400 N/A C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
PID 4720 wrote to memory of 4320 N/A C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 3396 N/A C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
PID 1400 wrote to memory of 1952 N/A C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4484 N/A C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
PID 3396 wrote to memory of 892 N/A C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 3712 N/A C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
PID 4484 wrote to memory of 224 N/A C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"

C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe

C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe

C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FABE5~1.EXE > nul

C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe

C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A7F~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe

C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58713~1.EXE > nul

C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe

C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7BB~1.EXE > nul

C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe

C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{89503~1.EXE > nul

C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe

C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E48~1.EXE > nul

C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe

C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{312CE~1.EXE > nul

C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe

C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B29A6~1.EXE > nul

C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe

C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3273E~1.EXE > nul

C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe

C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{134EC~1.EXE > nul

C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe

C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC496~1.EXE > nul

Network


Files
