Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qyatqahh78
Target 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye
SHA256 8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc

Threat Level: Known bad

The file 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:39

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:39

Reported

2024-04-04 13:42

Platform

win7-20240221-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF64B707-0AE1-41c4-B072-C6D308180806} C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}\stubpath = "C:\\Windows\\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe" C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD19470-5747-4942-880A-EA1AC2780B88}\stubpath = "C:\\Windows\\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe" C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701069A2-B2E9-4bd2-8190-740A89155C4A}\stubpath = "C:\\Windows\\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe" C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}\stubpath = "C:\\Windows\\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe" C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B67B273-5D11-480d-8A63-C998AAC84425}\stubpath = "C:\\Windows\\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF64B707-0AE1-41c4-B072-C6D308180806}\stubpath = "C:\\Windows\\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe" C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D6E019-9C27-43f2-A8E0-637AC6A88366}\stubpath = "C:\\Windows\\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe" C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479ED959-8E57-4209-A82B-678A006E7D34} C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479ED959-8E57-4209-A82B-678A006E7D34}\stubpath = "C:\\Windows\\{479ED959-8E57-4209-A82B-678A006E7D34}.exe" C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDACB699-91B4-4a00-8E27-5CA6D3255798} C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDACB699-91B4-4a00-8E27-5CA6D3255798}\stubpath = "C:\\Windows\\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe" C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD19470-5747-4942-880A-EA1AC2780B88} C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65} C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B67B273-5D11-480d-8A63-C998AAC84425} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1} C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A404D399-FAD0-4ab6-9AD6-633443E263B2} C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A404D399-FAD0-4ab6-9AD6-633443E263B2}\stubpath = "C:\\Windows\\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe" C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D6E019-9C27-43f2-A8E0-637AC6A88366} C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701069A2-B2E9-4bd2-8190-740A89155C4A} C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC} C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}\stubpath = "C:\\Windows\\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe" C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe N/A
File created C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe N/A
File created C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe N/A
File created C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe N/A
File created C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
File created C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe N/A
File created C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe N/A
File created C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe N/A
File created C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe N/A
File created C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe N/A
File created C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
PID 1668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
PID 1668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
PID 1668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
PID 1668 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2668 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
PID 2524 wrote to memory of 2668 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
PID 2524 wrote to memory of 2668 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
PID 2524 wrote to memory of 2668 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
PID 2524 wrote to memory of 2440 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2440 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2440 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2440 N/A C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2600 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
PID 2668 wrote to memory of 2600 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
PID 2668 wrote to memory of 2600 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
PID 2668 wrote to memory of 2600 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
PID 2668 wrote to memory of 2164 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2164 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2164 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2164 N/A C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2028 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
PID 2600 wrote to memory of 2028 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
PID 2600 wrote to memory of 2028 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
PID 2600 wrote to memory of 2028 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
PID 2600 wrote to memory of 2380 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2380 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2380 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2380 N/A C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2776 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
PID 2028 wrote to memory of 2776 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
PID 2028 wrote to memory of 2776 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
PID 2028 wrote to memory of 2776 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
PID 2028 wrote to memory of 2904 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2904 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2904 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2904 N/A C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
PID 2776 wrote to memory of 2172 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2172 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2172 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2172 N/A C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 852 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
PID 1636 wrote to memory of 852 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
PID 1636 wrote to memory of 852 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
PID 1636 wrote to memory of 852 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
PID 1636 wrote to memory of 656 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 656 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 656 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 656 N/A C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 1180 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
PID 852 wrote to memory of 1180 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
PID 852 wrote to memory of 1180 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
PID 852 wrote to memory of 1180 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
PID 852 wrote to memory of 876 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 876 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 876 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 876 N/A C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"

C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe

C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe

C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4B67B~1.EXE > nul

C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe

C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{479ED~1.EXE > nul

C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe

C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF64B~1.EXE > nul

C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe

C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{19C9C~1.EXE > nul

C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe

C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DDACB~1.EXE > nul

C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe

C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD19~1.EXE > nul

C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe

C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A404D~1.EXE > nul

C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe

C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15D6E~1.EXE > nul

C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe

C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70106~1.EXE > nul

C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe

C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17AAB~1.EXE > nul

Network

N/A

Files

C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe

MD5 e5be26c98ab05b627390bdf1c4dc7eee
SHA1 dc0a24f3c7cb0762551733d9d9a878fcc0c4fe95
SHA256 f9a3eaf85706ed531951d363e7293b9eb6d4d4b9678e7cd080da987464417737
SHA512 18be4041b48db30ee9d018186bd23e01a490c8bc43ddd04292cf8650be5996fe31450f3c84cdee94f0d6e647f1c8e046e87f518925c825d42264c899963e7722

C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe

MD5 3226383af96f23ed6c15099615c53f2e
SHA1 19074d42fa06d5897a09f34790216041d85b7b48
SHA256 cc243bb910a30e569aa78090f17eeb091794f148676a2cc26f31c5a0b9661298
SHA512 a1167ad30577c1fcdf03520bf2c080d8668e194cefd25fb5a1a2ec629e40e6aab828cc8541a4e775921598377aa11cf63365d7c6b1f21adafa5faaf1126cf27b

C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe

MD5 d67fce81cdf2e9c98df448455fb14693
SHA1 c486e1ae5862356bf2df13b7f49301fc47048482
SHA256 5d1376f9fa78cba076eeee18af7603f9a884bb9b56d2776e01effec66d961d27
SHA512 aefb677d5bad632f03cbf25ecc1971c5b47150ac3839a754ab3a149aa1c3efe1aea5e562ad78427af98b0fc3632f219d6243d0c90fbe374c4fc1fd16fa282ee4

C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe

MD5 17dd7042325e488205f8d6ec8edc5b26
SHA1 076354257e30e86b87f8883f07fe09a0202b85a3
SHA256 babd8dfdc4393202af084096a368352aedae3f0bf70d56858c4c8a99d0550cd3
SHA512 30b44983057a547378ce4cc918afa64f7591bd3baac80ed72538c54e88a2eea2c9d65fe14acedcc0c9843956fbdcd8bcaf756df67760b39e693ad4a1ec5a9b38

C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe

MD5 68362305ab8d8f95f38f1ac17c440b4f
SHA1 f80c550ad1116dbc13609d71a563e9a2374e8688
SHA256 63c41319b2cdbfad7f48bd5052edeb6a955c44bd3b6a094b8acc18469e9d1556
SHA512 079b0ad27aedc5d1885c59c9758bab140f07a7b46604617d7a9f5fe8d4116f30bdf762d054f1d101770b075ecb9158fa5c77d91e27cb97d05a8fe856cca16e54

C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe

MD5 bff04c454bc7598a85700deb7d07aba9
SHA1 69b68dcdcf17228eb97c5f17d274e3a9e29f20a5
SHA256 1258eeb5244f97789ba8f421aa5abf9f2048140fbc462cc61023b572f11af7e3
SHA512 7601dcf95f0decb45ac7c1b4411873b1f9f4e8558ade62b5e63fd6eaa100cdba256c132d3fed31de9ebaf534bbc02ad303da86a85d36989e8c3821cd9560b57c

C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe

MD5 cb0dac43f5a603260c0b9174bba3e51b
SHA1 d466f9751c7d54a238f5bcb2c82ed70e68cc0472
SHA256 a3fdeedd035cd0fc19f11a9c749df3abdfa63a87d096300011417f18cc825ab4
SHA512 fd9ca3dabe46db69081ee4733fddad8c4997bc99231e826446c80c1f42955d6bbece14277acc9030ec4c9addc3779025fb2d14e89ee4b38fad607af011e771b1

C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe

MD5 631dcae8ee24c26f4d132915534ac58e
SHA1 c8b74c0492b64cbdf930352c2f981c028a50606e
SHA256 c0d7248458053162b770ad6288c9deba702c96a8db867e3b7191d3082f49bd21
SHA512 29a7f5b0e40ae93544ae4ebeedca314ee1270719c7957a07628cd54a9bb2a0ef12218abee6a6f6099c8d67ffbbbd33f1a4afa95a56c764c63d3dc707260af71a

C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe

MD5 175762126b01ee2af13bc19992adca7f
SHA1 507283c6fcab8f2077d1b26edf172fbe85bbaa4d
SHA256 09ae4b444b5ef98429db90bb27ad97a431ef4054caf740d6db85aca19e2f3a24
SHA512 48ccd3609849cc828ef5d38209a284c377e99b8a226e94354c78da261cba467a751094751ecfed4aa1ba420f7533c488c822bf4671a233d9f36ca99ee9d51a00

C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe

MD5 3cc8b0be906cbfec30eaedad70b9e906
SHA1 4684f270f371121426e3a69f1a2f1d6e0d0791ee
SHA256 b81a031479a692272ae90d96433cf8d5fa8a8c78942e41372e4ad6ea17c3170e
SHA512 6ba765a4e9d95ef129b46b3729de62ee837aa01c662903f6e26e466437f4b042ff282a6434c92f19b731b0f692a21025646930eec2b4e51c8beed6304a540761

C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe

MD5 2b28276f4fa8f5ef87731c1297055929
SHA1 cbcd9b340ffd3eefaab22de1ea8166c32416f194
SHA256 60893155b1007113497698a212a05f9353fd395cf75549e040d3af852b14c88b
SHA512 32490c2ddc1969c21c758fa1bf5f0195201b95534274b0f0a11b9a1b14e88715365478b233ec68f4a5829795d34893de37867a2a2b51574b07345d49378c15bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:39

Reported

2024-04-04 13:42

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}\stubpath = "C:\\Windows\\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe" C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE68C556-2AA5-435d-A805-A18ACEA765AB}\stubpath = "C:\\Windows\\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe" C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED177511-98E0-4335-9B3F-E7A560115E6E}\stubpath = "C:\\Windows\\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe" C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}\stubpath = "C:\\Windows\\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9} C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}\stubpath = "C:\\Windows\\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe" C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}\stubpath = "C:\\Windows\\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe" C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E} C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9} C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943DE360-9E0A-4ce1-947A-CB6C9B63413D} C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07} C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83} C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}\stubpath = "C:\\Windows\\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe" C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE68C556-2AA5-435d-A805-A18ACEA765AB} C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80B0CB7-6FE6-4650-B1C8-766FB1754837} C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}\stubpath = "C:\\Windows\\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe" C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED177511-98E0-4335-9B3F-E7A560115E6E} C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}\stubpath = "C:\\Windows\\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe" C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}\stubpath = "C:\\Windows\\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe" C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA} C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}\stubpath = "C:\\Windows\\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe" C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F9756-6101-4e5d-92B0-A173F53D34DB} C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}\stubpath = "C:\\Windows\\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe" C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe N/A
File created C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe N/A
File created C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe N/A
File created C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe N/A
File created C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe N/A
File created C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe N/A
File created C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe N/A
File created C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe N/A
File created C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
File created C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe N/A
File created C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe N/A
File created C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 1228 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
PID 4000 wrote to memory of 1228 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
PID 4000 wrote to memory of 1228 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
PID 4000 wrote to memory of 1792 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 1792 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 1792 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 444 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
PID 1228 wrote to memory of 444 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
PID 1228 wrote to memory of 444 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
PID 1228 wrote to memory of 1616 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 1616 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 1616 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 2240 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
PID 444 wrote to memory of 2240 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
PID 444 wrote to memory of 2240 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
PID 444 wrote to memory of 996 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 996 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 996 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 316 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
PID 2240 wrote to memory of 316 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
PID 2240 wrote to memory of 316 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
PID 2240 wrote to memory of 3964 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3964 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3964 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 3228 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
PID 316 wrote to memory of 3228 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
PID 316 wrote to memory of 3228 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
PID 316 wrote to memory of 1960 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 1960 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 1960 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3392 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
PID 3228 wrote to memory of 3392 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
PID 3228 wrote to memory of 3392 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
PID 3228 wrote to memory of 3280 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3280 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3280 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 1808 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
PID 3392 wrote to memory of 1808 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
PID 3392 wrote to memory of 1808 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
PID 3392 wrote to memory of 4100 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4100 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4100 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1208 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
PID 1808 wrote to memory of 1208 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
PID 1808 wrote to memory of 1208 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
PID 1808 wrote to memory of 3020 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3020 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3020 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4932 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
PID 1208 wrote to memory of 4932 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
PID 1208 wrote to memory of 4932 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
PID 1208 wrote to memory of 944 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 944 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 944 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 1528 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
PID 4932 wrote to memory of 1528 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
PID 4932 wrote to memory of 1528 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
PID 4932 wrote to memory of 3104 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"

C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe

C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe

C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA95~1.EXE > nul

C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe

C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{943DE~1.EXE > nul

C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe

C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AECB~1.EXE > nul

C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe

C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{98A3E~1.EXE > nul

C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe

C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE68C~1.EXE > nul

C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe

C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B80B0~1.EXE > nul

C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe

C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3F9~1.EXE > nul

C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe

C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED177~1.EXE > nul

C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe

C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6C30C~1.EXE > nul

C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe

C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DF~1.EXE > nul

C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe

C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3E952~1.EXE > nul
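
Read together, the WriteProcessMemory table and the Processes list describe a relay: each stage drops the next GUID-named executable into C:\Windows, starts it, and spawns cmd.exe to delete its own parent by 8.3 short name. Two details matter when reconstructing this from the rows: every spawn appears as three identical write events, and PID 1528 is both the first source (the original sample) and the last target ({3E95282A-...}.exe), because the original process had exited and Windows reused its PID. The following is an added example, not the sandbox's code, that rebuilds the chain from the rows above, de-duplicates the repeated events, keys processes by (PID, image) so the reused PID does not turn the chain into a cycle, and resolves the short names in the del commands back to the stage each cmd.exe removed. The rows are copied from this report, trimmed to one row per spawn except the first hop; the stage-to-cmd.exe pairing follows the order of the Processes list.

```python
"""Rebuild the stage chain of a self-deleting dropper from sandbox event rows.

Added example, not sandbox code. WPM_ROWS and DEL_CMDS are copied from the
'Suspicious use of WriteProcessMemory' table and the 'Processes' list above:
one row per spawn, except the first hop keeps its three events for dedupe.
"""
import re
from collections import Counter

WPM_ROWS = r"""
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
PID 1528 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 1228 N/A C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
PID 1228 wrote to memory of 444 N/A C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
PID 444 wrote to memory of 2240 N/A C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
PID 2240 wrote to memory of 316 N/A C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
PID 316 wrote to memory of 3228 N/A C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
PID 3228 wrote to memory of 3392 N/A C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
PID 3392 wrote to memory of 1808 N/A C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
PID 1808 wrote to memory of 1208 N/A C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
PID 1208 wrote to memory of 4932 N/A C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
PID 4932 wrote to memory of 1528 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
PID 4932 wrote to memory of 3104 N/A C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe C:\Windows\SysWOW64\cmd.exe
"""

# (stage image, the cmd.exe command line that stage spawned), from 'Processes'.
DEL_CMDS = [
    (r"C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (r"C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA95~1.EXE > nul"),
    (r"C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DF~1.EXE > nul"),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DEL_RE = re.compile(r"/c del (\S+) > nul$")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events

def dedupe(events):
    """[(event, count)]: several writes into one fresh child are one spawn."""
    return list(Counter(events).items())

def roots_by_pid_only(events):
    """Naive variant keyed by PID alone, kept to show the failure: 1528 is the
    sample and, after exit and PID reuse, also stage 12, so no root is left."""
    targets = {dst for _, dst, _, _ in events}
    return sorted({src for src, *_ in events} - targets)

def build_chain(events):
    """Follow the dropper from root to last stage, skipping cmd.exe children.
    Nodes are (pid, image): a reused PID with a new image is a new node."""
    parent, children = {}, {}
    for src_pid, dst_pid, src_img, dst_img in events:
        src, dst = (src_pid, src_img), (dst_pid, dst_img)
        parent[dst] = src
        children.setdefault(src, []).append(dst)
    (root,) = [n for n in children if n not in parent]  # ValueError if not exactly one
    chain, node = [], root
    while node is not None:
        chain.append(node)
        nxt = [c for c in children.get(node, []) if basename(c[1]).lower() != "cmd.exe"]
        node = nxt[0] if len(nxt) == 1 else None  # a fork or a leaf ends the chain
    return chain

def resolve_short_name(short_path, candidates):
    """8.3 names such as {2BA95~1.EXE keep a prefix of the long name; return
    every candidate that prefix fits, since '~1' only encodes collision order."""
    prefix = basename(short_path).split("~", 1)[0].lower()
    return [c for c in candidates if basename(c).lower().startswith(prefix)]

def who_deletes_whom(chain, del_cmds):
    """(stage, deleted long name or None, 'parent' | 'other' | 'ambiguous')."""
    images = [img for _, img in chain]
    parent_of = {images[i]: images[i - 1] for i in range(1, len(images))}
    result = []
    for stage, cmdline in del_cmds:
        m = DEL_RE.search(cmdline)
        if not m:
            raise ValueError(f"not a del command: {cmdline!r}")
        hits = resolve_short_name(m[1], images)
        target = hits[0] if len(hits) == 1 else None
        label = "ambiguous" if target is None else ("parent" if parent_of.get(stage) == target else "other")
        result.append((stage, target, label))
    return result
```

On these rows `build_chain` returns twelve nodes, from the submitted sample to {3E95282A-...}.exe, and `who_deletes_whom` labels every del line "parent", which is the evidence behind "Deletes itself" above. Short-name resolution is deliberately a prefix match that can return several candidates: on a real volume two dropped files sharing the first six characters would both fit `{2BA95~1.EXE`, and the `~1` does not say which.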

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe

MD5 66eecf4d401cc2718de59b9e225f164d
SHA1 20a421429315b8d67b7b516b82e1471f695063f9
SHA256 3037e2178f243b78f299e4b5f75781ec819a285c94c0562c641c1d30ce2716e3
SHA512 1c1934155138418667f456c4a89a1845284c0816faafabaf6613e16471206000cf5993599b8da8d0f204ad6c69d3931c90f0433beff52cb254eb5efd0daebfd8

C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe

MD5 af44ceec6e77a99373e44367a12a160c
SHA1 e898d18f9097495ed274dc9f33822de8175d2b29
SHA256 3df5dec7b25321840d6e85577c7a5bb72ddf206b43f3fc04dea9c90547967fbf
SHA512 1d01a2ce45edeaeff86c74bf4df520bbfad450638132597b3fc777888c6468d633609112641f2ec511e9c008385b33a6221d31ccba00a1cf6170b4381f2a96c4

C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe

MD5 e30828cefcb9c56b1c483c9bdaf13b34
SHA1 7fcfa18e0b17cd7046248a641158ef0a1da25c65
SHA256 227c87434478730831fc4b648cfe1cc3acd33bd97241025a1f8572dfd12b4b17
SHA512 0e04dedf1772715d5fe7ff96a024de1f3eb96d2c03974022825741e976f6ee9b862926a2e0b61cf6e7f8da1dcbc487386d3152ac2853408c7ce24783fe61d810

C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe

MD5 cdffa5a0ded1161dd098fb6ea3702e37
SHA1 367b5561f2341c162bc1b3e14074f935f580b4a0
SHA256 f3697e35376252d73c4b701d79a98521ec8a6e2f7d1483c814f2fe6daf376c26
SHA512 622920ebf0202557e61027c5ee464a6727518a5919914769c63474724fc210e900b606ae2cb34d4dabd5b0a220ed1a8ad527f85400fe8a4135c48702ef037790

C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe

MD5 111162c84d901bc212885dc8f249cf4e
SHA1 9208a50843e3912ec6d85ca169bbb85e27d04f92
SHA256 69832c4561393c61ee8e18838c196ad28c17aceda0b98d2f26dafd5f4c2f85bd
SHA512 1e7974f7e35c98ef99d22ecd7f932d8edfe39511dd17e64cc2d2889a81a5ef589fa25dce2aa7e5b9d7f4ee9cc976fd934e9ebce5ab0e19ce9c59889dd1be4bb9

C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe

MD5 b6088433a1e8736b2b36cc234083d9a0
SHA1 a8da3b01587d46be5fa37f05756da964cb9f098f
SHA256 f0d13d6787d356e68963a958c65975c39896496c951eff14548f8ebb650abbdb
SHA512 083f4a48073c3aed476d1eee438cde4567d22b41635b110a4b525cecd9061de6f5a419e65ce05e5dcb540129fa1bd0580417a79af915c4d7b89e4b093d462083

C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe

MD5 d18737345fb01022d0a7eaae66263216
SHA1 a52d9a2b0cb5a58df0489fb39ff9c7df0e6142e1
SHA256 3344280daba79487c6994273cf4f66f46a11b11d4993383507d721370ad79435
SHA512 af826e2d6d2b1329a468c4bdd507e0a10b0b399424ec6cede32972c504fb1772f5e2d0d38b3d562db31700eb35ceb1583e187c3341ac735d2afc6824754d62f3

C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe

MD5 3ae4ebd7b33f8eafb4ea748023eadd55
SHA1 4f9d0f146f707acb7af22dfe67579a9a9fc78af3
SHA256 9bd6c4e20f92720a9dd433b9ea370e9e3cddb939d8fed79692b64c12afc72037
SHA512 7eac2da62a105c16fbc905405766e813cf76a083a0916c2f58508ee6717d296926d4fb54d017616aa16a567e42755e10a1c47929c6ae9391587c8f8e6d2c69f7

C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe

MD5 a8d036e89feb6b0765a27ac67325dc03
SHA1 31b3d343f53b2e98fbfced37d2875d6baa9e21f5
SHA256 d3a46413b6406856a57d1a70aa5a1c58e64073057bd8327869dc05504324f9fd
SHA512 8df5769ccfecf6fab534f9188d3df089c6a3e35eb1308ae4a8d805cbeaa586a96bc222f7d50b92310fa644bfd1ca351a62775a0de45627cf021fcb81fe67def6

C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe

MD5 47b667981450518d2c8e9f0ff892c062
SHA1 504897c7fd300c4e466b684a8d53500aeb74eefd
SHA256 e5e921c38f39004b7d39312d0eb83753ef3558fcebde3e32eae656ddd8cfe742
SHA512 a3991942177ca9100aa0dd2eef0d16c1a6e52b219d482c7d4124fdc25208c65a6751569d8bc9c378e649147f955c1b51c0f717d008dc2da8b56170acf095b909

C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe

MD5 e307704289028fb784de1db813f66783
SHA1 34e3932ed4153bebae990430b1003ed8e8d23beb
SHA256 3e1c608abb879529464271e94b5112b424fce00e803a6b3237f91ae4acc3bd7e
SHA512 369780a57f5f4b40aa6f3f553d59a250ae14571425ad1f1d6712b09c71626624f0b451ca4ae1978ad41a8f1fb782cec4000b444aecd54578253b606d3c454f2a

C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe

MD5 2531d19880f913c9921642937494bf0a
SHA1 d942afb92c4d29a91cc592e4fe79e590a788bdac
SHA256 485b6c9b4f4a3f4f05400905fdc4b401eba9ed143585a8dde92495006b8531f1
SHA512 21f38c05cb466e2127eaf4a1926253ee67f84a724d8205b8e7ab9d9c9ea23875fe3fd59d9fd6ec93cddd49762f128467924a2466d384ab02035d0e4dfbbde6e2