Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qym42shc5s
Target 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye
SHA256 9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd
Tags: persistence

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd

Threat Level: Known bad

The file 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:40

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:40

Reported

2024-04-04 13:42

Platform

win7-20240221-en

Max time kernel

144s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6B6362-46DB-4512-A5A8-7D07E4C49501} C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}\stubpath = "C:\\Windows\\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe" C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032110C9-AC34-422d-A53A-441348EEEA94} C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0} C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}\stubpath = "C:\\Windows\\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe" C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07204088-DD8A-4b39-9959-77ABA5B0EC3D} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8195CC8F-512C-464f-A280-437245459717}\stubpath = "C:\\Windows\\{8195CC8F-512C-464f-A280-437245459717}.exe" C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2} C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}\stubpath = "C:\\Windows\\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe" C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF789B63-7607-476a-83CB-91E1DC5E07E9}\stubpath = "C:\\Windows\\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe" C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8195CC8F-512C-464f-A280-437245459717} C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8} C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B151C70-8844-460c-A4F5-47EA5CC04EEC} C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}\stubpath = "C:\\Windows\\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe" C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A} C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A} C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF789B63-7607-476a-83CB-91E1DC5E07E9} C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}\stubpath = "C:\\Windows\\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}\stubpath = "C:\\Windows\\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe" C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}\stubpath = "C:\\Windows\\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe" C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032110C9-AC34-422d-A53A-441348EEEA94}\stubpath = "C:\\Windows\\{032110C9-AC34-422d-A53A-441348EEEA94}.exe" C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}\stubpath = "C:\\Windows\\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe" C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe N/A
File created C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe N/A
File created C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe N/A
File created C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe N/A
File created C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe N/A
File created C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe N/A
File created C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
File created C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe N/A
File created C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe N/A
File created C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe N/A
File created C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
PID 2892 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
PID 2892 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
PID 2892 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
PID 2892 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2672 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
PID 2988 wrote to memory of 2672 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
PID 2988 wrote to memory of 2672 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
PID 2988 wrote to memory of 2672 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
PID 2988 wrote to memory of 2832 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2832 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2832 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2832 N/A C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2424 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
PID 2672 wrote to memory of 2424 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
PID 2672 wrote to memory of 2424 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
PID 2672 wrote to memory of 2424 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
PID 2672 wrote to memory of 812 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 812 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 812 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 812 N/A C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2028 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
PID 2424 wrote to memory of 2028 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
PID 2424 wrote to memory of 2028 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
PID 2424 wrote to memory of 2028 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
PID 2424 wrote to memory of 2644 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2644 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2644 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2644 N/A C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2792 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
PID 2028 wrote to memory of 2792 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
PID 2028 wrote to memory of 2792 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
PID 2028 wrote to memory of 2792 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
PID 2028 wrote to memory of 2800 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2800 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2800 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2800 N/A C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2156 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
PID 2792 wrote to memory of 2156 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
PID 2792 wrote to memory of 2156 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
PID 2792 wrote to memory of 2156 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
PID 2792 wrote to memory of 2020 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2020 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2020 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2020 N/A C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1920 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
PID 2156 wrote to memory of 1920 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
PID 2156 wrote to memory of 1920 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
PID 2156 wrote to memory of 1920 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
PID 2156 wrote to memory of 672 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 672 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 672 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 672 N/A C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 640 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
PID 1920 wrote to memory of 640 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
PID 1920 wrote to memory of 640 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
PID 1920 wrote to memory of 640 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
PID 1920 wrote to memory of 2588 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2588 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2588 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2588 N/A C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"

C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe

C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe

C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07204~1.EXE > nul

C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe

C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8195C~1.EXE > nul

C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe

C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAB2~1.EXE > nul

C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe

C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B151~1.EXE > nul

C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe

C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6B6~1.EXE > nul

C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe

C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{971A2~1.EXE > nul

C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe

C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE4C5~1.EXE > nul

C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe

C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{03211~1.EXE > nul

C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe

C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA932~1.EXE > nul

C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe

C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E3DAB~1.EXE > nul

Network

N/A

Files

C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe

MD5 963b5dc76b1b4c16f68140a011aed4ab
SHA1 95540dba9559a75acaf966ed900d121d1b4c3cca
SHA256 ef7413a58bc735271a01bf015bd7666dd596204ff8c49e0bc971a5e70152e5a4
SHA512 c59e1dad07ab745a6cacb86c22b20a64126df4fd736649d39a26d4ea11d8635f1701d12b8f03dca83217c48ea89d403d22c28ece4460584638c0aa5e46818eb4

C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe

MD5 0aa94af94d012a22ae41312b6c2bcc69
SHA1 57ae17c93fa21de75635e4a45a0d01bbc443b8fa
SHA256 bfc9fdca8daf9c381adee8edfc80a4b2ccdadf279a8c06ad23b2e561d6c88e16
SHA512 7ea5875cbce0d599dd91cc8f95f4679d5b8aa955ac27981d3ba211a0d2d683d6bcc23a51994660578635550819423c4c92cf3c39536817d4840f80225db9d1f0

C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe

MD5 03a12ae6282b1e6f80df6e4d7fcca052
SHA1 1cb71fb9d95c7ea6a5e5ba1cbdc4bbbad7473120
SHA256 e865dbdc781f578bfde9a348b97fff4682f95a078d9046fd1e9e1eefa894e344
SHA512 d81bc92cba5f1d2353f44d90e5950cbd1181db6da1df338e75207d741d81a001a2c4f4199e4efc744d66067dfb2ebc1adda7016df97f150d7e313049580c3173

C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe

MD5 fad57d1e905fefe6ac0c37099b0e5035
SHA1 52f834e71236b90a1c98b503df70bd2295454d1b
SHA256 96714883ff0d6266e7fc89e8ffea671063925b6426a167e5b7ea449bda0587d4
SHA512 c00a5501f441090f2d86b41cdbb87ff73e1f30946f8a6d590694cfec70e3f016206ebd64a469e2b469470f5297f7a5dcca4b57673467306fe6d0235463e1d09b

C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe

MD5 307747ef145264a084aabce28e773320
SHA1 1ebe63d1aa17e81f2c2a5578a5d0c53601a6cfab
SHA256 24b0e9be63b304dc63235ee25ca908d1ed53cf485179d63b9f062262168c15d3
SHA512 7406d32df73fdfce25ecd8d84aee1f9f1e194f6bcaec9b1a32a39e06c82572ff362e3aaab1a28499967bdaf5e25844546100f1aa876f3d24570b078bc5d93551

C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe

MD5 804ad540f377206941cc9105f3efec5a
SHA1 1c31b87f5709a448e6b815f32cbc4dbdcbf6da75
SHA256 532b252746365237e77f0d0ea6a81eee4c0dd3ce9bed72ab996e8e876e8058b6
SHA512 96cc5c04f0a9cc53bbae70d957b166fa170ed099cee07263415accfe50e5f4270d5a987f9d0b0bfbe2cf4ce90c9d1b25f6d62479eb7f6d3b3bc45d2607728941

C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe

MD5 78ad46e48ef853943d75be4b87bb1fe1
SHA1 679ce0f8263d96ea3937d0e012a591100cc6ee71
SHA256 74cf7eee28d84d01dbe11080b1c10e6b73b95080bd4c046b397f31b01bf8d77f
SHA512 94cae19aa382500f2a8d82d3f26370f1a8ee9f687f65d83a8775fcca38282d38846d991cd7c3cf57e9f25c5e950ba60056ecdc2909efd95dd59b0677604cfc55

C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe

MD5 03b73687c220828e2d0ae75311d0eeab
SHA1 caaeec20a473e1582fd358ad52c5c931ab11cb57
SHA256 3e980cf7e9b4ec71c6dc9bac75063b2d4533176dea4f7ea6a375874c678f6ce2
SHA512 394335769434865218d7c5e6f12fcac338cb0a41de34af19a63b3e0177109b7dc84fd83da46f4a6c40732afe88d171572d6fb7eaa55577f4eda23a47f1a32084

C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe

MD5 11cd1945fddc484ee65da0d2f0d375b3
SHA1 9f316915b5480e5223d2bf6fb53dd8f01140d390
SHA256 8ee9a81fbcd8012befcdf6fb50948bc6e84d7781ae3443fa34a8a58a8206179c
SHA512 81c7f408066d67d646e013026eef97b8ac88b8e2e22da2d6190ead13c0ec93dc53701041bad4a073b0def8e97689d1de1e2089ebd33c8f6eafa6a62c48a52012

C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe

MD5 0a6aa30f9ba14b7adfe5bd6e9daa7897
SHA1 f6183d3ebba58a3715c266f0f9ca41f675839abc
SHA256 58a5ec88709001ed7b6eabc17e9c2432708cb35220fa3d081b0a75bd2c15005e
SHA512 e0a1ef8c6978da2b0a4c5fa9ae625d812ebfc188a05a01af527c2f3138b1d356c2616c74fc0adcfcee9aa8e18f616ec3e3664e6bb07d12e12172f03de29a6cfb

C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe

MD5 04a1b0b472cc08050a8fe4ce5bd8ea0c
SHA1 bb77aa24d45d944bb2ceb3e9624997e0e599b005
SHA256 23a9f3e2467a3a5b4121809e4d7079f10c869331702f3d39d04abb5b95ef2b0e
SHA512 5ca62b9722bb56a808fd89a44a9d7251ff988e8ff5b5527e4a800d834e5452a4644befa75538524f0a49c4e308c2b919d7ecbe22a7eb9040fc12739e7eb65b61

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:40

Reported

2024-04-04 13:42

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F74C34-5E87-47d2-81C2-BC939C416253}\stubpath = "C:\\Windows\\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe" C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E005216-E643-48f2-97EE-350E040BC522} C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E005216-E643-48f2-97EE-350E040BC522}\stubpath = "C:\\Windows\\{4E005216-E643-48f2-97EE-350E040BC522}.exe" C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F} C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC762C9F-B672-45eb-B51B-C46ABF197EF6} C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}\stubpath = "C:\\Windows\\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe" C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41} C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC90A403-C3EC-4c4e-83F8-204E07142636} C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF42C359-D683-4e51-B245-1A35A7545B1F}\stubpath = "C:\\Windows\\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}\stubpath = "C:\\Windows\\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe" C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F74C34-5E87-47d2-81C2-BC939C416253} C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6E145EC-617A-4364-8079-41BA74D37EFA}\stubpath = "C:\\Windows\\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe" C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02DF97-FF65-4909-A883-144C95653DBE} C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF42C359-D683-4e51-B245-1A35A7545B1F} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E366FC-EB05-4056-8BF6-AC4B5290932C} C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E366FC-EB05-4056-8BF6-AC4B5290932C}\stubpath = "C:\\Windows\\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe" C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC90A403-C3EC-4c4e-83F8-204E07142636}\stubpath = "C:\\Windows\\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe" C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}\stubpath = "C:\\Windows\\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe" C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6E145EC-617A-4364-8079-41BA74D37EFA} C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}\stubpath = "C:\\Windows\\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe" C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}\stubpath = "C:\\Windows\\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe" C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBC99A7-0D2A-4500-B867-6273722B2ADA} C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02DF97-FF65-4909-A883-144C95653DBE}\stubpath = "C:\\Windows\\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe" C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF} C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe N/A
File created C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
File created C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe N/A
File created C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe N/A
File created C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe N/A
File created C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe N/A
File created C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe N/A
File created C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe N/A
File created C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe N/A
File created C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe N/A
File created C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe N/A
File created C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
PID 3984 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
PID 3984 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
PID 3984 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 1216 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
PID 3692 wrote to memory of 1216 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
PID 3692 wrote to memory of 1216 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
PID 3692 wrote to memory of 3988 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3988 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3988 N/A C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 632 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
PID 1216 wrote to memory of 632 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
PID 1216 wrote to memory of 632 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
PID 1216 wrote to memory of 1092 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 1092 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 1092 N/A C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 2504 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
PID 632 wrote to memory of 2504 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
PID 632 wrote to memory of 2504 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
PID 632 wrote to memory of 2628 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 2628 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 2628 N/A C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 3112 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
PID 2504 wrote to memory of 3112 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
PID 2504 wrote to memory of 3112 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
PID 2504 wrote to memory of 1620 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1620 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1620 N/A C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 1872 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
PID 3112 wrote to memory of 1872 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
PID 3112 wrote to memory of 1872 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
PID 3112 wrote to memory of 4788 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4788 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4788 N/A C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1348 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
PID 1872 wrote to memory of 1348 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
PID 1872 wrote to memory of 1348 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
PID 1872 wrote to memory of 2256 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2256 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2256 N/A C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 1156 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
PID 1348 wrote to memory of 1156 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
PID 1348 wrote to memory of 1156 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
PID 1348 wrote to memory of 3672 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 3672 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 3672 N/A C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1200 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
PID 1156 wrote to memory of 1200 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
PID 1156 wrote to memory of 1200 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
PID 1156 wrote to memory of 2032 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2032 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2032 N/A C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 4328 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
PID 1200 wrote to memory of 4328 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
PID 1200 wrote to memory of 4328 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
PID 1200 wrote to memory of 4512 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 4512 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 4512 N/A C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 376 N/A C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
PID 4328 wrote to memory of 376 N/A C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
PID 4328 wrote to memory of 376 N/A C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
PID 4328 wrote to memory of 3984 N/A C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"

C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe

C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe

C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CF42C~1.EXE > nul

C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe

C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{57E36~1.EXE > nul

C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe

C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC762~1.EXE > nul

C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe

C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBC9~1.EXE > nul

C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe

C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7E9~1.EXE > nul

C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe

C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC90A~1.EXE > nul

C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe

C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4A02D~1.EXE > nul

C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe

C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F74~1.EXE > nul

C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe

C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{03295~1.EXE > nul

C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe

C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E005~1.EXE > nul

C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe

C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E14~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe

MD5 bf2aca766e2fd0efb855d0c20db24e77
SHA1 b5770f95e66ee1d59fb6281bd4d9c6aeb80e0bed
SHA256 42d07d11e7736abc37f9b4d172ff182a6ef6a9b37a1235d34307f821d087015d
SHA512 6e69285aaa032ad96e64395540eb147fc4fb6fdb23d3224c336eeeae93a551b90817288fc301dee8174af0f64a14098283ef2849097bba71320f7bb49663acfb

C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe

MD5 de9628a5389c09fa3456d7c9eb2279f6
SHA1 50b8f3cc0218f46e94228a6ecfb9b55022e17450
SHA256 b772303edda7d7ce24b77328fc0e24632333561fedfba2d4187a4afe17f87e08
SHA512 41c6745fd120fce89db2f6b7c653ce561472086a3e377acb0d9f95807c2997aa6a14f2d3f85ff0ccbf9d20213241817667978833cf865beb863d9b02ff517f96

C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe

MD5 e3c957f7d6edf60e7dd9b00c7f739e57
SHA1 c3e5bf5c41334167c290b54af29c207837695e76
SHA256 67a380c9044e30c6a084f6ef86c8e1d6fca4fad8b791e4fe4d6d898d020050a3
SHA512 342ffc2333f43bd4e22ec3ddc443af51f0058ed8df83e466dec120d743b46203fb03782855f3605473dc9a738b6ee1761cab662885ccfeb34660d62c9f1de873

C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe

MD5 73161a6d1079fde1e41dac6eeee25af8
SHA1 7ff92e3401a82219538c4796cd2b3958f22d9c41
SHA256 61f0334531ffa3ea7fb69fbf6759537b84dc445d484fb02b4149126d82aecc98
SHA512 0e0f4f7c1a15ff791bde019d9336649d42c2397839f5104b9351f333357cf161dbe62aa5db4b2c39a1dee8139f2cfb29172e6e38be9b54b2fa34e2be98d4eee0

C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe

MD5 be27b62d4c28f50ac0d884dcbc59bdb6
SHA1 2159d172a71470cd4cc30ed878e679ea53bcd507
SHA256 7d6238257a54d453c18d19f77196193c29190affe292e002312f54725e9ebdd8
SHA512 e749006b5c74ef3e89952de7842ec6d77cd691d2c8adb781b71a53bf1671b0c4ba39477eee1042d54e44152c4b464199199b388b3a26af14204e0312c1652637

C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe

MD5 ee35f6f09751ffe038424c2bf4b257ef
SHA1 9b97846314a4f425f17e477fe9921347b7944da4
SHA256 aa9b172ce361b78fcf3be4a3701878efad0522527ac8f7eb6dce3e0383ef211d
SHA512 357a28e8f659326188768af7a9a785f09ded536a56d5532eff506595718f577234c86209eee6f833aeafebaf39387217665a3d62f549bce60abdd59fd07764c4

C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe

MD5 e62dc7dadab2112540e858782dd19f3e
SHA1 81442942cfaad4e200da3039877e29382bbd20b7
SHA256 2f0dc54ef2c912d479d9325ee6c81c2a79d2ca13e1268588f0f611e338b02844
SHA512 7afecf91a4f726cd07b239e35692c2fce3dce184a8b4d4b2551388516ac329c0218e508b82b3a374eadbc7980d985a27c415631030b322db33c6d61f17d8bca6

C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe

MD5 9142706754f7c376f04a289ce74658b8
SHA1 f2e440548b6e5de69ec0256f4c126a593c5a3d59
SHA256 8495f01f4b13c00ff0bfc97375278533454407860364b60f91e475ca1dcd4a17
SHA512 ed3a90c768e9b04c63a39e6f2e43993ee5149fa24026a3b4a93d1cac581f89cc6594e2a51e8957daee62e6ca04c0ae86432b2f8adcf2733c75d001d0e6505681

C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe

MD5 22c1485c6fc717ead99f12b5f324a805
SHA1 7dd4aad0516ffb0006615251eb072798fb4a7363
SHA256 ecaeb6925371736ddec78c2c89f5e34773a83f977800e18bd78302ac19c6a031
SHA512 f2fcde8c2666bcd01c58c9f8e5f42f1461c71c0f1bee98adb3852b90070d29eb5ee2fc8ed679fb89c87baa0ef9b5d87c26b3de541794b35f8297d803f4bb7de1

C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe

MD5 1738696c634dcfc09e5a0ae2d69523fe
SHA1 3951dae4354b03633e64d0d0639f9f699b4db50a
SHA256 271d15e1c7ece342ab79a92c4134432eca8a57bbe017451009967b30d03b6e46
SHA512 a33c805d7ee42cf1ec85108dfed0eb80df8c15763068d3b0d45995188b0de34b859c0b782eda35d364c90918fad4639615ea7f1029507a34a9055d93d733dfc1

C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe

MD5 7923f6dd4a07f9c8f83e5d82316e6048
SHA1 cb898f6b588f970fe271a7b571064f757900d157
SHA256 313b3cf4d51d1dc664fab4ce7b1bcb6359fbf0bf68626bd4231014245998e168
SHA512 9665594602a129b7280521dcb654b5cf80368896b310e4ea723df147d2e4aef970af4b00a595566156240cfefa8e979c9c7814c88c5f423dc6e21e404a5b6e7b

C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe

MD5 2da41137f2853677c6f5a9c92772f9aa
SHA1 a8773c29957e049c31c8618993be3bdf1bdf0ade
SHA256 ac2f27fb695d6516f22dc3f6f1be11766cc1d64c682a274410fdcc0ae1ce9a5b
SHA512 a377f5e977e0d17bac3878e0c17e2494533d486325b7eb245027778c70ac856c1e281469b5845a5ef05f63400277d84bd5770a7f0bc2dc605fa7b1ff85c7c1c1