Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v46kssdf8z
Target 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye
SHA256 8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6

Threat Level: Known bad

The file 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:33

Signatures

Auto-generated rule

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:33

Reported

2024-04-04 17:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E} C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9B1EA3-258E-47e9-9482-F33E461A8426} C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3CE716-1338-4ca2-A9AF-56151A556E65} C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}\stubpath = "C:\\Windows\\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe" C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E10020-54FE-4ef2-82AA-528F280B51B9} C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F} C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}\stubpath = "C:\\Windows\\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe" C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}\stubpath = "C:\\Windows\\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe" C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9B1EA3-258E-47e9-9482-F33E461A8426}\stubpath = "C:\\Windows\\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe" C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D979789-F38F-4b5b-BC2D-19478E84D207} C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667D4632-5CD2-41af-8AE4-C3431B1C70D5} C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}\stubpath = "C:\\Windows\\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe" C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AC986D-ECF3-45be-B750-D3D1110EDD66} C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AC986D-ECF3-45be-B750-D3D1110EDD66}\stubpath = "C:\\Windows\\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe" C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{092E74B0-8CA1-453b-9474-C9849FDD04D6} C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{092E74B0-8CA1-453b-9474-C9849FDD04D6}\stubpath = "C:\\Windows\\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe" C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}\stubpath = "C:\\Windows\\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B49C12-D985-40ae-87EF-8C9DB894EB6E} C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}\stubpath = "C:\\Windows\\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe" C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D979789-F38F-4b5b-BC2D-19478E84D207}\stubpath = "C:\\Windows\\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe" C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3CE716-1338-4ca2-A9AF-56151A556E65}\stubpath = "C:\\Windows\\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe" C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA} C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E10020-54FE-4ef2-82AA-528F280B51B9}\stubpath = "C:\\Windows\\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe" C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe N/A
File created C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe N/A
File created C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe N/A
File created C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe N/A
File created C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe N/A
File created C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe N/A
File created C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe N/A
File created C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe N/A
File created C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe N/A
File created C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
File created C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe N/A
File created C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
PID 1944 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
PID 1944 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
PID 1944 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 1136 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
PID 3868 wrote to memory of 1136 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
PID 3868 wrote to memory of 1136 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
PID 3868 wrote to memory of 960 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 960 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 960 N/A C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 684 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
PID 1136 wrote to memory of 684 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
PID 1136 wrote to memory of 684 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
PID 1136 wrote to memory of 2328 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2328 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2328 N/A C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 3124 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
PID 684 wrote to memory of 3124 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
PID 684 wrote to memory of 3124 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
PID 684 wrote to memory of 2304 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2304 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2304 N/A C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2260 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
PID 3124 wrote to memory of 2260 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
PID 3124 wrote to memory of 2260 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
PID 3124 wrote to memory of 1696 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1696 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1696 N/A C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 5060 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
PID 2260 wrote to memory of 5060 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
PID 2260 wrote to memory of 5060 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
PID 2260 wrote to memory of 4084 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 4084 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 4084 N/A C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 228 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
PID 5060 wrote to memory of 228 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
PID 5060 wrote to memory of 228 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
PID 5060 wrote to memory of 4672 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4672 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4672 N/A C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3224 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
PID 228 wrote to memory of 3224 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
PID 228 wrote to memory of 3224 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
PID 228 wrote to memory of 3528 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3528 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3528 N/A C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 3948 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
PID 3224 wrote to memory of 3948 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
PID 3224 wrote to memory of 3948 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
PID 3224 wrote to memory of 1464 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 1464 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 1464 N/A C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 5000 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
PID 3948 wrote to memory of 5000 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
PID 3948 wrote to memory of 5000 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
PID 3948 wrote to memory of 2612 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2612 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 2612 N/A C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2804 N/A C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
PID 5000 wrote to memory of 2804 N/A C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
PID 5000 wrote to memory of 2804 N/A C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
PID 5000 wrote to memory of 908 N/A C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"

C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe

C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe

C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C9C~1.EXE > nul

C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe

C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93B49~1.EXE > nul

C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe

C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{057AC~1.EXE > nul

C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe

C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A4E2~1.EXE > nul

C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe

C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EE9B1~1.EXE > nul

C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe

C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D979~1.EXE > nul

C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe

C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE3CE~1.EXE > nul

C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe

C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{667D4~1.EXE > nul

C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe

C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE339~1.EXE > nul

C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe

C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E10~1.EXE > nul

C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe

C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{66AC9~1.EXE > nul

Network


Files

C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe

C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe

C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe

C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe

C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe

C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe

C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe

C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe

C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe

C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe

C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe

C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:33

Reported

2024-04-04 17:36

Platform

win7-20240215-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C} C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}\stubpath = "C:\\Windows\\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe" C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}\stubpath = "C:\\Windows\\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe" C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E0A43C-986F-462e-B69A-CAA8537BA389} C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4} C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D} C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20} C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83D0614-1609-401c-A06E-0DA0917E7D45} C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}\stubpath = "C:\\Windows\\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe" C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758F56F4-711C-4465-B5FE-A8771FB66D9A}\stubpath = "C:\\Windows\\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe" C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3} C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E0A43C-986F-462e-B69A-CAA8537BA389}\stubpath = "C:\\Windows\\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe" C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7E2A90-4EB4-4893-990E-F02213A61194} C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}\stubpath = "C:\\Windows\\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe" C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0519F1B9-D84D-4363-8E04-A3E6DB66A217} C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}\stubpath = "C:\\Windows\\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe" C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758F56F4-711C-4465-B5FE-A8771FB66D9A} C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}\stubpath = "C:\\Windows\\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83D0614-1609-401c-A06E-0DA0917E7D45}\stubpath = "C:\\Windows\\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe" C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7E2A90-4EB4-4893-990E-F02213A61194}\stubpath = "C:\\Windows\\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe" C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A} C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}\stubpath = "C:\\Windows\\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe" C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
File created C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe N/A
File created C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe N/A
File created C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe N/A
File created C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe N/A
File created C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe N/A
File created C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe N/A
File created C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe N/A
File created C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe N/A
File created C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe N/A
File created C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
PID 1920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
PID 1920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
PID 1920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
PID 1920 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2528 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
PID 2556 wrote to memory of 2528 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
PID 2556 wrote to memory of 2528 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
PID 2556 wrote to memory of 2528 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
PID 2556 wrote to memory of 2604 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2604 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2604 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2604 N/A C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
PID 1588 wrote to memory of 1488 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1488 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1488 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1488 N/A C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 1684 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
PID 1580 wrote to memory of 1684 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
PID 1580 wrote to memory of 1684 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
PID 1580 wrote to memory of 1684 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
PID 1580 wrote to memory of 2144 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2144 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2144 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2144 N/A C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 1016 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
PID 1684 wrote to memory of 1016 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
PID 1684 wrote to memory of 1016 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
PID 1684 wrote to memory of 1016 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 2288 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
PID 1016 wrote to memory of 2288 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
PID 1016 wrote to memory of 2288 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
PID 1016 wrote to memory of 2288 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
PID 1016 wrote to memory of 2200 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 2200 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 2200 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 2200 N/A C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 852 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
PID 2288 wrote to memory of 852 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
PID 2288 wrote to memory of 852 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
PID 2288 wrote to memory of 852 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
PID 2288 wrote to memory of 1204 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1204 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1204 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1204 N/A C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"

C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe

C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe

C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7F6C4~1.EXE > nul

C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe

C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64B80~1.EXE > nul

C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe

C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CBC~1.EXE > nul

C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe

C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E83D0~1.EXE > nul

C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe

C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E0A~1.EXE > nul

C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe

C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7E2~1.EXE > nul

C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe

C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4854~1.EXE > nul

C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe

C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0519F~1.EXE > nul

C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe

C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEDD~1.EXE > nul

C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe

C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{758F5~1.EXE > nul

Network

N/A

Files

C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe

MD5 3f01a96b6ebc755ad8b7644b760fc764
SHA1 bc2b89e57d46362a5c2a49e1791de6bf6200b9df
SHA256 9b92706254858b8f7fc4f3f88daf15ba86853e998f082fa844ce38626a8f5169
SHA512 8b3a3e9b5432a4ff9162d50714540b5e419e772ffc45efdeca333622d53af9ad92e7d95b24c47c87ebaca844d40971492869980c9a7f079435c139ab085ef7af

C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe

MD5 65f3c3b3fe7b806c668a3af05c1e3c44
SHA1 be8a500768aa774a995291b75816292def1d8a79
SHA256 3db9a4496db7506362261a7693158a6432975f490f969726ef2960181167d8e2
SHA512 1092facd80067f0471f65baefd81eb0eafc518e54b7cfe5654987810b4b9bfa129c4e12eabf6d42d806efbcb6099224e2e9d23aee3516524ebd2442531551694

C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe

MD5 a60b04d447e00af3f92f38e078be0917
SHA1 41a4892a6bc8902d36cfe16039b6e9a8d7f513d3
SHA256 fe698b8fe395bcdf7f03bf267114b6664cc5717d8faac2944d8c86c08c93cdac
SHA512 848dcfc190b6a4c723f7bb10ace0497c1cb4317de909307ed447414a4f2e16589c1a5bf2f241f624b9a670a83ecf253ca97c4f734c7f71469912f6b1e5c78b24

C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe

MD5 1cbe4a0e2ce6871092134ed317cb531b
SHA1 52adb2591c0a5e5a3598adfd50ad978f7e61c5c3
SHA256 2fc5d7dafd068fb676a6f3ad30d5cc6488e97a8457623e2fc30db06863ad0053
SHA512 a6b2815f520b3b019e93f2c1a9033e348025b0fe75946c1171fd697438629ace38f9acd1df6f1b74d59c0879ce7cbaf794213d8a89a226101a530905f1b616de

C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe

MD5 e8565404476a8525c1f31e0978ff77ef
SHA1 2fbb72315619ac27282d5c7f6d11317e1138098b
SHA256 fdce23f2ec65c90162aded8948ebbac507946b7b1e399b59bfc7c27f9436cdee
SHA512 c53ba42a5f50ffee06aadce6e3fce9a81509ce0e7dcee0cd00d28970f30094b6e2b98f1bea5a282841079439af1948e98fa291d21a2ca7ea75a58c94778de28d

C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe

MD5 663954763a906b6c594f6e371adca4e2
SHA1 015ca656705548d487960118b75ca2ca8c074663
SHA256 8d715a26a955946593d1a6d1d4654fa2c27816a29cfbaf26ed8ed6dd275d7483
SHA512 260b71e15811c2d2eabe237877594789ce88f7a011885f68d317ab1a6f1b98f019d51df494b1a3ed3ef6dfddea824a7a97b1bc9011e6732b2132a7f50910814e

C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe

MD5 c8589c8f4b8a62ff9c64ef60de7ed761
SHA1 b39d592fc3f95b09baa27dbeb4935e2e23bfc7bd
SHA256 f1add54aa081fc67e36669e2387e40a62b490a87801a2211325bd3a84f5dd07e
SHA512 8a7d331784aa0d721a6c5c5ac89def1e0774284f900627af57f8c60f6306561034fdfdcf65e55c634f22286617e8f1453b7ee03eafdbd959429714c45ed503a9

C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe

MD5 55612e29a628c1191295c3b0a046ea87
SHA1 fa4ac4b192d99fcb5122e6b3dfb704b920872c61
SHA256 7dc772877c3a07e24986850b21d8a9e9e55e17e2283fd84fb9e2abacca06805d
SHA512 b687b3948eb96f345dae64b7183e306844bad5ac2b99ce8a7a4ed7a38ba80a7e008ab8979fc12b096f406a37e62018bdc57578eb34fc4aa347c0907e4622a88c

C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe

MD5 56399d0f5d937db9505dfdd0b48e6462
SHA1 272823c72609121ebfefc4d1a39de8bfe30c5a69
SHA256 c908df214df08465e8010b890e37a74e76560e4a54ff2bb1a1c48e6652580af4
SHA512 ec98e2fd42af99b0fd4d9d30a6d4ab4ce4518a4405c57b2eb486760b011b513c7bf48f42bc3c949cbe19b53b93cc65b1fa19be5cfa4dd3aa1b4479c2cc299000

C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe

MD5 2d915cdf9398d6e3845d08de15a7a75a
SHA1 e7dea7b0f2cda9d2a851eb4546c360c71ca4c72e
SHA256 1f1dab1527e1a192fc628dd692ab35d7677e12d275e3c0b79cba9715f70daaa2
SHA512 d4d54dbf173b6f7b347c356abac0c3c4d933acf99362a6a80a0016aead3670046e60d7caac92021145f9858145aaedc7cbee5a0f07d6a6f0d214245c9c2c3ccb

C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe

MD5 ef667aa1ca198307a663f8607179f9f1
SHA1 925c4473fa65e1ca5bc352644a9ba150d2580bbf
SHA256 39ae2142c5e2676c7f0e55c8a38fb2a3f0be14a5fc94c63b26f806e1283f4177
SHA512 10de51d608544da2de08b6d6614efcc024f12009a22d96bc642a7a2b9081322fe426e2b9a403e48c80904836e1ccdf7b609b0583697912a0671b5e664767e960