Malware Analysis Report

2025-08-05 20:57

Sample ID: 240404-wefhraea4x
Target: 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye
SHA256: c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da

Threat Level: Known bad

The file 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 17:49

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 17:49
Reported: 2024-04-04 17:52
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73} C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}\stubpath = "C:\\Windows\\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe" C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37} C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}\stubpath = "C:\\Windows\\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe" C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}\stubpath = "C:\\Windows\\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe" C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415} C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A} C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA} C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415}\stubpath = "C:\\Windows\\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe" C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A} C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D} C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}\stubpath = "C:\\Windows\\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe" C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34} C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}\stubpath = "C:\\Windows\\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe" C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}\stubpath = "C:\\Windows\\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe" C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}\stubpath = "C:\\Windows\\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe" C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC} C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}\stubpath = "C:\\Windows\\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe" C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B} C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}\stubpath = "C:\\Windows\\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe" C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34}\stubpath = "C:\\Windows\\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB} C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe N/A
File created C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
File created C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe N/A
File created C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe N/A
File created C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe N/A
File created C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe N/A
File created C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe N/A
File created C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe N/A
File created C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe N/A
File created C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe N/A
File created C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
PID 1784 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
PID 1784 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
PID 1784 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
PID 1784 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2796 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
PID 2056 wrote to memory of 2796 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
PID 2056 wrote to memory of 2796 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
PID 2056 wrote to memory of 2796 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
PID 2056 wrote to memory of 2712 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2712 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2712 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2712 N/A C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2416 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
PID 2796 wrote to memory of 2416 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
PID 2796 wrote to memory of 2416 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
PID 2796 wrote to memory of 2416 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
PID 2796 wrote to memory of 2476 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2476 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2476 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2476 N/A C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2016 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
PID 2416 wrote to memory of 2016 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
PID 2416 wrote to memory of 2016 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
PID 2416 wrote to memory of 2016 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
PID 2416 wrote to memory of 580 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 580 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 580 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 580 N/A C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1480 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
PID 2016 wrote to memory of 1480 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
PID 2016 wrote to memory of 1480 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
PID 2016 wrote to memory of 1480 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
PID 2016 wrote to memory of 2660 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2660 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2660 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2660 N/A C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 2768 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
PID 1480 wrote to memory of 2768 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
PID 1480 wrote to memory of 2768 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
PID 1480 wrote to memory of 2768 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
PID 1480 wrote to memory of 528 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 528 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 528 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 528 N/A C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 748 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
PID 2768 wrote to memory of 748 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
PID 2768 wrote to memory of 748 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
PID 2768 wrote to memory of 748 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
PID 2768 wrote to memory of 2040 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2040 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2040 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2040 N/A C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2468 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
PID 748 wrote to memory of 2468 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
PID 748 wrote to memory of 2468 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
PID 748 wrote to memory of 2468 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
PID 748 wrote to memory of 2684 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2684 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2684 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2684 N/A C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"

C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe

C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe

C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67D77~1.EXE > nul

C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe

C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{21D7F~1.EXE > nul

C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe

C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0246A~1.EXE > nul

C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe

C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B07F~1.EXE > nul

C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe

C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40F7D~1.EXE > nul

C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe

C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A4020~1.EXE > nul

C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe

C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B4~1.EXE > nul

C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe

C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3A856~1.EXE > nul

C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe

C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25CDC~1.EXE > nul

C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe

C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF97A~1.EXE > nul

Network

N/A

Files

C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe

MD5 798b37a5ec6d1894c64137cd814ce2ec
SHA1 0d2f774073bf7f6cfe5394c154b0c558ba3d16fe
SHA256 7abefc5775f08409d124fd389511d52109fadbc58582b6fc99f173dd337d8c9d
SHA512 bacef93bc354bed6c545b136db76c8d97a4efbc92567488143028d7f45065e70a671373a379d7c7690c1790ffb9eb5617a2f9f44975d61642697110e9c48bfd8

C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe

MD5 cac5499d8d7f46de07a2698e4b1fca86
SHA1 19d9c4bd117e85ae37723d2a2afada8c31a1662b
SHA256 3e8305fd5178bbb5d310610a4eb810fc13056054b2fae005473a8899c4a1cfbe
SHA512 86cf60343b8a7876dae1390bea60043480a01a34238dd4309522f99edaca75bc6c4ad6812af5b16e9391c1ababff3d0a56742b0aa4d631ca87763700fa73d1e9

C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe

MD5 db7aa5b7695086d9774eee3006e63e8b
SHA1 ce387f701380657bd05dd3deec5b17f7df94d022
SHA256 e87fbfe6163185ab64b517e82db03e844a8fa94a67a49d9fdddabc632da4befc
SHA512 f4d4d650dd90f257b5ae3a73e424ea6f268a02e664c5ebbb8c633cdaf282d914270bf6baa63a6431f81e839389f8dcc2f3ba1d20af7250d6c67d2857601af27d

C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe

MD5 d483b89cb4f6d4b8fd5a8335dcc7a0f3
SHA1 2075abe6509c5bcdd0aae7adbb1755df436edc49
SHA256 c3721e7798fc5ca40f1dfc7d83f4276433b08ad40926fd0f16230b983130bac4
SHA512 e5fb251d0a87628fbfd6ae27f9f0bf8535d441101795d9fa9d6e26c487a1a266a952ebc1562b8cce035a99f2e52a18c89ab54704f395bf6ded3815294e5845f0

C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe

MD5 cea25b498077a23ed2c17343e6074acc
SHA1 16f24ac8ac75238895e9af936aa5f4d67281647b
SHA256 6089aaee336f57def4afadb9492892de7314c9bfede0ce38807b864c76e17bf4
SHA512 778c6dbe8fb6b3fdf0cd884f16d2caa22b4d06fc6d39e3b70bead7093f8a7e9302e84678fbd338c686846700c6ecd1890418a570a64138e6a8e39bd4cb2844d4

C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe

MD5 12bcccd9444bb6221de6441de11dad82
SHA1 20968c1cd024ba741aef164acb60d68314d400d6
SHA256 31e2dd275513bfe5ce39b43fe3e082710aaafa08a53c7178e538c0e85cf0ec01
SHA512 7d615609abeb3f298da6381004d9c6e421cc2419ff7265c282cbd91737d4b9438ec299ac8a83b36b4ef8418934ecd65fd921ea3c2538fe087b2b169d213c3aeb

C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe

MD5 57f57a7eefcd2b10b298cb3901da8cfa
SHA1 6681442d56079990ead67be77ee8f41393c7e8c4
SHA256 792d25ec4b27b97e02a61059baf4dd82d2c988e03c97edfa8a57f6f8d95b3ca2
SHA512 dbb0ac5fac4b6352dcefe072e2f115b06c328f4696290234968d0a3f04ec246347a820478b8263f3fb81ce798264ec91003a71599a7c323c25732b3514a6534b

C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe

MD5 7941e23059e3d610f8e728b148b38256
SHA1 f5dc5bb7715e702689f887d8026e9aeeac01e42f
SHA256 51af5bbaa8e72224b856bc1927b6aa68c2cbea4426b59768ede6b37290c8f49c
SHA512 87186d913cad726b250614283ef56a48981f5eda04b1b3b2691b3e9333ef5775c4f824f78cce862076d50ffd2cb0b7d9dbb7494b8d64d5bf9b247ab4139afd55

C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe

MD5 51d6972bd13f374904d2425fa9260fd1
SHA1 5f8ec7f8a516dc33eca8c167d20241c21f14f38f
SHA256 446dcac08e7116c135c311ecd0ebc6f30b2790be5a3a4f653d424242f2632377
SHA512 4e837cf159a8f052bf5d8bfdddf191fd54522af62b15427c3be6417d3ef4cfb386e3c4a2bf80112effa0809bac5bbdae0353a89ed1a11b5d97fae41476d4a781

C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe

MD5 9a613d3c95f31a3e480d351f8d8645e5
SHA1 bbb9682bdecb70f4650c19c1b5890ba6467297d2
SHA256 15b55173db355edf7a58a1320c4aecd3e3e467b429b57efe82cd706ea8370d21
SHA512 1138bd7ab3fef6a77420ef1b3471bfd9f7eb33070796dabf9b0eeb73de6df5f8cd2f2898ea57a5b3febecfe8bd2b2a39a3972e06d26302d4cfe750bd9c19a009

C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe

MD5 a95d460006ccf8acfade824368945f59
SHA1 327c70eda9699e50aa41bab1368aa20909ea1dd8
SHA256 760679e993412bba2781ded187b6e91aaf8403ab1b5d84d51770e1b6419558a3
SHA512 d22b0495550830a107cb1529bac2271a91e4a074fae9f2342af800559dd56ec874bfa5827f1e738a1c4389211037be737a9efe6893e478511770745261d2c154

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 17:49
Reported: 2024-04-04 17:52
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536}\stubpath = "C:\\Windows\\{8C4F2825-2B7E-4a58-B284-188481186536}.exe" C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439} C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}\stubpath = "C:\\Windows\\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe" C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38} C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581} C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810} C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810}\stubpath = "C:\\Windows\\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe" C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4} C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C} C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2}\stubpath = "C:\\Windows\\{47626205-076F-4679-A319-F56900DB60E2}.exe" C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8}\stubpath = "C:\\Windows\\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe" C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}\stubpath = "C:\\Windows\\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe" C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8}\stubpath = "C:\\Windows\\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe" C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439}\stubpath = "C:\\Windows\\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe" C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C}\stubpath = "C:\\Windows\\{7327239F-91DB-43c0-8952-30548D4F149C}.exe" C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E} C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}\stubpath = "C:\\Windows\\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536} C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8} C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8} C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581}\stubpath = "C:\\Windows\\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe" C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}\stubpath = "C:\\Windows\\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe" C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2} C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1} C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe N/A
File created C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe N/A
File created C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe N/A
File created C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe N/A
File created C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe N/A
File created C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
File created C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe N/A
File created C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe N/A
File created C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe N/A
File created C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe N/A
File created C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe N/A
File created C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
PID 3100 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 2320 N/A C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
PID 3420 wrote to memory of 1016 N/A C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2088 N/A C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
PID 2320 wrote to memory of 2124 N/A C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 4404 N/A C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
PID 2088 wrote to memory of 2624 N/A C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 1740 N/A C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
PID 4404 wrote to memory of 4976 N/A C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1464 N/A C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
PID 1740 wrote to memory of 3772 N/A C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 4704 N/A C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
PID 1464 wrote to memory of 1484 N/A C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 4328 N/A C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
PID 4704 wrote to memory of 5092 N/A C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 4652 N/A C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
PID 4328 wrote to memory of 4344 N/A C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 1124 N/A C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
PID 4652 wrote to memory of 1876 N/A C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 556 N/A C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
PID 1124 wrote to memory of 3464 N/A C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"

C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe

C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe

C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B06E0~1.EXE > nul

C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe

C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{47626~1.EXE > nul

C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe

C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE503~1.EXE > nul

C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe

C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{749A5~1.EXE > nul

C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe

C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4F2~1.EXE > nul

C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe

C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9838F~1.EXE > nul

C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe

C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8BD~1.EXE > nul

C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe

C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E4C~1.EXE > nul

C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe

C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF021~1.EXE > nul

C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe

C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B899B~1.EXE > nul

C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe

C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B797B~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp

Files

C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe

MD5 bbeeb1fe07132072d41e48cf20d5af1c
SHA1 4f72a2e1832643cb51f0fe3363c4ec4d65716eee
SHA256 b10c769f001f108fc67ffdf3bbf639df68d5beec5afe04464df2cbd2b096d243
SHA512 4d0b6e869b3d77c9e57bc8bfd57dce70d3e0b6cd257c58c889aa6517a58b387fc9f2f2b5a3fc8c5b9a64c2f5575fa70299e35a8c0b842ee2cc69bb4a9cdd3763

C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe

MD5 3a0ba1bb161ac9b5a21e1284868c8906
SHA1 0c8b1791729ec52dec422df49bcee41802ac9775
SHA256 a55fd6b732eaeb577c8e8a1404c7fdf3ddd2e7542e5ab9ddfbbb1a5e9e19c8c4
SHA512 152910767439e1ccecd41a57205b96a03e9a7496bfb7d589463be7f26974e0e3de8f5a93af6efc9a18aa23ee0eddb78894744ad0535c68d834a8d5069079d5cb

C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe

MD5 8a2283a479a1a61e5f4c379a22347a04
SHA1 dbacf57cedb3bf50ddb68cc6d1b56104482a90c5
SHA256 610aec70006a57b54fb5c610242034563ff092abbd3dc81b4086eedc8479ade4
SHA512 cb01ab652a0cea1a4554aec1b230612d8362b561b8baf874e0152415f0c153c06eccb8e1270200aff7cf4a0d716a9b6c288e291728187aaf2a38c34445c99e93

C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe

MD5 266050b0429000b5c7b46ea36a48ea56
SHA1 cd61a72c78cabf3d567e6764853999ab7175794f
SHA256 1ea58499d6c5f746b768041f7e7c1135f495a34cd53a10c3e58172984f94d98a
SHA512 393c7d913207b9ab53c88964af7e335a84755b59a6cd571ad3b8135e03c283f4d8f8ee2e03ed6f4bf5879cda573e48e15fac82a07da7147fe8d8f06cde0d13d9

C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe

MD5 7bde490f92506b270207842ddd9b50a1
SHA1 4870d1bf313f422a979ac980e69413f762626ea3
SHA256 f768a2fee3859324d2b4f97e9aa6945c6795e9ff787384b4add100d86d1f49fe
SHA512 4e8ad0721515b218573ae87dcfb55c08a7afbd5fc41948bdec6c6bd27434a798c77faef29e7ce9cc9b90cabc7dbde3307ff3dd6006630e11b332bec2f63d202e

C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe

MD5 496d2a05ebfb3c469ebb8f7b1ed09a8c
SHA1 64f9955dd37dc487cc086e1f64447896483f3c96
SHA256 f61c5fc72399b1a60924503f3485288399f988d740eec8d47ab3f3839f500113
SHA512 3f0969103ecf51969a1d9e89be69d9044bd700341b2d5dc85a00579d4240968a7d2e679776e02ccfd5531fb5e06561a94e619c251b9b3741e3b4124af8069103

C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe

MD5 2af684362148e8668723d9f866d8eda3
SHA1 e4de2164d0df780cafe97296e9939435af71d784
SHA256 d35231bb1bc1ceb5549cb180ba3769ec43cb19dca93230e63cbe57f9b2573d9c
SHA512 028dd2fbfccd3f60de3cda979f7a485db8780eca2617ba89ec0d2ce03f0c3cb46c41f531a8f82144e67dafd79ae592bb9dc49524040a42369c92e0332eec12f1

C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe

MD5 dadd9905d8d1a8a1d978ca571124964e
SHA1 3967a07404972c490968704715e8b55954fdf8ee
SHA256 ed68b7363b5d45092fcd99e5486e98fa4eff55bd71b383953d9a91d0107e7d3a
SHA512 d6482c02e20a3be4fa566475d6fb3a7cc427ea40f7cb79e47d5290b10a26fd30fab7ff3f9b90930fe236a6c60ed32db250c86da9af9c987151fc232c63aafaaa

C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe

MD5 cd7a50628e66e4596dcb0f9ba10e43bf
SHA1 d7c22edc336f57e834d153de73b5f904ec2c84db
SHA256 a7fba4653fd9d9b6da899775863468a91d79d46f68e1b840190ad689c41d89c7
SHA512 d21f615501c0f8adeedb9487f65078db19720eb83853d5e5b4e7e97cf8c97a2354ce71999acc4bb7719ddf59b6ef3be970b6ecb2635aaed76a31458616f70fb4

C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe

MD5 33f38b59f55e7a9b2abb800a0a756297
SHA1 12321646e8f9afac759520984ad4bd63e5bd9b76
SHA256 31d4f863a0ec42963782462e5b30cbd0a1ada48cf554d218913f79edd0c57466
SHA512 f25cddcab63a789531d050febf0e59fc95ba139616ff12335157ff08987672531211088cc03859fc05154c1ecef573ea5eb17a07a327419adcdcc19506b940fc

C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe

MD5 6be44d31e500ba4d085abe3bf1e0cc39
SHA1 e1069ebd6712574841328017806c9c2d4792e613
SHA256 e97a73b971a4a2764ce0d89c03af68245d63451262ab1bd5c9dd798dbb018767
SHA512 5fd2d49296be3185c0f1f8ad70535ea978f58a6f3230f6a09c068dc2820f8cd97d261357c8ccda72d368fe623fcff512f72a35ae9d282367a6ee04b16a1db07f

C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe

MD5 c3698d11005c279eed9cb1e1cbd22c1d
SHA1 f7560a045e60567a39de102cf0e7e772c3cebe2f
SHA256 5bc9a3ca9e861700db6614edbddb0f2c4834b7e1cacecc87a2ad482969ad7009
SHA512 b8534deaeea5084dad30c019856c4c629f2c8a5baed0f743f706a7965459b674023808393d7010ff42bdf405dac7d49def616065c96926c4996fe9765d69b456