Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1h7tmabg2z
Target 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye
SHA256 f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b
Tags persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b

Threat Level: Known bad

The file 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-04-06 21:40

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 21:40
Reported 2024-04-06 21:43
Platform win7-20240221-en
Max time kernel 163s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA} | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}\stubpath = "C:\\Windows\\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe" | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852} | C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30BD1FB-9454-4021-BC8A-807F2B48262E} | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289F9504-EBFC-49d1-B678-6B78A87086CA} | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0} | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0} | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0510C931-7787-43f5-86D2-F76C23F61058} | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}\stubpath = "C:\\Windows\\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe" | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419DB5D-EA81-42e4-939A-0C03F53CA380}\stubpath = "C:\\Windows\\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe" | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}\stubpath = "C:\\Windows\\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe" | C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E766309-DD79-40b5-9A84-6EE9AE596652}\stubpath = "C:\\Windows\\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe" | C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E766309-DD79-40b5-9A84-6EE9AE596652} | C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EDCB23-44F4-4da3-B945-B35B3D0236B4} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289F9504-EBFC-49d1-B678-6B78A87086CA}\stubpath = "C:\\Windows\\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe" | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419DB5D-EA81-42e4-939A-0C03F53CA380} | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0510C931-7787-43f5-86D2-F76C23F61058}\stubpath = "C:\\Windows\\{0510C931-7787-43f5-86D2-F76C23F61058}.exe" | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D208725-A94E-4af5-8FD3-D4F616AD043A} | C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D208725-A94E-4af5-8FD3-D4F616AD043A}\stubpath = "C:\\Windows\\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe" | C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}\stubpath = "C:\\Windows\\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30BD1FB-9454-4021-BC8A-807F2B48262E}\stubpath = "C:\\Windows\\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe" | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78484906-3E05-4eb6-B854-DF5D89173846} | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78484906-3E05-4eb6-B854-DF5D89173846}\stubpath = "C:\\Windows\\{78484906-3E05-4eb6-B854-DF5D89173846}.exe" | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}\stubpath = "C:\\Windows\\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe" | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | N/A
File created | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | N/A
File created | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | N/A
File created | C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe | C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe | N/A
File created | C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe | C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe | N/A
File created | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | N/A
File created | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | N/A
File created | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | N/A
File created | C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe | N/A
File created | C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe | C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe | N/A
File created | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | N/A
File created | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2336 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
PID 2336 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2556 | N/A | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
PID 2512 wrote to memory of 2464 | N/A | C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2496 | N/A | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe
PID 2556 wrote to memory of 3008 | N/A | C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 324 | N/A | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
PID 2496 wrote to memory of 2768 | N/A | C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe | C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2780 | N/A | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
PID 324 wrote to memory of 1756 | N/A | C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2660 | N/A | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
PID 2780 wrote to memory of 2348 | N/A | C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 292 | N/A | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
PID 2660 wrote to memory of 1396 | N/A | C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 1780 | N/A | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe
PID 292 wrote to memory of 1668 | N/A | C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"

C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe

C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe

C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31EDC~1.EXE > nul

C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe

C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D30BD~1.EXE > nul

C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe

C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{78484~1.EXE > nul

C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe

C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{289F9~1.EXE > nul

C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe

C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC01F~1.EXE > nul

C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe

C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D39C0~1.EXE > nul

C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe

C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1419D~1.EXE > nul

C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe

C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0510C~1.EXE > nul

C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe

C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A7573~1.EXE > nul

C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe

C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9863~1.EXE > nul

C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe

C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4D208~1.EXE > nul

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 21:40
Reported 2024-04-06 21:42
Platform win10v2004-20231215-en
Max time kernel 149s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{430C0D23-6441-441f-908E-103B561E44D7}\stubpath = "C:\\Windows\\{430C0D23-6441-441f-908E-103B561E44D7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6434B841-0202-4607-A9E8-7C037F2850E7}\stubpath = "C:\\Windows\\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe" C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}\stubpath = "C:\\Windows\\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe" C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0} C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}\stubpath = "C:\\Windows\\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe" C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E} C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}\stubpath = "C:\\Windows\\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe" C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D54A8DF5-6FD3-4588-A326-7B20F770469B}\stubpath = "C:\\Windows\\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe" C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7587AF25-E249-451d-BF08-00CDB8CF0F2A} C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{430C0D23-6441-441f-908E-103B561E44D7} C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6434B841-0202-4607-A9E8-7C037F2850E7} C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88181780-0C18-4c7d-97DC-59C8EAC165FB} C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C66E93-6B3D-49ec-B317-0430026ADE94} C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749} C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}\stubpath = "C:\\Windows\\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe" C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C66E93-6B3D-49ec-B317-0430026ADE94}\stubpath = "C:\\Windows\\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe" C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D54A8DF5-6FD3-4588-A326-7B20F770469B} C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}\stubpath = "C:\\Windows\\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe" C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA} C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}\stubpath = "C:\\Windows\\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe" C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0413D311-79DF-4b3a-A516-83117C660534} C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0413D311-79DF-4b3a-A516-83117C660534}\stubpath = "C:\\Windows\\{0413D311-79DF-4b3a-A516-83117C660534}.exe" C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88181780-0C18-4c7d-97DC-59C8EAC165FB}\stubpath = "C:\\Windows\\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe" C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2} C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe N/A
File created C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe N/A
File created C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe N/A
File created C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe N/A
File created C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe N/A
File created C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe N/A
File created C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe N/A
File created C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe N/A
File created C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe N/A
File created C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe N/A
File created C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
PID 1464 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
PID 1464 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
PID 1464 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4532 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
PID 2060 wrote to memory of 4532 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
PID 2060 wrote to memory of 4532 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
PID 2060 wrote to memory of 4392 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4392 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4392 N/A C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 2024 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
PID 4532 wrote to memory of 2024 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
PID 4532 wrote to memory of 2024 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
PID 4532 wrote to memory of 5080 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 5080 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 5080 N/A C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4864 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
PID 2024 wrote to memory of 4864 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
PID 2024 wrote to memory of 4864 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
PID 2024 wrote to memory of 408 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 408 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 408 N/A C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 4536 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
PID 4864 wrote to memory of 4536 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
PID 4864 wrote to memory of 4536 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
PID 4864 wrote to memory of 2156 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2156 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2156 N/A C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 2452 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
PID 4536 wrote to memory of 2452 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
PID 4536 wrote to memory of 2452 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
PID 4536 wrote to memory of 4060 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4060 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4060 N/A C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4388 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
PID 2452 wrote to memory of 4388 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
PID 2452 wrote to memory of 4388 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
PID 2452 wrote to memory of 4832 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4832 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4832 N/A C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 4196 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
PID 4388 wrote to memory of 4196 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
PID 4388 wrote to memory of 4196 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
PID 4388 wrote to memory of 3784 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 3784 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 3784 N/A C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 3052 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
PID 4196 wrote to memory of 3052 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
PID 4196 wrote to memory of 3052 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
PID 4196 wrote to memory of 852 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 852 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 852 N/A C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4200 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
PID 3052 wrote to memory of 4200 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
PID 3052 wrote to memory of 4200 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
PID 3052 wrote to memory of 4304 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4304 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4304 N/A C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 440 N/A C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
PID 2480 wrote to memory of 440 N/A C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
PID 2480 wrote to memory of 440 N/A C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
PID 2480 wrote to memory of 856 N/A C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"

C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe

C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe

C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{430C0~1.EXE > nul

C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe

C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C12F5~1.EXE > nul

C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe

C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6434B~1.EXE > nul

C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe

C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1C36D~1.EXE > nul

C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe

C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EB124~1.EXE > nul

C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe

C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0413D~1.EXE > nul

C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe

C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{88181~1.EXE > nul

C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe

C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15C66~1.EXE > nul

C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe

C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3462~1.EXE > nul

C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe

C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D54A8~1.EXE > nul

C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe

C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7587A~1.EXE > nul
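Each stage in the process list above launches the next stage and then spawns cmd.exe with `/c del <its own image> > nul` (the WriteProcessMemory pairs confirm the parent: PID 1464 spawns both {430C0D23}.exe and the cmd.exe that deletes 2024-0~1.EXE). The command line carries the 8.3 short name ({430C0~1.EXE) rather than the long GUID file name, so a rule that string-matches the parent's full image path in the child's command line misses it. The Python below is an added example, not code from the report or from any sandbox or EDR product: it flags cmd.exe children whose `del` target resolves to the parent's own image, accepting an 8.3 short name in the same directory whose prefix and extension agree with the long name. The process records are constructed from the process list and PIDs on this page; the PPID 1000 of the first process and the final benign record are invented for contrast, and the short-name prefix rule is an approximation of how NTFS generates short names (the authoritative mapping is only available on the host, e.g. with `dir /x`).

```python
"""Detect a process that spawns cmd.exe to delete its own image, matching the
8.3 short name ({430C0~1.EXE) that the deleting command line actually carries."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation records built from the process list and the WriteProcessMemory
# parent/child pairs above (PIDs 1464, 2060, 4444, 4532, 4392, 5080). PPID 1000 for
# the first process and the last, benign record are constructed for the example.
SAMPLE_EVENTS = [
    ProcEvent(1464, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"'),
    ProcEvent(2060, 1464, r"C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe",
              r"C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe"),
    ProcEvent(4444, 1464, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(4532, 2060, r"C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe",
              r"C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe"),
    ProcEvent(4392, 2060, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{430C0~1.EXE > nul"),
    ProcEvent(5080, 4532, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C12F5~1.EXE > nul"),
    # benign (constructed): cmd.exe deleting an unrelated file, parent not a stage
    ProcEvent(7000, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del C:\Users\Admin\Downloads\old.log"),
]

DEL_RE = re.compile(r'\bdel\b\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
# 8.3 short name: up to six characters, a tilde and a number, optional 3-char extension.
SHORT_RE = re.compile(r"^(?P<stem>[^~\\]{1,6})~\d+(?P<ext>\.[^.\\]{0,3})?$")


def refers_to(deleted, image):
    """Does the path given to `del` name `image`? Exact (case-insensitive) match, or
    an 8.3 short name in the same directory whose prefix and extension agree with
    the long name. Approximation: NTFS also drops spaces and some punctuation when
    building the prefix, and the directory itself may be written in short form."""
    deleted = deleted.strip('"')
    if deleted.lower() == image.lower():
        return True
    d_dir, _, d_name = deleted.rpartition("\\")
    i_dir, _, i_name = image.rpartition("\\")
    if d_dir.lower() != i_dir.lower():
        return False
    m = SHORT_RE.match(d_name)
    if not m:
        return False
    i_stem, dot, i_ext = i_name.rpartition(".")
    if not dot:
        i_stem, i_ext = i_name, ""
    short_ext = (m["ext"] or "").lstrip(".")
    return (i_stem.lower().startswith(m["stem"].lower())
            and i_ext[:3].lower() == short_ext.lower())


def self_delete_hits(events):
    """cmd.exe children whose `del` target is their parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and refers_to(m["target"], parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in self_delete_hits(SAMPLE_EVENTS):
        print(f"cmd.exe pid {cmd_pid} deletes the image of its parent pid {parent_pid}: {image}")
```

Keying on the parent's image rather than on the literal file name is what makes this survive the short-name trick; the same logic applies unchanged to Sysmon event ID 1 or EDR process-creation telemetry, where ParentImage and CommandLine are available directly.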

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe

MD5 c97f744563f30f2cff976e20081defe6
SHA1 a4f58ee0e54e0127e91d0e699117c722e2167f35
SHA256 0fcca0dc8400e420cbdc7db070f9a611f7567b18f2d71fb8f89d32527edeffdb
SHA512 e7c077613bc05ed7a75aa5ee38f0e8c17ed5732b5125d21841224c68757effacb4334b18cc99e65b032943bcbf1f510f650ac37ebcd4fc7b71154a1d6991db68

C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe

MD5 f265abb664ef4aa60c0f4078ff0be588
SHA1 ce6077253b8d5ff646428af05d8378d436512a99
SHA256 20f70f72f4ad740061c0e4c517c01b5b3693166517a8d1805dd1b55942e146d3
SHA512 ea2f02146e228299cf3c3b96858a9afca9481a7380f0cd5109c35cbe846d8087c7661f71872a10c29e43a2c4e6689a0b56d6012a8c09b0413c66446e8b359fc3

C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe

MD5 f03ea52bea24c3a0d1a198cf81de8092
SHA1 0e6b5d171389f5327d9990becf623c59ab754b0f
SHA256 f27034159c845de8f32061bebe252063eaade31a8366883a6a8c95803fd5dcfb
SHA512 ef1c87dc9bd9c5394ed9336a05cc36f0375930c75ef7911f8ac4baa20cf6cfa238785f572b1fd3982f56b2da161b8dc0505175a7d139255edd8c33e553945680

C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe

MD5 e6e51094eca4bedd2f1b13ef454742e7
SHA1 ea4b92e5978de3b7bff9ae8690b5c210fe18f0ca
SHA256 4c3702b1416be1933faacde794ee9f03e8b2e27bfad410ad6024048ac5320193
SHA512 d92aa36823aedcb0a35cafad4fe088780fc0edeb0ac46a3508f945c89a7a41a394fae5e5eac3a36553c04979f860e3c02076ed657c952b11079438d70e2523a3

C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe

MD5 fcd8d8bbaa1f5855a41c6fd8ceacad22
SHA1 c1baaa1cd66315929754756ea800b2fc8f4fbd5d
SHA256 342f98550d67769a421208462a929687da787109d4b9866e0e87e5be88ec661a
SHA512 7443fdfbc7ee7016c0edd373f396bc01a0df7c4052cdb8e775a193647d792c25b2a1231b1a095c45e4556692b40d2e55a1f6f7e9c525c5b30b2a8c646ea86030

C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe

MD5 a39610067739f57b48e06ee2c5f34a8b
SHA1 20e12a6e21abaf6b95aa9bfb9bb86bc091107e84
SHA256 4cc0271100a268d1c2143804a5fcf311a676fad922214740fd8023eaba0ffd06
SHA512 0c7a5ab84d11fd57820c91d25853168ceeb28837f2680009ae06a61bf70e3eef731236d8df0f25b7e1b2a383dbb09fa60602a2cc455b63ccc2fa1037e5272e36

C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe

MD5 531304c7fdb0bc8146f104a4adad9675
SHA1 d3875494d4a02c85e5a8632672511fd6425f594d
SHA256 cfa3ce881589ad94b0f0ae036c1c7336e9486adcf62e75dd8e68aa03e6000cd1
SHA512 efb1880f5262204bd516b46b5c7ef3b0ab4efbe2f60364d476d2c4758349236285ba89092cfa2535417ad9f32b418ecfddd87edf722b57d46fbcae88cfce2cbe

C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe

MD5 6ec5b5d358618dedf62e751bf3890bfc
SHA1 28ba1d595367c90c92d1723e9d1bf3d757fb4cf7
SHA256 bd14821c89f79e9493eb5d05292b6148478e899a6032a2e4e9d65efdbdea174f
SHA512 4cdd674e0043e75facc512f2b9a27598249701bd0403ece77b9746ecc73a828ba7b6574aa22a883280c8259ae2583a5763cfe47dcf9987791041cd434b7570a8

C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe

MD5 4ff75fbdc64938bcd263958fa0849402
SHA1 514edef1ecd7a1ac5309762e8b347647e701b3c3
SHA256 d7521de6bfa8716a0038671cf2ad885f7443a4c0c9b82045298f1d88f17090da
SHA512 0324cfed26ab15f715f53bd5936fe2dabe67440e4991d6c83bc23b84558947d4dc4d9124ac78641969f14c91bbf25276c5d1c290f273341aa8de83a88073988d

C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe

MD5 d8fd1cb7d56ac0a840dc966f4cbbeef8
SHA1 00f097c0072e79955342cfd60c250bce455bba0e
SHA256 328496c062585ad67b235829978f827d8ca4fa56208b4f3fa4d1abc3cb96bb86
SHA512 cee9d68c81ba051ae9a4ea043433b4ec715de374d51607f0f6da7b2f57eb2750a913f6e4f9596d2a9844f0e6b91161c9c10e21959910b72410300a83ac64278b

C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe

MD5 13d0abda867b2401b429e7ce80bed628
SHA1 be63fbcb6ae198892fa576bcefee57d9fc24a653
SHA256 364dcc64baa86c6bfcf85acbfc6c5f0c3d4887351e864b350916b5a14c743acc
SHA512 8faf821ec28ccce6c9241ecd76d1458ba86cdfcd615dafd3f15d6aec36eb69fcb1c0492078aa5bd51e9041b488ce50057261c04bb6c4dc41e10abf3f4d099a0d