Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1kdnkabg6z
Target 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye
SHA256 ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c
Tags persistence
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c

Threat Level: Known bad

The file 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-06 21:42

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 21:42
Reported 2024-04-06 21:44
Platform win7-20240221-en
Max time kernel 144s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
(11 matches, all fields N/A)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76BB640B-575A-428a-BE82-C5786FAD51B9} C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1} C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}\stubpath = "C:\\Windows\\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe" C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}\stubpath = "C:\\Windows\\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}\stubpath = "C:\\Windows\\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe" C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552C4C99-FF3B-465b-BA8D-2677E978339B} C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4} C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09BEC34-7243-435f-8B72-74C5DBC25840}\stubpath = "C:\\Windows\\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe" C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E} C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966} C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B} C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552C4C99-FF3B-465b-BA8D-2677E978339B}\stubpath = "C:\\Windows\\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe" C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}\stubpath = "C:\\Windows\\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe" C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F} C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09BEC34-7243-435f-8B72-74C5DBC25840} C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76BB640B-575A-428a-BE82-C5786FAD51B9}\stubpath = "C:\\Windows\\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe" C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B755DF5-4E59-4cca-897E-FB39F787FD9F} C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}\stubpath = "C:\\Windows\\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe" C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F} C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}\stubpath = "C:\\Windows\\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe" C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}\stubpath = "C:\\Windows\\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe" C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}\stubpath = "C:\\Windows\\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe" C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe N/A
File created C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe N/A
File created C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
File created C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe N/A
File created C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe N/A
File created C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe N/A
File created C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe N/A
File created C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe N/A
File created C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe N/A
File created C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe N/A
File created C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
PID 2248 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
PID 2248 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
PID 2248 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
PID 2248 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2612 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
PID 1352 wrote to memory of 2612 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
PID 1352 wrote to memory of 2612 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
PID 1352 wrote to memory of 2612 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
PID 1352 wrote to memory of 2636 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2636 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2636 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2636 N/A C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2352 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
PID 2612 wrote to memory of 2352 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
PID 2612 wrote to memory of 2352 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
PID 2612 wrote to memory of 2352 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
PID 2612 wrote to memory of 2388 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2388 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2388 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2388 N/A C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2800 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
PID 2352 wrote to memory of 2800 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
PID 2352 wrote to memory of 2800 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
PID 2352 wrote to memory of 2800 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
PID 2352 wrote to memory of 1032 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1032 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1032 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1032 N/A C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1780 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
PID 2800 wrote to memory of 1780 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
PID 2800 wrote to memory of 1780 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
PID 2800 wrote to memory of 1780 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
PID 2800 wrote to memory of 1996 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1996 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1996 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1996 N/A C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2640 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
PID 1780 wrote to memory of 2640 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
PID 1780 wrote to memory of 2640 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
PID 1780 wrote to memory of 2640 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
PID 1780 wrote to memory of 2688 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2688 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2688 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2688 N/A C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1796 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
PID 2640 wrote to memory of 1796 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
PID 2640 wrote to memory of 1796 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
PID 2640 wrote to memory of 1796 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
PID 2640 wrote to memory of 1972 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1972 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1972 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1972 N/A C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2236 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
PID 1796 wrote to memory of 2236 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
PID 1796 wrote to memory of 2236 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
PID 1796 wrote to memory of 2236 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
PID 1796 wrote to memory of 1772 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 1772 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 1772 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 1772 N/A C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"

C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe

C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe

C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77CD1~1.EXE > nul

C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe

C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CDBC6~1.EXE > nul

C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe

C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{552C4~1.EXE > nul

C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe

C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5084D~1.EXE > nul

C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe

C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D09BE~1.EXE > nul

C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe

C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76BB6~1.EXE > nul

C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe

C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B755~1.EXE > nul

C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe

C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D1A~1.EXE > nul

C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe

C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8BF~1.EXE > nul

C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe

C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27DEC~1.EXE > nul

Network

N/A

Files

C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe

MD5 8119276d91f4b40b60adce6c21f71219
SHA1 b63287e100b2cfa3116a0d3ef2db616f691cdcbf
SHA256 cf6f4ce7e613fcae276d50ca2f69f367ddd8f02b65c97cb973b6024579293e95
SHA512 11ea2c286f28e0252e89aaa0927f7b439a86fcfbd68ff31b01c0f62f951019ea14a4b2dd063d310a4a8a540a1952a9ec437ee21d4543ea37c485217b90ed0d2b

C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe

MD5 1ba8316b339c048e713544a6e277a9f4
SHA1 24c01ecfdb09578bd776bf1a45775766465531cf
SHA256 fefa335cf3babb286be5cf274fd1696729ba30013dea193a62d6a7de2d19f0a6
SHA512 3d34278b5968cb560808662510ffc408aeae5ead12beda3ee321e93ba5c51021551d0f323cf210479d5136f470a841a1782cb9f70b6d72cb431a097f40b6bcfb

C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe

MD5 2777fa5e1be5c605e5fd6f9440d0baa4
SHA1 e0fba6a706320d4f170c5d696ba30eee8aee7351
SHA256 b76a14689b09ce1bd70d2dd550da3f3a512f1f87636deba606ae1847b9b9cdb3
SHA512 e31cae8fa14a6224d1527d3d03fbbfb36caf6cc567bc1bf67575c437b51e4b99c64f77e928be1a157e28da98041d442be6fd84b4a5941d9e6d650901381a3cdd

C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe

MD5 606ec459a4b6e3bd1207bd9f95b5e6cb
SHA1 2f1b89e60ba4c6eaa489b2913807e64b436bb0f5
SHA256 2b7dd6a4f0c21c7a3d1a7510497696062d88904510d7494b73d6627764776722
SHA512 093d41a0ba1325288a5136ea7b7bddc04b3f8e6e08710203899b280ecad91de908d9e895e2adcafe65e9cfdc3d1b2c0572f9722d667ae1c648fb64dc4509eaa2

C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe

MD5 3456312515fc86c9e6c61185dfe845b1
SHA1 d38203b6777979800a19ec64e7070d0c0c89f337
SHA256 c7270ee7923058514b091f8d35b433884581702aa1646ec2c93afebcba755471
SHA512 d6844cc0026409abc52ee57b97bb046038830fbf9932e868e06dc0e0c7ddea4f1965d99cd383755a93b6c05322783ae41f97faa5038ba40627d13fd91bc079d5

C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe

MD5 bc185c4496e190b3b9195773a4c6cce1
SHA1 48718264dff644847a29d526fcd67f6cde9dc83a
SHA256 7534c9685edfd1c3942dee12f5cd57ebcf7ed58cf1d1e9139f3a3728eadb65b4
SHA512 bd09df3132d134566817d8ad4d5f1d273ae34cca06227e1b3336ae0776966605836a7957617007dcb50fd9e0418eb38be18145395809b980e0a5c76202e5333f

C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe

MD5 5a794c77f05bfa80939af48e2ed512e2
SHA1 1591a153627a0e003b165375e45fff9f3a5544f1
SHA256 5da35fceb0fea8246f18968acf0bd991fc07f4fa129be35a4638538abfa19a04
SHA512 9aad56d130cd778ed884191edd36330d5da47600d313ec922b6db7f3150b18951033b1efbd689348fd7f609331ae28b26872381ed46c853604c8490ec737037f

C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe

MD5 d1a27f97a01b3dd2d390063e96b7fae3
SHA1 e8724a98c3bcd2a980cab66a25eb47a87ab938aa
SHA256 78d24c1cac5b0c701eddec1d08e60f81a101dc27e026c909272cba1276025c45
SHA512 99f1b4f7ffab9c111d3901eb2ae359b7381eda31effe2c42ef231cca45cb4deb4a86d607c48dc3ff06db28e47db5607cb4ea3384f967f3a51476ca1e936468db

C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe

MD5 61222317d009b4b6cac9003d1f166e08
SHA1 24da2b0e6b15468c9b45f0ce3071e9cf2c9a6998
SHA256 7d2811fe8a42c3a0f60accac941a0c68e7f02e6dc5102eb4b85695ca9069c10f
SHA512 e367a7e16f1c9dce20516cf4dd46de19274a0e6649f6ff8c320bd3ad0ddd3021481ba900f22af1092ab9ce8ffbee2d041fbf8ab0757f224f588841651be26a9e

C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe

MD5 ecfa67ca309dcd91067482210fbc5acc
SHA1 4ed2fd71943e7201a7299588877e6bc15a340be3
SHA256 8e9ad34c2b3bd026fdb5de263d56d6c59aebb7b29a5bc5b14fa0a40518a4216b
SHA512 88ecdc92cd85d885d2f2babc2f4e5e2c423c8f9d70f6b776d443f8259b2d1093fdd54c0b4e7ef8ee73117f5523985812ac687125691207c6ebc0e841b71e64fb

C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe

MD5 81f52e039898ec0933e7b58d350ae348
SHA1 1cd8cbdce585b3c78a714d12e48d8dfb05c8f9a6
SHA256 14a099c3994ca6bd0202ca995999e65c3b4025245514292c6850aac8662e7ded
SHA512 c1ddb2b4fc2c57656f3caf08605236efe1dd938e1586af5942a2aa6076d6f61f65e4c719e37c222118636853fb22aaccb168e1ddb61cbb0ca8b79a558550fbd5

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 21:42
Reported 2024-04-06 21:44
Platform win10v2004-20231215-en
Max time kernel 149s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
(12 matches, all fields N/A)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5873103-31D1-41b1-89DE-A08D98A4033E} C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5873103-31D1-41b1-89DE-A08D98A4033E}\stubpath = "C:\\Windows\\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe" C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBE1B83-E263-48be-B221-FF8B6966EEDC} C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB} C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C} C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A3783E-94BD-4885-A11C-C39147543A1E}\stubpath = "C:\\Windows\\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe" C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}\stubpath = "C:\\Windows\\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe" C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}\stubpath = "C:\\Windows\\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe" C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C} C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}\stubpath = "C:\\Windows\\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe" C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643B98-6781-4d9f-B07D-D48BE14C3EFD} C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}\stubpath = "C:\\Windows\\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe" C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBC5147-3ADE-4a23-9190-916DE8470E1C} C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}\stubpath = "C:\\Windows\\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe" C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}\stubpath = "C:\\Windows\\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe" C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4} C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}\stubpath = "C:\\Windows\\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}\stubpath = "C:\\Windows\\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe" C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96} C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58074FD-FD34-4583-B801-BEF67A2C0E23} C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}\stubpath = "C:\\Windows\\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe" C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58074FD-FD34-4583-B801-BEF67A2C0E23}\stubpath = "C:\\Windows\\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe" C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9B2563-BE57-46b0-BE42-3F10123ECA81} C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A3783E-94BD-4885-A11C-C39147543A1E} C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe N/A
File created C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe N/A
File created C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe N/A
File created C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe N/A
File created C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe N/A
File created C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe N/A
File created C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe N/A
File created C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe N/A
File created C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe N/A
File created C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe N/A
File created C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe N/A
File created C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
PID 4784 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
PID 4784 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
PID 4784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 4316 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
PID 3000 wrote to memory of 4316 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
PID 3000 wrote to memory of 4316 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
PID 3000 wrote to memory of 1192 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 1192 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 1192 N/A C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 628 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
PID 4316 wrote to memory of 628 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
PID 4316 wrote to memory of 628 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
PID 4316 wrote to memory of 4104 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 4104 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 4104 N/A C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 3388 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
PID 628 wrote to memory of 3388 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
PID 628 wrote to memory of 3388 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
PID 628 wrote to memory of 5100 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 5100 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 5100 N/A C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 2128 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
PID 3388 wrote to memory of 2128 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
PID 3388 wrote to memory of 2128 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
PID 3388 wrote to memory of 696 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 696 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 696 N/A C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 784 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
PID 2128 wrote to memory of 784 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
PID 2128 wrote to memory of 784 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
PID 2128 wrote to memory of 4668 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 4668 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 4668 N/A C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 4240 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
PID 784 wrote to memory of 4240 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
PID 784 wrote to memory of 4240 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
PID 784 wrote to memory of 2872 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 2872 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 2872 N/A C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 4976 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
PID 4240 wrote to memory of 4976 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
PID 4240 wrote to memory of 4976 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
PID 4240 wrote to memory of 4232 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 4232 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 4232 N/A C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 1620 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
PID 4976 wrote to memory of 1620 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
PID 4976 wrote to memory of 1620 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
PID 4976 wrote to memory of 392 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 392 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 392 N/A C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1584 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
PID 1620 wrote to memory of 1584 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
PID 1620 wrote to memory of 1584 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
PID 1620 wrote to memory of 3524 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3524 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3524 N/A C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 4368 N/A C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
PID 1584 wrote to memory of 4368 N/A C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
PID 1584 wrote to memory of 4368 N/A C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
PID 1584 wrote to memory of 1500 N/A C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"

C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe

C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe

C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8DBE1~1.EXE > nul

C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe

C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94643~1.EXE > nul

C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe

C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBC5~1.EXE > nul

C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe

C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{10A33~1.EXE > nul

C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe

C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59FA6~1.EXE > nul

C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe

C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5807~1.EXE > nul

C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe

C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C22~1.EXE > nul

C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe

C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9B2~1.EXE > nul

C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe

C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1DB~1.EXE > nul

C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe

C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{62A37~1.EXE > nul

C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe

C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AA87B~1.EXE > nul

Network


Files

C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe

C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe

C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe

C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe

C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe

C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe

C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe

C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe

C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe

C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe

C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe

C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe