Malware Analysis Report

2025-03-14 22:53

Sample ID 240406-1pmr2aca2y
Target 2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye
SHA256 fe5dc33f5d985d768e6081fee1137dbe48c1a2f600ccb520eb1a7c5f12ee2c0a
Tags: persistence

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

fe5dc33f5d985d768e6081fee1137dbe48c1a2f600ccb520eb1a7c5f12ee2c0a

Threat Level: Known bad

The file 2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:49

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:49

Reported

2024-04-06 21:52

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433A0F89-7C70-4446-AF9F-14D140036A5D}\stubpath = "C:\\Windows\\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48D6A7D-D667-45b9-BB51-C887689B29A8}\stubpath = "C:\\Windows\\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe" C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{314EF48D-9736-46d8-AD21-41B03B51E9CC} C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB1469F-2307-4244-97E7-7357B8CCC461}\stubpath = "C:\\Windows\\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe" C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06} C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}\stubpath = "C:\\Windows\\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}.exe" C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5344F4-FF70-470b-9F3E-E727F0730595} C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAA4006-3982-449a-BC47-F29153BC2087}\stubpath = "C:\\Windows\\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe" C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58380FC6-1ABC-4da7-AE5F-F813DD49E982} C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B} C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}\stubpath = "C:\\Windows\\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe" C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB1469F-2307-4244-97E7-7357B8CCC461} C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433A0F89-7C70-4446-AF9F-14D140036A5D} C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68794E2-D491-486a-B22B-478749CDE1EC}\stubpath = "C:\\Windows\\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe" C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7128AACB-189A-445d-BF4B-E7F92D7431F6}\stubpath = "C:\\Windows\\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe" C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{314EF48D-9736-46d8-AD21-41B03B51E9CC}\stubpath = "C:\\Windows\\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe" C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAA4006-3982-449a-BC47-F29153BC2087} C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}\stubpath = "C:\\Windows\\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe" C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68794E2-D491-486a-B22B-478749CDE1EC} C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7128AACB-189A-445d-BF4B-E7F92D7431F6} C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48D6A7D-D667-45b9-BB51-C887689B29A8} C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5344F4-FF70-470b-9F3E-E727F0730595}\stubpath = "C:\\Windows\\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe" C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe N/A
File created C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe N/A
File created C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe N/A
File created C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe N/A
File created C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe N/A
File created C:\Windows\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}.exe C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe N/A
File created C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
File created C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe N/A
File created C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe N/A
File created C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe N/A
File created C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe
PID 2228 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2520 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe
PID 2672 wrote to memory of 2520 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe
PID 2672 wrote to memory of 2520 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe
PID 2672 wrote to memory of 2520 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe
PID 2672 wrote to memory of 1804 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1804 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1804 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1804 N/A C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2428 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe
PID 2520 wrote to memory of 2428 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe
PID 2520 wrote to memory of 2428 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe
PID 2520 wrote to memory of 2428 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe
PID 2520 wrote to memory of 2480 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2480 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2480 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2480 N/A C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2400 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe
PID 2428 wrote to memory of 2400 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe
PID 2428 wrote to memory of 2400 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe
PID 2428 wrote to memory of 2400 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe
PID 2428 wrote to memory of 1928 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1928 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1928 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1928 N/A C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2484 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe
PID 2400 wrote to memory of 2484 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe
PID 2400 wrote to memory of 2484 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe
PID 2400 wrote to memory of 2484 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe
PID 2400 wrote to memory of 2732 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2732 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2732 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2732 N/A C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1920 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe
PID 2484 wrote to memory of 1920 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe
PID 2484 wrote to memory of 1920 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe
PID 2484 wrote to memory of 1920 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe
PID 2484 wrote to memory of 1956 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1956 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1956 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1956 N/A C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2328 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe
PID 1920 wrote to memory of 2328 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe
PID 1920 wrote to memory of 2328 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe
PID 1920 wrote to memory of 2328 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe
PID 1920 wrote to memory of 680 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 680 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 680 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 680 N/A C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1448 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe
PID 2328 wrote to memory of 1448 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe
PID 2328 wrote to memory of 1448 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe
PID 2328 wrote to memory of 1448 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe
PID 2328 wrote to memory of 1572 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1572 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1572 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1572 N/A C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe"

C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe

C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe

C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{433A0~1.EXE > nul

C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe

C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B6879~1.EXE > nul

C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe

C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7128A~1.EXE > nul

C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe

C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E48D6~1.EXE > nul

C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe

C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F534~1.EXE > nul

C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe

C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{314EF~1.EXE > nul

C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe

C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FFAA4~1.EXE > nul

C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe

C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58380~1.EXE > nul

C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe

C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1C200~1.EXE > nul

C:\Windows\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}.exe

C:\Windows\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1CB14~1.EXE > nul

Network

N/A

Files

C:\Windows\{433A0F89-7C70-4446-AF9F-14D140036A5D}.exe


C:\Windows\{B68794E2-D491-486a-B22B-478749CDE1EC}.exe


C:\Windows\{7128AACB-189A-445d-BF4B-E7F92D7431F6}.exe


C:\Windows\{E48D6A7D-D667-45b9-BB51-C887689B29A8}.exe


C:\Windows\{0F5344F4-FF70-470b-9F3E-E727F0730595}.exe


C:\Windows\{314EF48D-9736-46d8-AD21-41B03B51E9CC}.exe


C:\Windows\{FFAA4006-3982-449a-BC47-F29153BC2087}.exe


C:\Windows\{58380FC6-1ABC-4da7-AE5F-F813DD49E982}.exe


C:\Windows\{1C20002B-50C4-4a5f-97B5-3D2BEDC3072B}.exe


C:\Windows\{1CB1469F-2307-4244-97E7-7357B8CCC461}.exe


C:\Windows\{2B6EB316-DA63-4edb-A2C4-51B6BF7A8A06}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:49

Reported

2024-04-06 21:52

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A94B2B-6D33-471d-AB3F-7262E10CA612} C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7192EC37-0374-48b1-B868-459EED5B0D38} C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375B8483-7473-44af-AB5C-E625E73CA48A}\stubpath = "C:\\Windows\\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe" C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E} C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}\stubpath = "C:\\Windows\\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe" C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}\stubpath = "C:\\Windows\\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe" C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407EA85C-1635-4a9d-A23D-ECB665EC0158} C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407EA85C-1635-4a9d-A23D-ECB665EC0158}\stubpath = "C:\\Windows\\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe" C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7192EC37-0374-48b1-B868-459EED5B0D38}\stubpath = "C:\\Windows\\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B55704-CB48-486d-BA95-A6BA26ABE361} C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC57594B-E5B5-4c75-843C-C3E83875E0DB} C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375B8483-7473-44af-AB5C-E625E73CA48A} C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F9C6365-E956-474d-95D4-230628C74E49}\stubpath = "C:\\Windows\\{3F9C6365-E956-474d-95D4-230628C74E49}.exe" C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF} C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985} C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CD6108-5369-4d1a-AFB6-294242C2745B}\stubpath = "C:\\Windows\\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe" C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B55704-CB48-486d-BA95-A6BA26ABE361}\stubpath = "C:\\Windows\\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe" C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38} C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}\stubpath = "C:\\Windows\\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe" C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}\stubpath = "C:\\Windows\\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe" C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CD6108-5369-4d1a-AFB6-294242C2745B} C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}\stubpath = "C:\\Windows\\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe" C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A94B2B-6D33-471d-AB3F-7262E10CA612}\stubpath = "C:\\Windows\\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe" C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F9C6365-E956-474d-95D4-230628C74E49} C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe N/A
File created C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe N/A
File created C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe N/A
File created C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe N/A
File created C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe N/A
File created C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe N/A
File created C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
File created C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
File created C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe N/A
File created C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
File created C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
File created C:\Windows\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe
PID 4976 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe
PID 4976 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe
PID 4976 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 5100 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe
PID 1896 wrote to memory of 5100 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe
PID 1896 wrote to memory of 5100 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe
PID 1896 wrote to memory of 4648 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 4648 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 4648 N/A C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 3244 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe
PID 5100 wrote to memory of 3244 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe
PID 5100 wrote to memory of 3244 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe
PID 5100 wrote to memory of 2732 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 2732 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 2732 N/A C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 4636 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe
PID 3244 wrote to memory of 4636 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe
PID 3244 wrote to memory of 4636 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe
PID 3244 wrote to memory of 1288 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 1288 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 1288 N/A C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 3648 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe
PID 4636 wrote to memory of 3648 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe
PID 4636 wrote to memory of 3648 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe
PID 4636 wrote to memory of 1412 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 1412 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 1412 N/A C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4796 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe
PID 3648 wrote to memory of 4796 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe
PID 3648 wrote to memory of 4796 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe
PID 3648 wrote to memory of 3684 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 3684 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 3684 N/A C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 4444 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe
PID 4796 wrote to memory of 4444 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe
PID 4796 wrote to memory of 4444 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe
PID 4796 wrote to memory of 4496 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 4496 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 4496 N/A C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 4960 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe
PID 4444 wrote to memory of 4960 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe
PID 4444 wrote to memory of 4960 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe
PID 4444 wrote to memory of 1176 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 1176 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 1176 N/A C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 3216 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe
PID 4960 wrote to memory of 3216 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe
PID 4960 wrote to memory of 3216 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe
PID 4960 wrote to memory of 1744 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 1744 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 1744 N/A C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 2396 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe
PID 3216 wrote to memory of 2396 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe
PID 3216 wrote to memory of 2396 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe
PID 3216 wrote to memory of 4888 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 4888 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 4888 N/A C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1668 N/A C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe
PID 2396 wrote to memory of 1668 N/A C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe
PID 2396 wrote to memory of 1668 N/A C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe
PID 2396 wrote to memory of 4700 N/A C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe"

C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe

C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe

C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7192E~1.EXE > nul

C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe

C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76B55~1.EXE > nul

C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe

C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9982D~1.EXE > nul

C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe

C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{375B8~1.EXE > nul

C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe

C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72D22~1.EXE > nul

C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe

C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34A94~1.EXE > nul

C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe

C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC575~1.EXE > nul

C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe

C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3F9C6~1.EXE > nul

C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe

C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FB4B5~1.EXE > nul

C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe

C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD91~1.EXE > nul

C:\Windows\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe

C:\Windows\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CD6~1.EXE > nul
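
Read together, the registry, file-drop and process tables above describe one loop repeated twelve times: each stage writes the next stage to C:\Windows\{GUID}.exe, registers that same GUID under Active Setup\Installed Components with a stubpath naming the new file, starts it, and then launches cmd.exe /c del against its own 8.3 short name (for example {7192E~1.EXE) so the binary that just ran is gone from disk while its Active Setup entry stays behind. Active Setup runs each HKLM stubpath once for every user whose HKCU copy of the component key is missing, which is why the report tags the registry writes as persistence. The script below is an added worked example for this report, not code from the sandbox or from the sample: its input blocks are rows copied from the "Drops file in Windows directory", "Modifies Installed Components in the registry" (only the rows visible in this part of the report) and "Processes" sections, and it rebuilds the drop order, ties every del command back to a stage through an approximation of the 8.3 short-name rule (an assumption: first six characters of the file name, upper-cased, then "~"), reports stages with no delete command, and lists stubpath values that point into the chain.

```python
# Added example for this report: rebuild the goldeneye stage chain from rows
# copied out of the report tables. Not the sample's code; runs offline.
import re

# Rows from "Drops file in Windows directory": Indicator (dropped), Process (dropper).
DROP_EVENTS = r"""
File created C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe N/A
File created C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe N/A
File created C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe N/A
File created C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe N/A
File created C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe N/A
File created C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe N/A
File created C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
File created C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
File created C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe N/A
File created C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6e4bf03ad7424a7337bc3edf06cf0f4_goldeneye.exe N/A
File created C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
File created C:\Windows\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe N/A
"""

# cmd.exe command lines from the "Processes" list (each stage deleting itself).
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{7192E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{76B55~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9982D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{375B8~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{72D22~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{34A94~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{CC575~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3F9C6~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB4B5~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD91~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CD6~1.EXE > nul
"""

# "Set value" rows from "Modifies Installed Components in the registry" (the
# rows visible in this part of the report; backslashes doubled as printed there).
ACTIVE_SETUP = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}\stubpath = "C:\\Windows\\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe" C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}\stubpath = "C:\\Windows\\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe" C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A94B2B-6D33-471d-AB3F-7262E10CA612}\stubpath = "C:\\Windows\\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe" C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe N/A
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
DEL_RE = re.compile(r"/c del (\S+) > nul$")
STUB_RE = re.compile(r'Installed Components\\(\{[0-9A-Fa-f-]+\})\\stubpath = "([^"]+)"')


def parse_drop_chain(text):
    """Order the dropped files: original sample first, final stage last."""
    dropped_by = {}  # dropped path -> path of the process that wrote it
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            dropped, dropper = m.groups()
            dropped_by[dropped] = dropper
    next_stage = {v: k for k, v in dropped_by.items()}  # dropper -> dropped
    if len(next_stage) != len(dropped_by):
        raise ValueError("a process dropped more than one file; not a linear chain")
    roots = [p for p in next_stage if p not in dropped_by]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one chain root, got {roots}")
    chain = [roots[0]]
    while chain[-1] in next_stage:
        chain.append(next_stage[chain[-1]])
    return chain


def short_name_stem(path):
    """Approximate 8.3 stem: first six characters of the base name, upper-cased,
    then '~'. Assumption for this example (real generation also strips spaces
    and dots and may hash on collisions), but it matches every del here."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0][:6].upper() + "~"


def deleted_stems(text):
    """8.3 stems named by the `cmd.exe /c del ... > nul` commands."""
    stems = set()
    for line in text.strip().splitlines():
        m = DEL_RE.search(line.strip())
        if m:
            base = m.group(1).rsplit("\\", 1)[-1]           # {7192E~1.EXE
            stems.add(base.split("~", 1)[0].upper() + "~")  # {7192E~
    return stems


def surviving_stages(chain, del_text):
    """Stages for which no self-delete command was observed."""
    gone = deleted_stems(del_text)
    return [p for p in chain if short_name_stem(p) not in gone]


def active_setup_stubs(text):
    """Component GUID -> stubpath, with the report's doubled backslashes undone."""
    return {g: p.replace("\\\\", "\\") for g, p in STUB_RE.findall(text)}


def stubs_into_chain(stubs, chain):
    """Stubpaths whose target is a dropped stage named after its own component GUID."""
    stages = set(chain)
    return [(g, p) for g, p in stubs.items()
            if p in stages and p.rsplit("\\", 1)[-1] == g + ".exe"]


if __name__ == "__main__":
    chain = parse_drop_chain(DROP_EVENTS)
    for i, p in enumerate(chain):
        print(f"stage {i:2d}: {p}  (8.3 stem {short_name_stem(p)})")
    print("never deleted:", surviving_stages(chain, DEL_COMMANDS))
    print("stubs into chain:", stubs_into_chain(active_setup_stubs(ACTIVE_SETUP), chain))
```

Run as-is it prints the thirteen stages in drop order, shows that the only stage without a matching del command is the last one written, {407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe, and confirms that each visible stubpath names a dropped stage whose file name equals its component GUID. The 8.3 approximation is deliberately minimal; on a live host use the short name the file system actually assigned (dir /x) rather than recomputing it.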

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Windows\{7192EC37-0374-48b1-B868-459EED5B0D38}.exe

MD5 d5253172b86a76084e04e3dc98ba38f6
SHA1 2770af1bc4c9b948036a376a944bef1728d1815d
SHA256 ad269b9cec6e140f0c7d09b4ec80b6fc63754be6ade3beecb61d628dab67fead
SHA512 3ef830e2abed84990821c9fee8975fb5f9f90275a9aa7575a3f214b42a639a8f628045945c2238ae81fd8d3bce36b54eb1cc68aee3e41920542c63a03f5eaac7

C:\Windows\{76B55704-CB48-486d-BA95-A6BA26ABE361}.exe

MD5 df5339e87f7421787189d46dabd539ab
SHA1 8f1f5cd03c65274f465f2880ab46c45e62e1047b
SHA256 1a5c26ac4fa3de642f7f40b34070c379682f747f01780f86b52cdd7a0c1619a5
SHA512 00d588ac4004220e99d986e7714170a7aabce444131f2a8f81857ce8035c2778d5ae8261ac917669fd078bf3757dbbd89aab8dde486a286dbeb3c2d73f1b57bb

C:\Windows\{9982DAA4-A9B2-448f-9874-BCCD70E1EF38}.exe

MD5 f6bfef9fd71731fd56d808bcd3f951b7
SHA1 f02ac852f83e61933343d58faddd614382d44075
SHA256 6d415d140ad8bc75e6f3a7cfa45ba4fad106f7da9a1034d8424c3f8c6cf2f277
SHA512 27d40ba48597a635cd9d270f5b7b578f56fd216e12fe9ab26ddd13cfee363958e871cd106595957f787f5a2017b74bff44957758699ee0862a8f04a58d5cd11e

C:\Windows\{375B8483-7473-44af-AB5C-E625E73CA48A}.exe

MD5 91bee7ea56ad14ae9905801c13d39c90
SHA1 89afa3de3668d0db77f92448f3fc15da241b5809
SHA256 4ecb448d4e86c51395b5e443455a6b87af50b2209317649ac95d1db9fdce5c63
SHA512 a8ed1204d71d682c2d71b8eaa951bcdb53b7f9f3ed5617327d3b5ab572b64c69a794fd9a393bbe3d216b0b5aa1cb4a3e7882e6a5648ade721e1f66fcfb65c913

C:\Windows\{72D223BE-7FB3-4ba4-A9AF-78027CB4279E}.exe

MD5 7268d4a8224eb7f5096ea8268088487a
SHA1 7d904e94079bdf0b3bcd2bde1d14093fdbb7a11a
SHA256 b81f1a5fd717b0d65ec7776785e2d24b35caf7121b670552e0107578e97c39ff
SHA512 992ec7e251f9508f1623e295cc0ba9b3ad57f2c609a383f900b33af639512ecacf9877927d7432ffc35b9a1037b9a95df79daaadb4ecd2cbc434176f6f1fb7be

C:\Windows\{34A94B2B-6D33-471d-AB3F-7262E10CA612}.exe

MD5 3b604803e29cf2c2b6ef153f99495ba7
SHA1 d72e78c76d544d41faabd7ebc78275632fc54d72
SHA256 c11328443f5b281be38843c0f873d34175127fa96905b78e7b6598fb962af637
SHA512 39306a1280f68e13ffacd4c6064c6050a6f5d881a38658975a80595a1aed7aeff97a82832a74fa2d99d696d02ed8dcdb49dde1f4c99165b8c19e835cf6170aad

C:\Windows\{CC57594B-E5B5-4c75-843C-C3E83875E0DB}.exe

MD5 9a23cc515fd5d1885a7344207f708a48
SHA1 ffab8adb6eb07619835f20042d09af5bbb23ec43
SHA256 343bb5cacfb3fef7d54f8773f4bb45ade9e7257c562dcdad7dcec685e6224db9
SHA512 7e368a73872984f3c708554cf6f4072c6a2969d2d14be2fb17443f865705c9b7df127f16ef8948e6ace005f31b135ece5d09d3f050c9bba96f27996a898690ef

C:\Windows\{3F9C6365-E956-474d-95D4-230628C74E49}.exe

MD5 4c60284adafded2476ef1bd18ed61ef3
SHA1 df443b451abdbb63c70fd2d4b011aa8b99fdf670
SHA256 c4ff356e86ddff612baa5d594c88ccc17d243001651c25723e583ede94c13249
SHA512 2bc4a228a569def0a23ff5fd730d5a70a5aa64c37b20bc9d5272650ee8c66adaeb459b95c6f494306f4e49a40b3cdc37f2c073dad4313592c205a91ac949ac41

C:\Windows\{FB4B5740-6BFA-414e-B4EC-E05DE12DEDFF}.exe

MD5 598d5f931c12dc13c18bc0026ab8e3ad
SHA1 2d99014764d5e1042d60718d8871768c093dea24
SHA256 cf100aacf2428f5476fa5f3413e703d048c6a1e91c45e4d6ec694eddeafee21c
SHA512 cc89ceb50f68a5e6ba6d34d4e8335049d42feab587dac50778a0520d3afb1b5490442fdccbe4a5b6240a7613d3dfa01c9a4165e84218b125fe747b40eba19312

C:\Windows\{9AD91C64-63C7-47f0-A7AD-D9E9C8290985}.exe

MD5 d0af6a6d4b60c886b49e04e89cfbab4f
SHA1 84117911f928c5629eb40f262a7d24f8bd99a155
SHA256 97a959e3b0224380b6d0c5cca1dba5df8cbe63555ddda210cb64350aec8beac2
SHA512 7308eecc2770fcb21f435cd96f7ad63332ade43f9fd583248728c79e0b13ef3cd6cd2f6e2ad699c7186e81951d16a0e1caf7c46af9780dad0f174f660848c9ae

C:\Windows\{E6CD6108-5369-4d1a-AFB6-294242C2745B}.exe

MD5 f711d845659a1a7aef7c64d212f1bad4
SHA1 a016425f29df206706d40d4dcc3b60cf904ddd0d
SHA256 4d7f84b4a10ad540d60439b77d3ce10a6b09b33f1ac0e25e400d88e8cd1ca814
SHA512 7fd13ac88fe556c0ab701bc9185d507ab54de4b68ca4644a9b5931ecd3b4c0a21830fceb30f42b550cd776561669467865c707c560dd15eedf29bf30e6c800b8

C:\Windows\{407EA85C-1635-4a9d-A23D-ECB665EC0158}.exe

MD5 0877e400386f39c4d6c9076d164acd05
SHA1 1b955ee2452e71d4dc78f65d4b5bfc8f72755e8b
SHA256 da8e4b448a70d6d8f489d01d65cac3aded6cb50d961523abdb5b3ed4f55ba428
SHA512 af12e956d54b5c3e9834a8958fb08c21eadcf338161b56394c88a3608c2b54eb7165a863d85939670755820e2224ee3b9781e604d089f91cb94ad2b5656feb5e