Malware Analysis Report

2025-03-14 22:55

Sample ID: 240406-1pz3cscf86
Target: 2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye
SHA256: dcd40847a9c5b28a3c737f245c6cca76fde0ae1d55b9552a84c38d8d9e020f20
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: dcd40847a9c5b28a3c737f245c6cca76fde0ae1d55b9552a84c38d8d9e020f20

Threat Level: Known bad

The file 2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:50

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:50
Reported: 2024-04-06 21:52
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A991EB8E-EF7A-456c-918F-002769D75A0B}\stubpath = "C:\\Windows\\{A991EB8E-EF7A-456c-918F-002769D75A0B}.exe" C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6482E5-71A6-45fc-84A9-7FC5642C7002} C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17095BDF-038D-4370-9131-EF6E168BA25C} C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A4BFA3C-3045-4160-8C30-30F6012EF89A} C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41} C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283D5F0B-0B65-46b5-9419-892C88A95EF1} C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283D5F0B-0B65-46b5-9419-892C88A95EF1}\stubpath = "C:\\Windows\\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe" C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27266D31-0FE2-477b-9837-E267A221C852} C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B1895D-BB0E-4327-A414-491EDABD057F} C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B1895D-BB0E-4327-A414-491EDABD057F}\stubpath = "C:\\Windows\\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe" C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}\stubpath = "C:\\Windows\\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe" C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14} C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72797662-1C6B-40f2-A9E0-576DA821CA6D}\stubpath = "C:\\Windows\\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe" C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}\stubpath = "C:\\Windows\\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe" C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C730D9-B377-4598-99E2-07B3A75C27BA} C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}\stubpath = "C:\\Windows\\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe" C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27266D31-0FE2-477b-9837-E267A221C852}\stubpath = "C:\\Windows\\{27266D31-0FE2-477b-9837-E267A221C852}.exe" C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A991EB8E-EF7A-456c-918F-002769D75A0B} C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}\stubpath = "C:\\Windows\\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17095BDF-038D-4370-9131-EF6E168BA25C}\stubpath = "C:\\Windows\\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe" C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}\stubpath = "C:\\Windows\\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe" C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C730D9-B377-4598-99E2-07B3A75C27BA}\stubpath = "C:\\Windows\\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe" C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8} C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72797662-1C6B-40f2-A9E0-576DA821CA6D} C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe N/A
File created C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe N/A
File created C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe N/A
File created C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe N/A
File created C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe N/A
File created C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe N/A
File created C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe N/A
File created C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe N/A
File created C:\Windows\{A991EB8E-EF7A-456c-918F-002769D75A0B}.exe C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe N/A
File created C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
File created C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe N/A
File created C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 968 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe
PID 968 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe
PID 968 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe
PID 968 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1836 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe
PID 2264 wrote to memory of 1836 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe
PID 2264 wrote to memory of 1836 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe
PID 2264 wrote to memory of 1788 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1788 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1788 N/A C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 3760 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe
PID 1836 wrote to memory of 3760 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe
PID 1836 wrote to memory of 3760 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe
PID 1836 wrote to memory of 3488 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 3488 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 3488 N/A C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4176 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe
PID 3760 wrote to memory of 4176 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe
PID 3760 wrote to memory of 4176 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe
PID 3760 wrote to memory of 3528 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3528 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3528 N/A C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 2020 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe
PID 4176 wrote to memory of 2020 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe
PID 4176 wrote to memory of 2020 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe
PID 4176 wrote to memory of 3432 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 3432 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 3432 N/A C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4560 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe
PID 2020 wrote to memory of 4560 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe
PID 2020 wrote to memory of 4560 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe
PID 2020 wrote to memory of 4336 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4336 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4336 N/A C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2408 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe
PID 4560 wrote to memory of 2408 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe
PID 4560 wrote to memory of 2408 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe
PID 4560 wrote to memory of 1528 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1528 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1528 N/A C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2396 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe
PID 2408 wrote to memory of 2396 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe
PID 2408 wrote to memory of 2396 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe
PID 2408 wrote to memory of 2480 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2480 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2480 N/A C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 4428 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe
PID 2396 wrote to memory of 4428 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe
PID 2396 wrote to memory of 4428 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe
PID 2396 wrote to memory of 4788 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 4788 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 4788 N/A C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1640 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe
PID 4428 wrote to memory of 1640 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe
PID 4428 wrote to memory of 1640 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe
PID 4428 wrote to memory of 4772 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4772 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4772 N/A C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 4012 N/A C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe
PID 1640 wrote to memory of 4012 N/A C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe
PID 1640 wrote to memory of 4012 N/A C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe
PID 1640 wrote to memory of 3940 N/A C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe"

C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe

C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe

C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA648~1.EXE > nul

C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe

C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17095~1.EXE > nul

C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe

C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3A4BF~1.EXE > nul

C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe

C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07C73~1.EXE > nul

C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe

C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28B18~1.EXE > nul

C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe

C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6D958~1.EXE > nul

C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe

C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{10D8B~1.EXE > nul

C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe

C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72797~1.EXE > nul

C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe

C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5104B~1.EXE > nul

C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe

C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{283D5~1.EXE > nul

C:\Windows\{A991EB8E-EF7A-456c-918F-002769D75A0B}.exe

C:\Windows\{A991EB8E-EF7A-456c-918F-002769D75A0B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27266~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\{DA6482E5-71A6-45fc-84A9-7FC5642C7002}.exe

MD5 3da43fc55a53df731c4d652702b042ac
SHA1 d84c482c495b44850fa64edd16d02b7b7c317a54
SHA256 1bd71534a7154ced989bd0937203b6789750068f47737aef7e8a5cfa67a1c484
SHA512 5521cbc201c12a7a2678f61edea0577636cf2799029f28ed1ccecba3175b0943ad39000acfdc917c6b82083e11adefa0fb6f6ecd51918b33e0f73d5f1d2ce6c6

C:\Windows\{17095BDF-038D-4370-9131-EF6E168BA25C}.exe

MD5 40bd8b99c0eaac006802f5347008f1f0
SHA1 23baf5f288b77fa87f08aead993e4a0917d6c2bc
SHA256 d6c9084606402ca600c2a2015ece42a0c9f52270fb2f3ae30b0996a0084b5e13
SHA512 5abac55fa45df8ec1412700fb479e1c93b179debd15ae9ba7e59f646efd3b038c70c0838447f25f8e8eae4cd965481743e1858e13050dec5598599d1e2dae34f

C:\Windows\{3A4BFA3C-3045-4160-8C30-30F6012EF89A}.exe

MD5 45ccd188a5928f0c54bc33c36eeaa446
SHA1 956c52b3b399a1e7eec4d047f26f3611d103d2fc
SHA256 8521b63e7aa3a69eb0bde9c0d0dc8cc6a4beea446a9e5fc14b9d488135904719
SHA512 b962cd40f59347521e2af0d9cb0e8a547b41ab29f858c2b07d6ca084b3d9813528d0503996d3ea5770180461872f47e971f141de48fa4115b078776a2024f748

C:\Windows\{07C730D9-B377-4598-99E2-07B3A75C27BA}.exe

MD5 250df096325155ac05d73945497adc49
SHA1 2465dfbc69982263b02cbf4f2c509ca637a2e505
SHA256 77dc56f5e16177c418492f2887a04e554d20bcec02e3305a695283d28b2c8afb
SHA512 93e4126d037b5898d2dfb5c8cf427bf3211e719f49b7738e7e241ae195c48207bac887ee2d146b10a1699910ef6045647854910127c010dbd220519474f9e481

C:\Windows\{28B1895D-BB0E-4327-A414-491EDABD057F}.exe

MD5 28ed67a14d09941b451f80320efd54e9
SHA1 adddba7259efe7b14fc9c3e0e0c94d3871dd4f0e
SHA256 edab4cbf821f7bc14a69be402507205e48bdc0af71444871b9d8a1c9a97e23f8
SHA512 262936ab080172ae00766dded1fc5fac00b3359a259ef5be2e14f5bcf8490b68479d6a0b02355252fe62e2bb38616a70943cfea532b9e682d8ba2d903bd3ed51

C:\Windows\{6D958B0B-4851-47bd-8402-FCA2FA3FF8D8}.exe

MD5 9b94e7fa35c49dda0acccec383e18bea
SHA1 afe19229fe9e00a25323c908357e22eaa3720086
SHA256 9bd192f31da2dce2e36d821f133e93c6d9d725cdce460fc866e8bfe49702d4e7
SHA512 2c7ac4dc7eaaae89f2d2b2cfa90c1948261335bcc2995685452018e3c7f5fe0f78e828371d31e6b44873bcf644cd47ab5690ce58a96f3791f9a0494e5c4456da

C:\Windows\{10D8BD04-138E-4855-9DB4-2B5E8D3CAA14}.exe

MD5 085910de75371c307d3d7d399fcedff5
SHA1 2d671bb10db9deec20487114cfc151c1cb57e79a
SHA256 9efc0f657d615da3670327d69d0538541c90bf4f369c6e6d92676b7b57ce8405
SHA512 a2697bc17d475d505728e318c319aebc4c98ad098d2161c2b8bc31e3c6ec6b0dda35fc0be215216c8690272b4acb7f72948190751134d7cb0fabbdd6dcdab3c2

C:\Windows\{72797662-1C6B-40f2-A9E0-576DA821CA6D}.exe

MD5 60314c152d3be7e705d2bde6451590f0
SHA1 bc25168d3f3b31a6c115ed26706cd082dc0c09cc
SHA256 1002866ffd1a36ea586028a6db9b8957aad44be22777c5b7ebcc07dec9a8a2bf
SHA512 147f87faaf1e7147b809104de14bfc7348341257817eab5158631ae7881f57f53e54b2eb59ca66c4f78ca4ecdb2358e61d58e30c8344676ad7df5be2b56165a1

C:\Windows\{5104B4B5-D493-4bf3-99D7-ECECFD4C4A41}.exe

MD5 114478b868a431f13cf1ba866621aad9
SHA1 7dfe79c944a35be5bdd6adfa965b62e42ef3e08d
SHA256 f9b3961f98b4f35717ffd6a617ea139c481fe5f59d1f6660825598894552bd2d
SHA512 01d3f7562e36c5cce1a726fa53d2e7969125784c3ca1d58c6c9d60bab440c956ce02572676003d9efa39e5565793b22a4d34617b750a225accdfa8eafb73d299

C:\Windows\{283D5F0B-0B65-46b5-9419-892C88A95EF1}.exe

MD5 d4350b74f7a70ff762bcc555f5706950
SHA1 3b9cf345bd42febdd9c8bf890afe865c93bcaa26
SHA256 51c519a676840b0898b5af8ebef9aea97f4971ae6bda157931b13ee9d7fd5df0
SHA512 6d18f9dc865a00e6bdbb816fc9ea4d2fea7b0c06959da7f9ab98ab83985aed1242e0ccbb2f2fb730406e2267f425dff3a77e038f36fe71d2d6dbde6e67d1990f

C:\Windows\{27266D31-0FE2-477b-9837-E267A221C852}.exe

MD5 739a72a2a1c42a3ae9482cb19dafef62
SHA1 2c4214f3faf189e3c5ea2fba01da7d2157737448
SHA256 8d7decc1c29173520c2345acbebc6970ff7134b4cdcce72ccb7ca20d6488bf35
SHA512 5ae3f39ecb5fcffde13798f12702193acb146d9d0aee92a55218887429475240123ee3429c9727645ba65fc0fc1da6d29c52bcf9839a00f88fd4351b6a58f102

C:\Windows\{A991EB8E-EF7A-456c-918F-002769D75A0B}.exe

MD5 95e918120c50e99b981308b5f57222da
SHA1 8d01f465b211d3bb11f535950e962e01f26b041f
SHA256 e1be01c8a58eff2ecc5ab35f56decb3a344deb028d1d6c2e3b1d2b8f364e8ed5
SHA512 652c92ec046b454f25a4fabf95e71241608ee8db018f997826e7e559a864b43a684d42608473147d0440299b733d2e9c21957c1e81ffef4e65daa87bea4c2992

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:50
Reported: 2024-04-06 21:52
Platform: win7-20240220-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE712C21-7F24-424f-A88D-3AE1F5624142} C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E} C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4077E545-4790-493f-B642-EFB5BE2E27C1}\stubpath = "C:\\Windows\\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe" C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}\stubpath = "C:\\Windows\\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe" C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE712C21-7F24-424f-A88D-3AE1F5624142}\stubpath = "C:\\Windows\\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}\stubpath = "C:\\Windows\\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe" C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}\stubpath = "C:\\Windows\\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe" C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4077E545-4790-493f-B642-EFB5BE2E27C1} C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB} C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}\stubpath = "C:\\Windows\\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}.exe" C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138} C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}\stubpath = "C:\\Windows\\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe" C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}\stubpath = "C:\\Windows\\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe" C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29} C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC47F080-8A79-4cba-BD26-760B7D06DFBE} C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017} C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}\stubpath = "C:\\Windows\\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe" C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}\stubpath = "C:\\Windows\\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe" C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A} C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}\stubpath = "C:\\Windows\\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe" C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652} C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7} C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe N/A
File created C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe N/A
File created C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe N/A
File created C:\Windows\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}.exe C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe N/A
File created C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe N/A
File created C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe N/A
File created C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe N/A
File created C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe N/A
File created C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe N/A
File created C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe N/A
File created C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe
PID 2856 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2532 N/A C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe
PID 2948 wrote to memory of 2448 N/A C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2460 N/A C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe
PID 2532 wrote to memory of 2588 N/A C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2296 N/A C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe
PID 2460 wrote to memory of 3012 N/A C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 1248 N/A C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe
PID 2296 wrote to memory of 280 N/A C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2328 N/A C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe
PID 1248 wrote to memory of 2176 N/A C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2476 N/A C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe
PID 2328 wrote to memory of 2132 N/A C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2032 N/A C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe
PID 2476 wrote to memory of 2452 N/A C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_baacb51cfc744596fc87e7895d866fa7_goldeneye.exe"

C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe

C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe

C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE712~1.EXE > nul

C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe

C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAFA~1.EXE > nul

C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe

C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA2D~1.EXE > nul

C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe

C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{746B0~1.EXE > nul

C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe

C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC47F~1.EXE > nul

C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe

C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F654~1.EXE > nul

C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe

C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4077E~1.EXE > nul

C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe

C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EAC99~1.EXE > nul

C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe

C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F1D~1.EXE > nul

C:\Windows\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}.exe

C:\Windows\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA6F~1.EXE > nul

Network

N/A

Files

C:\Windows\{CE712C21-7F24-424f-A88D-3AE1F5624142}.exe

C:\Windows\{4BAFA134-06C4-4bb3-9460-B262F3A9A32A}.exe

C:\Windows\{1EA2D188-4A53-4b21-84C2-0D1DDC02CF8E}.exe

C:\Windows\{746B09E6-05D9-4caa-BCA3-B065BA3CAB29}.exe

C:\Windows\{AC47F080-8A79-4cba-BD26-760B7D06DFBE}.exe

C:\Windows\{4F6546BD-3889-4c3d-B7E6-49EDE3BA0017}.exe

C:\Windows\{4077E545-4790-493f-B642-EFB5BE2E27C1}.exe

C:\Windows\{EAC99EBD-C729-4caf-B3E2-4A4F47666AFB}.exe

C:\Windows\{A5F1D0CE-6DBF-4ba1-B81C-55B46AD88652}.exe

C:\Windows\{1AA6F3AA-3911-41bc-A5B5-ED6C26CBE138}.exe

C:\Windows\{AA6C2D9C-1FBE-46a3-BA81-E7BCB9DE6AA7}.exe
