Malware Analysis Report

2025-03-14 22:56

Sample ID 240406-1re5zaca8t
Target 2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye
SHA256 cd267688b8897852723dfa2a577eb83aba648659011693bb4c999a74dbdc0e6e
Tags: persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

cd267688b8897852723dfa2a577eb83aba648659011693bb4c999a74dbdc0e6e

Threat Level: Known bad

The file 2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:52

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:52

Reported: 2024-04-06 21:55

Platform: win7-20240221-en

Max time kernel: 144s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}\stubpath = "C:\\Windows\\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe" C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}\stubpath = "C:\\Windows\\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}.exe" C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B254D774-9411-4b05-B500-98E5211BC002}\stubpath = "C:\\Windows\\{B254D774-9411-4b05-B500-98E5211BC002}.exe" C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2} C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C1DD04-313D-49bf-B6AB-24B8508B78C3} C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}\stubpath = "C:\\Windows\\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe" C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26} C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D} C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}\stubpath = "C:\\Windows\\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe" C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B254D774-9411-4b05-B500-98E5211BC002} C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA7CCFA-6CB2-4252-888D-5064F8D97310} C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B} C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}\stubpath = "C:\\Windows\\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe" C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38064917-E724-4894-AA15-295EBE6069F5} C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F} C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}\stubpath = "C:\\Windows\\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe" C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADC2434-940D-43b5-B246-18EF59CE0DA7} C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}\stubpath = "C:\\Windows\\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97EBB6DD-5164-46f7-A227-093ABDC0A763} C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97EBB6DD-5164-46f7-A227-093ABDC0A763}\stubpath = "C:\\Windows\\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe" C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38064917-E724-4894-AA15-295EBE6069F5}\stubpath = "C:\\Windows\\{38064917-E724-4894-AA15-295EBE6069F5}.exe" C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}\stubpath = "C:\\Windows\\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe" C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe N/A
File created C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe N/A
File created C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe N/A
File created C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe N/A
File created C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe N/A
File created C:\Windows\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}.exe C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe N/A
File created C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
File created C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe N/A
File created C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe N/A
File created C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe N/A
File created C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe
PID 2012 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 2584 N/A C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe
PID 2928 wrote to memory of 2432 N/A C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2752 N/A C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe
PID 2584 wrote to memory of 2724 N/A C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2988 N/A C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe
PID 2752 wrote to memory of 1528 N/A C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2980 N/A C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe
PID 2988 wrote to memory of 2960 N/A C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1716 N/A C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe
PID 2980 wrote to memory of 1760 N/A C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2168 N/A C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe
PID 1716 wrote to memory of 2672 N/A C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2772 N/A C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe
PID 2168 wrote to memory of 2708 N/A C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe"

C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe

C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe

C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D1BB6~1.EXE > nul

C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe

C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{338EB~1.EXE > nul

C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe

C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97EBB~1.EXE > nul

C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe

C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38064~1.EXE > nul

C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe

C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D58BE~1.EXE > nul

C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe

C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B254D~1.EXE > nul

C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe

C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F3A25~1.EXE > nul

C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe

C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{29C1D~1.EXE > nul

C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe

C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0ADC2~1.EXE > nul

C:\Windows\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}.exe

C:\Windows\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4C2F2~1.EXE > nul

Network

N/A

Files

C:\Windows\{D1BB67AC-F3CF-480c-B9B9-6FBF8392879D}.exe


C:\Windows\{338EB578-02D7-4e1f-83C5-E4EEF5FD7A1B}.exe


C:\Windows\{97EBB6DD-5164-46f7-A227-093ABDC0A763}.exe


C:\Windows\{38064917-E724-4894-AA15-295EBE6069F5}.exe


C:\Windows\{D58BEB16-9CBC-43f3-87A1-46FC01D9F55F}.exe


C:\Windows\{B254D774-9411-4b05-B500-98E5211BC002}.exe


C:\Windows\{F3A252D8-2360-4c73-B1F4-6F0ED02DBCD2}.exe


C:\Windows\{29C1DD04-313D-49bf-B6AB-24B8508B78C3}.exe


C:\Windows\{0ADC2434-940D-43b5-B246-18EF59CE0DA7}.exe


C:\Windows\{4C2F23E4-9BB1-4c67-A542-6BB8D77C1F26}.exe


C:\Windows\{CFA7CCFA-6CB2-4252-888D-5064F8D97310}.exe


Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:52

Reported: 2024-04-06 21:55

Platform: win10v2004-20240226-en

Max time kernel: 149s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}\stubpath = "C:\\Windows\\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F25754-B73E-4293-9F33-FB00283D94BA} C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495} C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF} C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}\stubpath = "C:\\Windows\\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe" C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8} C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}\stubpath = "C:\\Windows\\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe" C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A66D627-C7EB-4bff-B098-5910E1C2D85C} C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}\stubpath = "C:\\Windows\\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe" C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854} C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784A513C-5F07-46f4-B179-DE54A5B98B8F} C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784A513C-5F07-46f4-B179-DE54A5B98B8F}\stubpath = "C:\\Windows\\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe" C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85FB04A6-9ACE-4829-A331-696B594A0F62} C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}\stubpath = "C:\\Windows\\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe" C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B52724C-1B48-4af0-BB20-7954E52F35C5} C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}\stubpath = "C:\\Windows\\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe" C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}\stubpath = "C:\\Windows\\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe" C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B52724C-1B48-4af0-BB20-7954E52F35C5}\stubpath = "C:\\Windows\\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe" C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5} C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F25754-B73E-4293-9F33-FB00283D94BA}\stubpath = "C:\\Windows\\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe" C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551B6FD3-DC28-44ba-B752-7E570ADFAF26} C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}\stubpath = "C:\\Windows\\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe" C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85FB04A6-9ACE-4829-A331-696B594A0F62}\stubpath = "C:\\Windows\\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe" C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E} C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe N/A
File created C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe N/A
File created C:\Windows\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe N/A
File created C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
File created C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe N/A
File created C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A
File created C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe N/A
File created C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe N/A
File created C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A
File created C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A
File created C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A
File created C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe
PID 4876 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe
PID 4876 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe
PID 4876 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 4476 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe
PID 1304 wrote to memory of 4476 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe
PID 1304 wrote to memory of 4476 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe
PID 1304 wrote to memory of 2596 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 2596 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 2596 N/A C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 3932 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe
PID 4476 wrote to memory of 3932 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe
PID 4476 wrote to memory of 3932 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe
PID 4476 wrote to memory of 4852 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4852 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4852 N/A C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 828 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe
PID 3932 wrote to memory of 828 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe
PID 3932 wrote to memory of 828 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe
PID 3932 wrote to memory of 4060 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 4060 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 4060 N/A C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 3996 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe
PID 828 wrote to memory of 3996 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe
PID 828 wrote to memory of 3996 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe
PID 828 wrote to memory of 676 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 676 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 676 N/A C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1904 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe
PID 3996 wrote to memory of 1904 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe
PID 3996 wrote to memory of 1904 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe
PID 3996 wrote to memory of 4760 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 4760 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 4760 N/A C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4308 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe
PID 1904 wrote to memory of 4308 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe
PID 1904 wrote to memory of 4308 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe
PID 1904 wrote to memory of 4672 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4672 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4672 N/A C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 3556 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe
PID 4308 wrote to memory of 3556 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe
PID 4308 wrote to memory of 3556 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe
PID 4308 wrote to memory of 4100 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4100 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4100 N/A C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 1924 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe
PID 3556 wrote to memory of 1924 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe
PID 3556 wrote to memory of 1924 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe
PID 3556 wrote to memory of 4632 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 4632 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 4632 N/A C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2304 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe
PID 1924 wrote to memory of 2304 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe
PID 1924 wrote to memory of 2304 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe
PID 1924 wrote to memory of 3428 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 3428 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 3428 N/A C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 4876 N/A C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe
PID 2304 wrote to memory of 4876 N/A C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe
PID 2304 wrote to memory of 4876 N/A C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe
PID 2304 wrote to memory of 1224 N/A C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe"

C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe

C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe

C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{987BB~1.EXE > nul

C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe

C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34F25~1.EXE > nul

C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe

C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{551B6~1.EXE > nul

C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe

C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9691A~1.EXE > nul

C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe

C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{784A5~1.EXE > nul

C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe

C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85FB0~1.EXE > nul

C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe

C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91BEE~1.EXE > nul

C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe

C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F8D6D~1.EXE > nul

C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe

C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9B527~1.EXE > nul

C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe

C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6F4E3~1.EXE > nul

C:\Windows\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe

C:\Windows\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A66D~1.EXE > nul
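The following Python is an added triage helper, not part of the sandbox output. It re-parses rows copied from the "Modifies Installed Components in the registry", "Drops file in Windows directory" and "Processes" sections above (embedded below as constructed sample input) and does three things the flat tables do not: flags every Active Setup StubPath write whose target is a GUID-named executable in the Windows directory, reconstructs the order in which the stages dropped one another from the unordered "File created" rows, and resolves each "cmd.exe /c del <8.3 name> > nul" command back to the stage it removes. The 8.3 resolution is a best-effort prefix match (an assumption; the short-name generator can strip characters that these file names happen not to contain). Note that the deleting process image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the 32-bit stage is subject to WoW64 file-system redirection.

```python
"""Triage helper for the behaviours recorded in this report (added example)."""
import re

# Constructed sample input: rows copied from the report's tables above.
ORIGIN = r'C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe'
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F25754-B73E-4293-9F33-FB00283D94BA}\stubpath = "C:\\Windows\\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe" C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{551B6FD3-DC28-44ba-B752-7E570ADFAF26} C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}\stubpath = "C:\\Windows\\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe" C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85FB04A6-9ACE-4829-A331-696B594A0F62}\stubpath = "C:\\Windows\\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe" C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A',
]
FILE_ROWS = [
    r'File created C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe N/A',
    r'File created C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe N/A',
    r'File created C:\Windows\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe N/A',
    r'File created C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_d9c25d9566029572ba4babd9bd80c292_goldeneye.exe N/A',
    r'File created C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe N/A',
    r'File created C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe N/A',
    r'File created C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe N/A',
    r'File created C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe N/A',
    r'File created C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe N/A',
    r'File created C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe N/A',
    r'File created C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe N/A',
    r'File created C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe N/A',
]
# (process image, command line) pairs from the Processes section.
PROCESS_ROWS = [
    (ORIGIN, '"' + ORIGIN + '"'),
    (r'C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe', r'C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe'),
    (r'C:\Windows\SysWOW64\cmd.exe', r'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul'),
    (r'C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe', r'C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe'),
    (r'C:\Windows\SysWOW64\cmd.exe', r'C:\Windows\system32\cmd.exe /c del C:\Windows\{987BB~1.EXE > nul'),
]

ACTIVE_SETUP_RE = re.compile(r'Installed Components\\(\{[0-9A-Fa-f-]+\})\\stubpath = "([^"]+)"\s+(\S+)', re.I)
# A GUID-named .exe sitting directly in the Windows directory (the pattern every stage here follows).
GUID_EXE_RE = re.compile(r'^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$', re.I)
FILE_CREATED_RE = re.compile(r'^File created (\S+) (\S+) N/A$')
SELF_DELETE_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\b', re.I)


def active_setup_hits(rows):
    """(guid, stubpath, writer) for each StubPath write aimed at a GUID-named Windows-dir executable."""
    hits = []
    for row in rows:
        m = ACTIVE_SETUP_RE.search(row)
        if not m:
            continue  # 'Key created' rows carry no StubPath
        guid, raw_stub, writer = m.groups()
        stub = raw_stub.replace('\\\\', '\\')  # the registry dump doubles backslashes inside the value
        if GUID_EXE_RE.match(stub):
            hits.append((guid, stub, writer))
    return hits


def drop_map(rows):
    """dropper -> dropped file; each stage here drops exactly one file, so a dict suffices."""
    drops = {}
    for row in rows:
        m = FILE_CREATED_RE.match(row)
        if m:
            dropped, dropper = m.groups()
            drops[dropper] = dropped
    return drops


def drop_chain(rows, origin):
    """Order the stages by following dropper -> dropped links from the submitted sample."""
    drops = drop_map(rows)
    chain, cur = [origin], origin
    while cur in drops and drops[cur] not in chain:  # the membership test guards against cycles
        cur = drops[cur]
        chain.append(cur)
    return chain


def short_name_matches(short_path, long_path):
    """Best-effort 8.3 match (assumption): same directory and the long name starts with the pre-'~' stem."""
    sdir, _, sname = short_path.rpartition('\\')
    ldir, _, lname = long_path.rpartition('\\')
    stem = sname.split('~', 1)[0]
    return sdir.lower() == ldir.lower() and lname.lower().startswith(stem.lower())


def known_images(file_rows, processes):
    """Every executable path the report mentions, sorted for stable output."""
    drops = drop_map(file_rows)
    return sorted(set(drops) | set(drops.values()) | {img for img, _ in processes})


def self_delete_hits(processes, candidates):
    """(deleting image, 8.3 target, resolved long paths) for each 'cmd /c del ... > nul' command line."""
    hits = []
    for image, cmdline in processes:
        m = SELF_DELETE_RE.search(cmdline)
        if m:
            target = m.group(1)
            hits.append((image, target, [p for p in candidates if short_name_matches(target, p)]))
    return hits


if __name__ == '__main__':
    for guid, stub, writer in active_setup_hits(REGISTRY_ROWS):
        print(f'[persistence] {writer} set Active Setup {guid} StubPath -> {stub}')
    print('[chain] ' + ' -> '.join(p.rsplit('\\', 1)[-1][:14] for p in drop_chain(FILE_ROWS, ORIGIN)))
    for image, target, resolved in self_delete_hits(PROCESS_ROWS, known_images(FILE_ROWS, PROCESS_ROWS)):
        print(f'[self-delete] {image}: del {target} -> {resolved}')
```

The StubPath predicate is the part worth carrying to a live host: Active Setup runs each HKLM Installed Components StubPath once per user at logon (whenever the HKCU copy of the component is missing or older), so every entry flagged here re-launches the stage for each new user profile and should be removed together with the file it points at. The chain walk shows why the Files section lists twelve dropped executables for one sample: each stage writes the next GUID-named binary, starts it, and has cmd.exe delete its own predecessor by 8.3 short name.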

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
NL       52.142.223.178:80   -                             tcp
US       8.8.8.8:53          140.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53          134.71.91.104.in-addr.arpa    udp
US       8.8.8.8:53          43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53          10.179.89.13.in-addr.arpa     udp

Files

C:\Windows\{987BBBA7-1BFC-45a3-9AFD-A6D70B835854}.exe

MD5 55f48b4c052b793c9fe1a1050d15189f
SHA1 cda1102c0249762cbefec9328f1a683c10e97e0c
SHA256 9a893ab96c73ca738aac97dd43067d9cd6569bd7319b2a50d408b76f79d19f36
SHA512 7daf30aefe29acd19017ee704957e439fc388dc57de99c5afa62791a2c6f355073e8f2b1e30939b3072e266cba4381a39f054c645be8b24229028e6553fe5bf4

C:\Windows\{34F25754-B73E-4293-9F33-FB00283D94BA}.exe

MD5 c422c9134800101732cdd918f13bed2f
SHA1 2a82726cd06fb5fee93dcd254bb7ab9e2ac891d3
SHA256 a11dfafd74797697462d83f2571ec1d3057084185b5534a85bfa84c01ddd2830
SHA512 b23432113200224c6b9a699bdeb4b98d6a261f10fa986d4753214fe945b1daf7751b24926d462f7915de3fa03ed927009dbbcabde62c8f1e733e8e420039589a

C:\Windows\{551B6FD3-DC28-44ba-B752-7E570ADFAF26}.exe

MD5 d99fce343533c2d893999b61e079638b
SHA1 ab2e1913724d48d520c63d9616fa146544d9324d
SHA256 821e2ecf304a1a3fbe5958c9c9fb6f47aeafd9358f95fa01f3032cb472134e2e
SHA512 76cce7b3718115b9219c5c622ef4d5931b77b26fb5a80662bea355090ec7dffe0ed836a24c1e2181e154fe8fbea7f669e63274ffb97f59116c810c6d3aab6cf9

C:\Windows\{9691A96D-D92B-4908-8D9E-CFAF2E7B3495}.exe

MD5 013c23b011348c692b38eb949c3e30b2
SHA1 c13d5dc5ac22486347d191572d7b75d300b0c2f4
SHA256 ea70b639ece50c68327304cd04ca64726fec552ecc8d88244b0e447b4cbb1fc5
SHA512 9b34373b9c6113cbb46a75516d83254c47182943aac6cea49a45a2645118cb261cefc3862403ac2ec46dc2243285f9e551d4f5a03009c1e9f6780b4a2fcd2e38

C:\Windows\{784A513C-5F07-46f4-B179-DE54A5B98B8F}.exe

MD5 d3eb54142c1d94cc9e3f76d01a82329e
SHA1 3936632d28482cdd0805db783f46760a4d6de393
SHA256 2dac653905ecadd097910e0cfa73b7e64a9b1797824e3ed6291aff4a19290db4
SHA512 58f5e1c2198cdcfcb47381d8a53dd3135af5ffbc05322ecb2d0cb9b704533dce0f16d70bff4449dd323d0dc79b7dd599b97adffab86e772d9a7ed5f535d2c0f5

C:\Windows\{85FB04A6-9ACE-4829-A331-696B594A0F62}.exe

MD5 5763f7cf21439ca85f010afd7b757857
SHA1 db10641d142bf43fba3e3229c415fe09b0971cd3
SHA256 82773357e1115eddff07b2941b28d1904f285ab6877437d552606a7068e1d62b
SHA512 618ed44552e2abcef6d48c07ae2f9b45aaf627b8f8792cc02d9d4fb9b469becb3b449cbb89229d25fef351bc81f45ad58ae029b8fda565cfa46fa9dda55b7c8d

C:\Windows\{91BEEB67-8A52-4f2f-847F-F9C5388BF2FF}.exe

MD5 267eb54851112e7b5441c4fef6d85b72
SHA1 ab723c26b427d28eff96dc438e6d45638778c863
SHA256 6447a894f1a8eca9407e835bf0301aa5b07296f751b5426995776ca817db2de8
SHA512 a3319a3b5b2ba5945aeabfdef655ef3eb6c4e3421867a6bb2d88acee8b42a8de3fe8ecbcfae429ef11a07f1b98da28910cd5f6400b3cff2f92cc845aede83262

C:\Windows\{F8D6DD88-BFD2-4fab-A877-885C8378AFA8}.exe

MD5 d9d7c680768b4b10c0617523c10b7010
SHA1 755bb599eadb5b6c46de76aec4782ba4366d08af
SHA256 439fe5a92f0a6c24e59680f88be0b7e4658c0b053e0ae6cbaf96abbd85c1dd77
SHA512 0bf6ce6029460a7c4f812f37a630e9bace6566c1cb1ba798ce0811f103baf6127e7387e1ba7c7468cf6c95946933987e9c238ce2a83cc0672c85bb1c738c9bab

C:\Windows\{9B52724C-1B48-4af0-BB20-7954E52F35C5}.exe

MD5 bef9efa838554621242bf3310c51d392
SHA1 e80856dd915b8ced40f00fd7add20cd8734898f2
SHA256 9471398cd7d365110d46eeb24ddbf93351f1405e03de1c9df144c51325057523
SHA512 68659b068868a70ea19d6965721c29e0314f9fb9af5bcd7ddcb4e221ed1db3235db7f30a6dab37cd00f8d8ca87145588489da4908e485049edd5391f0405906c

C:\Windows\{6F4E3B53-2A07-4752-9191-866CCBFA3A0E}.exe

MD5 78f82e612ab9d7b0e726c0533dab9bbc
SHA1 14612b54332eec2f70f056d5468f678fd8ef78a6
SHA256 e7f8ee170b4a239c04b7a6f32f095b19dd24ced397ae81fa0f178f97c186ab8d
SHA512 0d5ea2334746091d81cc9e78f8c8d4a9fcd5eb52e9eaebbedb86203623d79614251a85b8000a3aef7ffd48b1643c412ca673068f9183d98e3befb7bb377ad114

C:\Windows\{6A66D627-C7EB-4bff-B098-5910E1C2D85C}.exe

MD5 41e1ad85542eca2fb4092097be931f81
SHA1 a9cd0dcec24e175c7b6bd02f3dada588e82c3e71
SHA256 2c436722bff3ca30b4ad5dd6ead83336a2222180d4794b2532d38b227bbadcc7
SHA512 51add3f143e14f742ed0805ddf096ed4511c32a75ed0dee12340a7f7af48486e6a97397bb0822d5d2c285b1d3ebf6b35994e044d84142efbf7760a97c2feabba

C:\Windows\{CFAF503B-0438-45b3-B4A9-D64F4BAC55C5}.exe

MD5 f1ae9b64e191d0cbd680443ee2f763f0
SHA1 8feb01e46e4ca9bc9a35fa634d52888d4dc8faa6
SHA256 f4b71b1dc426ce5b9fb2d5a8d0078bda76d6646d44a691ecc48f67974bca08fa
SHA512 ceab1dc43873742718cfdb4f9afd15e7fcf0901dc3a88ecf736757c6ea1c271ac9aeaf14e44798d005a82003ed098bda7d8fbfd0b742868d312d670f1dbe378d