Malware Analysis Report

2025-03-14 22:55

Sample ID 240406-1sqyvscg66
Target 2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye
SHA256 513daa66e0e661c795c71c3edd5813884cf5f491f35eadf2ea7b315616b4688d
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

513daa66e0e661c795c71c3edd5813884cf5f491f35eadf2ea7b315616b4688d

Threat Level: Known bad

The file 2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:55

Signatures

Auto-generated rule

1 hit; the report records no description, indicator, process or target for this rule.

Unsigned PE

1 hit; the report records no description, indicator, process or target for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:55

Reported

2024-04-06 21:57

Platform

win7-20240215-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe"

Signatures

Auto-generated rule

11 hits; the report records no description, indicator, process or target for this rule.

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A128A76D-2ADB-42a0-A9BC-FA696E106711} C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D42573-A596-4575-B447-7B26EFEC4D6F}\stubpath = "C:\\Windows\\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe" C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5} C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}\stubpath = "C:\\Windows\\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe" C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D344A416-A513-481f-8592-F33853B67C08} C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}\stubpath = "C:\\Windows\\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe" C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE} C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}\stubpath = "C:\\Windows\\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A128A76D-2ADB-42a0-A9BC-FA696E106711}\stubpath = "C:\\Windows\\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe" C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}\stubpath = "C:\\Windows\\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe" C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB} C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}\stubpath = "C:\\Windows\\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe" C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50016100-3F94-46ea-9A8F-3DA37099E160}\stubpath = "C:\\Windows\\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe" C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12} C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4} C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B69E5D-7645-4370-98E0-F6AF6B67F231} C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B69E5D-7645-4370-98E0-F6AF6B67F231}\stubpath = "C:\\Windows\\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe" C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98} C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D42573-A596-4575-B447-7B26EFEC4D6F} C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50016100-3F94-46ea-9A8F-3DA37099E160} C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D344A416-A513-481f-8592-F33853B67C08}\stubpath = "C:\\Windows\\{D344A416-A513-481f-8592-F33853B67C08}.exe" C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}\stubpath = "C:\\Windows\\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe" C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe N/A
File created C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe N/A
File created C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe N/A
File created C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe N/A
File created C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe N/A
File created C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
File created C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe N/A
File created C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe N/A
File created C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe N/A
File created C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe N/A
File created C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2496 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe
PID 2488 wrote to memory of 1964 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2408 (4 writes) N/A C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe
PID 2496 wrote to memory of 2520 (4 writes) N/A C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 384 (4 writes) N/A C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe
PID 2408 wrote to memory of 2200 (4 writes) N/A C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe C:\Windows\SysWOW64\cmd.exe
PID 384 wrote to memory of 1612 (4 writes) N/A C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe
PID 384 wrote to memory of 2632 (4 writes) N/A C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2764 (4 writes) N/A C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe
PID 1612 wrote to memory of 640 (4 writes) N/A C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2224 (4 writes) N/A C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe
PID 2764 wrote to memory of 1460 (4 writes) N/A C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2376 (4 writes) N/A C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe
PID 2224 wrote to memory of 2472 (4 writes) N/A C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 1284 (4 writes) N/A C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe
PID 2376 wrote to memory of 2040 (4 writes) N/A C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe C:\Windows\SysWOW64\cmd.exe

Each row above appeared four times in the original table, once per write; the count is given in parentheses instead. Every write goes to a child the writing process had just created, and CreateProcess itself writes into a new child to set up its process parameters, so on their own these rows document the spawn chain (each stage starting the next stage and its own cmd.exe) rather than injection of code into a foreign process.

Processes

The list below is ordered stage by stage. Each stage drops the next stage's binary into C:\Windows, registers it under Active Setup, starts it, and then starts a cmd.exe that deletes the stage's own binary. The del commands use 8.3 short names: {794CB~1}.EXE is {794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe and 2024-0~1.EXE is the submitted sample. The image path of every cmd.exe is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\system32\cmd.exe: the sample is a 32-bit process running under WOW64, so the system32 path is redirected to SysWOW64, just as its Active Setup keys land under Wow6432Node. PIDs are taken from the WriteProcessMemory table; where the report gives none this is stated.

Stage 0, PID 2488: C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe"
  child PID 1964: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Stage 1, PID 2496: C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe
  C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe
  child PID 2520: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{794CB~1}.EXE > nul

Stage 2, PID 2408: C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe
  C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe
  child PID 2200: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{17B69~1}.EXE > nul

Stage 3, PID 384: C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe
  C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe
  child PID 2632: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{A128A~1}.EXE > nul

Stage 4, PID 1612: C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe
  C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe
  child PID 640: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{8D6B3~1}.EXE > nul

Stage 5, PID 2764: C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe
  C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe
  child PID 1460: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D42~1}.EXE > nul

Stage 6, PID 2224: C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe
  C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe
  child PID 2472: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{50016~1}.EXE > nul

Stage 7, PID 2376: C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe
  C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe
  child PID 2040: C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{0187C~1}.EXE > nul

Stage 8, PID 1284: C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe
  C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe
  child (PID not in report): C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{D344A~1}.EXE > nul

Stage 9 (PID not in report): C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe
  C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe
  child (PID not in report): C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{5651F~1}.EXE > nul

Stage 10 (PID not in report): C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe
  C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe
  child (PID not in report): C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{4D65C~1}.EXE > nul

Stage 11 (PID not in report): C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe
  C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe
  No children were recorded before the run ended, so no del command for this binary appears in the report; every earlier stage's binary was deleted by its own cmd.exe while its Active Setup key remained.
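The registry rows and the process list together describe the persistence mechanism: every stage writes HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\StubPath for the binary it just dropped (ATT&CK T1547.014, Active Setup), which Windows runs at the next logon of any user who has no matching HKCU entry; the stage then starts that binary and deletes itself. The script below is an added example, not part of the sandbox report or of the sample, that turns the report's own rows (copied verbatim as its constructed input) into the ordered drop chain, resolves the 8.3 short names in the del commands back to the dropped files, and lists the HKLM keys and StubPath binaries to hunt for and remove. The "GUID-named .exe directly under C:\Windows" heuristic and the six-character short-name rule are assumptions fitted to this sample; the regexes are case-insensitive so that the behavioral2 rows, which spell the node WOW6432Node, parse the same way.

```python
import re

# Rows copied from this report: the eleven "Set value" rows of the behavioral1
# "Modifies Installed Components" table and three cmd.exe command lines from its
# process list.  The parsing, chain reconstruction and IOC listing are an added
# example for analysts working from such reports, not part of the sandbox output.
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D42573-A596-4575-B447-7B26EFEC4D6F}\stubpath = "C:\\Windows\\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe" C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}\stubpath = "C:\\Windows\\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe" C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}\stubpath = "C:\\Windows\\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe" C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}\stubpath = "C:\\Windows\\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A128A76D-2ADB-42a0-A9BC-FA696E106711}\stubpath = "C:\\Windows\\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe" C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}\stubpath = "C:\\Windows\\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe" C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}\stubpath = "C:\\Windows\\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe" C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50016100-3F94-46ea-9A8F-3DA37099E160}\stubpath = "C:\\Windows\\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe" C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B69E5D-7645-4370-98E0-F6AF6B67F231}\stubpath = "C:\\Windows\\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe" C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D344A416-A513-481f-8592-F33853B67C08}\stubpath = "C:\\Windows\\{D344A416-A513-481f-8592-F33853B67C08}.exe" C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}\stubpath = "C:\\Windows\\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe" C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe N/A
"""

DEL_CMDLINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{794CB~1}.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4D65C~1}.EXE > nul
"""

ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe"

# Row layout: Description  Indicator  Process  Target.  Key names contain spaces
# ("Active Setup", "Installed Components"), so the key is matched lazily up to
# "\stubpath"; the process paths in this report contain no spaces.
STUB_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\stubpath = "(?P<stub>[^"]+)" (?P<proc>\S+) \S+$',
    re.IGNORECASE,
)
DEL_RE = re.compile(r"/c del (?P<path>\S+) > nul", re.IGNORECASE)
# Hunting heuristic (an assumption fitted to this sample's naming): a StubPath that
# is a GUID-named .exe sitting directly in the Windows directory.
GUID_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\\{[0-9A-F-]{36}\}\.exe$", re.IGNORECASE)


def parse_stubpath_rows(text):
    """Map each registering process to (Active Setup key, StubPath it registered).

    The Process column is the stage that wrote the value and the StubPath is the
    next stage it dropped.  The report escapes backslashes inside registry string
    values, so they are unescaped here.
    """
    edges = {}
    for line in text.strip().splitlines():
        m = STUB_RE.match(line.strip())
        if m:
            edges[m["proc"].lower()] = (m["key"], m["stub"].replace("\\\\", "\\"))
    return edges


def build_chain(edges, root):
    """Follow the registrations from the submitted sample to the last stage dropped."""
    chain, seen, cur = [root], {root.lower()}, root
    while cur.lower() in edges:
        _, nxt = edges[cur.lower()]
        if nxt.lower() in seen:  # guard against a stage re-registering an earlier one
            break
        chain.append(nxt)
        seen.add(nxt.lower())
        cur = nxt
    return chain


def resolve_short_name(short_path, long_paths):
    """Resolve an 8.3 name such as C:\\Windows\\{794CB~1}.EXE to a known long path.

    Assumption: the short name keeps the first six characters of the long base
    name, which is how every short name in this report was formed.
    """
    folder, base = short_path.rsplit("\\", 1)
    prefix = base.split("~", 1)[0].lower()
    for p in long_paths:
        pf, pb = p.rsplit("\\", 1)
        if pf.lower() == folder.lower() and pb.lower().startswith(prefix):
            return p
    return None


def deleted_stages(cmdlines, chain):
    """Which stage binaries the 'cmd.exe /c del ...' children removed, in order."""
    hits = [DEL_RE.search(line) for line in cmdlines.strip().splitlines()]
    return [resolve_short_name(m["path"], chain) for m in hits if m]


def active_setup_iocs(edges):
    """Sorted (HKLM key, StubPath, flagged-by-heuristic) triples for hunting and cleanup."""
    out = []
    for key, stub in edges.values():
        hklm = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
        out.append((hklm, stub, bool(GUID_EXE_RE.match(stub))))
    return sorted(out)


if __name__ == "__main__":
    e = parse_stubpath_rows(STUBPATH_ROWS)
    for i, p in enumerate(build_chain(e, ROOT)):
        print(f"stage {i:2d}: {p}")
    for key, stub, flagged in active_setup_iocs(e):
        print(("FLAG " if flagged else "     ") + key + " -> " + stub)
```

Run as a script it prints the twelve-entry chain (the sample plus eleven dropped stages) and the eleven HKLM keys, all flagged by the heuristic. The key list is what you would check with reg query on a suspect host; because the report records writes only, whether a key is still present on a given host is something the hunt has to confirm, not assume.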

Network

N/A

Files

C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe

MD5 f52fde8708ca932c4aa813902d63ddfc
SHA1 e64dfdfa9119941a985c4274713404a080ac48a6
SHA256 3db4108483a3a246b754cfe5bb839a271c4e848f73adbd529db851a62aaa0193
SHA512 a3ebaf65b14605caaecb63eea54423cb49c8a738f12ea1f72c0fb17a6d00f23911b65454bf25bfa62aa78690876a207ac2176f77884f3896d49f79bda84b8b00

C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe

MD5 4403db0c5bd7a9a0d5e1eda901dc2e48
SHA1 100b5e21cbdb8825f79f84080beea80aa95cd99a
SHA256 3dcd608574ab253831d8989b7e13db72223c479c8fe66bfb807c393c587d08f4
SHA512 6953ba206119672f1906cd75a6b6a7e14a688f7e84ae6dd8ea946501bb7e3329bc5b3b534e19a81d8a62d6d043afa459b4a28372fc4ebaa3b5c65c81aa563c9e

C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe

MD5 7bac4e90f313affa74a99335a9c436d1
SHA1 26b33d8632fb8592c449c9094ffef359992bf6c4
SHA256 5ec36199b50e701e3d1758ce8c7c2559f3784c4618809818455b031e0606c975
SHA512 84f51af8edc0a3a6876b4199dba768347cec697790b8b285ebc021ea9a00fe9c2546fe21228e2a2c053dc3f37680c532a62dbd3c0b7f02d207d876aaaf570c1d

C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe

MD5 85b21a21b54617c7dacf067477db937b
SHA1 1e6fa75099fd563436919dde7f6c878cedc5a81f
SHA256 d835d5c90cb8fd6824a95792bd8d2482f3a8d4fb627b984b6d0739995ce5322c
SHA512 c91106a22a17c87cb72b54f13267999aaba084de6822a1b612b1ff054ade480e59b3faacf1839ae7248d13caec931b19352cb1ec4f91ae2e48c1598ff35ee59d

C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe

MD5 1eb0673b499ad9720074f9120313c9ec
SHA1 7394fd23da4071ec591a5a89a0f019407179352f
SHA256 4a8e01f121269b8e06d1ad945acbd66dcf907e15d9967fed796883f4dacbc0a7
SHA512 fbd78ab89b037632465e2ff79347a4ff2f2042604e0495458a1dab2200fc4ea70488df98e867f1dbe5a2b7efb21f7cf2bad2e55c37a129058634606d5fde5ab3

C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe

MD5 1cd66f9a22ac0b7a20a574b61ddcefd5
SHA1 e94b5e17b47dea87f07cc3b2fcaa88780d687f1e
SHA256 9665e76b2843872bcfab998c949863a73cf46533b925a8ee53e27424fdc77059
SHA512 3947083a054026b3af7d2a4807b8d9c1a8414ab88a2c948d6bee44ab0f2746070a111f53979d11ed7a4b3c7f5d09b25578394a224bc1346d32059592c4b86219

C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe

MD5 ed7166ca1c271551bd3bf7395489e8a9
SHA1 4e3be09cf5a9d0f006081ae9be2d73c6a0583f34
SHA256 d281f2cb1c7aeb38a0da9c0c19f9f71967c822a3024d283c93ccc0d85fe02c0c
SHA512 1332445e48c8870a6b07120c122b667ed9920ed769b38aa35be233d9cbf3fb28c403c392f96e386259ca54c66c5b2a5dbd5171dcd874612f948e49fdb55cb109

C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe

MD5 85cd7e7432187e95971b5ce96d40eabe
SHA1 f5f7927bd2322a238ea7a52746b7b9ad86ca4da7
SHA256 341fcc2b302e3bbb7013180994aa1b49ae917c2c81f57ee34a10ad7f73687d68
SHA512 5335627b2417011b07e3a60c884224b1f447c0d17d22281e5057a3cf5beeb2927fd7719df39d193d5447bd22310dc688b70f8687f550cf5c1e7d199922de04ee

C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe

MD5 5843f3b40c5f7a08b8591892d1510d2e
SHA1 c40d4f05d28a6eedd8e8f99e4724666b799e10f2
SHA256 840b6f5541f7818ae99362a9d63d010de5b14bc89cbaf67ac8d7605fd27867e6
SHA512 6ec042498498693a97b7e174b48a5dd1a31c57f280a88b0a1af44d85027db04e4ae28addaec0597ac7b0cf8cd9a9a25eb12f628db2717d09ac139d4ec8e0ad4d

C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe

MD5 b1cda8170903a169d17e7f466db07af7
SHA1 0a1a41c83513077d1ab997cc27b40cdc4809ff8f
SHA256 bbe7c2cb5522c4335eba15a41b7d5c840a1ae3d1a9a7065b81133ca835eed867
SHA512 42b66d38567245ce3c386b877999f57b90394625c118b8bc70bda1a2e60acbc18c3abfecc8d4b873ad9943b34c022510f9142c6d1e5a339e5bf366960844f71b

C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe

MD5 0b1728c0b7c36e2870dd0d73c13cda56
SHA1 df3146cde969762d5201af0c0e863ab8a2b2cdc5
SHA256 733da23f027b73cfa04b53c4dc97df40e4aafa28810398b10e4d7973711af094
SHA512 cd5bc9d4ebe9f2fadced9b8a6c1460adceb67002ff57cb2cd3a890bcab3724bc938f281b06b08afa5189e4840476ed7e80d6d87a38d2ef3fed5b88c431a78462

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:55

Reported

2024-04-06 21:57

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe"

Signatures

Auto-generated rule

12 hits; the report records no description, indicator, process or target for this rule.

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CAB263-0F51-4f35-BEDF-1E73F24828C3} C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD} C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}\stubpath = "C:\\Windows\\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB} C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59FC855-73C2-43e3-9B34-4190443FBF6C} C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}\stubpath = "C:\\Windows\\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe" C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2} C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CA11DF-868E-4fc3-B7B9-D38F25577971} C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641C9218-F79D-41da-91E1-97F114414075} C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641C9218-F79D-41da-91E1-97F114414075}\stubpath = "C:\\Windows\\{641C9218-F79D-41da-91E1-97F114414075}.exe" C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37726F-A66A-4c83-8877-C97CC7B5000E}\stubpath = "C:\\Windows\\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe" C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}\stubpath = "C:\\Windows\\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe" C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}\stubpath = "C:\\Windows\\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe" C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59FC855-73C2-43e3-9B34-4190443FBF6C}\stubpath = "C:\\Windows\\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe" C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}\stubpath = "C:\\Windows\\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe" C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8} C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C489379-F0FA-4e81-9A8D-944578CB2085}\stubpath = "C:\\Windows\\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe" C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}\stubpath = "C:\\Windows\\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe" C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37726F-A66A-4c83-8877-C97CC7B5000E} C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA} C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}\stubpath = "C:\\Windows\\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe" C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}\stubpath = "C:\\Windows\\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe" C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C489379-F0FA-4e81-9A8D-944578CB2085} C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA1B5B-617F-4129-90ED-16E6FE5336E9} C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe N/A
File created C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe N/A
File created C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe N/A
File created C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe N/A
File created C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe N/A
File created C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
File created C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe N/A
File created C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe N/A
File created C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe N/A
File created C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe N/A
File created C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe N/A
File created C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe
PID 3532 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1980 N/A C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe
PID 1724 wrote to memory of 400 N/A C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2580 N/A C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe
PID 1980 wrote to memory of 4008 N/A C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 1908 N/A C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe
PID 2580 wrote to memory of 2324 N/A C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 4064 N/A C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe
PID 1908 wrote to memory of 2680 N/A C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 4132 N/A C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe
PID 4064 wrote to memory of 4456 N/A C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 4316 N/A C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe
PID 4132 wrote to memory of 4528 N/A C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 2176 N/A C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe
PID 4316 wrote to memory of 4516 N/A C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1064 N/A C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe
PID 2176 wrote to memory of 2184 N/A C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1316 N/A C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe
PID 1064 wrote to memory of 1264 N/A C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2400 N/A C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe
PID 1316 wrote to memory of 1688 N/A C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe"

C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe

C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe

C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{30495~1.EXE > nul

C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe

C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27A98~1.EXE > nul

C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe

C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C59FC~1.EXE > nul

C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe

C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B6CA1~1.EXE > nul

C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe

C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6CFD~1.EXE > nul

C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe

C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{641C9~1.EXE > nul

C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe

C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85CAB~1.EXE > nul

C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe

C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FAEBE~1.EXE > nul

C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe

C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2C489~1.EXE > nul

C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe

C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05CA1~1.EXE > nul

C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe

C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF377~1.EXE > nul

Network


Files
