Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-2dhjlscg8z
Target 2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye
SHA256 52a79c90cd58b1febc5c11273e84525043956d9f180d2c03880f359c9ad488e8
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

52a79c90cd58b1febc5c11273e84525043956d9f180d2c03880f359c9ad488e8

Threat Level: Known bad

The file 2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:27

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:27

Reported

2024-04-06 22:30

Platform

win7-20231129-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73A4299-3C11-4fb9-A2FF-19067D243214}\stubpath = "C:\\Windows\\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91F9934-511B-42a1-B517-2FA46485CE90} C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C8C6E84-94CA-4a19-B958-257437A93A98}\stubpath = "C:\\Windows\\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe" C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF}\stubpath = "C:\\Windows\\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF}.exe" C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23C76E1-1570-41b6-B085-BCAE77204B49} C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}\stubpath = "C:\\Windows\\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe" C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91F9934-511B-42a1-B517-2FA46485CE90}\stubpath = "C:\\Windows\\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe" C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A104FFFB-BC76-4723-9BD1-48854F8242D8}\stubpath = "C:\\Windows\\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe" C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92E6477-716E-4670-AA5F-26F689C704DA} C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92E6477-716E-4670-AA5F-26F689C704DA}\stubpath = "C:\\Windows\\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe" C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C8C6E84-94CA-4a19-B958-257437A93A98} C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{793D6D19-3AE0-4ede-9575-18A8399D0210}\stubpath = "C:\\Windows\\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe" C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A104FFFB-BC76-4723-9BD1-48854F8242D8} C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A902C1F5-6482-401f-9C92-86F7680E412E} C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF} C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23C76E1-1570-41b6-B085-BCAE77204B49}\stubpath = "C:\\Windows\\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe" C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73A4299-3C11-4fb9-A2FF-19067D243214} C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{793D6D19-3AE0-4ede-9575-18A8399D0210} C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D} C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61995F87-D38A-4546-A854-0FFC9894503B} C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61995F87-D38A-4546-A854-0FFC9894503B}\stubpath = "C:\\Windows\\{61995F87-D38A-4546-A854-0FFC9894503B}.exe" C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A902C1F5-6482-401f-9C92-86F7680E412E}\stubpath = "C:\\Windows\\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe" C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe N/A
File created C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe N/A
File created C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe N/A
File created C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe N/A
File created C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe N/A
File created C:\Windows\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF}.exe C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe N/A
File created C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
File created C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe N/A
File created C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe N/A
File created C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe N/A
File created C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe
PID 2332 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2564 N/A C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe
PID 2320 wrote to memory of 2632 N/A C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2680 N/A C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe
PID 2564 wrote to memory of 2784 N/A C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2544 N/A C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe
PID 2680 wrote to memory of 2864 N/A C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 320 N/A C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe
PID 2544 wrote to memory of 1452 N/A C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1608 N/A C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe
PID 320 wrote to memory of 1572 N/A C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1860 N/A C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe
PID 1608 wrote to memory of 1260 N/A C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2876 N/A C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe
PID 1860 wrote to memory of 620 N/A C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe"

C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe

C:\Windows\{C73A4299-3C11-4fb9-A2FF-19067D243214}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe

C:\Windows\{793D6D19-3AE0-4ede-9575-18A8399D0210}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C73A4~1.EXE > nul

C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe

C:\Windows\{D36FCF26-C950-4cc0-BEF8-5E4A88C0127D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{793D6~1.EXE > nul

C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe

C:\Windows\{F91F9934-511B-42a1-B517-2FA46485CE90}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D36FC~1.EXE > nul

C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe

C:\Windows\{A104FFFB-BC76-4723-9BD1-48854F8242D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F91F9~1.EXE > nul

C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe

C:\Windows\{C92E6477-716E-4670-AA5F-26F689C704DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A104F~1.EXE > nul

C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe

C:\Windows\{61995F87-D38A-4546-A854-0FFC9894503B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C92E6~1.EXE > nul

C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe

C:\Windows\{1C8C6E84-94CA-4a19-B958-257437A93A98}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61995~1.EXE > nul

C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe

C:\Windows\{A902C1F5-6482-401f-9C92-86F7680E412E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1C8C6~1.EXE > nul

C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe

C:\Windows\{E23C76E1-1570-41b6-B085-BCAE77204B49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A902C~1.EXE > nul

C:\Windows\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF}.exe

C:\Windows\{09B4584A-B2D4-47be-B958-A2DF0F5E0FDF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E23C7~1.EXE > nul

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:27

Reported

2024-04-06 22:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}\stubpath = "C:\\Windows\\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe" C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00663BB-D996-4142-AACE-543730BE8B68} C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00663BB-D996-4142-AACE-543730BE8B68}\stubpath = "C:\\Windows\\{F00663BB-D996-4142-AACE-543730BE8B68}.exe" C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C051199-7AB2-4348-B14F-CF1B4990DD80} C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C051199-7AB2-4348-B14F-CF1B4990DD80}\stubpath = "C:\\Windows\\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe" C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DD95E06-A945-4b26-8037-0011F32207F3} C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}\stubpath = "C:\\Windows\\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe" C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4} C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E0E6F3-9649-410b-B928-097D671875A6}\stubpath = "C:\\Windows\\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe" C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08} C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91480EF1-8E90-4b6a-B42F-A3AD75167093}\stubpath = "C:\\Windows\\{91480EF1-8E90-4b6a-B42F-A3AD75167093}.exe" C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B} C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4BB5B75-378A-400d-BCDB-5C7319264343}\stubpath = "C:\\Windows\\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe" C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4088481E-AA99-487f-86D9-15F0BEF75E26} C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4088481E-AA99-487f-86D9-15F0BEF75E26}\stubpath = "C:\\Windows\\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe" C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{319A43B6-52DA-4afe-885F-F11CD142BED8}\stubpath = "C:\\Windows\\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe" C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91480EF1-8E90-4b6a-B42F-A3AD75167093} C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DD95E06-A945-4b26-8037-0011F32207F3}\stubpath = "C:\\Windows\\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4BB5B75-378A-400d-BCDB-5C7319264343} C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}\stubpath = "C:\\Windows\\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe" C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E0E6F3-9649-410b-B928-097D671875A6} C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76} C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}\stubpath = "C:\\Windows\\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe" C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{319A43B6-52DA-4afe-885F-F11CD142BED8} C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
File created C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe N/A
File created C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe N/A
File created C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe N/A
File created C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe N/A
File created C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe N/A
File created C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe N/A
File created C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe N/A
File created C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe N/A
File created C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe N/A
File created C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe N/A
File created C:\Windows\{91480EF1-8E90-4b6a-B42F-A3AD75167093}.exe C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe
PID 3092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 1600 N/A C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe
PID 4556 wrote to memory of 5088 N/A C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 4356 N/A C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe
PID 1600 wrote to memory of 2556 N/A C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 5008 N/A C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe
PID 4356 wrote to memory of 3596 N/A C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3124 N/A C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe
PID 5008 wrote to memory of 4892 N/A C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4900 N/A C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe
PID 3124 wrote to memory of 2924 N/A C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4288 N/A C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe
PID 4900 wrote to memory of 4812 N/A C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 312 N/A C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe
PID 4288 wrote to memory of 1416 N/A C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe C:\Windows\SysWOW64\cmd.exe
PID 312 wrote to memory of 2480 N/A C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe
PID 312 wrote to memory of 2588 N/A C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 5100 N/A C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe
PID 2480 wrote to memory of 4192 N/A C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 3008 N/A C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe
PID 5100 wrote to memory of 4676 N/A C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_449a61fbd25d2670a25cf31d7d7f9ac7_goldeneye.exe"

C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe

C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe

C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD95~1.EXE > nul

C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe

C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28DEF~1.EXE > nul

C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe

C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4BB5~1.EXE > nul

C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe

C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40884~1.EXE > nul

C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe

C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11283~1.EXE > nul

C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe

C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E0E~1.EXE > nul

C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe

C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE85D~1.EXE > nul

C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe

C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D0F~1.EXE > nul

C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe

C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0066~1.EXE > nul

C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe

C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{319A4~1.EXE > nul

C:\Windows\{91480EF1-8E90-4b6a-B42F-A3AD75167093}.exe

C:\Windows\{91480EF1-8E90-4b6a-B42F-A3AD75167093}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C051~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Windows\{8DD95E06-A945-4b26-8037-0011F32207F3}.exe

C:\Windows\{28DEFAFF-0C4B-4708-9EA6-35D7C67A674B}.exe

C:\Windows\{E4BB5B75-378A-400d-BCDB-5C7319264343}.exe

C:\Windows\{4088481E-AA99-487f-86D9-15F0BEF75E26}.exe

C:\Windows\{11283ED3-1CC0-4a4a-A3D5-98822334A3A4}.exe

C:\Windows\{C3E0E6F3-9649-410b-B928-097D671875A6}.exe

C:\Windows\{FE85D3C8-218E-4ffd-A04C-F10BA8036A76}.exe

C:\Windows\{A1D0F834-5F3E-479a-BF27-89F5F01DAB08}.exe

C:\Windows\{F00663BB-D996-4142-AACE-543730BE8B68}.exe

C:\Windows\{319A43B6-52DA-4afe-885F-F11CD142BED8}.exe

C:\Windows\{5C051199-7AB2-4348-B14F-CF1B4990DD80}.exe

C:\Windows\{91480EF1-8E90-4b6a-B42F-A3AD75167093}.exe
