Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-r27tasce9w
Target 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye
SHA256 f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73

Threat Level: Known bad

The file 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 14:42

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 14:42

Reported

2024-04-06 14:45

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
11 matches; the report carries no description, indicator, process or target for any of them

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}\stubpath = "C:\\Windows\\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe" C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A} C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E}\stubpath = "C:\\Windows\\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe" C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D} C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}\stubpath = "C:\\Windows\\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe" C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656} C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D} C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4} C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}\stubpath = "C:\\Windows\\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe" C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}\stubpath = "C:\\Windows\\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe" C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8}\stubpath = "C:\\Windows\\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe" C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72}\stubpath = "C:\\Windows\\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe" C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9}\stubpath = "C:\\Windows\\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656}\stubpath = "C:\\Windows\\{908FD874-865D-4f44-87FA-699F30C32656}.exe" C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E} C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}\stubpath = "C:\\Windows\\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe" C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9} C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A}\stubpath = "C:\\Windows\\{6745D736-4401-43cd-A530-9210F5AA488A}.exe" C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4} C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72} C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC} C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8} C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
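
Read as a set, the rows above are the persistence mechanism: each stage creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} and points its stubpath at C:\Windows\{GUID}.exe, the key GUID is identical to the file name, and the process that sets each entry is the stage that dropped that file. Active Setup runs a component's StubPath at the next interactive logon of any user whose HKCU copy of the key is missing or carries an older Version (MITRE ATT&CK T1547.014). Two caveats follow from the rest of this report: the GUIDs differ completely between behavioral1 and behavioral2, so they are random per execution and useless as static indicators, and every stage except the last deletes its own image, so most of these entries end up referencing files that no longer exist; the orphaned keys are still a reliable forensic trace. The Python below is an added hunting example, not part of this sandbox report. It parses the text of a `reg export` of the Installed Components key and flags entries whose StubPath launches an EXE directly from the Windows root, escalating when the EXE is GUID-named and its GUID equals the component key. The sample export is constructed: the benign-looking entry uses a made-up GUID, the malicious one is copied from the table above, and the "no display name" reason is an assumption about this family rather than something the report states.

```python
"""Hunt for Active Setup persistence of the kind this report records: an Installed Components
key whose StubPath launches a GUID-named EXE sitting directly under C:\\Windows.
Added example, not part of the sandbox report. Input is the text of a `reg export`
(decode real exports as UTF-16 when opening them); the sample here is constructed."""
import re

# Constructed .reg text: one benign-looking component (made-up GUID) and one entry from this report.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
@="Example Component"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,1,7600,16385"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}]
"StubPath"="C:\\Windows\\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe"
'''

KEY_RE = re.compile(r"^\[.+\\Installed Components\\(\{[^}]+\})\]$", re.I)
VALUE_RE = re.compile(r'^(?:@|"([^"]+)")=(.*)$')
# An EXE directly under the Windows root, e.g. C:\Windows\{GUID}.exe (no System32/SysWOW64 subfolder)
ROOT_EXE_RE = re.compile(r'^"?([a-z]:\\windows\\)([^\\"\s]+\.exe)\b', re.I)
GUID_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def parse_reg(text):
    """Return {component GUID: {value name: string}} for every Installed Components key."""
    comps, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = comps.setdefault(key.group(1).upper(), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            data = val.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            current[val.group(1) or "@"] = data
    return comps


def triage(comps):
    """Flag components whose StubPath runs an EXE from the Windows root; return (guid, stub, reasons)."""
    hits = []
    for guid, values in comps.items():
        stub = values.get("StubPath", "")
        m = ROOT_EXE_RE.match(stub)
        if not m:
            continue
        exe = m.group(2)
        reasons = ["StubPath runs an EXE from the Windows root rather than System32/SysWOW64"]
        if GUID_NAME_RE.match(exe):
            reasons.append("the EXE is GUID-named")
            if exe[:-4].upper() == guid:
                reasons.append("component GUID equals the EXE name, as in this report")
        if "@" not in values:  # weaker sign (assumption): the stager set no display name
            reasons.append("no display name on the component")
        hits.append((guid, stub, reasons))
    return hits


if __name__ == "__main__":
    for guid, stub, reasons in triage(parse_reg(SAMPLE_REG)):
        print(guid, stub)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" comps.reg` (and the same path without Wow6432Node), opened with encoding="utf-16". The component GUID and file names change on every run, so the hunt keys on the shape of the entry, not on any value listed in this report.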

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
File created C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
File created C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
File created C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
File created C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
File created C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A
File created C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
File created C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
File created C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
File created C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
File created C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each write below was reported four times; rows are collapsed with the count.
PID 2152 wrote to memory of 280 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
PID 2152 wrote to memory of 1580 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 280 wrote to memory of 2636 (4 writes) N/A C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
PID 280 wrote to memory of 2736 (4 writes) N/A C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2564 (4 writes) N/A C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
PID 2636 wrote to memory of 1756 (4 writes) N/A C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3000 (4 writes) N/A C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
PID 2564 wrote to memory of 2296 (4 writes) N/A C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2968 (4 writes) N/A C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
PID 3000 wrote to memory of 3024 (4 writes) N/A C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2676 (4 writes) N/A C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
PID 2968 wrote to memory of 1528 (4 writes) N/A C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2696 (4 writes) N/A C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
PID 2676 wrote to memory of 2780 (4 writes) N/A C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2824 (4 writes) N/A C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
PID 2696 wrote to memory of 1804 (4 writes) N/A C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"

C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe

C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe

C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0211D~1.EXE > nul

C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe

C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{908FD~1.EXE > nul

C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe

C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9C87E~1.EXE > nul

C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe

C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64E3B~1.EXE > nul

C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe

C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D1~1.EXE > nul

C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe

C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6745D~1.EXE > nul

C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe

C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{99373~1.EXE > nul

C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe

C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{24607~1.EXE > nul

C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe

C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BC2~1.EXE > nul

C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe

C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
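
Read together with the file-drop, registry and WriteProcessMemory tables, the process list above is a single chain: the submitted sample drops {0211D33B-49D6-4a60-B177-C3D2076206C9}.exe into C:\Windows, registers it under Active Setup, starts it (the WriteProcessMemory rows show each parent writing into the child it just created) and spawns cmd.exe /c del against its own image by 8.3 short name (2024-0~1.EXE); the child then repeats the cycle with a fresh GUID, and the Files section below lists a different hash for every stage. Because the report prints rows in collection order rather than chain order, the stage sequence has to be reconstructed. The Python below is an added analysis aid, not sandbox output: it parses rows copied verbatim from the behavioral1 tables, orders the stages by who created whom, checks that each dropped stage was registered under Active Setup by its creator, and maps every del target back to a stage with an approximated 8.3 rule (first six characters plus ~1; the real algorithm also handles collisions and illegal characters, so treat that function as an assumption).

```python
"""Rebuild the stage chain of the GUID-named stager from this report's behavioral1 tables.
Added analyst tooling; the data rows are copied from the page, not pulled from a sandbox API."""
import re

# "Drops file in Windows directory" rows: File created <dropped file> <creating process> N/A
FILE_CREATED_ROWS = r"""
File created C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
File created C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
File created C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
File created C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
File created C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
File created C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A
File created C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
File created C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
File created C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
File created C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
File created C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A
"""

# "Modifies Installed Components in the registry" rows that set a stubpath value
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}\stubpath = "C:\\Windows\\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe" C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E}\stubpath = "C:\\Windows\\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe" C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}\stubpath = "C:\\Windows\\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe" C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}\stubpath = "C:\\Windows\\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe" C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}\stubpath = "C:\\Windows\\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe" C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8}\stubpath = "C:\\Windows\\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe" C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72}\stubpath = "C:\\Windows\\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe" C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9}\stubpath = "C:\\Windows\\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656}\stubpath = "C:\\Windows\\{908FD874-865D-4f44-87FA-699F30C32656}.exe" C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}\stubpath = "C:\\Windows\\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe" C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A}\stubpath = "C:\\Windows\\{6745D736-4401-43cd-A530-9210F5AA488A}.exe" C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe N/A
"""

# cmd.exe command lines from the process list (one per stage that got as far as deleting its image)
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{0211D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{908FD~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C87E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{64E3B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D1~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6745D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{99373~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{24607~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BC2~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
"""

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
STUB_RE = re.compile(r'Installed Components\\(\{[^}]+\})\\stubpath = "([^"]+)" (\S+) N/A$')
DEL_RE = re.compile(r"/c del (\S+) > nul$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def rows(text, regex):
    """Regex matches for every line of a pasted table (non-matching lines are skipped)."""
    return [m for m in (regex.search(line) for line in text.strip().splitlines()) if m]

def stage_chain(drops):
    """drops maps dropped file -> creating process; the root is the one creator never dropped."""
    (root,) = set(drops.values()) - set(drops)
    next_of = {creator: dropped for dropped, creator in drops.items()}
    chain = [root]
    while chain[-1] in next_of:
        chain.append(next_of[chain[-1]])
    return chain

def registered_by_creator(chain, drops, stubs):
    """Per dropped stage: did its creator set an Active Setup stubpath pointing at it?"""
    out = {}
    for path in chain[1:]:
        target, setter = stubs.get(GUID_RE.search(path).group(0).upper(), ("", ""))
        out[path] = target.lower() == path.lower() and setter.lower() == drops[path].lower()
    return out

def short_name_8_3(path):
    """Approximate 8.3 alias (assumption: first six characters plus ~1, no collisions)."""
    folder, _, name = path.rpartition("\\")
    base, _, ext = name.rpartition(".")
    return folder + "\\" + base[:6].upper() + "~1." + ext[:3].upper()

def summarize():
    drops = {m.group(1): m.group(2) for m in rows(FILE_CREATED_ROWS, FILE_RE)}
    stubs = {m.group(1).upper(): (m.group(2).replace("\\\\", "\\"), m.group(3))
             for m in rows(STUBPATH_ROWS, STUB_RE)}
    chain = stage_chain(drops)
    by_short = {short_name_8_3(p).lower(): p for p in chain}
    deleted = {m.group(1): by_short.get(m.group(1).lower()) for m in rows(DEL_COMMANDS, DEL_RE)}
    return {"chain": chain, "registered": registered_by_creator(chain, drops, stubs), "deleted": deleted}

if __name__ == "__main__":
    s = summarize()
    for i, p in enumerate(s["chain"]):
        print(f"stage {i:2d}  {p}  active_setup={s['registered'].get(p, 'root')}")
    print(len(s["deleted"]), "del commands,", sum(v is None for v in s["deleted"].values()), "unresolved")
```

On the behavioral1 data this yields a chain twelve processes deep (the submitted sample plus eleven GUID-named stages), every dropped stage registered under Active Setup by the stage that wrote it, and all eleven del commands resolving to a stage; the last stage observed, {550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe, had not deleted itself or dropped a successor when the 144 s run ended. The same parsing applies to the behavioral2 tables, whose GUIDs are entirely different.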

Network

N/A

Files

C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe

MD5 dce4e8e727d3ba1fa933a84a8c3bc6f4
SHA1 f71f7aeaf2fcbc11906d07986270b64963e9a773
SHA256 69c91a240a6619c6a8259d457d7558d03778022bf999059ab1dfbd88e7c6263f
SHA512 3ef90d9df5dad8dabfe50ca7bf3fb830a5a377d95028e8d2df31cf7592d8bc3730232cc5cef4491553131d612ff243f1a01f2c14fcd2740635df56f43172d2f4

C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe

MD5 26d51f31bee81c85057055998cc7d4cb
SHA1 01846bd8ac7cb096045fcdb203fbf9b9418e41c8
SHA256 27e560f0abf4d09864dda1df5471043ecbc67a9facb255cc39b5fb8f8a31b698
SHA512 9aa0ab6a7fc8acf2b2ee717030470dfd6e6e11a07b38117bf8d972d91ac32702909607fd9479d1734b743a536a622d64ed9a52bb87dc569b4a5501ba9ce6d7fb

C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe

MD5 9a60153d16a63fb17944c59ab0b694de
SHA1 1a2b9457b2584e7e631091a04f1d70e222804cde
SHA256 f7e798f31bea8ca86b5b272883cb38c506fe76cce9ed5437a05322e552ebc402
SHA512 ce25dbfc1a1c53c9fbdaf3d820d65f0f0e582078e97b26ebb2d18349ee5286b0acb8b31a13ba6f7d6068daa0796a78acc748bbfef247a6344f4bf2fb6dbe165d

C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe

MD5 24fc97171619e6a892af1aa6a60ad421
SHA1 564485de8d3ef0a333f80e70d6ec0eaf38a94721
SHA256 53e4a8811aa1ef84e8c8f96321ba9f3b65b694f3312ae14443e65ba91712f271
SHA512 fc510a331c3f94f9fe343116cdb6fc592aaf819826e6bedf6a328ee9321dfaa25896f5d365fd9dbe9e09a598740aed49c1c1620ac7cc030ba91a2dd10d8c1dbb

C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe

MD5 8f18f1106410cc241aa6e22a444b5535
SHA1 70141f1019add2cce2fcd3c6ea6afce727f1ec48
SHA256 f7f28ccd94520285daf62799b364bf7519d333d9f726216b3aa6caac0510115e
SHA512 f74e7ff539c4acce91b7f17a61c9a99080d4501211488294217f4f51342e7cc5e2ec446aef0805c5f6cb81e07530cef07f1d2135d7836265cd074d8c5d6a02d3

C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe

MD5 32e536437cade2f388f78ac411f54c1e
SHA1 4586bae80be4f17e14aa68540a12ba3668d5f8ff
SHA256 1e0c8272234b4b55c2e76eb7d284e8b27c91c3b97afdc5e8617a432620499ef5
SHA512 b67448bcceb057dd7e58cf147968fc45bc0bacc5b29cbb4ea2f728fb7204de9a5bfb2846adfcf76d79e4a128948d3f0fb410be5b1431e0bc1e7312f536bc8879

C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe

MD5 bd26f557f376d3f9d301c038503e106f
SHA1 d9a40c33dbe30ffee391dccaee58ee33784d9bc2
SHA256 3935db407a0dcc76247589f3f86205a68922cd367128ea4fb7ab4c7a4ab0ceae
SHA512 dc7a5d6dfd436d23a31fb1803114c378cd8b41dc5911ff80fcba2b713f82f350101eaa692bda0b2a07d8f6d757f783a20b45420772b97f2c0f51239ca357b3c4

C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe

MD5 e152146427e118b2230e15424b91019b
SHA1 2b6a2403214715a5607eb067ba2895010f1bdd34
SHA256 69d19b2e9cc74b7ca079b03c8cf7d99e96bd7840191562e98d9ded705f6e26a1
SHA512 c589533548512f1ad900115692acde76b40efd5728bb0c5039f8fbbd7e74b89fdf16489378af69243b68b6a63028756ef45c7f10b61b7ab437511a5e42644a36

C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe

MD5 7a13ac389293950deec8fd8b40f7a535
SHA1 e5a102cc35eebd1ee8cfa1aa46e590a1c7d4c888
SHA256 2bf4fce610797f3873c472ffc10c5916b6c214d62623ba54807acae575cd6f5f
SHA512 82c5931785da4ab26e96913baf354a0658d479a9ab5f6bb1b5ee4048d3cff49f8418696b6b738f5373028450b078bb5f4eec2121eaf88d53435c9b12e565c8da

C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe

MD5 478958ff58825f015071757f8d75448d
SHA1 fffafab9988ad965e02dbdbcda4020956419cda9
SHA256 92d64707f479a711c1d23b3b7ca1778e0aa86fc026182f7d1d0342c1dc7bcd69
SHA512 da73e7008c5b11e1effe45c2b085ff5a26a593b0ae9c3aea8dd2810064e5b9d194da365fb49e1a717cae916f055b3923c9264c737c50e613ad7fca03e06a63ca

C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe

MD5 f9f7e8a3221ba80b83e66a6852836a0a
SHA1 03d8e2a8708e9e6dba6884970eba44736b063c71
SHA256 ef71a3882825a498b765195ceb699591b1e7863f429736d68fa132b5a25cf678
SHA512 6ebea0766dfd240014ce86b6653fad34ebf0d384e08645a9637bd970495925953322cf4f3a4a874b063eadc0e1cc27fb704ce40d71b28e2d7a79417ae4c3b3b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 14:42

Reported

2024-04-06 14:45

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
12 matches; the report carries no description, indicator, process or target for any of them

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246}\stubpath = "C:\\Windows\\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe" C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5} C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5}\stubpath = "C:\\Windows\\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe" C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A} C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2} C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23} C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}\stubpath = "C:\\Windows\\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe" C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC}\stubpath = "C:\\Windows\\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe" C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7}\stubpath = "C:\\Windows\\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe" C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}\stubpath = "C:\\Windows\\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe" C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7} C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7}\stubpath = "C:\\Windows\\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe" C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05} C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923} C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923}\stubpath = "C:\\Windows\\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4} C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}\stubpath = "C:\\Windows\\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe" C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}\stubpath = "C:\\Windows\\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe" C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7} C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C} C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}\stubpath = "C:\\Windows\\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe" C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}\stubpath = "C:\\Windows\\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe" C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246} C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC} C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe N/A
File created C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe N/A
File created C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe N/A
File created C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe N/A
File created C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe N/A
File created C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe N/A
File created C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
File created C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe N/A
File created C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe N/A
File created C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe N/A
File created C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe N/A
File created C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 556 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
PID 556 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
PID 556 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
PID 556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4892 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
PID 1812 wrote to memory of 4892 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
PID 1812 wrote to memory of 4892 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
PID 1812 wrote to memory of 2516 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 2516 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 2516 N/A C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3080 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
PID 4892 wrote to memory of 3080 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
PID 4892 wrote to memory of 3080 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
PID 4892 wrote to memory of 3168 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3168 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3168 N/A C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 3328 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
PID 3080 wrote to memory of 3328 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
PID 3080 wrote to memory of 3328 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
PID 3080 wrote to memory of 1800 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 1800 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 1800 N/A C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2644 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
PID 3328 wrote to memory of 2644 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
PID 3328 wrote to memory of 2644 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
PID 3328 wrote to memory of 2124 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2124 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 2124 N/A C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 3036 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
PID 2644 wrote to memory of 3036 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
PID 2644 wrote to memory of 3036 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
PID 2644 wrote to memory of 4292 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 4292 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 4292 N/A C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4196 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
PID 3036 wrote to memory of 4196 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
PID 3036 wrote to memory of 4196 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
PID 3036 wrote to memory of 4792 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4792 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4792 N/A C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 2920 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
PID 4196 wrote to memory of 2920 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
PID 4196 wrote to memory of 2920 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
PID 4196 wrote to memory of 2408 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 2408 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 2408 N/A C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 644 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
PID 2920 wrote to memory of 644 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
PID 2920 wrote to memory of 644 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
PID 2920 wrote to memory of 4316 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 4316 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 4316 N/A C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4388 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
PID 644 wrote to memory of 4388 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
PID 644 wrote to memory of 4388 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
PID 644 wrote to memory of 3960 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3960 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3960 N/A C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 4132 N/A C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
PID 4388 wrote to memory of 4132 N/A C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
PID 4388 wrote to memory of 4132 N/A C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
PID 4388 wrote to memory of 4736 N/A C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"

C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe

C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe

C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BBA~1.EXE > nul

C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe

C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61E6F~1.EXE > nul

C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe

C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A59D8~1.EXE > nul

C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe

C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{88A40~1.EXE > nul

C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe

C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3FF~1.EXE > nul

C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe

C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{314C4~1.EXE > nul

C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe

C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15EC8~1.EXE > nul

C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe

C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9959A~1.EXE > nul

C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe

C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{570DF~1.EXE > nul

C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe

C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B3276~1.EXE > nul

C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe

C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D210A~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.211.222.173.in-addr.arpa udp

Files

C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe

MD5 560739613c1a854cb343dcf04aa4acce
SHA1 ee5885b9c619c9ff6183286450a6a1d5f716f1f0
SHA256 cd690125196f4855d8f2bd122f5b05e05584f0ef1cee3589c4f6eb52c4e462c2
SHA512 fe5467c92c855efd2699b76cdd40a1eb13047c74e283241fd48177a03aef8c928b9813455a1ba4430647a35689faf4ab77cbbdca4e3d191c3cbc206a4ce362d8

C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe

MD5 515cf1649174f66ab4eee6b997b49b62
SHA1 81f2b1fbe71575017c26db5945114e5bc0c66fb7
SHA256 167fc171af80760c75d224e812600ad08e0392876451da957955993e5aa30ed3
SHA512 36cc0ab66659689e60d4e8e47b00effc88bfcfce42909c0bfe2c16902764405a745d708bf41b07f3759d3dc1afb6b6fb403bacaf3061d318e184314407809a00

C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe

MD5 d4a60d4081a06368a51298af0d52be7a
SHA1 e545eb93c7a047482aafb8788bec0e7759bbe7a2
SHA256 6d311f2b7e26062a3d27cac84e6f4d793503e4b3f303923b2cb056a861eba1db
SHA512 25787df952015e4211da8e7d4150227c601f617483ede520b645279583f0def2ad31f40c43f2c8d57683e63430171d107150b1980a8b6cf26393005b9d144e8c

C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe

MD5 d9d155435f2cd540813ea0f8a35f1453
SHA1 bdc0b89ea420bc24a235e2257370e34d7f123b20
SHA256 970a03bd611cc35293acc6ee094ea1725a78e434be442d1420a8e78b38261d0f
SHA512 04a221fe9420a3daa7653886020356cc2a374840f3960a836da42d1309a8566da612b5a8a53cd8c9625044edd70a445a14c35adafd2b206685c3bd6d3d8d5e6c

C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe

MD5 6d6990a596a8e9fc5fc8093c744b847b
SHA1 d18b8e53ed7ce3c475fce52b534a1a0480672c37
SHA256 7de63034ed618e534fa677829b2fdc03e626194c84f590a70e264581516bf546
SHA512 1a7021f71771025931e94bd21594c3c085022b49d6e480a6c7fbbf94cbba6eaaa0ad65efc6f4eb5b059be6a1ff2edcdd8ef8b7d0d7ab84441f6016e52ca2ac0c

C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe

MD5 4d7474c3aeaf8e85c0324cb950d9b032
SHA1 c2d041b1809492a40276c3c115314db8580fb127
SHA256 3bca392a8d4d07a0f9d13e77f26190116c440325bf42bb242ae8b69383bfe724
SHA512 516eb5a24e63fbdb6428f0df18a051706c15dc6f27743c3fa884ae550fac121707d4438bdd5ffd627e8bd9a1dad16aa808fa5ff819372ef3734073a34349ef3d

C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe

MD5 137289282035a413a86a74e5ac09da39
SHA1 75bd7b4bff84b7196d7d2ff6f1f7768a8d874209
SHA256 2989088fb07460d1dc257cf7903e7776a592be04beafba6a72077a9f728d2ee3
SHA512 9c5c69d2e55b1790ea80daeb6e73985f8006e70a2064c4e6417c76de4cc261fa4d95a63aaf541686ff3d9a231aabab839bbd46e9c140521b98deaaa97bd00b5f

C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe

MD5 e8bc5464718ff27d0e45a6361b34e481
SHA1 0faf46aae8e3726868c0bb57afe47b7d04420149
SHA256 50729c89cd192a5f122c3e8025597ed74f87316295eea30de722ffbb2d782882
SHA512 fd5e2e19d14dd1842feb45650838324b32266ce082e0a6668543ed005bf018630aae3c00d518627191b5189c903e65d7e561d0c8a2a81a9d676b8f946c31f412

C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe

MD5 72c1f258ca58979ec6ce70478daf5edc
SHA1 7d16e46f4d578df35431efdb6a7168d3e31cc2f5
SHA256 4ff65f920bb44c26e9ca0ebc055a7b7adb84374f6340194e652e783a9b774c65
SHA512 3d22644dbc8a277b1b4c9f0313b8c65569d835d09ff283c37dce0012a89d2ee1fa8d62a7c0843b761a8fb78b70df520b10b67aa23cc51efe528adc2e4dc2e34e

C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe

MD5 88fea583604f60b4180925d980292692
SHA1 8a183fa243fd39bc0b42ec91d1aab05612ebde70
SHA256 52458ed9bd7d64541f04079d6c55efea76faa2317df6e016e8aa780056c243ec
SHA512 fae54f84437f6411dd4b6e2ad4b05d68cf7e5c83bbaf8320d8ebd8eaa90cd895f77c0217bf08b0f0f8620c113e8f5c94c24f8ef10cf00604278b9596718a6a86

C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe

MD5 0a937690d89886e87fa356050fcb4eee
SHA1 12d52711b3b67df7cfa3bbeda14fe641c963efb5
SHA256 115a904b7996e652d5695c32d228945ee17d1564a396b77d0964345501e60f40
SHA512 4ef2d401167616c3b01e3284539870474b0db59480e3e1fa3a6cca1f5132bd3297a15a3413aba5e756f581fda21fa8867ef4827de07eec81cbfb0a87e7bb897d

C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe

MD5 262d88851d72d5c3802afe65bacdb0ca
SHA1 50adb5e5ff4317628300ce45bfafbcd679ea6d8f
SHA256 acba00a9f1580c55f4ebc285e485566d6a97d2c34ac6961713516ce5ad1c48fe
SHA512 73f5fce36d240e369fbe71453c5a997ca2f9ae63ed0c69e093f3df900972f9910fde145facefab3b89e5a3d8bbc5df276b822f885321b168309db55eaca95551