Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-w1cc8aah5s
Target 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye
SHA256 6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca

Threat Level: Known bad

The file 2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye was found to be: Known bad.

Malicious Activity Summary

Tag: persistence

Both behavioral runs show the same mechanism. The sample writes a copy of itself to C:\Windows under a fresh {GUID}.exe name, creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its StubPath value to that copy (ATT&CK T1547.014, Boot or Logon Autostart Execution: Active Setup; Windows runs the stub once per user at the next interactive logon), launches the copy directly, and then spawns cmd.exe /c del on its own 8.3 short name. Each copy repeats the cycle, so within the sandbox time-out the run leaves a chain of eleven GUID-named stages, every one with a different hash. Because each stage deletes itself once the next one is running, the earlier StubPath entries end up pointing at files that no longer exist; dangling Active Setup entries of this shape are themselves a useful hunting artefact. The Wow6432Node key path and the use of SysWOW64\cmd.exe show a 32-bit binary running under the registry and file-system redirectors. Signatures fired:

Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:22

Signatures

Auto-generated rule

(no indicator details recorded)

Unsigned PE

(no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:22
Reported: 2024-04-07 18:25
Platform: win10v2004-20240226-en
Max time kernel: 156s
Max time network: 166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"

Signatures

Auto-generated rule

(11 matches, no indicator details recorded)

Modifies Installed Components in the registry

Tag: persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F7331A0-22A3-4d27-B823-055FFA12AC0D} C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}\stubpath = "C:\\Windows\\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}\stubpath = "C:\\Windows\\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe" C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95A02336-7808-465a-945B-FC0D58D8A9D0}\stubpath = "C:\\Windows\\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe" C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1} C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72} C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4DCF4-16FB-4520-B476-3FCE91156985}\stubpath = "C:\\Windows\\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe" C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C44764-5C87-4468-A42C-D836DF05A5D4}\stubpath = "C:\\Windows\\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe" C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47D746C-470F-4e7e-9D13-F2BE78D394B6} C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2} C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95A02336-7808-465a-945B-FC0D58D8A9D0} C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}\stubpath = "C:\\Windows\\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe" C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA393A86-E956-46ea-925B-787B479810E4} C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19} C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}\stubpath = "C:\\Windows\\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe" C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA393A86-E956-46ea-925B-787B479810E4}\stubpath = "C:\\Windows\\{CA393A86-E956-46ea-925B-787B479810E4}.exe" C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9} C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}\stubpath = "C:\\Windows\\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe" C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4DCF4-16FB-4520-B476-3FCE91156985} C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C44764-5C87-4468-A42C-D836DF05A5D4} C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}\stubpath = "C:\\Windows\\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe" C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}\stubpath = "C:\\Windows\\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe" C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe N/A
File created C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe N/A
File created C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe N/A
File created C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe N/A
File created C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe N/A
File created C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe N/A
File created C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
File created C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe N/A
File created C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe N/A
File created C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe N/A
File created C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
PID 4720 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
PID 4720 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
PID 4720 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 3916 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
PID 764 wrote to memory of 3916 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
PID 764 wrote to memory of 3916 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
PID 764 wrote to memory of 3572 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 3572 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 3572 N/A C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 4848 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
PID 3916 wrote to memory of 4848 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
PID 3916 wrote to memory of 4848 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
PID 3916 wrote to memory of 3296 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 3296 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 3296 N/A C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4320 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
PID 4848 wrote to memory of 4320 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
PID 4848 wrote to memory of 4320 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
PID 4848 wrote to memory of 4492 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4492 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4492 N/A C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4524 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
PID 4320 wrote to memory of 4524 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
PID 4320 wrote to memory of 4524 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 1560 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
PID 4524 wrote to memory of 1560 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
PID 4524 wrote to memory of 1560 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
PID 4524 wrote to memory of 4816 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4816 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4816 N/A C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 4716 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
PID 1560 wrote to memory of 4716 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
PID 1560 wrote to memory of 4716 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
PID 1560 wrote to memory of 4672 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 4672 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 4672 N/A C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 1628 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
PID 4716 wrote to memory of 1628 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
PID 4716 wrote to memory of 1628 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
PID 4716 wrote to memory of 1824 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 1824 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 1824 N/A C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 3732 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
PID 1628 wrote to memory of 3732 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
PID 1628 wrote to memory of 3732 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
PID 1628 wrote to memory of 2952 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2952 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2952 N/A C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4568 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
PID 3732 wrote to memory of 4568 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
PID 3732 wrote to memory of 4568 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
PID 3732 wrote to memory of 1792 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 1792 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 1792 N/A C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4976 N/A C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
PID 4568 wrote to memory of 4976 N/A C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
PID 4568 wrote to memory of 4976 N/A C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
PID 4568 wrote to memory of 4112 N/A C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"

C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe

C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe

C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7C3~1.EXE > nul

C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe

C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D47D7~1.EXE > nul

C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe

C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC529~1.EXE > nul

C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe

C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95A02~1.EXE > nul

C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe

C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E9F~1.EXE > nul

C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe

C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E42~1.EXE > nul

C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe

C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CA393~1.EXE > nul

C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe

C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F4D~1.EXE > nul

C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe

C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59C44~1.EXE > nul

C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe

C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F733~1.EXE > nul
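The registry rows and the cmd.exe command lines above describe one mechanism repeated eleven times. The following Python is an added example, not part of this sandbox report or of the sample: it encodes the first four stages from the behavioral2 tables as Sysmon-style events (the event layout and the one benign msiexec control entry are assumptions of the example; every other path and value is copied from the report) and shows three detections a practitioner would build from it: flagging Active Setup StubPath writes that point at GUID-named binaries in the Windows directory, spotting the `cmd.exe /c del <8.3 name> > nul` self-delete by matching the short name against the parent image, and reconstructing the drop chain from unordered events.

```python
import re

# Event samples built from the behavioral2 tables of this report: the first four
# stages of the drop chain plus their self-delete commands.  The dict layout
# mimics Sysmon Event ID 13 (registry value set) and Event ID 1 (process
# create) fields; that layout and the one "benign" msiexec entry are
# assumptions of this example, every other path and value is the report's.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIG = TEMP + r"\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
S1 = r"C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe"
S2 = r"C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe"
S3 = r"C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe"
S4 = r"C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ACTIVE_SETUP = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"


def stub_event(writer, stub, key=None):
    """Sysmon-13-style record: `writer` set ...\\{key}\\StubPath = stub."""
    key = key or re.search(r"\{[0-9A-Fa-f-]+\}", stub).group(0)
    return {"id": 13, "Image": writer,
            "TargetObject": f"{ACTIVE_SETUP}\\{key}\\StubPath", "Details": stub}


def del_event(parent, short_path):
    """Sysmon-1-style record: `parent` spawned cmd.exe /c del <8.3 path> > nul."""
    return {"id": 1, "Image": CMD, "ParentImage": parent,
            "CommandLine": f"C:\\Windows\\system32\\cmd.exe /c del {short_path} > nul"}


EVENTS = [  # deliberately out of order, as a real log would be
    stub_event(S2, S3), stub_event(ORIG, S1), stub_event(S3, S4), stub_event(S1, S2),
    del_event(ORIG, TEMP + r"\2024-0~1.EXE"),
    del_event(S1, r"C:\Windows\{6D7C3~1.EXE"),
    del_event(S2, r"C:\Windows\{D47D7~1.EXE"),
    # constructed benign control: an installer registering a normal component
    stub_event(r"C:\Windows\System32\msiexec.exe",
               r"C:\Program Files\ExampleVendor\setup.exe /configure",
               key="{ExampleVendorGUID}"),
]

GUID_EXE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.I)
STUB_KEY = re.compile(r"\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)


def suspicious_stubpaths(events):
    """Active Setup StubPath values that point at a GUID-named EXE dropped straight
    into %WINDIR%, or that were written from the user's Temp directory or by another
    GUID-named stub.  Returns (writer, stub) pairs; the msiexec control is not hit."""
    hits = []
    for e in events:
        if e["id"] != 13 or not STUB_KEY.search(e["TargetObject"]):
            continue
        writer, stub = e["Image"], e["Details"]
        if (GUID_EXE.match(stub) or GUID_EXE.match(writer)
                or writer.lower().startswith(TEMP.lower() + "\\")):
            hits.append((writer, stub))
    return hits


def short_name_matches(long_path, short_path):
    """Could the 8.3 name NAME~N.EXT refer to long_path?  Same directory, same
    extension, and the long stem starts with the characters before '~'.
    Approximation: real 8.3 generation also strips spaces and some punctuation."""
    ldir, _, lbase = long_path.rpartition("\\")
    sdir, _, sbase = short_path.rpartition("\\")
    m = re.match(r"^(.{1,6})~\d+(\.[^.]*)?$", sbase)
    if not m or ldir.lower() != sdir.lower():
        return False
    lstem, dot, lext = lbase.rpartition(".")
    if not dot:
        lstem, lext = lbase, ""
    return (lstem[:6].lower() == m.group(1).lower()
            and ("." + lext if lext else "").lower() == (m.group(2) or "").lower())


def self_delete_via_cmd(events):
    """Parents that spawned `cmd.exe /c del <8.3 path> > nul` on their own image:
    the 'Deletes itself' behaviour in this report.  Returns parent image paths."""
    out = []
    for e in events:
        if e["id"] != 1:
            continue
        m = DEL_CMD.search(e["CommandLine"])
        if m and short_name_matches(e["ParentImage"], m.group(1)):
            out.append(e["ParentImage"])
    return out


def reconstruct_chain(events, start):
    """Follow writer -> StubPath edges from `start` to recover the drop order,
    whatever order the events were logged in.  Stops at a cycle or a dead end."""
    nxt = {e["Image"].lower(): e["Details"] for e in events
           if e["id"] == 13 and STUB_KEY.search(e["TargetObject"])}
    chain, cur = [start], start
    while cur.lower() in nxt and nxt[cur.lower()] not in chain:
        cur = nxt[cur.lower()]
        chain.append(cur)
    return chain


if __name__ == "__main__":
    for writer, stub in suspicious_stubpaths(EVENTS):
        print("ALERT Active Setup stub:", stub, "written by", writer)
    for parent in self_delete_via_cmd(EVENTS):
        print("ALERT self-delete via cmd.exe:", parent)
    print("chain:", " -> ".join(p.rsplit("\\", 1)[-1][:14] for p in reconstruct_chain(EVENTS, ORIG)))
```

The StubPath rule is written to stay quiet on an ordinary installer that registers a component under Program Files, which is the common benign use of Active Setup; the self-delete rule deliberately keys on the parent image rather than on cmd.exe alone, since `cmd /c del` is far too common to alert on by itself.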

Network

Only DNS traffic was recorded: reverse (PTR) lookups sent to 8.8.8.8, with no forward resolution of any domain and no outbound connection to any host. PTR lookups of this kind are typically generated by the sandbox image's own Windows components rather than by the sample, so they should not be read as command-and-control indicators without further evidence.

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

Eleven dropped stages, each a distinct file (no two share an MD5, SHA1, SHA256 or SHA512), so the hashes below identify this particular run only; the Active Setup key pattern and the GUID-named path directly under C:\Windows are the durable indicators.

C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe

MD5 11d2b39fccbe57dca31891393a28d152
SHA1 4c33468352fba8a30eedac7e8c8d763c4c569208
SHA256 36aad4d4de6a7b1675775b0b6360b768c5e8142258c2b870ee5f201e7deb2235
SHA512 d50f8261e3ad14c9c01b411c16083193f39c0b40ce454f8d70b389561f82133184984d353ebb1e241dce04936c833be471a7255351067c8031c21eea102fe84f

C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe

MD5 b79783a7182f5c7031557d98e3e79bef
SHA1 e376f07929ccf6b06f7e18dc3dc78e9e27c980c5
SHA256 8893998f9145355fe7051ebfdce77b01d2488b546e279ad91af114aff8d3e937
SHA512 0c709f93656b8660b55f73b90beac1bf8951072e701fd86ad88bde7c4ae159ff609425ede530c9f5b485e46177ae4fd1ea5354db21d307462efae7ca58ccd046

C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe

MD5 eea200ab71ba0ff81fb96bb6cad11538
SHA1 82669fb5cd75a323ac92ea78213adf3ade36e12e
SHA256 d668d722711ca94a99aaf69b1d578a9dd9eabc7fddca00f704c1cc2add19de54
SHA512 6ad812b850dc15a641d565e7fa0731c42364e2790efe4f2bd0d2cece5c7b3013dc7c4ce2eb015e53bfeb41c44bcb6a0cd02e7d99d68d562d4402a3d1aabe7761

C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe

MD5 c11423d5a54c00037d1a5b4d19fdb531
SHA1 f8b6b3a22eca8f315158bdfcf09429a159b052b9
SHA256 b10192135acd888895fe3f6bab0a44ed2f06522521ac6153b4eb3ea5fcd64968
SHA512 12526c6e05f21df6e38482e68b0c83d8ca7c3af39a5ee5ed2781dbbf4e39fbc42e08d57f72a099a5920ede934e453750b35255710368dfb66d569e23b4ead6fa

C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe

MD5 f6e4b2d6e2dea2d17563ad4b6fb697ff
SHA1 a0e35b5913c5bf802738ca58f812193f788570dd
SHA256 43a6f449e8d573f68f9462c16f0769e5fb4a41e09491f6468dc26b26601483da
SHA512 2cccbb3395d5922d394e2ff43833ee1ec237495cdbba1377540d407db3457a0ce9ca4642a9a5c77ac999e7c208a39645a800cb7a9786428d8bf4aacc913804bd

C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe

MD5 4a11989bf4353c1a27d15beee5438d59
SHA1 efc5d170b56be7564d0782ba1fa752641fa0a113
SHA256 d6af72a489964c8afd0d2f340590b2d334089a9dd0109543da376f327ff45a2d
SHA512 834deaba0c12277706f9441174cd6a0a2bca10867f170baeecf78b975da1a37f8984fca3d5724ee34e6f7098a6be75cec47ec6f23b14982d31eca8dc6b914f71

C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe

MD5 b27c86063d111ba48a6e5f6ec5cf1528
SHA1 d09f8f32e69b2edb501233df06c776df5a1979f6
SHA256 cf2f91ca33764e7066120e12ba1640accd50629fcd31502c81a163c18b1de98e
SHA512 5679ab49c1f301438565ffba6014f18c868f1f59c8885dff218e67ea42711e81ecdcb143b58a5e8bdd5e596cbffd262fc40fc8f1a7a9db5badeba055189ef7d6

C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe

MD5 8869666a938433ecde66844bead44af0
SHA1 345556f4bea6f7d869537af803f7095e0563d021
SHA256 7fb565d6f9fa817d6ecb5b17ca6bf6d16e16966604f3737b3a946b070127774e
SHA512 7593f375385f6d0c443811768804e3ba38f654d0e018b668afc5948e2268b080811281135a77b7b888112840c9cc0021b79e6bfb7c356afa5c6e147fe5f0b9ac

C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe

MD5 b5e10c0a47bc761fd755e8aad08a9520
SHA1 52d96215d832c45e6b25b0629a9474c841b4ee48
SHA256 d0df1486908d612e9953b046ed4b5348377a3ca16655a765a392447ad38559d4
SHA512 06d5076fac92caf32acc9ef73874a1dc7cf3d1ad1e05643fe9ed983ef83683f2d220add8ac85465a86a1a239c7143a4165e4a1a46ec12df55e0eb003bc52ccf2

C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe

MD5 40e419d87af1172b6eff3d04d6ceab03
SHA1 cfb743bd2c67bbb3baab81527f1c00507a4d8984
SHA256 12da1d069f2eeaa344d5919549ed0d8bf0c9ddaccb131e6880016dd2cbadcc63
SHA512 58c48acff61304c9f4fafe8c77c6b3c9bee9c42f5ec7d38d62505b64cf725f45c9641a1902a9dc42967b1a118497835f1d0eae529b5d25b657c6a6f3e57a52d3

C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe

MD5 685614506e1e41cfc951ac56ccb37de1
SHA1 c7621451c55831f90872d771338eaaaca3a4dac5
SHA256 549922d1bd43b1c0654e1089b5e391e9847633a0d29a0d8af437b5df9d48dc2f
SHA512 ff920a4b57f8d1f5d0e4d767cb99aaae99824dda8c3e59f37dfc20459feff7a41ba8793f16b760f5e2a6bed50786ced2645fa5926d5eed55b0b2212bfdc172d4

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:22
Reported: 2024-04-07 18:25
Platform: win7-20240319-en
Max time kernel: 144s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"

Signatures

Auto-generated rule

(11 matches, no indicator details recorded)

Modifies Installed Components in the registry

Tag: persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3D2D6A-73E4-4353-B3D3-79710853549A} C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07E15AA0-838C-47af-9BE8-F985E6E52703} C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07E15AA0-838C-47af-9BE8-F985E6E52703}\stubpath = "C:\\Windows\\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe" C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7} C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24709C6-1087-4996-B4F9-63619F204394} C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B} C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}\stubpath = "C:\\Windows\\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe" C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF} C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}\stubpath = "C:\\Windows\\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}\stubpath = "C:\\Windows\\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe" C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}\stubpath = "C:\\Windows\\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe" C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}\stubpath = "C:\\Windows\\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe" C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019F3C91-6F1A-4f21-87A4-8A5903704DB3} C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3D2D6A-73E4-4353-B3D3-79710853549A}\stubpath = "C:\\Windows\\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe" C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E39DDC6-65E2-4d09-857A-B99563E4B957}\stubpath = "C:\\Windows\\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe" C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54} C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24709C6-1087-4996-B4F9-63619F204394}\stubpath = "C:\\Windows\\{C24709C6-1087-4996-B4F9-63619F204394}.exe" C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327039B7-8EF7-49ca-A627-81846274F320} C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{327039B7-8EF7-49ca-A627-81846274F320}\stubpath = "C:\\Windows\\{327039B7-8EF7-49ca-A627-81846274F320}.exe" C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E} C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}\stubpath = "C:\\Windows\\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe" C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E39DDC6-65E2-4d09-857A-B99563E4B957} C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
File created C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe N/A
File created C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe N/A
File created C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe N/A
File created C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe N/A
File created C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe N/A
File created C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe N/A
File created C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe N/A
File created C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe N/A
File created C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe N/A
File created C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe N/A

Suspicious use of WriteProcessMemory

Each distinct write is listed once below with the number of times the report recorded it (the original table repeats every row four times). Every target is either the stage the writer has just launched or the cmd.exe it launched to delete its own image; no write into a pre-existing, unrelated process is recorded. The table stops at PID 2940, the {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe stage, so no PIDs are available for the stages after it.

Description Indicator Process Target
PID 2368 wrote to memory of 852 (recorded 4 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
PID 2368 wrote to memory of 2112 (recorded 4 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 2544 (recorded 4 times) N/A C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
PID 852 wrote to memory of 2664 (recorded 4 times) N/A C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2820 (recorded 4 times) N/A C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
PID 2544 wrote to memory of 2428 (recorded 4 times) N/A C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2036 (recorded 4 times) N/A C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
PID 2820 wrote to memory of 2452 (recorded 4 times) N/A C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2788 (recorded 4 times) N/A C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
PID 2036 wrote to memory of 2896 (recorded 4 times) N/A C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 1116 (recorded 4 times) N/A C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
PID 2788 wrote to memory of 2716 (recorded 4 times) N/A C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 2600 (recorded 4 times) N/A C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
PID 1116 wrote to memory of 2604 (recorded 4 times) N/A C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2940 (recorded 4 times) N/A C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
PID 2600 wrote to memory of 880 (recorded 4 times) N/A C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe C:\Windows\SysWOW64\cmd.exe
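The table above is enough to rebuild the process tree of the run. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses rows in this table's layout, counts how many times each write was recorded, follows the stage-to-stage chain from the submitted sample, pairs each stage with the cmd.exe it launched, and lists any write target that is neither a GUID-named stage nor cmd.exe. The rows are copied from the table (the repeats of the first two edges are kept so the counting is exercised); PIDs and paths are the report's own.

```python
import re
from collections import Counter

# Constructed input: rows from the "Suspicious use of WriteProcessMemory" table of
# this report. The report repeats every row four times; the first two edges keep
# their repeats here and the remaining fourteen appear once.
WPM_ROWS = r"""
PID 2368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
PID 2368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
PID 2368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
PID 2368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
PID 2368 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 2544 N/A C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
PID 852 wrote to memory of 2664 N/A C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2820 N/A C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
PID 2544 wrote to memory of 2428 N/A C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2036 N/A C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
PID 2820 wrote to memory of 2452 N/A C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2788 N/A C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
PID 2036 wrote to memory of 2896 N/A C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 1116 N/A C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 2600 N/A C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
PID 1116 wrote to memory of 2604 N/A C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2940 N/A C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
PID 2600 wrote to memory of 880 N/A C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe C:\Windows\SysWOW64\cmd.exe
"""

WPM_ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)")
# A GUID-named executable directly in the Windows root, the naming every stage uses.
STAGE_IMAGE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)


def parse_edges(text):
    """Return ({(src_pid, dst_pid): times_recorded}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def root_pid(edges):
    """The one writer that is never itself written to: the submitted sample."""
    written_to = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in written_to})
    if len(roots) != 1:
        raise ValueError(f"expected a single root, found {roots}")
    return roots[0]


def dropper_chain(edges, images):
    """Ordered PIDs of the stage-to-stage chain: from the root, follow the single
    non-cmd child of each stage until a stage has no such child."""
    chain = [root_pid(edges)]
    while True:
        nxt = [dst for (src, dst) in edges if src == chain[-1] and not is_cmd(images[dst])]
        if not nxt:
            return chain
        if len(nxt) > 1:
            raise ValueError(f"PID {chain[-1]} wrote to several non-cmd children: {nxt}")
        chain.append(nxt[0])


def self_delete_spawns(edges, images):
    """{stage_pid: cmd_pid} for every stage that launched a cmd.exe helper."""
    return {src: dst for (src, dst) in edges if is_cmd(images[dst])}


def unexpected_targets(edges, images):
    """Write targets that are neither a GUID-named stage nor cmd.exe. An empty
    list means no write into a pre-existing, unrelated process was recorded; the
    table cannot tell whether the writes into a freshly launched child are ordinary
    process-creation writes or a hollowing of that child."""
    return sorted({dst for (_, dst) in edges if not (is_cmd(images[dst]) or STAGE_IMAGE.match(images[dst]))})


if __name__ == "__main__":
    edges, images = parse_edges(WPM_ROWS)
    for pid in dropper_chain(edges, images):
        print(f"{pid:>5} {images[pid]}")
    print("self-delete helpers:", self_delete_spawns(edges, images))
    print("unexpected targets:", unexpected_targets(edges, images))
```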

Processes

Parent PIDs are taken from the WriteProcessMemory table above, which ends at PID 2940; the last three stages and their helpers therefore carry no PID. Each stage launches the next GUID-named stage and a cmd.exe that deletes the stage's own image; the helper is listed under the stage that launched it. Two details matter when matching this against endpoint telemetry: the helper's image is C:\Windows\SysWOW64\cmd.exe although its command line names system32, because the 32-bit parent is subject to WOW64 file system redirection, and del is given the 8.3 short name (2024-0~1.EXE, {AE4CE~1.EXE and so on), so a search for the full GUID filename in command lines misses these deletions.

C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe (PID 2368)
  "C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
  C:\Windows\SysWOW64\cmd.exe (PID 2112, parent 2368)
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe (PID 852, parent 2368)
  C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2664, parent 852)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4CE~1.EXE > nul

C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe (PID 2544, parent 852)
  C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2428, parent 2544)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07E15~1.EXE > nul

C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe (PID 2820, parent 2544)
  C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2452, parent 2820)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6F24C~1.EXE > nul

C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe (PID 2036, parent 2820)
  C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2896, parent 2036)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2470~1.EXE > nul

C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe (PID 2788, parent 2036)
  C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2716, parent 2788)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12D27~1.EXE > nul

C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe (PID 1116, parent 2788)
  C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2604, parent 1116)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32703~1.EXE > nul

C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe (PID 2600, parent 1116)
  C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
  C:\Windows\SysWOW64\cmd.exe (PID 880, parent 2600)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2746D~1.EXE > nul

C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe (PID 2940, parent 2600)
  C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
  C:\Windows\SysWOW64\cmd.exe (no PID recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B834~1.EXE > nul

C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe (no PID recorded; dropped by the {9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E} stage)
  C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
  C:\Windows\SysWOW64\cmd.exe (no PID recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{019F3~1.EXE > nul

C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe (no PID recorded; dropped by the {019F3C91-6F1A-4f21-87A4-8A5903704DB3} stage)
  C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
  C:\Windows\SysWOW64\cmd.exe (no PID recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E39D~1.EXE > nul

C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe (no PID recorded; dropped by the {6E39DDC6-65E2-4d09-857A-B99563E4B957} stage)
  C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe
  No helper cmd.exe and no further stage are recorded for this process before the run ended.

Network

N/A

Files

All eleven dropped stages carry different hashes, so the hash of any one stage is a weak indicator for the rest of the chain; the stable indicators are the C:\Windows\{GUID}.exe naming, the Active Setup StubPath entries and the cmd.exe /c del pattern recorded above.

C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe

MD5 da816347c1013cfa70d2ebe71552991d
SHA1 24046358bee3c6e74202bfd40e95bd50bd246bb6
SHA256 821fa7840ac63da0fa1b55efa79f7c11b0044f7f3e01940cafaed3b3bf8ae405
SHA512 9cc80dae8a7595f1f592f6ecc9314783d5d35a39bb6b91b024265d815bff9a70d789347454df351d505bc70804eb77521376ec06d228b93d72c637280b1e1ea2

C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe

MD5 fcc76f62220ac0e273afc83c450419eb
SHA1 472e8b3b030577072e7a236e820535ea9c5a756e
SHA256 14611197552b7b0455564a8e6ac2647758376a91266859b99639dc3523cf6a6c
SHA512 a5cc822187ac9a331d7e19646825ac607577e17269f24bcee55c5ab73af268e1a6c7b1f5a65fba605860aa8bcc5e6e7153cc4f9aa675d0460672233814912e8a

C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe

MD5 4ec2d8c10373c496f77aff3c54e3ffea
SHA1 ac4a3edfabd218da480672a829ed48a6470fc2ce
SHA256 4d6818b7694ac9a2960a9685825c15d45a2d38357d62e33bcc933ed804aeb3a5
SHA512 3d07243823a9d779c9c3cbefefe6932c575e86a44a99dd3de8784fba7406fe9a19f5232ca0d625c8d0bc5666f8985defc6c9a8084cea63e1f5cefc22edc4460a

C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe

MD5 0a1989b04d1f92d1741d4d9c3eef5ad8
SHA1 0600da15f20bc802af832c455d06107e6e3d7d7e
SHA256 eb7ecd5b6eb02d44d797cd9e72e4b1e1c8395b287248ad232d160741259e80fd
SHA512 1a474dfb12e9de9044a3f9e7dda99d7daefb468e89905e272d74207c9a596268f6859e2c9c7d1fa1513e8e0b25475af64cee3e0548fbea877d7a9ebb5afe07cb

C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe

MD5 b17387195f4f5fa928621ba6f145506e
SHA1 1d632f21e5342fc817f29c6d5098b42f683fa6a6
SHA256 1c6d498f3b55eaab7d5534e16721f3d1c3553c9d4100c2e72ac9f4ffea4d7388
SHA512 2782bd4f5d0251b0f1658753bbf8111bc978ab5fd5f18640e67e48ac18240217dd3b91e245095cfea3f4e94348b20b160034d4c6ee7dfca2e22ae9dc6be74ba2

C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe

MD5 ba6399440727e6fde997e76d9edce870
SHA1 484a44d10205bf1e225014551661baf802c5d091
SHA256 87ac8c5685d21226d25e9748c92915aca9788ad7fd2649599cd0c152d5a2d6b0
SHA512 9d54049c61894499d17191e635c418f8671d52a7af48a7ce7b1babb351ad1d3d8db173a90966c7acb26274bed1be8e95210a949ef887526f2542b3b71b340d1f

C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe

MD5 956755c3bd08eacf22f37378fa468ce4
SHA1 9f0e14720df41b06a5f8741307623a7aba27ba42
SHA256 bb642811efa6bc6813056b207e13a1f70140ebd1d1d40a38b84c15a04fa28a11
SHA512 741b42446f74aa5eca458735fb049342a4b7411bfea946b8103c186c0a3d8d5a86e6789a9bef38e7827108011f4ec420b1a6375cdc134cf6b44ddff15746ca50

C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe

MD5 2d7ee6f42bcb302c56fb9405b9964661
SHA1 b11280e53cfa351fc48e755f6f9063464244e9df
SHA256 1b0bb2ecf75f63722f5b054828c5a28bbce5b045e93db71c1039b15658d670fc
SHA512 38e23e44dc62160e73610bfe024ccf89e0573b3fd62e6d37958fc0b45bdc290cb96ee48131efb19c1927a77b48b0a74f6e4441328c557ca175cdf3d1a4201296

C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe

MD5 e52e3649da71475abb261e2dda37fa0a
SHA1 c442fb2123bc7be8e8c69855b3246f10f7709501
SHA256 ccde3e736ea1d2a787cc40d27a3ff31ad8810a2909ecafa44f3f22a5eac03eec
SHA512 6bcebbf23af1c58d9314f42f4905af1fa3b34d13abbaf31ad7d1e0c22d17f39d47d8ca9e946bd657385ad6a30d91cb133e3af82d4ef1778e535a547780ee6e74

C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe

MD5 bf9e801f4e10fa6d8bd791a5df81b479
SHA1 69c9190fe5c56a224b3d970e5b3a05a55cdebee7
SHA256 f626653ceca8c02588f1169d635508a5bef8b895de91a232a4bb0d2a8943168b
SHA512 0fe72330fdde0571d2e8b0a6eeae72891e28d71c92720d246e565ecd9fa0e9dc33177f157df8229382581cc75a0bfe1a0ddf4acdb6954da55206cbf9b79e7794

C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe

MD5 92e021b594efea11035e5a1f6f8f9214
SHA1 b16e290caf89e2ec4a25071e2792744ed0e37905
SHA256 bbc65b7decb29e5f6192c30288a5408ae137288da509617890e7496c8bf72f3b
SHA512 9bc0c096cae020689862937df90c24e0da8354d0c0c1da0d8215d5e9a131b6c878f9a5cc68421f6624ba3f6478e408cf8667abf1df1e6bf283859770b9c41462