Malware Analysis Report

2025-03-14 23:43

Sample ID 240407-w1tbqsbc46
Target 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye
SHA256 eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3

Threat Level: Known bad

The file 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:23

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
12 hits, all four fields N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}\stubpath = "C:\\Windows\\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe" C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1D38934-28D1-44e9-AE67-2158241E5D40}\stubpath = "C:\\Windows\\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe" C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F} C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B21AB4-3146-494c-B43E-9B5541D83E04} C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D} C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}\stubpath = "C:\\Windows\\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe" C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}\stubpath = "C:\\Windows\\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe" C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0} C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}\stubpath = "C:\\Windows\\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD14D6EB-1968-4b20-82E4-5159168E442E}\stubpath = "C:\\Windows\\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe" C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}\stubpath = "C:\\Windows\\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe" C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478CFFF3-CD2A-4435-99E9-F3D2B0853296} C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E} C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}\stubpath = "C:\\Windows\\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe" C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}\stubpath = "C:\\Windows\\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe" C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD14D6EB-1968-4b20-82E4-5159168E442E} C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE} C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2} C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1D38934-28D1-44e9-AE67-2158241E5D40} C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E06F327-5D4F-4e68-8387-1D5328A27369} C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E06F327-5D4F-4e68-8387-1D5328A27369}\stubpath = "C:\\Windows\\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe" C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}\stubpath = "C:\\Windows\\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe" C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B21AB4-3146-494c-B43E-9B5541D83E04}\stubpath = "C:\\Windows\\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe" C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A} C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
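The rows above are flattened, but they carry the whole structure of the infection: every stage writes an Active Setup entry whose GUID is the name of the executable it has just dropped into C:\Windows, so the Process column of row N is the StubPath of row N-1. Active Setup runs each HKLM Installed Components StubPath at the next interactive logon of any user who has no matching HKCU marker yet, which is what makes the tag "persistence". The WOW6432Node branch appears because the sample is a 32-bit process and registry redirection sends its HKLM\SOFTWARE writes there. The script below is an added example, not part of the sandbox report: it parses the twelve "Set value (str)" rows copied from this table, follows writer to StubPath from the submitted sample, and flags the three traits that make each entry suspicious (stub dropped directly in the Windows directory, stub named as a bare GUID, key GUID identical to the stub file name). The row format it parses is the one shown on this page; the regex accepts the lower-case Wow6432Node spelling of the win7 table as well.

```python
"""Rebuild the stage chain from the 'Modifies Installed Components' rows of this report."""
import re
from dataclasses import dataclass

# Sample input copied from the behavioral2 table above (the 12 "Set value (str)" rows).
KEY = r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
STUBPATH_ROWS = [
    'Set value (str) ' + KEY + r'\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}\stubpath = "C:\\Windows\\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe" C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe N/A',
    'Set value (str) ' + KEY + r'\{E1D38934-28D1-44e9-AE67-2158241E5D40}\stubpath = "C:\\Windows\\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe" C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe N/A',
    'Set value (str) ' + KEY + r'\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}\stubpath = "C:\\Windows\\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe" C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe N/A',
    'Set value (str) ' + KEY + r'\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}\stubpath = "C:\\Windows\\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe" C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe N/A',
    'Set value (str) ' + KEY + r'\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}\stubpath = "C:\\Windows\\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A',
    'Set value (str) ' + KEY + r'\{FD14D6EB-1968-4b20-82E4-5159168E442E}\stubpath = "C:\\Windows\\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe" C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe N/A',
    'Set value (str) ' + KEY + r'\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}\stubpath = "C:\\Windows\\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe" C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe N/A',
    'Set value (str) ' + KEY + r'\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}\stubpath = "C:\\Windows\\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe" C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe N/A',
    'Set value (str) ' + KEY + r'\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}\stubpath = "C:\\Windows\\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe" C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe N/A',
    'Set value (str) ' + KEY + r'\{2E06F327-5D4F-4e68-8387-1D5328A27369}\stubpath = "C:\\Windows\\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe" C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe N/A',
    'Set value (str) ' + KEY + r'\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}\stubpath = "C:\\Windows\\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe" C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe N/A',
    'Set value (str) ' + KEY + r'\{73B21AB4-3146-494c-B43E-9B5541D83E04}\stubpath = "C:\\Windows\\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe" C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe N/A',
]
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe'

GUID = r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\(?P<guid>' + GUID + r')'
    r'\\stubpath = "(?P<value>[^"]*)" (?P<writer>\S+) N/A$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Stage:
    key_guid: str   # GUID of the Installed Components subkey
    stub_path: str  # StubPath value with the sandbox's doubled backslashes undone
    writer: str     # process that wrote the value, i.e. the previous stage


def basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_stubpath_rows(rows):
    stages = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError('unrecognised row: ' + row[:60])
        value = m.group('value').replace('\\\\', '\\')  # "C:\\Windows\\x" -> C:\Windows\x
        stages.append(Stage(m.group('guid'), value, m.group('writer')))
    return stages


def suspicious_traits(stage):
    """Traits of this sample's persistence entries; a vendor StubPath normally has none."""
    traits = []
    directory, _, name = stage.stub_path.rpartition('\\')
    if directory.lower() == r'c:\windows':
        traits.append('stub dropped directly in C:\\Windows')
    if re.fullmatch(GUID + r'\.exe', name, re.IGNORECASE):
        traits.append('stub named as a bare GUID')
        if name[:-4].lower() == stage.key_guid.lower():
            traits.append('key GUID equals stub file name')
    return traits


def build_chain(stages, root):
    """Follow writer -> StubPath starting at the submitted sample.

    Each stage registers its *child*, so the writer of stage N's key is stage N-1's
    executable.  Stops on an unknown writer or a cycle."""
    by_writer = {}
    for s in stages:
        if s.writer.lower() in by_writer:
            raise ValueError(s.writer + ' registered more than one child')
        by_writer[s.writer.lower()] = s
    chain, current, seen = [], root.lower(), set()
    while current in by_writer and current not in seen:
        seen.add(current)
        stage = by_writer[current]
        chain.append(stage)
        current = stage.stub_path.lower()
    return chain


if __name__ == '__main__':
    for i, s in enumerate(build_chain(parse_stubpath_rows(STUBPATH_ROWS), SAMPLE), 1):
        print(i, s.key_guid, '<-', basename(s.writer), suspicious_traits(s))
```

Run stand-alone it prints the twelve stages in execution order, {93ECBC45-...} first and {73B21AB4-...} last, each carrying all three traits. Swapping in the rows from the win7 run below gives that run's chain the same way.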

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe N/A
File created C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe N/A
File created C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe N/A
File created C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe N/A
File created C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe N/A
File created C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe N/A
File created C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe N/A
File created C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe N/A
File created C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe N/A
File created C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
File created C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe N/A
File created C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
PID 4500 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
PID 4500 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
PID 4500 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 2808 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
PID 3832 wrote to memory of 2808 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
PID 3832 wrote to memory of 2808 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
PID 3832 wrote to memory of 1296 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 1296 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 1296 N/A C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4644 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
PID 2808 wrote to memory of 4644 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
PID 2808 wrote to memory of 4644 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
PID 2808 wrote to memory of 2784 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2784 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2784 N/A C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4488 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
PID 4644 wrote to memory of 4488 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
PID 4644 wrote to memory of 4488 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
PID 4644 wrote to memory of 4960 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4960 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4960 N/A C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3496 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
PID 4488 wrote to memory of 3496 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
PID 4488 wrote to memory of 3496 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
PID 4488 wrote to memory of 3240 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3240 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3240 N/A C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 3204 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
PID 3496 wrote to memory of 3204 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
PID 3496 wrote to memory of 3204 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
PID 3496 wrote to memory of 4400 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4400 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4400 N/A C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 4848 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
PID 3204 wrote to memory of 4848 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
PID 3204 wrote to memory of 4848 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
PID 3204 wrote to memory of 4876 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 4876 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 4876 N/A C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4756 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
PID 4848 wrote to memory of 4756 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
PID 4848 wrote to memory of 4756 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
PID 4848 wrote to memory of 3604 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3604 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3604 N/A C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 3372 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
PID 4756 wrote to memory of 3372 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
PID 4756 wrote to memory of 3372 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
PID 4756 wrote to memory of 4956 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4956 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4956 N/A C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 4900 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
PID 3372 wrote to memory of 4900 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
PID 3372 wrote to memory of 4900 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
PID 3372 wrote to memory of 3648 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 3648 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 3648 N/A C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2104 N/A C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
PID 4900 wrote to memory of 2104 N/A C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
PID 4900 wrote to memory of 2104 N/A C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
PID 4900 wrote to memory of 2796 N/A C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"

C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe

C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe

C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECB~1.EXE > nul

C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe

C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FD14D~1.EXE > nul

C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe

C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38CCB~1.EXE > nul

C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe

C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{478CF~1.EXE > nul

C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe

C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02BB0~1.EXE > nul

C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe

C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35A60~1.EXE > nul

C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe

C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D53~1.EXE > nul

C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe

C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D38~1.EXE > nul

C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe

C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E06F~1.EXE > nul

C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe

C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D45A~1.EXE > nul

C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe

C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3C3~1.EXE > nul
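Two details in this process list matter for detection. First, every stage removes itself by spawning cmd.exe with `/c del <own path> > nul`, and the path is given as an 8.3 short name (`{93ECB~1.EXE`, `2024-0~1.EXE`), so a rule that looks for the full GUID file name in the command line never fires. Second, the image is C:\Windows\SysWOW64\cmd.exe while the command line says system32: a 32-bit parent launching cmd gets the WOW64 copy through file-system redirection, so match on the image name, not on the directory. The code below is an added example, not from the report: it runs two rules over process-creation events constructed from the rows above (Sysmon Event ID 1 style fields; the sample's own parent is not in the report and explorer.exe is assumed; the two benign events are padding). The first rule flags a GUID-named executable running from the root of C:\Windows, the second flags a cmd.exe `del` whose target resolves, via a simplified 8.3 name heuristic, to the parent process's own image.

```python
"""Detect GUID-named stages in C:\\Windows and self-deletion via cmd /c del <8.3 name>."""
import re

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe'
STAGE1 = r'C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe'
STAGE2 = r'C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe'
WOW_CMD = r'C:\Windows\SysWOW64\cmd.exe'

# Constructed events built from the Processes list above.  explorer.exe as the
# sample's parent is an assumption; the last two events are constructed benign noise.
EVENTS = [
    {'image': SAMPLE, 'parent_image': r'C:\Windows\explorer.exe', 'cmdline': '"' + SAMPLE + '"'},
    {'image': STAGE1, 'parent_image': SAMPLE, 'cmdline': STAGE1},
    {'image': WOW_CMD, 'parent_image': SAMPLE,
     'cmdline': r'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul'},
    {'image': STAGE2, 'parent_image': STAGE1, 'cmdline': STAGE2},
    {'image': WOW_CMD, 'parent_image': STAGE1,
     'cmdline': r'C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECB~1.EXE > nul'},
    {'image': r'C:\Windows\System32\cmd.exe', 'parent_image': r'C:\Windows\explorer.exe',
     'cmdline': r'cmd.exe /c del C:\Users\Admin\Desktop\old.log > nul'},
    {'image': r'C:\Windows\System32\notepad.exe', 'parent_image': r'C:\Windows\explorer.exe',
     'cmdline': 'notepad.exe'},
]

GUID_EXE_IN_WINDOWS = re.compile(r'^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe$', re.IGNORECASE)
DEL_CMD = re.compile(r'cmd\.exe"?\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$', re.IGNORECASE)
# Characters Windows keeps in an 8.3 name; anything else becomes an underscore.
ILLEGAL_83 = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def basename(path):
    return path.rsplit('\\', 1)[-1]


def dirname(path):
    return path.rpartition('\\')[0]


def _split_ext(name):
    base, dot, ext = name.rpartition('.')
    return (base, ext) if dot else (name, '')


def may_be_short_name_of(short_name, long_name):
    """Heuristic: could the 8.3 alias `short_name` refer to `long_name`?

    Windows derives the alias from the first six legal characters of the upper-cased
    base name (periods removed, illegal characters replaced by '_'), a tilde, a
    collision counter, and the first three characters of the extension.  The counter
    depends on directory history, so only the prefix is compared.  Names that already
    fit 8.3 have no alias and are compared for case-insensitive equality."""
    s, l = short_name.upper(), long_name.upper()
    if s == l:
        return True
    s_base, s_ext = _split_ext(s)
    l_base, l_ext = _split_ext(l)
    m = re.fullmatch(r'(.{1,6})~\d+', s_base)
    if not m:
        return False
    legal = ILLEGAL_83.sub('_', l_base.replace('.', ''))
    return legal.startswith(m.group(1)) and l_ext[:3] == s_ext


def detect(events):
    """Return (rule, detail) tuples for every event matching either rule."""
    findings = []
    for ev in events:
        if GUID_EXE_IN_WINDOWS.match(ev['image']):
            findings.append(('guid_exe_in_windows_root', ev['image']))
        m = DEL_CMD.search(ev['cmdline'])
        if m:
            target, parent = m.group('target'), ev['parent_image']
            if (dirname(target).lower() == dirname(parent).lower()
                    and may_be_short_name_of(basename(target), basename(parent))):
                findings.append(('self_delete_via_cmd', parent))
    return findings


if __name__ == '__main__':
    for rule, detail in detect(EVENTS):
        print(rule, detail)
```

On the constructed events this yields two hits per rule: both dropped stages for the first, and both the sample and {93ECBC45-...}.exe deleting themselves for the second; the benign `del old.log` from explorer.exe is not reported because the target does not resolve to the parent's image.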

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp

Files

C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe

MD5 92260aad30abc24d4d2867afaa505ce9
SHA1 1df1f4a694af652584907a3c5b345974f3e40428
SHA256 d631c247f56230d194dfbb762a4d951125faa05408a76401198c0ea07f202516
SHA512 bc37a39f597c411bf76f71d69ed1c7be85a1407b1be167e8efb676c6d42851b7ad52b0b7b4962a8f2a14be9da10e949f7cd3cd9340a8481fa15a2f98bc6da336

C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe

MD5 5615a4d17c4d6cea9351113073262b88
SHA1 fb56aaa89c14305a18f4abfec4896be05c088f95
SHA256 cc14e8a1b82f9129745fc36b4fe11d05d09ca7f5df995ec9d8591fd8b6fd3563
SHA512 2eb625299608ee3fc8f4dfa51bdca07a1479acdc4c0fd8c3ad11f74f1e64a0184e1d2ad1a3cecd7c1d7fe4e7860c1dee4fc7e758bf8f482231bfcd96251389a9

C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe

MD5 018533f2a5c4df62a711ab7d535812dd
SHA1 7d2c4954b2eff5890e64d0c9a4acb200fd2d8ea7
SHA256 a870090c75cbebdfc8e7baf15e263a851dfcd8d9728d07ac0d523d479e429a0b
SHA512 1c07886fdfc9d82ac2a89a4f43eb67e09753b37109d3704580a2836eb7e3b0e265418928630ee28060625c5564f5178fff5bd5753ddc6808e52f44838e14ba8a

C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe

MD5 14523da205c2d3bdfc27917b8654c3a3
SHA1 25eeba50e052500db4f644c47b029347ccb82543
SHA256 1cadcf5ce6457158444b2829d10dc8a65f0c88498ad31e1162ecb64744e93285
SHA512 1e21566c55ce16a1001c617194175cb60eea1addd3054d62827ca4e298809b3e09e8545c0ef13ee23cb594e47bd3fae45ae6484d0e145e95096b51d97e8c4bc9

C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe

MD5 442ba02b0fc60d8ec9025a3de7a40621
SHA1 e2e971882a86c71df35822ef6cedd79e1c6dc4ac
SHA256 a7212fb19199a9cd6a538ff07e0ef5a4b90f8fe59e91dd03307aee9343ecc462
SHA512 982e6a79d31fc13e75ae0d645dff4ab7570581637576943d8e32769dc7aec51a6511c169e03fd37e74eca36d42cfd33270cc454fe05779eb9e816c825a65c38a

C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe

MD5 a820386440c8597080a7510793a4d722
SHA1 e84cd5a5136f5f475a9cf0e32c9e97ba66390c35
SHA256 0b8e69fb07a8d2684462ebabb3b8170f52f1862682eda6c27a2b3fd0431b5ab8
SHA512 7ec013fc6217686ab8fc755a911123ffa4fbb99cb3564344359bc12ec80a3b60fa944f38287cbbda0a90b8f3b02d4d4eb626d1497ba2517d460c29feab61d27d

C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe

MD5 123fe34a2bd0b0bee2518ac2b0e11567
SHA1 b6887013c8ec63f52c769d0ce24936eab057e8a0
SHA256 987b7f223f4a06e63dac73ef1a934ea2073c24b23a30d346dfbe008a82d277c1
SHA512 164ff8cfeff64213cbb428b5599d2bc8e4cd3349b260bd41b32150db8e80acb87287eee2593350df47b5b7d143ee390916e395efc519b938fc23e2c1c7a2861a

C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe

MD5 f7fb956999653c261c27295a0a3d7edf
SHA1 41e51c1f0529987f83b62d48813f4d4952bfd5fe
SHA256 d9f2f990b6dc806da9360ef1fd3c69f7e496b42ff0569ceabe05acb20af7230e
SHA512 d9a5e36665a574575880405043c5a732ebf14d8a39ac43d3152c579001decc849276af2f9b3b12529f4bacbb10bb9916acae3da9953a4d1e155daaae631a4662

C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe

MD5 cac6a19afb5a85b397b20ab2c55667be
SHA1 b89070a24d8a33bbb3b799856fc8d0a91e6a1cbe
SHA256 16856d1e09482f808f79cf63d00b82ef093fdece23a340bacc88bf90d6579744
SHA512 5d0310eef18cd25d12256079739264b6987d3c96035949652a66de5fd2ef5f74672f7db5aadccc72be8e553812f343bfa3f43c1d381d3b5cb647a74496ec7e37

C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe

MD5 6f709c40613213d9697bae4d07aefd52
SHA1 8e40d14cfb7d59ff4615e2d95d87d8049b21e905
SHA256 029b9bacec91a9e24abec7a8ed75620ca94d4fec3624c29c42cce5fb2f431914
SHA512 68dba71f7058d705c47a3ee0748f4ef5b4bae067340758332703658c7444c9c2f0b028f313aa96080de1247d79ca0cd21c61f0542ccc4d874eb3d2f451ef7570

C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe

MD5 9cc922f34c35da7811305abe5d5d9d8a
SHA1 20a187ed0742238eba88cd2f6e954acdbf4ce93c
SHA256 1d8f18a26802c29a40ceae2225eb93d02efcfcef78f757bf19b1e912463e6ed2
SHA512 9d1a9650813d040eefcf6e1a2f746226feeacdb2355b940ab6089301c380730b71a31455d60ed794e92c817a27c950dd9e0d5b09cbc389d9feb1d0073b6ad303

C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe

MD5 5de47c55a843866b26900c5e72b932db
SHA1 80d5e75394f7b8f0e7baeb9c652ff95476e9f2a3
SHA256 fd8f7722f687e73dc8fb222e2bb62b573375c79f242ec08de4c6770948a6407a
SHA512 e01aa63e36ce4b6057b8be4533f2fd3fdac0631ebafef1e10ecedeb4c82910848b5f180e1cf06d806b17a630e05adacd34e718933979c9a0111dca8ae8efe78a

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
11 hits, all four fields N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87} C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6420383-AB6A-4459-9096-2E40920878A7}\stubpath = "C:\\Windows\\{E6420383-AB6A-4459-9096-2E40920878A7}.exe" C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}\stubpath = "C:\\Windows\\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe" C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}\stubpath = "C:\\Windows\\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe" C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64038816-6A41-410c-830D-3310D11BCF74} C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D45D587-C400-4b07-9134-FCC176FC66A3} C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D45D587-C400-4b07-9134-FCC176FC66A3}\stubpath = "C:\\Windows\\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe" C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F} C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A} C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}\stubpath = "C:\\Windows\\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe" C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF432A0C-D213-4d50-BB60-63F4C97E296E} C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF432A0C-D213-4d50-BB60-63F4C97E296E}\stubpath = "C:\\Windows\\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe" C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA} C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64038816-6A41-410c-830D-3310D11BCF74}\stubpath = "C:\\Windows\\{64038816-6A41-410c-830D-3310D11BCF74}.exe" C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}\stubpath = "C:\\Windows\\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe" C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6420383-AB6A-4459-9096-2E40920878A7} C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E27CE6-1188-420c-AEF7-6047D39942AE} C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E27CE6-1188-420c-AEF7-6047D39942AE}\stubpath = "C:\\Windows\\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe" C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5} C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}\stubpath = "C:\\Windows\\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}\stubpath = "C:\\Windows\\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe" C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02} C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe N/A
File created C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe N/A
File created C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe N/A
File created C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe N/A
File created C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe N/A
File created C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe N/A
File created C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe N/A
File created C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe N/A
File created C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
File created C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe N/A
File created C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
PID 2460 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2472 N/A C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
PID 2608 wrote to memory of 2852 N/A C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2660 N/A C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
PID 2472 wrote to memory of 600 N/A C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2716 N/A C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe
PID 2660 wrote to memory of 2584 N/A C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1656 N/A C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
PID 2716 wrote to memory of 1624 N/A C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 948 N/A C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
PID 1656 wrote to memory of 1780 N/A C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 1608 N/A C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
PID 948 wrote to memory of 1456 N/A C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1128 N/A C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
PID 1608 wrote to memory of 1440 N/A C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"

C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe

C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe

C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8470E~1.EXE > nul

C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe

C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7D93E~1.EXE > nul

C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe

C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51A55~1.EXE > nul

C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe

C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64038~1.EXE > nul

C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe

C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D45D~1.EXE > nul

C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe

C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9E609~1.EXE > nul

C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe

C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A26BE~1.EXE > nul

C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe

C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FF432~1.EXE > nul

C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe

C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6420~1.EXE > nul

C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe

C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFFD~1.EXE > nul

Network

N/A

Files

C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe

MD5 f4a8e845859d14c6ffadf3779ef2e731
SHA1 fb67091e6b293fe97b01448f1ea676b81b6e92c8
SHA256 1b74d76ddd26a36b6b04fa1305068177cb74621e6996ced4e3b442bb4b0813bc
SHA512 584e1956516c4635fd3377a5046db617d5c96af7dd8b30fe70dcdd984927d42778d8515bbdfa1c349d61801507b760b06b04d08bc11f9e067533008ff1f33881

C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe

MD5 65f7c2942d872112124195b593d9433d
SHA1 9c07dbb1e374a0e37284ccabecf294d0ff02a168
SHA256 9051c6af65f837a55ca1f54fd651933e0b04c4ea119180c4d8312c64bae64560
SHA512 3ff17a6b09e4597eaf7e8830f83bcafdf88dbf2efdb69a9f00e2fcc0def078ae9824659392c31b12f7caa4ddfcb0ce8b7503366ed082004e7d7e36e0207b6e37

C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe

MD5 ecb1a9eb50098d769eb13c67a7511256
SHA1 337e7f7804c208048d47a1e8a7ae12b29ea42e66
SHA256 d2422ada1c1385300f8a878db5b8ed31d8985aa69a438e308475527b24b7fce9
SHA512 4b0f32ad0aada592fcc5ee22ac3997c2f47b1792ce9c8ddbba8da55b814c5bedd15f28092942eff62048fbc7bee8ae78d496ac0ced34572027e72b5eddfce86c

C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe

MD5 9fbc6ccae42d24ac96aa3d4fc68eeaf3
SHA1 12166e5ccf5f6132c8e6469d432b2e5c9487bc21
SHA256 f79ddc955e9741e0f8ecc11057a82a6fdb99ba494b716d249c47551811d81241
SHA512 3295b8d4a0562344c6acb5dbb66597813ddd3d2a9ec7d7adbeaf330c052118258e2afd14cb00209099fcbcce20fb7135e76308855af712c978af577a0d9b2ea5

C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe

MD5 c5ccbc5ee89aea588b524d942ee03a2f
SHA1 8781e754a25ca036f3b349296bb01c8021f4b236
SHA256 886cd89cf2969aa13236b1bc3402815f762d5a621e0e13fef184267ada09606f
SHA512 76c5bb2d51d1c839f86e9d6dd3909ba08c47d1b88cb5dcee145c6f2b4de59ec0b288cbc91e2037ddc3b3a60cd266b409721b61b1ae5617ebe154a8ce36d9093c

C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe

MD5 a1273f46227b4e757098b20c35cb53c3
SHA1 801a04bf7de8115408d0215c166e11868886c1cd
SHA256 73e9c6b778f01d11e6bfb30a846fd51af219466d130627239d579012c9f2f37a
SHA512 ed36743e618cec74b651d38b6c42cf65fde3d14c5a4c8af1cd7180009f6a40d56e876a68e42a9f701da1ca5de0fe994fa3b9b1e42c3a7332717f21c0f8f09957

C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe

MD5 6350e1b5b1ae3574fafaf564160ebc70
SHA1 250c3862efb21834c3ecaf47e8566e75b41dbbb1
SHA256 cf05edbe421a3bbee08f6f146eb384a605c42adf8a764d109de1b9a69aedebe0
SHA512 4174a8b9670875ce4a7b791f2333b8dfb68ecfb27ac440034d8778d240297ccc6838599d3946b7cdba57a7e74e6dc711f0c89c887ed5953e4120e330ce1f4592

C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe

MD5 45437f355196faf835ea5416c7db2c51
SHA1 fd2d5d061f49e625713c32eb96020ea7e3c7f01a
SHA256 1d23b586fc15cc5c57e3fb8e4877786605874abb3b989953611f3e8c5b6cbc88
SHA512 2215a8bdfce6197cf5e26d97316190669fb1de000edd2505392089b845dbecf62b0227700c8573f6f0daf5843b7bcf1bce61db1c70128742c13b8fe00394b625

C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe

MD5 2e706ee3fd9da98ba0ef0e2bbede2b92
SHA1 08fd3cd7c6cba9c60534093c9b1d6061341ca470
SHA256 e30c37b886079a605c55ffc78468e498024b539ac856b23d55cd5c11ae8881c0
SHA512 e9b9778864b62583e69bd965de358dc38a260da7fa1ba08594ae77dd42c4d6c3f07fef3707cd92df59b0f4919b3b5c8a24fe0f7c7b51185412467f2a7be1e59f

C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe

MD5 80381f9ac50e64ab0493c081315b6eb9
SHA1 3bcf1b50614b62d89cab23b3a2b808f3a6bf09b7
SHA256 21190f29e8894cc0e71e4ddca2a56e4897c977d05052d1e987cdfc58ce53ec83
SHA512 f4c96620c3a0928d021e2a780ff53a563479725bbe32ea712dafacd7de509fc171567e008c6298776095e5c978979737c25f92ebb3237decf66047ea0a9057c9

C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe

MD5 7a3ff86e790b353c3a26167391dd4817
SHA1 29e40afecb7c11d759b51f62ee778a48b93b9a5f
SHA256 125d2c028bc0492cf44ab4c1c88219fb0dd4f55e96b1c48f808c47dc3e81970b
SHA512 4d745518f64bc10d0defe3c252ea1aa869df28901fd7e369446aa03658aa88afc61518fd2eae3d58307c18b93bd66660a4ff163003e48ba29084565f32e06414