Malware Analysis Report

2025-03-14 23:41

Sample ID 240407-w22phaah9t
Target 2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye
SHA256 f2b44abd30904b50805d71b4f7b02f24df41facc12957cecdeb3a639eaee6116
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

f2b44abd30904b50805d71b4f7b02f24df41facc12957cecdeb3a639eaee6116

Threat Level: Known bad

The file 2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:25

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:25

Reported

2024-04-07 18:28

Platform

win7-20240221-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}\stubpath = "C:\\Windows\\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe" C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDFAF99-AB3C-4529-8F04-26286F8B8905} C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0} C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}\stubpath = "C:\\Windows\\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe" C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A93BDCD-5226-4667-A30F-2BE209D50C75}\stubpath = "C:\\Windows\\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe" C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}\stubpath = "C:\\Windows\\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe" C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9344C5D5-697B-474a-8997-4EB3EBE8464C} C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5089361-CC2A-4bef-80B3-0233B276184C}\stubpath = "C:\\Windows\\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe" C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}\stubpath = "C:\\Windows\\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe" C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E278EF-4F75-4349-9203-CA828B49CD81}\stubpath = "C:\\Windows\\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe" C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8} C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1} C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12BD913B-9C21-46e0-9954-851E72A3B806} C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}\stubpath = "C:\\Windows\\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5089361-CC2A-4bef-80B3-0233B276184C} C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A93BDCD-5226-4667-A30F-2BE209D50C75} C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5} C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9344C5D5-697B-474a-8997-4EB3EBE8464C}\stubpath = "C:\\Windows\\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe" C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738F6632-8380-4cc0-8B30-2018B3D646B4} C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738F6632-8380-4cc0-8B30-2018B3D646B4}\stubpath = "C:\\Windows\\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe" C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E278EF-4F75-4349-9203-CA828B49CD81} C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12BD913B-9C21-46e0-9954-851E72A3B806}\stubpath = "C:\\Windows\\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe" C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe N/A
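The table above is the whole persistence mechanism, so it is worth making the pattern explicit. Active Setup (ATT&CK T1547.014) keys live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}; at each interactive logon Windows compares them against the user's HKCU copy and runs the StubPath command, as that user, for every GUID the user has not yet "seen". The sample is 32-bit, so its writes land under Wow6432Node and its helper cmd.exe runs from SysWOW64. Each stage registers a StubPath for the next stage rather than for itself and (see "Deletes itself" and the Processes list) removes its own image after launching the successor, so when the chain stops only the last stub still exists on disk and every earlier StubPath value dangles. Both kinds are hunting signals. The Python below is an added example, not part of this report or of the sample: it parses the rows exactly as they appear above (copied into REGISTRY_ROWS), flags StubPath values that point at a GUID-named executable dropped directly in C:\Windows, and follows the writer-to-stub links to recover the stage order. The function names and the two heuristics are this example's own choices.

```python
import re
from collections import OrderedDict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"

# Rows copied from the behavioral1 "Modifies Installed Components in the registry"
# table of this report: all eleven StubPath writes plus two "Key created" rows,
# so both row shapes go through the parser.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDFAF99-AB3C-4529-8F04-26286F8B8905} C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}\stubpath = "C:\\Windows\\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0} C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}\stubpath = "C:\\Windows\\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe" C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5089361-CC2A-4bef-80B3-0233B276184C}\stubpath = "C:\\Windows\\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe" C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A93BDCD-5226-4667-A30F-2BE209D50C75}\stubpath = "C:\\Windows\\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe" C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738F6632-8380-4cc0-8B30-2018B3D646B4}\stubpath = "C:\\Windows\\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe" C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}\stubpath = "C:\\Windows\\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe" C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}\stubpath = "C:\\Windows\\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe" C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E278EF-4F75-4349-9203-CA828B49CD81}\stubpath = "C:\\Windows\\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe" C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12BD913B-9C21-46e0-9954-851E72A3B806}\stubpath = "C:\\Windows\\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe" C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}\stubpath = "C:\\Windows\\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe" C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9344C5D5-697B-474a-8997-4EB3EBE8464C}\stubpath = "C:\\Windows\\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe" C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe N/A
"""

# Row layout in this report: <description> <registry path>[ = "<string value>"] <writing process> <target>
ROW_RE = re.compile(
    r'^(?P<desc>Key created|Set value \(str\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>[A-Za-z]:\\\S+) N/A$'
)
STUB_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[0-9A-F-]{36}\})\\stubpath$", re.I)
GUID_EXE_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe", re.I)


def parse_rows(text):
    """Turn the flattened table rows into dicts; string values get the report's
    doubled backslashes collapsed back to single ones."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        value = m.group("value")
        if value is not None:
            value = value.replace("\\\\", "\\")
        events.append({"desc": m.group("desc"), "key": m.group("key"),
                       "value": value, "proc": m.group("proc")})
    return events


def stubpath_entries(events):
    """{component GUID: (StubPath command, process that wrote it)} in write order."""
    entries = OrderedDict()
    for ev in events:
        m = STUB_RE.search(ev["key"])
        if m and ev["value"] is not None:
            entries[m.group(1).upper()] = (ev["value"], ev["proc"])
    return entries


def suspicious(guid, stub):
    """Reasons this StubPath matches the pattern in this sample rather than a product installer."""
    reasons = []
    directory, _, name = stub.rpartition("\\")
    if directory.lower() == r"c:\windows":
        reasons.append("stub dropped directly in C:\\Windows")
    if GUID_EXE_RE.fullmatch(name) and name[:-4].upper() == guid:
        reasons.append("stub filename is the component GUID itself")
    return reasons


def registration_chain(entries, origin):
    """Follow 'process P registered stub S' links from the submitted sample until no
    further stub was registered; the last element is the stage that survives."""
    next_stub = {proc.lower(): stub for stub, proc in entries.values()}
    chain, current = [origin], origin
    while current.lower() in next_stub and next_stub[current.lower()] not in chain:
        current = next_stub[current.lower()]
        chain.append(current)
    return chain


if __name__ == "__main__":
    entries = stubpath_entries(parse_rows(REGISTRY_ROWS))
    for guid, (stub, proc) in entries.items():
        print(f"{guid} -> {stub}  [{'; '.join(suspicious(guid, stub))}]")
    chain = registration_chain(entries, SAMPLE)
    print(f"{len(chain) - 1} stages registered in sequence; tail: {chain[-1]}")
```

On a live host the same two heuristics apply to the values read from both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the Wow6432Node copy; treat a StubPath whose target no longer exists as evidence of an earlier stage, not as a false positive.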

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe N/A
File created C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe N/A
File created C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe N/A
File created C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe N/A
File created C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe N/A
File created C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
File created C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe N/A
File created C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe N/A
File created C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe N/A
File created C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
File created C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe
PID 2240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2800 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe
PID 2320 wrote to memory of 2800 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe
PID 2320 wrote to memory of 2800 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe
PID 2320 wrote to memory of 2800 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe
PID 2320 wrote to memory of 2592 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2592 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2592 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2592 N/A C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2760 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe
PID 2800 wrote to memory of 2760 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe
PID 2800 wrote to memory of 2760 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe
PID 2800 wrote to memory of 2760 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe
PID 2800 wrote to memory of 2548 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2548 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2548 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2548 N/A C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2080 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe
PID 2760 wrote to memory of 2080 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe
PID 2760 wrote to memory of 2080 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe
PID 2760 wrote to memory of 2080 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe
PID 2760 wrote to memory of 2612 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2612 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2612 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2612 N/A C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2728 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe
PID 2080 wrote to memory of 2728 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe
PID 2080 wrote to memory of 2728 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe
PID 2080 wrote to memory of 2728 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe
PID 2080 wrote to memory of 1872 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1872 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1872 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1872 N/A C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2256 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe
PID 2728 wrote to memory of 2256 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe
PID 2728 wrote to memory of 2256 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe
PID 2728 wrote to memory of 2256 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe
PID 2728 wrote to memory of 2076 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2076 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2076 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2076 N/A C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2428 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe
PID 2256 wrote to memory of 2428 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe
PID 2256 wrote to memory of 2428 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe
PID 2256 wrote to memory of 2428 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe
PID 2256 wrote to memory of 2352 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2352 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2352 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2352 N/A C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1488 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe
PID 2428 wrote to memory of 1488 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe
PID 2428 wrote to memory of 1488 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe
PID 2428 wrote to memory of 1488 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe
PID 2428 wrote to memory of 2996 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2996 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2996 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2996 N/A C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"

C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe

C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe

C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDFA~1.EXE > nul

C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe

C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6E7~1.EXE > nul

C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe

C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C5089~1.EXE > nul

C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe

C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0A93B~1.EXE > nul

C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe

C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{738F6~1.EXE > nul

C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe

C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51DF9~1.EXE > nul

C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe

C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8C2AE~1.EXE > nul

C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe

C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E27~1.EXE > nul

C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe

C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{12BD9~1.EXE > nul

C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe

C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{916DF~1.EXE > nul
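The command lines above carry two telemetry traps. First, every self-deletion is logged with an 8.3 short name (C:\Windows\{8FDFA~1.EXE, not the {GUID}.exe the file was dropped as), so a rule that looks for the full GUID filename in process command lines never sees the del. Second, the logged command line says C:\Windows\system32\cmd.exe while the image path is C:\Windows\SysWOW64\cmd.exe, because WOW64 file-system redirection rewrites the path for a 32-bit parent; a rule keyed on image path and one keyed on command line will disagree. The Python below is an added example, not from the report or the sample: it takes the command lines exactly as listed above, derives the default 8.3 name for each launched image, maps every del back to the long path it removes, and reports what is left on disk when the chain ends. short_name models only the common "first name with this prefix" case; after collisions Windows uses ~2, ~3 and then a hashed form, and if 8.3 name generation is disabled on the volume (check with fsutil 8dot3name query C:) the del fails and the stage stays on disk, which is worth checking on an infected host.

```python
import re

# The behavioral1 "Processes" command lines above, in the order the sandbox listed
# them: each stage launches the next stage, then a cmd.exe that deletes the
# launching stage's own image by its 8.3 short name.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"',
    r"C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDFA~1.EXE > nul",
    r"C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6E7~1.EXE > nul",
    r"C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C5089~1.EXE > nul",
    r"C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0A93B~1.EXE > nul",
    r"C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{738F6~1.EXE > nul",
    r"C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{51DF9~1.EXE > nul",
    r"C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8C2AE~1.EXE > nul",
    r"C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E27~1.EXE > nul",
    r"C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{12BD9~1.EXE > nul",
    r"C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{916DF~1.EXE > nul",
]

# In this listing every cmd.exe line is a 'del' and every other line is a bare image path.
DEL_RE = re.compile(r"^\S*\\cmd\.exe /c del (?P<target>\S+) > nul$", re.I)


def short_name(long_name):
    """Default 8.3 form Windows generates for a long file name when it is the first
    name with that prefix in its directory: spaces and extra dots removed, stem cut
    to 6 characters plus '~1', extension cut to 3, all upper case. Collisions
    (~2, ~3, then a hashed form) are not modelled here."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = re.sub(r"[ .]", "", stem).upper()
    ext = ext[:3].upper()
    if len(stem) > 8:
        stem = stem[:6] + "~1"
    return f"{stem}.{ext}" if ext else stem


def resolve_deletions(command_lines):
    """Walk the command lines in order and map every 'del <short path>' back to the
    long image path of a process launched earlier. Returns [(as logged, long path or None)]."""
    short_to_long, deletions = {}, []
    for cl in command_lines:
        m = DEL_RE.match(cl)
        if m:
            logged = m.group("target")
            deletions.append((logged, short_to_long.get(logged.lower())))
            continue
        image = cl.strip('"')
        directory, _, name = image.rpartition("\\")
        short_to_long[f"{directory}\\{short_name(name)}".lower()] = image
    return deletions


def surviving_images(command_lines):
    """Images that were launched but never targeted by a del: what is left on disk."""
    launched = {cl.strip('"') for cl in command_lines if not DEL_RE.match(cl)}
    deleted = {long for _, long in resolve_deletions(command_lines) if long}
    return launched - deleted


if __name__ == "__main__":
    for logged, resolved in resolve_deletions(COMMAND_LINES):
        print(f"{logged:55} -> {resolved}")
    print("still on disk:", sorted(surviving_images(COMMAND_LINES)))
```

Run against the listing above, the only survivor is C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe, which is also the only stage whose Active Setup StubPath still resolves; that is the file to collect from an infected host, and the one whose hash is at the end of the Files section below.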

Network

N/A

Files

C:\Windows\{8FDFAF99-AB3C-4529-8F04-26286F8B8905}.exe

MD5 6adee3e65e73a875863328d89a13e777
SHA1 6d10c41136d5ba69108911082ff45a6a8b8044cd
SHA256 7cae4c9741eaa6a67c83cad3720977a42c107c586b0e3eb5991a7c681e90baf3
SHA512 e205feeccc076a4524af52c3f7e1c7ca7d64cbe80818150ad89bc8ff79f60c22a0b8fd0813443db6c2b1542f84bacccd16f5ae91f4e836b26d2b1f4e8145704b

C:\Windows\{BE6E7768-4A1B-4f36-A39B-41C25A1222D0}.exe

MD5 87eb92cb28c0a115d2729f85fa7be151
SHA1 e29fa740b63a0e48f56456e8279718e70659e375
SHA256 356a554cf40bfd31d651a5394322e863e1cd094729e1cae923f3197a9c8e35e9
SHA512 e857f882ff28f82901fa91ddb46de698534eccac2ddefc3c1d338bdd4f80140d6f911018ef7d40f3985fe9eb98c4385a4c0d7c29f2eef50ffd9325b12633b21b

C:\Windows\{C5089361-CC2A-4bef-80B3-0233B276184C}.exe

MD5 bd88dda2104a1d1ecd698d7378a4c27a
SHA1 d4fb5fe3297dd3e741ee6a2825a9478e99fca3d9
SHA256 be5553c1d863c591d154d5e9c93734b8c1a60a0a21a00f502a447bc2617f2c65
SHA512 8a51cbf0393d9da4a854665fa191b6bff1577bebb25eb92df7519244dbbc1b14ed27a134aaa1977606e234d7aa73d51071e134e2ffd4ed7aa6a4cffdab0fa7a3

C:\Windows\{0A93BDCD-5226-4667-A30F-2BE209D50C75}.exe

MD5 845f237651078b636ce0569e4020a90f
SHA1 db3161efa2b079a991a8f28e7ff4c846d43cc0f0
SHA256 0e5ffc6a5b8b0a8c3a3571cff7c082cbb463164f229a5eea6a592f999039bfcb
SHA512 3645f0d1c74ce80a5664218664521f7dc8e927b61b709fe41b2af871a05af85908be4ad90be8126bbd2e2ca10f941d079741660983994207b1ef57464a7bc38e

C:\Windows\{738F6632-8380-4cc0-8B30-2018B3D646B4}.exe

MD5 f89706ff978e6aa87eccc16ed2bcc70e
SHA1 25836889a332759ca49c4e073aef95550c268468
SHA256 fb8d454bfd32d4abe340d2afb8070f2079f94d5d360350864e5dfc73e1b8b4f8
SHA512 6a903529381cf5a036f0ec9d0e30edff4c7717d4a63bc6ed94acfeec6ee703eaa64997dfa7ee53f477adbae9115398d53da6075f9a9d42cf32948b621fc27627

C:\Windows\{51DF99B2-AD6F-4a42-9A3F-23A83D6378D5}.exe

MD5 0bf927be15da6677435bf93b4b8c44e4
SHA1 67d6af7dadbb467479635ae3294d7e32262f0f06
SHA256 a7522371c4f4d90647b0608d7ba0a1f879271b5d276a37688dc859f9a285f888
SHA512 a8c7acd3f49c8d8c95a768b5274e257abd5be5c8ad8dd069c31ff5aafcaf829c44117961f72ad7a9a0df985349aff16b687c21322c6cb787ec4a7983578abbea

C:\Windows\{8C2AEA60-DD0B-43cb-AF71-D85EEE7D2EE1}.exe

MD5 43dd7c0c3d1b5b02482da1710ec15de5
SHA1 c1de811b2111c77f772a40fda46e3c604af624b9
SHA256 5eb440ef5e554f1fbffda4a7ad4753385aad02d2d26982903c9ed0690b90b389
SHA512 e8beb5f8c817b7bb3309e3f5dc1756e7c20a5f42669cea1b45196685eab8160b1cbe7364a040d4c6b3407f648cd4aa208b47077254d4b8877fbad99a9ad9894a

C:\Windows\{E0E278EF-4F75-4349-9203-CA828B49CD81}.exe

MD5 43a8089cb8d356d2e03687186a9b5b67
SHA1 2b80e7b2a2b4dee689f1804845096efcb08163b7
SHA256 fbc917b6308e53ce4ad49025aa744f16727765661e43d40e8658d1328054ebdf
SHA512 811a351f81d503ba227d362fea77960a4679d2d11df836773414587c70fd73d444502c670b3b0e5e45254b9f4cc9092253dc9b02e394b42a4fcf1c6e9551ab01

C:\Windows\{12BD913B-9C21-46e0-9954-851E72A3B806}.exe

MD5 475d739c75e517c151cdba81153e5693
SHA1 634ed9ecd0e37f7c7a97d779033bf417991b2f55
SHA256 0390165d56be736ad6b57c65a18be9956d427ea0fa04889f06e1aa294669e829
SHA512 5a1de1ec6038e02ffca4f5b7123c1582dc751c39ab35a7d8c8133418af79c7baa420c2da8a7f5603f06e861de524c71bfb6e9f7bd18dfc9bf72162033fbfc576

C:\Windows\{916DFFBD-D3F3-4321-BBFD-5805B0FD8DB8}.exe

MD5 ff87899d59c695f19c10e08342fa7d01
SHA1 274d77950bbc7ab3b1869ff7c7b8030bea72503a
SHA256 0724d9ae6eadd9809515a962f56959abf393fea02c10dc3e6aff66b34429a9c2
SHA512 e7be206365bead63491b4a6963e559d46681d8686e5c31a65de8114c3ee0256ca068e8dc9492c42e5c23c1e702d12e14b59d2205bc34a597ab82d05cb55260c9

C:\Windows\{9344C5D5-697B-474a-8997-4EB3EBE8464C}.exe

MD5 96cc1b5b070da4b3a8185935021275ae
SHA1 9c2acfc247420d84a40b79b2110b517e7a7ea914
SHA256 639661eca2eeeb2a31fb53f1563dcc4e0debc027c9a8642e32563682a84ba3d6
SHA512 4b38735d0ff5e5abd94298832a56f245754e78baf5b0c163ce09883511186fa58f071a7b97aa1a7ed2b4c9a036af62605ac445ecf8a638499348741ddc32851c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:25

Reported

2024-04-07 18:28

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBF8050-BE26-4c73-90A4-C51126F9207F} C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E} C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3}\stubpath = "C:\\Windows\\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3}.exe" C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0A78D2-5461-44f8-A540-0322FE86175F} C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9164958E-8642-46b3-B634-FF459772C016} C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}\stubpath = "C:\\Windows\\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe" C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B} C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49153064-B613-4a65-B8FA-D361BF1CEC02} C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7} C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}\stubpath = "C:\\Windows\\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe" C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF} C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFADE122-FE7D-43eb-A544-791611B2F26B} C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBF8050-BE26-4c73-90A4-C51126F9207F}\stubpath = "C:\\Windows\\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe" C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B5DCFAC-430A-484f-88E4-367C3F29CB25} C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49153064-B613-4a65-B8FA-D361BF1CEC02}\stubpath = "C:\\Windows\\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe" C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9164958E-8642-46b3-B634-FF459772C016}\stubpath = "C:\\Windows\\{9164958E-8642-46b3-B634-FF459772C016}.exe" C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFADE122-FE7D-43eb-A544-791611B2F26B}\stubpath = "C:\\Windows\\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe" C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC63B36-0E6A-468a-A94A-CF14C88A713E} C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}\stubpath = "C:\\Windows\\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe" C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}\stubpath = "C:\\Windows\\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe" C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3} C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}\stubpath = "C:\\Windows\\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0A78D2-5461-44f8-A540-0322FE86175F}\stubpath = "C:\\Windows\\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe" C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}\stubpath = "C:\\Windows\\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe" C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe N/A
File created C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe N/A
File created C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe N/A
File created C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe N/A
File created C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe N/A
File created C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe N/A
File created C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
File created C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe N/A
File created C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe N/A
File created C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe N/A
File created C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe N/A
File created C:\Windows\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3}.exe C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe
PID 2252 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe
PID 2252 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe
PID 2252 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4688 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe
PID 3220 wrote to memory of 4688 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe
PID 3220 wrote to memory of 4688 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe
PID 3220 wrote to memory of 640 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 640 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 640 N/A C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 4168 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe
PID 4688 wrote to memory of 4168 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe
PID 4688 wrote to memory of 4168 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe
PID 4688 wrote to memory of 1672 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1672 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1672 N/A C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 968 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe
PID 4168 wrote to memory of 968 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe
PID 4168 wrote to memory of 968 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe
PID 4168 wrote to memory of 2440 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2440 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2440 N/A C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3208 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe
PID 968 wrote to memory of 3208 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe
PID 968 wrote to memory of 3208 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe
PID 968 wrote to memory of 3804 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3804 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3804 N/A C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 4056 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe
PID 3208 wrote to memory of 4056 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe
PID 3208 wrote to memory of 4056 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe
PID 3208 wrote to memory of 2556 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 2556 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 2556 N/A C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 4596 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe
PID 4056 wrote to memory of 4596 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe
PID 4056 wrote to memory of 4596 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe
PID 4056 wrote to memory of 3248 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 3248 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 3248 N/A C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1872 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe
PID 4596 wrote to memory of 1872 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe
PID 4596 wrote to memory of 1872 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe
PID 4596 wrote to memory of 1832 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1832 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1832 N/A C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3624 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe
PID 1872 wrote to memory of 3624 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe
PID 1872 wrote to memory of 3624 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe
PID 1872 wrote to memory of 1908 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1908 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1908 N/A C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4300 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe
PID 3624 wrote to memory of 4300 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe
PID 3624 wrote to memory of 4300 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe
PID 3624 wrote to memory of 4088 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4088 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4088 N/A C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2748 N/A C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe
PID 4300 wrote to memory of 2748 N/A C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe
PID 4300 wrote to memory of 2748 N/A C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe
PID 4300 wrote to memory of 5088 N/A C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_dd833d8b0310ae0db7c72846e6202b7e_goldeneye.exe"

C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe

C:\Windows\{8B5DCFAC-430A-484f-88E4-367C3F29CB25}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe

C:\Windows\{49153064-B613-4a65-B8FA-D361BF1CEC02}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B5DC~1.EXE > nul

C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe

C:\Windows\{CB0A78D2-5461-44f8-A540-0322FE86175F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49153~1.EXE > nul

C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe

C:\Windows\{9164958E-8642-46b3-B634-FF459772C016}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0A7~1.EXE > nul

C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe

C:\Windows\{CDFE9889-535E-404d-B6C2-EDF148D7B3AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91649~1.EXE > nul

C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe

C:\Windows\{7FB69ECE-313C-44fc-AF68-10D570AAA2C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFE9~1.EXE > nul

C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe

C:\Windows\{CFADE122-FE7D-43eb-A544-791611B2F26B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB69~1.EXE > nul

C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe

C:\Windows\{FEBF8050-BE26-4c73-90A4-C51126F9207F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CFADE~1.EXE > nul

C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe

C:\Windows\{91E1B2A3-507E-4036-ABAA-9EC5B5EDE06E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBF8~1.EXE > nul

C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe

C:\Windows\{5FC63B36-0E6A-468a-A94A-CF14C88A713E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91E1B~1.EXE > nul

C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe

C:\Windows\{1BCEF5CE-E6A2-4e2b-87F0-783471CBA34B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC63~1.EXE > nul

C:\Windows\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3}.exe

C:\Windows\{F9B5DB0F-F9AB-4cd4-84D1-E728949441D3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCEF~1.EXE > nul

Network


Files
