Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qqgx3ahf96
Target 2024-04-04_1116de28e782e197373277782dff7273_goldeneye
SHA256 361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f

Threat Level: Known bad

The file 2024-04-04_1116de28e782e197373277782dff7273_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:27

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:27

Reported

2024-04-04 13:30

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862EBF15-8D0E-4761-B328-C9B1F4645300} C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9} C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}\stubpath = "C:\\Windows\\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe" C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}\stubpath = "C:\\Windows\\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe" C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}\stubpath = "C:\\Windows\\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe" C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA} C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862EBF15-8D0E-4761-B328-C9B1F4645300}\stubpath = "C:\\Windows\\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA902CC-6D5E-468c-82F9-2DDC746CC602} C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}\stubpath = "C:\\Windows\\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe" C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A} C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FB547E-8C37-48a7-957B-2AE6E1FE0117} C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771} C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}\stubpath = "C:\\Windows\\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe" C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501F3A6D-3066-4d6e-81A7-0E14241EA057} C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6} C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80421C56-0D9E-4d14-932F-88989A4ED863} C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80421C56-0D9E-4d14-932F-88989A4ED863}\stubpath = "C:\\Windows\\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe" C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}\stubpath = "C:\\Windows\\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe" C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}\stubpath = "C:\\Windows\\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe" C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501F3A6D-3066-4d6e-81A7-0E14241EA057}\stubpath = "C:\\Windows\\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe" C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}\stubpath = "C:\\Windows\\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe" C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850} C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe N/A
File created C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe N/A
File created C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe N/A
File created C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
File created C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe N/A
File created C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe N/A
File created C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe N/A
File created C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe N/A
File created C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe N/A
File created C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe N/A
File created C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
PID 1612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
PID 1612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
PID 1612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
PID 1612 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2508 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
PID 2520 wrote to memory of 2508 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
PID 2520 wrote to memory of 2508 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
PID 2520 wrote to memory of 2508 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
PID 2520 wrote to memory of 2492 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2492 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2492 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2492 N/A C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
PID 2508 wrote to memory of 2628 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2628 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2628 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2628 N/A C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1792 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
PID 2612 wrote to memory of 1792 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
PID 2612 wrote to memory of 1792 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
PID 2612 wrote to memory of 1792 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2700 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
PID 1792 wrote to memory of 2700 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
PID 1792 wrote to memory of 2700 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
PID 1792 wrote to memory of 2700 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
PID 1792 wrote to memory of 1544 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1544 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1544 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1544 N/A C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1740 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
PID 2700 wrote to memory of 1740 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
PID 2700 wrote to memory of 1740 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
PID 2700 wrote to memory of 1740 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
PID 2700 wrote to memory of 1712 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1712 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1712 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1712 N/A C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2196 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
PID 1740 wrote to memory of 2196 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
PID 1740 wrote to memory of 2196 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
PID 1740 wrote to memory of 2196 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
PID 1740 wrote to memory of 2112 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2112 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2112 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2112 N/A C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 976 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
PID 2196 wrote to memory of 976 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
PID 2196 wrote to memory of 976 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
PID 2196 wrote to memory of 976 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
PID 2196 wrote to memory of 2120 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2120 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2120 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2120 N/A C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"

C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe

C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe

C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{862EB~1.EXE > nul

C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe

C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA90~1.EXE > nul

C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe

C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7310~1.EXE > nul

C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe

C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{501F3~1.EXE > nul

C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe

C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8410~1.EXE > nul

C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe

C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{20FB5~1.EXE > nul

C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe

C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC16B~1.EXE > nul

C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe

C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9A99B~1.EXE > nul

C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe

C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE0E~1.EXE > nul

C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe

C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{80421~1.EXE > nul

Network

N/A

Files

C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe

C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe

C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe

C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe

C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe

C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe

C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe

C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe

C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe

C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe

C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:27

Reported

2024-04-04 13:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}\stubpath = "C:\\Windows\\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe" C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A2F3DE-42A3-4911-84A3-A54634326D81}\stubpath = "C:\\Windows\\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe" C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}\stubpath = "C:\\Windows\\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe" C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A2F3DE-42A3-4911-84A3-A54634326D81} C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE} C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE} C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}\stubpath = "C:\\Windows\\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe" C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A848BC-2053-492b-998A-52E0BB9042C5} C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}\stubpath = "C:\\Windows\\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98564B2F-D937-4fcc-AD6C-E6034689A485}\stubpath = "C:\\Windows\\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe" C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}\stubpath = "C:\\Windows\\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe" C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98564B2F-D937-4fcc-AD6C-E6034689A485} C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A384EB-6FF3-45a9-BBD5-72302FD8018D} C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}\stubpath = "C:\\Windows\\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe" C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E86B7C-CC15-40dc-8CE4-2571D7897254}\stubpath = "C:\\Windows\\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe" C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49} C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9} C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44} C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718814DB-6EF3-468b-A50B-C828095FA8BF} C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718814DB-6EF3-468b-A50B-C828095FA8BF}\stubpath = "C:\\Windows\\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe" C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E86B7C-CC15-40dc-8CE4-2571D7897254} C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A848BC-2053-492b-998A-52E0BB9042C5}\stubpath = "C:\\Windows\\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe" C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}\stubpath = "C:\\Windows\\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe" C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6} C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
File created C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe N/A
File created C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe N/A
File created C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe N/A
File created C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe N/A
File created C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe N/A
File created C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe N/A
File created C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe N/A
File created C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe N/A
File created C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe N/A
File created C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe N/A
File created C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
PID 2364 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 1440 N/A C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
PID 3540 wrote to memory of 2592 N/A C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 404 N/A C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
PID 1440 wrote to memory of 2540 N/A C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1844 N/A C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
PID 404 wrote to memory of 4736 N/A C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 456 N/A C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
PID 1844 wrote to memory of 1376 N/A C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 1596 N/A C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
PID 456 wrote to memory of 1856 N/A C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe C:\Windows\SysWOW64\cmd.exe
PID 1596 wrote to memory of 212 N/A C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
PID 1596 wrote to memory of 2400 N/A C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3800 N/A C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
PID 212 wrote to memory of 4432 N/A C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 920 N/A C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
PID 3800 wrote to memory of 4276 N/A C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2512 N/A C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
PID 920 wrote to memory of 1684 N/A C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 3196 N/A C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
PID 2512 wrote to memory of 712 N/A C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"
C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{81D0F~1.EXE > nul
C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{36A73~1.EXE > nul
C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{98564~1.EXE > nul
C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{99A38~1.EXE > nul
C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{43A2F~1.EXE > nul
C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B8F~1.EXE > nul
C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{1F495~1.EXE > nul
C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE20~1.EXE > nul
C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{71881~1.EXE > nul
C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{52E86~1.EXE > nul
C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADBE~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp

Files

C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe