Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qzmvnsaa35
Target 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye
SHA256 bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb

Threat Level: Known bad

The file 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-04 13:42

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-04 13:42
Reported 2024-04-04 13:44
Platform win7-20240221-en
Max time kernel 144s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF} C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}\stubpath = "C:\\Windows\\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe" C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}\stubpath = "C:\\Windows\\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe" C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA} C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C}\stubpath = "C:\\Windows\\{F64B3978-62CC-461e-8171-248679C9158C}.exe" C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}\stubpath = "C:\\Windows\\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe" C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728} C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}\stubpath = "C:\\Windows\\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe" C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23}\stubpath = "C:\\Windows\\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe" C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF} C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6} C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}\stubpath = "C:\\Windows\\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe" C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C} C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E} C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E}\stubpath = "C:\\Windows\\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe" C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E} C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E}\stubpath = "C:\\Windows\\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe" C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}\stubpath = "C:\\Windows\\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe" C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE} C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23} C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}\stubpath = "C:\\Windows\\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2} C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
File created C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe N/A
File created C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe N/A
File created C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe N/A
File created C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe N/A
File created C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe N/A
File created C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe N/A
File created C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe N/A
File created C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe N/A
File created C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe N/A
File created C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
PID 1464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
PID 1464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
PID 1464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
PID 1464 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2536 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
PID 2908 wrote to memory of 2536 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
PID 2908 wrote to memory of 2536 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
PID 2908 wrote to memory of 2536 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
PID 2908 wrote to memory of 2672 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2672 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2672 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2672 N/A C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2408 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
PID 2536 wrote to memory of 2408 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
PID 2536 wrote to memory of 2408 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
PID 2536 wrote to memory of 2408 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
PID 2536 wrote to memory of 2512 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2512 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2512 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2512 N/A C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2368 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
PID 2408 wrote to memory of 2368 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
PID 2408 wrote to memory of 2368 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
PID 2408 wrote to memory of 2368 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
PID 2408 wrote to memory of 380 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 380 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 380 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 380 N/A C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 1064 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
PID 2368 wrote to memory of 1064 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
PID 2368 wrote to memory of 1064 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
PID 2368 wrote to memory of 1064 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
PID 2368 wrote to memory of 2376 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2376 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2376 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2376 N/A C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2728 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
PID 1064 wrote to memory of 2728 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
PID 1064 wrote to memory of 2728 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
PID 1064 wrote to memory of 2728 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
PID 1064 wrote to memory of 2428 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2428 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2428 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2428 N/A C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1960 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
PID 2728 wrote to memory of 1960 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
PID 2728 wrote to memory of 1960 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
PID 2728 wrote to memory of 1960 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
PID 2728 wrote to memory of 2016 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2016 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2016 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2016 N/A C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 2276 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
PID 1960 wrote to memory of 2276 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
PID 1960 wrote to memory of 2276 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
PID 1960 wrote to memory of 2276 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
PID 1960 wrote to memory of 980 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 980 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 980 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 980 N/A C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"

C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe

C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe

C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C782A~1.EXE > nul

C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe

C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA2E~1.EXE > nul

C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe

C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5CF~1.EXE > nul

C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe

C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D6B~1.EXE > nul

C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe

C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{920BF~1.EXE > nul

C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe

C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F64B3~1.EXE > nul

C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe

C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE61~1.EXE > nul

C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe

C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F3963~1.EXE > nul

C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe

C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36797~1.EXE > nul

C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe

C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94BE6~1.EXE > nul

Network

N/A

Files

C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe

MD5 4b42f57ee3e86d494c41cdf8e51d651f
SHA1 b1af92ac51b60ebc391c3fb9c043cb280fd47a26
SHA256 96837a319c4f4b6b176c8cc133ed976ef17e237622de04a0d7937285291a2d86
SHA512 0b08d7333b48af4aadbb0ab72e22c63383472990a4f0bcdf7d61ca47dde9d0466fe81f41279f33558089a242a4fb1a780a4d91082ecb1382ae9d760f5412e99f

C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe

MD5 ff8acbd3543ce31c8313c1a7b6231d11
SHA1 f82242e02f84fcd123aecacb59ea0dad4a9f39c6
SHA256 3c82f0326f2e69495f966f5784e5444e343283119e3f8495a5644d1de2cecb54
SHA512 65b935648925acf737a82f59016cc536a803277f434a71a4bb2b6651427e506b7f6a740dc7da2abbb36744336e2d7142849f05b0ef4ec9d185d150c2113a60d7

C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe

MD5 9907c62fdef52d2b392b33b0b9e1621d
SHA1 0992aa321d81fa6a90c1da32c5cb055bb2860c7c
SHA256 b22e7b832e0ff1fcad9e682b1ec6dd746e60798b75bc223233b2089f897e6811
SHA512 51b4190b5dea9dfc90fab358cc262064c0a67a726b1bed366b2eb00d14e70e3f519d08606d9445658045c1bd95e6c0cc061da7b6a528f4ace0255ef105775835

C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe

MD5 96b150812c214e2448606befba0853bd
SHA1 c7436e2cdcef3134e459a5e87af1422a98150c57
SHA256 d4eaa4294474847f6c827e1ae5ea1e2c9872258a154e4515be8420935ece3b64
SHA512 f71741abcf04f5fbbf10ca9ba5bee07f1995353e449cdcf6a5f71e58061de146011425c935e32c1df646364427b7f618e6f925945df6ef7746e89de7fc27d46a

C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe

MD5 8b1aa8beecf7703712edf6e2d5b66bd3
SHA1 aab2f887506290cb1f63df1cca47e8a54feb5e40
SHA256 8dc3ca1e11d75d96fe7fc1e91aaca15878cd9d056377af1f2d21e2e1872eb9d8
SHA512 fc5b02bd10328428548a396a8257db450f7d54731abb5cf18d4c645b339ee942200f985773335b95cc6fad5af499f1f514fdcf525c7d8864961ab82cd9e9346c

C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe

MD5 75363e3e3641dcaf387599fc85c10313
SHA1 5e32d925468cd29e5e03ac81651724d2cbc5713a
SHA256 bf3f64aa28fdb34a44020fe627e2ec097c5a6d047085769bac063bc5943ebf24
SHA512 ea6c04fe5d91ceec12f8f617df3500a1c07fa5362d67bdb3d720f91a1a25b2867a8adc0ed553e190f97a69fde2dca6c7ccbaa6bb34318b52f92e70e9afbd104b

C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe

MD5 62c887fe00794f92f5bcae7ec9c2422d
SHA1 9dbf591e2d23bc7e59b7ab0457df0a72093575e7
SHA256 be169592d960afb855d6cb836960554a7c5334d82f2cb8a5e674323402e4c715
SHA512 4694d52537b18fc34ceec19a709ef8f70869ee293453759b50f1d8bd6d32bec2359ac78c50960a6778d658af1da3826fd9540a1e452c4ab45bc1c8ed2d144dec

C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe

MD5 23e44dae1b62aff2adfe009b407e09d2
SHA1 ac558e257930cc6bea1fd1adea6827b5f8bb6cd9
SHA256 d7ff4669cb798ae72b2b2527ca9a17fe1e69d987f35f28646128606904a288f3
SHA512 4b923e24c6be21fb2cfc373f16569ffc2becbe063e9bd0d06a818cb338009a43cb1e146c8a72fc841912ae3c9436cc92ed9e449922fb824473a21243456d1ff4

C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe

MD5 86b33c8923947dc9ce00b919d01f68b2
SHA1 65d8eb6fbd9db745d9c5156760cea1f8f0f97a27
SHA256 5b666817cb57151c46a3922d85f10ad157adc4ee1745fd0b81b108c31bd5ccbe
SHA512 d0652fb4f80729b02693085068fc0537a827e9cf5173f1dba38bc23d00d4bd856f0dafb8680b7f25e252200e0314a1fc4ff38f7f6f9eeba6eb4021cd8b45da44

C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe

MD5 95efe9b25e1208ac39de6cf2e267c25f
SHA1 5dec70913b652ad79b7c81b5f132348375ccc45a
SHA256 703652989ab0be398251fae833426a7b2016c2df7754adb38cba1a945e2558a5
SHA512 c57b9e4f58812db482370408e8a46b94c4b426228ad1b43b24f3901f0964687a1316dc0e145dbfe83f16e182097a4bb861882c62f4d69a53e2d7cec1e938f8c9

C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe

MD5 ff1831da8a50d0376406aebfb439576a
SHA1 b0f28269eb2459d5642ccc0668c9049329b305a4
SHA256 c78a446b480452462f0589380493f805ac5a97e3d4c5fdeaf29b198c723327b9
SHA512 180be68952eec2fa75923479d438cbe6994139c9350e515b9f07d337531a2143f3fc3a4ab763c98fccdb5dda183c14d4dca12acb0347f7145719f2a360fc0c73

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-04 13:42
Reported 2024-04-04 13:44
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92} C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}\stubpath = "C:\\Windows\\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe" C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02D84D4-482B-4001-82EA-403C637B3A85} C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9} C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}\stubpath = "C:\\Windows\\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe" C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F6747F-F8C9-4298-8588-D9659C9693DD} C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F6747F-F8C9-4298-8588-D9659C9693DD}\stubpath = "C:\\Windows\\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719367C5-57DE-4bc7-AF55-5C07042C35E3} C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B} C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}\stubpath = "C:\\Windows\\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe" C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D} C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02D84D4-482B-4001-82EA-403C637B3A85}\stubpath = "C:\\Windows\\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe" C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}\stubpath = "C:\\Windows\\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe" C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D38C02C-5582-48c9-A3F0-5F04547529B2} C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05964B4-1D80-482f-A6F7-1222A98F013A} C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C94FE4-A674-4342-B33F-0C3AA010BD89}\stubpath = "C:\\Windows\\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe" C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05964B4-1D80-482f-A6F7-1222A98F013A}\stubpath = "C:\\Windows\\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe" C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A667538-DBCA-42ff-9E90-7B1A03348C86}\stubpath = "C:\\Windows\\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe" C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A} C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719367C5-57DE-4bc7-AF55-5C07042C35E3}\stubpath = "C:\\Windows\\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe" C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}\stubpath = "C:\\Windows\\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe" C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D38C02C-5582-48c9-A3F0-5F04547529B2}\stubpath = "C:\\Windows\\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe" C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A667538-DBCA-42ff-9E90-7B1A03348C86} C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C94FE4-A674-4342-B33F-0C3AA010BD89} C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe N/A
File created C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe N/A
File created C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe N/A
File created C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe N/A
File created C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe N/A
File created C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe N/A
File created C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe N/A
File created C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe N/A
File created C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe N/A
File created C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe N/A
File created C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe N/A
File created C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
PID 3848 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
PID 3848 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
PID 3848 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3144 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
PID 2008 wrote to memory of 3144 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
PID 2008 wrote to memory of 3144 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
PID 2008 wrote to memory of 1084 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1084 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1084 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1272 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
PID 3144 wrote to memory of 1272 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
PID 3144 wrote to memory of 1272 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
PID 3144 wrote to memory of 4764 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4764 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4764 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 680 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
PID 1272 wrote to memory of 680 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
PID 1272 wrote to memory of 680 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
PID 1272 wrote to memory of 3348 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3348 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3348 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 3236 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
PID 680 wrote to memory of 3236 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
PID 680 wrote to memory of 3236 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
PID 680 wrote to memory of 3700 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 3700 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 3700 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2556 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
PID 3236 wrote to memory of 2556 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
PID 3236 wrote to memory of 2556 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
PID 3236 wrote to memory of 3788 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 3788 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 3788 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 4824 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
PID 2556 wrote to memory of 4824 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
PID 2556 wrote to memory of 4824 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
PID 2556 wrote to memory of 4316 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 4316 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 4316 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4740 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
PID 4824 wrote to memory of 4740 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
PID 4824 wrote to memory of 4740 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
PID 4824 wrote to memory of 2144 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2144 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2144 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2748 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
PID 4740 wrote to memory of 2748 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
PID 4740 wrote to memory of 2748 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
PID 4740 wrote to memory of 2320 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2320 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 2320 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 4436 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
PID 2748 wrote to memory of 4436 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
PID 2748 wrote to memory of 4436 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
PID 2748 wrote to memory of 3816 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 3816 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 3816 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2068 N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
PID 4436 wrote to memory of 2068 N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
PID 4436 wrote to memory of 2068 N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
PID 4436 wrote to memory of 2884 N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"

C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe

C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe

C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F67~1.EXE > nul

C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe

C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D38C~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe

C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0596~1.EXE > nul

C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe

C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A667~1.EXE > nul

C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe

C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54C94~1.EXE > nul

C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe

C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{71936~1.EXE > nul

C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe

C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF312~1.EXE > nul

C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe

C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A52E~1.EXE > nul

C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe

C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C02D8~1.EXE > nul

C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe

C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADD6~1.EXE > nul

C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe

C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3F1~1.EXE > nul
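
Read together, the WriteProcessMemory rows and the process list describe one linear chain: each stage starts the next GUID-named executable, then spawns a cmd.exe that deletes its predecessor by 8.3 short name (`{E5F67~1.EXE` for `{E5F6747F-...}.exe`), which is why only the last stage is still on disk when the run ends. The script below is an added triage example, not sandbox code: it parses the report's rows to recover the stage order and checks that every stage was removed by a later `del`. The rows are copied from the report (duplicates and the cmd.exe edges left in to show they are handled); short_name() assumes each file was the first `~1` candidate in its directory, which is what the report's command lines show.

```python
"""Rebuild the dropper chain from this report's behavioural rows.

Added example, not part of the sandbox output.  WPM_ROWS and CMDLINES are
copied from the 'Suspicious use of WriteProcessMemory' table and the
'Processes' command lines above.
"""
import re

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
DEL_RE = re.compile(r"cmd\.exe /c del (\S+) > nul", re.IGNORECASE)

WPM_ROWS = r"""
PID 3848 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
PID 3848 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
PID 3848 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3144 N/A C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
PID 3144 wrote to memory of 1272 N/A C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
PID 1272 wrote to memory of 680 N/A C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
PID 680 wrote to memory of 3236 N/A C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
PID 3236 wrote to memory of 2556 N/A C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
PID 2556 wrote to memory of 4824 N/A C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
PID 4824 wrote to memory of 4740 N/A C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
PID 4740 wrote to memory of 2748 N/A C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
PID 2748 wrote to memory of 4436 N/A C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
PID 4436 wrote to memory of 2068 N/A C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
"""

CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F67~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D38C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0596~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6A667~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{54C94~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{71936~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF312~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{2A52E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{C02D8~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADD6~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3F1~1.EXE > nul
"""


def build_chain(rows):
    """Follow parent -> child edges between .exe images.  cmd.exe children are
    the cleanup shells and are skipped; duplicate rows collapse onto one edge."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        _ppid, _cpid, parent_img, child_img = m.groups()
        if child_img.lower().endswith("\\cmd.exe"):
            continue
        edges.setdefault(parent_img, child_img)
    roots = [p for p in edges if p not in set(edges.values())]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in edges and edges[chain[-1]] not in chain:  # stop on cycles
        chain.append(edges[chain[-1]])
    return chain


def short_name(path):
    """8.3 short name as seen in the report: first six characters of the stem,
    '~1', three-letter upper-cased extension.  Assumes no earlier file in the
    directory shared the six-character prefix (so the suffix is '~1')."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return f"{directory}\\{stem[:6].upper()}~1.{ext[:3].upper()}"


def deleted_paths(cmdlines):
    """Lower-cased paths passed to 'cmd /c del ... > nul'; other command lines are ignored."""
    return {m.group(1).lower() for c in cmdlines for m in [DEL_RE.search(c)] if m}


def self_deletion_report(chain, cmdlines):
    """For every stage except the last observed one: was its 8.3 name deleted?"""
    gone = deleted_paths(cmdlines)
    return {stage: short_name(stage).lower() in gone for stage in chain[:-1]}


if __name__ == "__main__":
    chain = build_chain(WPM_ROWS.strip().splitlines())
    for i, stage in enumerate(chain):
        print(f"stage {i:2d}: {stage}")
    for stage, ok in self_deletion_report(chain, CMDLINES.strip().splitlines()).items():
        print("deleted" if ok else "STILL PRESENT", short_name(stage))
```

The chain recovered this way has twelve stages; the `{2A3DC0AB-...}.exe` file listed under Files is started by the twelfth but its WriteProcessMemory row is past the report's cut-off, so it does not appear in the reconstructed order. Running the same parser over a live EDR export is the quickest way to learn which GUID file is the one still on disk and therefore the one to collect.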

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp

Files

C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe

MD5 2fa53ac77d584319fb682bf4a5257a34
SHA1 be1ed2b18952627e2a623d07912418b18f90790d
SHA256 d64ef68becfeed01dfc3bbad27f6e1c6302784e2739e9dc7890a96d1826b54c9
SHA512 523a8d10bab10e0af6f13c1e23ff8015132ba08931875388948781631cb5bc13dd8d38ef27f1662299dfac36af6bef90177aaa55d11261ce94828d72dc895bbd

C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe

MD5 285b2768c7711416ebf74c8aacae5cfd
SHA1 75756931c440c41cdffa0097200abc0c78bdb478
SHA256 83e28d0d2cb27fbc20c549906e9590ca1eb29124f126fcaeb9340597c77ad7c1
SHA512 2a131d67b795912304972b9a2c04304bb025ea1be31ef6511d7be69788099f1d09e8dfb04ce6660c728067bb71361edde979e65e151f621299029465abf960ef

C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe

MD5 0d248fe2b7c379e3a81a524d8aa48e27
SHA1 535b884585f705900d5bc4934773b4bc8374b5a2
SHA256 92a57033f65dec9510e5a94c176c137b93e09050e66dd59da0675fdd603a9245
SHA512 a42dbc65dc668de8b6b12cb9faf18c863051d6e16033a9063d394cb10e5eed896e754a344d67ded837f93bab2b35a466b5743735fcebb728e85197a9dc8dc92f

C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe

MD5 a01988c7c6e58597b4a3172b98bf5f0c
SHA1 aa9f9c4523e9b0eb6f383fa384622c4f39b4fb24
SHA256 1720adedf684c3287c524cd2ab876e64af6681c9d7878e3520d9d6eeb74766ff
SHA512 71e602a0a1bbf8944381e7bd35099e50b091fa9e58414fc0c356d28d36a6d278ebfa9e28d59c7b2ee7377fcf0be0c7834995c638aa7a07ee1a22b8eec7ad0c4e

C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe

MD5 366373eb32a66bc1475f99a76f7b6e0f
SHA1 95353d57e3b405d1ef49dd289f406af830615ec8
SHA256 79b4874e6b4bafe432b1551013f82de30265040054164ee165daf2a00a7298ce
SHA512 d4aa152983156180a6f372557d6c31098c2f4736177ba0972ba07b226770dfb5933e3a3433b5b75635776a0259646a31bc774404e70b20a19c0968222ad5bb0c

C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe

MD5 560fe80261ec77ddb3cdbbc6765fa9ca
SHA1 5fb88a6eb607884a20563c572417740f1d31b615
SHA256 3614f55976d8952cb78b88a1598df89e037cec763b69279b08da6441410d43f3
SHA512 a3b450426542721b481f722ff5b4e3f1e79b72968d75dc0d09a439d97384afdad9a1b581db3671b4c37b91fa5d73eb335de868db7eed8f63f1883419bf5c7801

C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe

MD5 03a4b468b27ae81ee11ca6f9bf654c25
SHA1 5b6cc702a4070ca817dcf6ffc9da1472417da0ec
SHA256 01e7b6014516cd8a6974c3a40fb7125bbf65e7c1b7191bc83e16621d6124e256
SHA512 e4f319300ad7f1f7021a7b10916903599f8ee060654b0942700b80c1f4e638e6116c30aec57750a62f5187a51188c8157482c5537a400b8759bb3a86ff7edaff

C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe

MD5 42f4d1fed021ca9a392605f8a171e3c5
SHA1 5883da9b09aa4ca2a7503f733779dc262f5bd323
SHA256 0eb1fb50f988383196a39b52a00ce9191e358edd652ad62d3067829696bff486
SHA512 7e7d67654c0d4575c261ba54567cbe1bcc4276b92ba389df5e343efa95dd4bf3c3706e62e3cd92695735899e663c384968a14d85e9de82fc13c3c6006e4767fc

C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe

MD5 1af5e07bd92ee0fb4ffa34c18da6343a
SHA1 b59f6e7b3495a9ef78541db64a345ee46aab7f08
SHA256 7ddb33b8cd22962182659346c8de4ce268d7198273a9ad2b34f854fb01d8999f
SHA512 949ebc74c681c9ec111b50cee65d0b3a55c8ff68fa87e83b4243291867076dc1a0debbbeb56d40d7e92f7c6272dd8c2ad0db01ad0cec76e980b8189060af2be7

C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe

MD5 cfee9fffc6e1d72f482da1f494267319
SHA1 85eb7a0346ac34642e13d8480f468e5deef73a70
SHA256 d44374ff9148a9025d58ade52d6b37ff7be7e1ec8d62f3e599f34347b3324432
SHA512 60fba8cff74d25b1f075d7e4a512dd6224393598f1898f7dc17777c2247546615505b41ff3f2dae9a23518d18876e633a3bad5276452ea93bf93d0563238190c

C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe

MD5 552ba3b676000103b683b1816832d3d6
SHA1 1879bee58f94c903515ac1b67953f0337d5a2914
SHA256 3737c3904ef925754eee91c036c164ef8aefbee35ed462bc740b3dd37832aa1f
SHA512 2d56ab5b2e9ca8b86de8b27df138b32acab3a1fd3f40df61169ae548e52a6df9c9bbdbedd956a35da37c9c0049cd5e1208204317424447d9d76a46153d21dccb

C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe

MD5 4c4f6507127de70ef1ab0c80824a8d09
SHA1 7670d55eacfc561fe0272fe6bf63e519069fd179
SHA256 0bd47a3ca69cdaa174de4877ab17bb3b5b78f0bf2f54d29edb8c169662bd47cc
SHA512 c8cf455e13da10affdeacd917cf757eaa215d1e4b905119abf9a6b0c49a3744a1d99048664d6eaf494c350e6a9f7f4202765d49ffcc31c776aed46967662c481