Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v6ng1aed32
Target 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye
SHA256 dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e

Threat Level: Known bad

The file 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:36

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:36

Reported

2024-04-04 17:38

Platform

win7-20240221-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}\stubpath = "C:\\Windows\\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe" C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B262A6-8634-4111-B6C1-706529378260}\stubpath = "C:\\Windows\\{75B262A6-8634-4111-B6C1-706529378260}.exe" C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34944F5B-185C-4f6e-9C70-054FC4FFF07A} C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095A86-877A-41fe-9020-5B202D6BD5C2} C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC76868-8834-43c2-8005-D056C7D53FD0}\stubpath = "C:\\Windows\\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe" C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B262A6-8634-4111-B6C1-706529378260} C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}\stubpath = "C:\\Windows\\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe" C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17} C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554} C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30212D-1F06-44a4-A49A-983A53730C27} C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02236274-6E38-4e40-B216-244B4A5A7C62}\stubpath = "C:\\Windows\\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe" C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}\stubpath = "C:\\Windows\\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe" C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}\stubpath = "C:\\Windows\\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe" C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC76868-8834-43c2-8005-D056C7D53FD0} C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02236274-6E38-4e40-B216-244B4A5A7C62} C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30212D-1F06-44a4-A49A-983A53730C27}\stubpath = "C:\\Windows\\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe" C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738898C5-E120-4eb7-A4F5-6CAB93E402FA} C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}\stubpath = "C:\\Windows\\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe" C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFF01D9-908D-4d74-929B-1ED6243A5585} C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFF01D9-908D-4d74-929B-1ED6243A5585}\stubpath = "C:\\Windows\\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe" C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095A86-877A-41fe-9020-5B202D6BD5C2}\stubpath = "C:\\Windows\\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78} C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe N/A
File created C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe N/A
File created C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
File created C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe N/A
File created C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe N/A
File created C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe N/A
File created C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe N/A
File created C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe N/A
File created C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe N/A
File created C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe N/A
File created C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
PID 2144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
PID 2144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
PID 2144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
PID 2144 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2560 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
PID 2584 wrote to memory of 2560 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
PID 2584 wrote to memory of 2560 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
PID 2584 wrote to memory of 2560 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
PID 2584 wrote to memory of 2412 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2412 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2412 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2412 N/A C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2416 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
PID 2560 wrote to memory of 2416 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
PID 2560 wrote to memory of 2416 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
PID 2560 wrote to memory of 2416 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
PID 2560 wrote to memory of 2476 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2476 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2476 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2476 N/A C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2384 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
PID 2416 wrote to memory of 2384 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
PID 2416 wrote to memory of 2384 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
PID 2416 wrote to memory of 2384 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
PID 2416 wrote to memory of 2204 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2204 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2204 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2204 N/A C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 528 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
PID 2384 wrote to memory of 528 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
PID 2384 wrote to memory of 528 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
PID 2384 wrote to memory of 528 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
PID 2384 wrote to memory of 2948 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2948 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2948 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2948 N/A C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1532 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
PID 528 wrote to memory of 1532 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
PID 528 wrote to memory of 1532 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
PID 528 wrote to memory of 1532 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
PID 528 wrote to memory of 616 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 616 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 616 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 616 N/A C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 308 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
PID 1532 wrote to memory of 308 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
PID 1532 wrote to memory of 308 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
PID 1532 wrote to memory of 308 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
PID 1532 wrote to memory of 2000 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2000 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2000 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2000 N/A C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 640 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
PID 308 wrote to memory of 640 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
PID 308 wrote to memory of 640 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
PID 308 wrote to memory of 640 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
PID 308 wrote to memory of 1112 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1112 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1112 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1112 N/A C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"

C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe

C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe

C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B095~1.EXE > nul

C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe

C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4567C~1.EXE > nul

C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe

C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC76~1.EXE > nul

C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe

C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46A6E~1.EXE > nul

C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe

C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02236~1.EXE > nul

C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe

C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B302~1.EXE > nul

C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe

C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{73889~1.EXE > nul

C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe

C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{75B26~1.EXE > nul

C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe

C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34944~1.EXE > nul

C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe

C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFF0~1.EXE > nul

Network

N/A

Files

C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe

MD5 b4052f6bca4d0d07a4dba0233a716079
SHA1 032806afae10b1b931c2f8aae1ab05fc22e8c498
SHA256 d0a3aff2789173f2ede3e4c9692c15857f977002cc07baf8bb8d87105172a62f
SHA512 989f48f0680e3c51fdcc6fc46bdaf5b452ec91f8b24d5e85413f854622e6ef6217cd9c69901848d4dce22cdccaf263062465b1aad37a0b1963d0a97b8613b24e

C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe

MD5 bccc7ded669aca828b12a44dba6be6b0
SHA1 c140018ac283e6c5d850fe0e5c61c85866c856ff
SHA256 8779e9b180439baf0d60ac827902bbfcb05d2a774b34462680efe0d94af4d540
SHA512 10d8ee365b1cd14a0f40dd3bf642ed8d67b388d355dd957387efacfb8d38dbbf300fb07a3defd1dda1f20c98514290e11fce1437b0fdee00d69ddf6270abd824

C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe

MD5 027a2afe743b8e7f302d9e17a6dc64ff
SHA1 150bdb9c4637fe6bca00199a0a893f1ade95d5eb
SHA256 d93fb31739b96b22b7fadb11922f663a8490c8ad1c78e16f676ba716c70b61a8
SHA512 b69603b28b363edb66687ea4a755fa9ceb9bfdb8ffccb36c2fe6f22554222fbc7c3257c556c3b67fb11f48ea24139293e7e880e4422ade1d55c94cc911ba61bc

C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe

MD5 7ff9394f03b533ee3db7378e06c54918
SHA1 b7bc39151306c7aceef08ce93c4942d3f4dd8a31
SHA256 cbb52e589977b0e5ec3188d4593e2551f854d520ed247d5496f19dc6c2889eff
SHA512 88482e4145953082545b0ca4ae66b5a963b9dcde782ceebc0fbd7344677e88352aa421318eecced653c1be22381155a016e96a3684cb4f406f2a7be69c31f14c

C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe

MD5 929399e0342830bf0710ebd803092f5c
SHA1 678181bdbcb31c21fd8ac38cf3c8ff470ad2ff96
SHA256 4324afa1c74105c6516de8e7a907d64a6af927dafa48e3cddbb3f74fa36ff7b2
SHA512 38d2def89e5039743545c6b09d35292bea29579fed26c04497b497e3d4ff5dc10bc1d1920fe2ff7141e1c9947111ee5dbb103e44174a9e1ce080ab937bbe6416

C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe

MD5 30a2f91ad1d532477b22a47d54d69be0
SHA1 edc6b3eb02a27af5dddc1148ba9992aa08a7a15c
SHA256 910e3bc9a16b96236718ce3c35af19974042cc602cd0d01b67837b9d0741bbb2
SHA512 9056ba4c6e242caa2265aa3064a2ef16e6c2d4e84e3d5d362640ff5bbe440d7c60b5860c6c7ea4206f252724996c1921d3bf1a266086ce4c397ee965dec9c304

C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe

MD5 37c10b9ad027b9f642830a5927c8a327
SHA1 9cc7c72390c1d3bb69867a7dce963ca7e94d8ad0
SHA256 9ac04aa56ae35a387d6f9dd785c5df73e07d9699b7e67c9974a878f6630481ae
SHA512 9c0788cb226d31b25f071cebeacdd3af332387fc0373416f3fa8fed88df06efeb0779cd6db7b184c56f54dfb73f82b9a7d6428bd2abd6705e9a064d9f84aa21b

C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe

MD5 4e161548adfffc7bef81913932eea4e2
SHA1 bfdd5db3fbd9e99f34bccd20acb26ee8f23cb5e1
SHA256 0581234d311cf46ee829722a5d52605a67cbeb70a088680941e2367cc46670c6
SHA512 743b582e88e29b1669d44237a4ba8de1a2646e35a6106aa0f5ca08f90ecd26c137f87c5624605a2716874ca8f1aad4936cd4095a81077e8defc7ad756eb1e9f5

C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe

MD5 334a5ebc11ef198a66e6c55bdb215269
SHA1 009373c7c99f5e4e92e7725c93a95552207d0d91
SHA256 314a69a6fce784517c7c48b99e909eeeb321cdc3ae260e7744ecbbd689145908
SHA512 cbf9381edb7e876810d7f29f87045aec180be6c31e43c3b0d58a300b1076fe5eace1133b6f19cfba8f967f6a7084c2348227228d56f48f22a2ba4e3750f55bac

C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe

MD5 441dcab9ac8c081f081e4258f8ab256d
SHA1 98664e10bea5f76c5ae9fdd849854c37d8082750
SHA256 a3d1ae74990868fb93970728253c097ad65707c9ebcdaba999139bacc5a11fde
SHA512 015cec3befd29c27c05097c1790b87037b28666cc85636bf46dfccb69d09cdbe0a5ee1dfaf4cefa9ae60c01f20d7b6f5630d14dd846a365bbabbb09b05b4a7af

C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe

MD5 519c3ed5a34169bdd1832f7284044806
SHA1 46bd7a2c52e807c36570c92c573dce520c29aa42
SHA256 f2bf7323239830e55984150592f66da362f31bbaaa52f55c9e7718817d80e798
SHA512 8feafa1e7ff9ff8bd3617019ffd06121b3c0934f55d49e0d3055028c522a4c4502846d37410cc0ff9e45c8efab1f4ec9c983254a075f77e276f52715384b7f54

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:36

Reported

2024-04-04 17:38

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B97CE493-16F8-4140-884F-15FB1B237A16} C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D} C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D63F22D9-9ED5-4316-8767-821075F36FAF}\stubpath = "C:\\Windows\\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe" C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}\stubpath = "C:\\Windows\\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe" C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE} C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9} C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB533CCD-0C97-4751-BC4C-F246376E0600}\stubpath = "C:\\Windows\\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe" C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}\stubpath = "C:\\Windows\\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe" C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D812A7-C614-4f51-9C74-610C39DBF4F3} C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA15531-A12A-4272-AA7C-2956CD817667} C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE23A6F-85C7-41f0-A344-CA8116409042} C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918FB280-112E-4283-97CF-5681231EA6BF} C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918FB280-112E-4283-97CF-5681231EA6BF}\stubpath = "C:\\Windows\\{918FB280-112E-4283-97CF-5681231EA6BF}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B97CE493-16F8-4140-884F-15FB1B237A16}\stubpath = "C:\\Windows\\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe" C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D63F22D9-9ED5-4316-8767-821075F36FAF} C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE23A6F-85C7-41f0-A344-CA8116409042}\stubpath = "C:\\Windows\\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe" C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB533CCD-0C97-4751-BC4C-F246376E0600} C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C40225-1013-4415-A568-FB02DB725901} C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A} C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D812A7-C614-4f51-9C74-610C39DBF4F3}\stubpath = "C:\\Windows\\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe" C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA15531-A12A-4272-AA7C-2956CD817667}\stubpath = "C:\\Windows\\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe" C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}\stubpath = "C:\\Windows\\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe" C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C40225-1013-4415-A568-FB02DB725901}\stubpath = "C:\\Windows\\{12C40225-1013-4415-A568-FB02DB725901}.exe" C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}\stubpath = "C:\\Windows\\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe" C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe N/A
File created C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe N/A
File created C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe N/A
File created C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe N/A
File created C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe N/A
File created C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe N/A
File created C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe N/A
File created C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe N/A
File created C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe N/A
File created C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe N/A
File created C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe N/A
File created C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
PID 2872 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
PID 2872 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
PID 2872 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 2496 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
PID 656 wrote to memory of 2496 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
PID 656 wrote to memory of 2496 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
PID 656 wrote to memory of 5060 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5060 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5060 N/A C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4596 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
PID 2496 wrote to memory of 4596 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
PID 2496 wrote to memory of 4596 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
PID 2496 wrote to memory of 1948 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1948 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1948 N/A C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 1620 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
PID 4596 wrote to memory of 1620 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
PID 4596 wrote to memory of 1620 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
PID 4596 wrote to memory of 3420 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3420 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3420 N/A C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1248 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
PID 1620 wrote to memory of 1248 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
PID 1620 wrote to memory of 1248 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
PID 1620 wrote to memory of 2572 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2572 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2572 N/A C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2824 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
PID 1248 wrote to memory of 2824 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
PID 1248 wrote to memory of 2824 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
PID 1248 wrote to memory of 2840 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2840 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2840 N/A C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 4308 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
PID 2824 wrote to memory of 4308 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
PID 2824 wrote to memory of 4308 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
PID 2824 wrote to memory of 2072 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2072 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2072 N/A C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 3820 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
PID 4308 wrote to memory of 3820 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
PID 4308 wrote to memory of 3820 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
PID 4308 wrote to memory of 4916 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4916 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4916 N/A C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 4036 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
PID 3820 wrote to memory of 4036 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
PID 3820 wrote to memory of 4036 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
PID 3820 wrote to memory of 1988 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1988 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1988 N/A C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 2484 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
PID 4036 wrote to memory of 2484 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
PID 4036 wrote to memory of 2484 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
PID 4036 wrote to memory of 824 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 824 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 824 N/A C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 5000 N/A C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
PID 2484 wrote to memory of 5000 N/A C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
PID 2484 wrote to memory of 5000 N/A C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
PID 2484 wrote to memory of 3216 N/A C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"

C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe

C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe

C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{918FB~1.EXE > nul

C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe

C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A45AC~1.EXE > nul

C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe

C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BB533~1.EXE > nul

C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe

C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{12C40~1.EXE > nul

C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe

C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A25A0~1.EXE > nul

C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe

C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74B5E~1.EXE > nul

C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe

C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{80D81~1.EXE > nul

C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe

C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B97CE~1.EXE > nul

C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe

C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA15~1.EXE > nul

C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe

C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD4A~1.EXE > nul

C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe

C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D63F2~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe

MD5 cf085e698cb7b788bfb5cedacefe0257
SHA1 7af13fead39d1826f6daea7132ed1badaff46447
SHA256 99715c049e6336d7f2d9ed8b4921bb6e04d529bbc3332ff8f02a345a1fdec323
SHA512 1e5984877c22d225ef2c7097599980b7f0589a5fa06ab410878cac7ecbded4d9682d007e0f6cc1094819dcb69f1325844363e3ee8be5a08c005983cae25ec0ce

C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe

MD5 dc588700cb292a8ad17c88f572b97dc5
SHA1 5006a6dde1252f87f1cd2cb3b0d2013eaac448d2
SHA256 fc0bef8ef2348fde23cfd4bd301a7adae9a40e87a21b61e1655931f90f886ee6
SHA512 4067c53d1d0ecc97dd1ad83177bb3e34de03ba467f01203f654607d7d639313ab3953f81c484b10f3b735b9bc0409abd78a925fbee0c30d3b0c2f0e89f933f10

C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe

MD5 c19eefde76eeb805a99f9ef9971f6483
SHA1 83757c1587687cd7ea30802d52c1d5578ce8a996
SHA256 d4193ef8d13817bb4a15f2500372c39bca26771fd26834bfd7d6bea43d36c282
SHA512 c17facf5f765dcca748b2b65e3123d36931ea9b184b530881772db7588bdb4784a499e3644af170be6f5518eb883ea5d843911a07836db44337dae946130e257

C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe

MD5 543893a0a858923956e345f39ee6b4cd
SHA1 fae3f9e9617a4624b0ebb360fc432480e85bafd1
SHA256 b883cd5714ea5d62f99bd498662407c7e26636631be5ef052e2364499a18ed02
SHA512 b34192ccabb1e9364916546b9526401461d2331398ebe19f275950f87cf49b8334fa1ee9b28d642d2fee948895062e4a57a7b74b9e3476a013fcce11f4a94078

C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe

MD5 2f29dcd67ab25a1d8b66f256e08a0ded
SHA1 b82cdf48cc058b387f0b9649f83ee0fdfaeb97e1
SHA256 9dd1fcbf1040e2fd54ce547064d0bff3c1202c2195acdfe29f558fb3666e4589
SHA512 610a77a11582cd3724de5a0e49fbf55e6e1b7cd28ef64c3543a252782352fae346c4c696b37828e30a1afa1d8a2de81310f739ac76c95db452776287788cd7cb

C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe

MD5 6366bf3fc3e0af6785e1d8c6227d95f4
SHA1 59184270f232e71a531f23ddce24b644256aff57
SHA256 7267b9f9eb0b2fceb21a29e1d02a592c5229e63f103f2e98223d4091bf8ccd33
SHA512 68851e88870322242d73b28299b852d03c3efa9f9c220762e94c11cd8c4d151e5a0dfb235347f18c89f05a2796d99d95df1f81d64329140729d2ca1a909eba80

C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe

MD5 b113dd50ed62f2aa70f0cfd611994d54
SHA1 677b424659d090d1835671b58c745721b742b07e
SHA256 a0db00408000e8d03d34550f1208a50f1d5fa28a8374f397d30c6faf0f00e795
SHA512 e7677f57f494919a4f7f1b65f8c8561f7b1241ccf5964254801d1b87ef3e1c0afb198f6594f6aadf3162890c1fbfd0ab6b8c7f1fa3176a851a955079005f74ee

C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe

MD5 b0cadd284e6475b0da7670031c563dc2
SHA1 cab84a6856a5b94af73972ad9338d94d43e01dcd
SHA256 5afa4c830ef87b7d0436448918353e33a53ce524a2f03556f1f21fcfb43a3f93
SHA512 d24ad3f7acd090a7ecc1deab194fec5165a299b65e85bee0a4745b7bfcacdc9fc6a69fdd49f2ea7c7f86b481700b22bd7cee14cf62bb743da31b6d4d8256351f

C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe

MD5 ac9fa2a4221bd749f9a6bca8ab88d62c
SHA1 9bfc78a4d4ef8155080e1691c65162a35f15d6ea
SHA256 12138fbde420804b2b037190fa83532b8a711e49fdaf5d18c4cba5a1aebc94da
SHA512 560058ba482712ac3704c7bdf16354f6fdb8a4f1bcab553dc5cdead85550c3a8ee9cfb5053e7de0d8dca9abd33a4e3baa9f47b68123e1c01fab1bf4a62d9dfc7

C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe

MD5 2455b9dfa3240f88e4cbd906dba88ef9
SHA1 0f3b2dca4bf8ec6b0134560ab0ad7fb4f248b6cc
SHA256 c232d63ec482c0eba0b58a3e661c36c7136e599400ff1ce05c9089353c3f16d4
SHA512 ae8d03b44698761f868e67e3eae557c07b2e04e4ad735c6c6244f7099bc7b8e32f8c165fd7d6bf4428af85cc35ab366e62b0067609a4734efb827059af428bce

C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe

MD5 96da12da75a15b3f6b308bdc66f535c9
SHA1 89e8e5fd6e0b1fa378fb844919d94adbc05645b3
SHA256 c7fd2d257f25b00a5b6177ddff56fa33d6e49006289bb5e854c4875cf8351a0a
SHA512 c09bfecfe3464618cc6e173e2744b0ae633af80b21349512e48105b1ab8323dfdce4099b4a9dc02aceca564b7e2594b32119e04135958115933853e4fead26db

C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe

MD5 55c75934c745647e28b938043b65779e
SHA1 856d147aa1951aac8922f44c3a12891fd582caef
SHA256 aac89ad9247e50b74f968f5789f7a8c783e85b4dc49951ac730a2f6341fbb247
SHA512 2c87a626c0f2fb12be9a4be2a6b2057a0717423eef739637b1f658c52af3ef5a8628697316744713d9a3d7acbf7e9a194673549284612bbee5b5f7066c80a61b