Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v9sacsed98
Target 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye
SHA256 21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291

Threat Level: Known bad

The file 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule (matched in static1 and in both behavioral runs; the rule exports no indicator detail, see the per-analysis tables)

Modifies Installed Components in the registry: every stage registers HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\StubPath = C:\Windows\{GUID}.exe for the stage it drops. Active Setup runs each StubPath at the next interactive logon of any user whose HKCU copy of that {GUID} key is missing, in that user's context. The key lands under Wow6432Node because the sample is a 32-bit process writing through WOW64 registry redirection.

Deletes itself: each stage spawns cmd.exe /c del <its own image, named by its 8.3 short name> > nul

Executes dropped EXE: chained dropper; each stage writes the next C:\Windows\{GUID}.exe and runs it

Drops file in Windows directory: creating files in C:\Windows needs administrative rights; the sandbox user is Admin, so the writes succeed here

Unsigned PE

Suspicious use of AdjustPrivilegeToken: every stage enables SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory: four writes per spawned child, cmd.exe included, as a parent makes when it creates a child; nothing on this page shows writes into a pre-existing process

Note for hunting: the GUIDs, dropped file names and hashes differ between the win7 run (11 stages observed) and the win10 run (12 stages observed), so they are generated at run time and are not reusable as static indicators. Hunt on the pattern instead: an Active Setup StubPath pointing at C:\Windows\{GUID}.exe, and a cmd.exe child deleting its parent's image by short name.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:41

Reported

2024-04-04 17:44

Platform

win7-20231129-en

Max time kernel

144s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
(11 matches; no description, indicator, process or target detail exported)

Modifies Installed Components in the registry

persistence
Each row pairs a key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with the process that wrote it: the process column is the dropper of C:\Windows\{GUID}.exe, and the StubPath value is what Active Setup will execute at the next interactive logon of each user that has not yet run it. Reading the rows as "process created key for GUID" yields the stage order of the dropper chain.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078E77AC-14C6-4977-AB96-835408A2F49B}\stubpath = "C:\\Windows\\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A464C467-8DB9-4705-88A7-DD0F667D776E} C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}\stubpath = "C:\\Windows\\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe" C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D} C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA52E9F0-3EB2-4534-B398-8B14364E48F6} C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}\stubpath = "C:\\Windows\\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe" C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078E77AC-14C6-4977-AB96-835408A2F49B} C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8} C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}\stubpath = "C:\\Windows\\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe" C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8} C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B868C-88CF-4092-A3DF-94BE950B904C}\stubpath = "C:\\Windows\\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe" C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}\stubpath = "C:\\Windows\\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe" C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A464C467-8DB9-4705-88A7-DD0F667D776E}\stubpath = "C:\\Windows\\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe" C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{461A4BCB-1FE3-4e37-8159-3E032AF404D3} C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}\stubpath = "C:\\Windows\\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe" C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}\stubpath = "C:\\Windows\\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe" C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497601ED-FB01-40e0-AC8D-053166A61BD0} C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5} C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B868C-88CF-4092-A3DF-94BE950B904C} C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C34729-1D2F-4bdf-A242-3CC3E23B0618} C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497601ED-FB01-40e0-AC8D-053166A61BD0}\stubpath = "C:\\Windows\\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe" C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}\stubpath = "C:\\Windows\\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe" C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
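As an added example (this editor's Python, not code from the sandbox vendor or from the sample), the rows of this table can be parsed back into the chain they describe: the process that creates the key for {X} is the dropper of {X}.exe, so following "process column points at key GUID" from the original sample gives the stage order, and every StubPath that points at a bare C:\Windows\{GUID}.exe is one persistence hook to remove. The data string is copied verbatim from the table above; the only assumption is the row layout the sandbox prints (description, key, optional value, process, target). The parser also accepts the WOW6432Node spelling used in the behavioral2 table.

```python
# Added example (this editor's code, not part of the sandbox report): rebuild the dropper
# chain and list the persistence hooks from the "Modifies Installed Components" rows
# above. ACTIVE_SETUP_ROWS is copied verbatim from the behavioral1 table; the parser
# also accepts the WOW6432Node spelling used in the behavioral2 table.
import re

ACTIVE_SETUP_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078E77AC-14C6-4977-AB96-835408A2F49B}\stubpath = "C:\\Windows\\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A464C467-8DB9-4705-88A7-DD0F667D776E} C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}\stubpath = "C:\\Windows\\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe" C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D} C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA52E9F0-3EB2-4534-B398-8B14364E48F6} C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}\stubpath = "C:\\Windows\\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe" C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078E77AC-14C6-4977-AB96-835408A2F49B} C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8} C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}\stubpath = "C:\\Windows\\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe" C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8} C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B868C-88CF-4092-A3DF-94BE950B904C}\stubpath = "C:\\Windows\\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe" C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}\stubpath = "C:\\Windows\\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe" C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A464C467-8DB9-4705-88A7-DD0F667D776E}\stubpath = "C:\\Windows\\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe" C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{461A4BCB-1FE3-4e37-8159-3E032AF404D3} C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}\stubpath = "C:\\Windows\\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe" C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}\stubpath = "C:\\Windows\\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe" C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497601ED-FB01-40e0-AC8D-053166A61BD0} C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5} C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426B868C-88CF-4092-A3DF-94BE950B904C} C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C34729-1D2F-4bdf-A242-3CC3E23B0618} C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497601ED-FB01-40e0-AC8D-053166A61BD0}\stubpath = "C:\\Windows\\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe" C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}\stubpath = "C:\\Windows\\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe" C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
"""

# One Installed Components key (64-bit or Wow6432Node view); the GUID is captured.
AS_KEY = (r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup"
          r"\\Installed Components\\\{(?P<guid>[0-9A-Fa-f-]{36})\}")
KEY_CREATED = re.compile(r"^Key created " + AS_KEY + r" (?P<proc>\S+) N/A$", re.IGNORECASE)
SET_STUB = re.compile(r'^Set value \(str\) ' + AS_KEY + r'\\stubpath = "(?P<stub>[^"]+)" (?P<proc>\S+) N/A$',
                      re.IGNORECASE)
GUID_IMAGE = re.compile(r"^C:\\Windows\\\{([0-9A-Fa-f-]{36})\}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Map each GUID to the process that created its key and to its StubPath value."""
    dropper_of, stubpath_of = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := KEY_CREATED.match(line):
            dropper_of[m["guid"].upper()] = m["proc"]
        elif m := SET_STUB.match(line):
            # the sandbox prints the REG_SZ with escaped backslashes; undo that
            stubpath_of[m["guid"].upper()] = m["stub"].replace("\\\\", "\\")
    return dropper_of, stubpath_of


def build_chain(dropper_of):
    """Order the stages: the process that created key {X} is the dropper of {X}.exe,
    so the GUID in the process column points at the GUID in the key column."""
    next_stage, root = {}, None
    for guid, proc in dropper_of.items():
        if m := GUID_IMAGE.match(proc):
            next_stage[m.group(1).upper()] = guid
        else:                      # only the original sample is not a {GUID}.exe itself
            root, next_stage["ROOT"] = proc, guid
    chain, cur = [], "ROOT"
    while cur in next_stage:
        cur = next_stage[cur]
        if cur in chain:
            raise ValueError(f"cycle at {cur}")
        chain.append(cur)
    return root, chain


def stubpath_findings(stubpath_of):
    """Every StubPath that points at a bare {GUID}.exe in the Windows directory is a
    logon hook Active Setup will run for each user; report them with their GUID."""
    return [(guid, stub) for guid, stub in stubpath_of.items()
            if (m := GUID_IMAGE.match(stub)) and m.group(1).upper() == guid]


if __name__ == "__main__":
    dropper_of, stubpath_of = parse_rows(ACTIVE_SETUP_ROWS)
    root, chain = build_chain(dropper_of)
    print(f"root sample: {root}")
    for depth, guid in enumerate(chain, 1):
        print(f"stage {depth:2d}: {{{guid}}}.exe  StubPath={stubpath_of.get(guid)}")
    print(f"{len(stubpath_findings(stubpath_of))} Active Setup hooks to remove")
```

Run against the behavioral1 rows this yields an 11-stage linear chain from the Temp sample to {BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe with one StubPath hook per stage. Fed the behavioral2 table instead, the same parser gives a 12-stage chain with entirely different GUIDs, which is the clearest sign that the GUIDs are minted at run time and must not be treated as fixed indicators. On a live host the equivalent check is to enumerate both the 64-bit and the Wow6432Node Installed Components keys and inspect every StubPath whose target is an unsigned executable outside a vendor directory.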

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
File created C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A
File created C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
File created C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
File created C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
File created C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
File created C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
File created C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
File created C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
File created C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
File created C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe N/A

Suspicious use of WriteProcessMemory

Every parent makes exactly four writes into each child it spawns, and the count is the same for cmd.exe as for the next stage. A parent writes the start-up parameters into a child it is creating, so this pattern is what ordinary process creation looks like here; nothing in the table shows writes into a pre-existing process. The table stops at PID 2812; the later stages appear only in the process tree below.

Description Indicator Process Target Count
PID 2304 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe 4
PID 2304 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2616 wrote to memory of 2528 N/A C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe 4
PID 2616 wrote to memory of 2564 N/A C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2528 wrote to memory of 2860 N/A C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe 4
PID 2528 wrote to memory of 2672 N/A C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2860 wrote to memory of 2488 N/A C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe 4
PID 2860 wrote to memory of 1136 N/A C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2488 wrote to memory of 2964 N/A C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe 4
PID 2488 wrote to memory of 2736 N/A C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2964 wrote to memory of 1664 N/A C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe 4
PID 2964 wrote to memory of 1472 N/A C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1664 wrote to memory of 2812 N/A C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe 4
PID 1664 wrote to memory of 2800 N/A C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2812 wrote to memory of 1656 N/A C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe 4
PID 2812 wrote to memory of 1784 N/A C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

Process tree rebuilt from the flat listing (image path, then command line beneath it). Each stage spawns the next C:\Windows\{GUID}.exe and a cmd.exe that deletes the stage's own image by its 8.3 short name, so the file is gone as soon as the stage exits. The cmd.exe leaf is shown before the next stage for readability; in start order the next stage came first. The 32-bit parent asks for C:\Windows\system32\cmd.exe, and WOW64 file system redirection resolves that to C:\Windows\SysWOW64\cmd.exe, which is why the image path and the command line disagree. The last stage, {BA52E9F0-...}.exe, has no recorded children; the run ended before it spawned any.

C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"
  C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe
      C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe
    C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{078E7~1.EXE > nul
    C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
        C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
      C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAAD~1.EXE > nul
      C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
          C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
        C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A464C~1.EXE > nul
        C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
            C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
          C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{461A4~1.EXE > nul
          C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
              C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
            C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{556B1~1.EXE > nul
            C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe
                C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe
              C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{426B8~1.EXE > nul
              C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
                  C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
                C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DCF1~1.EXE > nul
                C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
                    C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
                  C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{27C34~1.EXE > nul
                  C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
                      C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
                    C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{49760~1.EXE > nul
                    C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
                        C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
                      C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{06D84~1.EXE > nul
                      C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe
                          C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe
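The self-deletion in this tree is easy to miss in raw telemetry because the `del` target is an 8.3 short name ({078E7~1.EXE) while the parent's image is logged by its long name. As an added example (this editor's Python, not code from the sandbox or the sample), the detection below walks process-creation events, finds every cmd.exe whose `del` argument refers to its parent's own executable, and resolves short names heuristically. The events are constructed from the process tree and the PIDs in the WriteProcessMemory table above; the explorer.exe parent (PID 1000), the benign control row and the tuple layout are assumptions made for the example and follow no product's schema.

```python
# Added example (this editor's code, not the sandbox's): flag the self-deletion pattern
# from the process tree above. EVENTS is constructed from the report's process tree and
# the PIDs in the WriteProcessMemory table; the explorer.exe parent (PID 1000) and the
# benign control row are invented for the example.
import re

# (pid, ppid, image path, command line)
EVENTS = [
    (1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),                 # constructed parent
    (2304, 1000,
     r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"'),
    (2616, 2304, r"C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe",
     r"C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe"),
    (2932, 2304, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2528, 2616, r"C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe",
     r"C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe"),
    (2564, 2616, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{078E7~1.EXE > nul"),
    (4100, 1000, r"C:\Windows\System32\cmd.exe",                          # constructed control
     r"cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]

DEL_TARGET = re.compile(r'\bdel\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE)


def _split_ext(name):
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def short_name_matches(candidate, full_path):
    """True if candidate names the same file as full_path, allowing an 8.3 short name
    such as {078E7~1.EXE for {078E77AC-...}.exe in the same directory. Heuristic: same
    directory, the part before '~' is a prefix (at most 6 chars) of the long base name,
    and the short extension is a prefix of the long one. Real 8.3 names depend on
    collision order (~2, ~3, ...) and on 8dot3name being enabled on the volume."""
    c_dir, _, c_name = candidate.strip('"').rpartition("\\")
    f_dir, _, f_name = full_path.rpartition("\\")
    if c_dir.lower() != f_dir.lower():
        return False
    if c_name.lower() == f_name.lower():
        return True
    c_base, c_ext = _split_ext(c_name)
    f_base, f_ext = _split_ext(f_name)
    if "~" not in c_base:
        return False
    prefix = c_base.split("~", 1)[0]
    return (0 < len(prefix) <= 6
            and f_base.upper().startswith(prefix.upper())
            and f_ext.upper().startswith(c_ext.upper()))


def self_delete_findings(events):
    """Return (cmd_pid, parent_pid, parent_image) for each cmd.exe whose del target is
    its parent's own executable: the parent has handed its clean-up to a child so the
    file disappears as soon as the parent exits and releases its image."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe") or ppid not in image_of:
            continue
        m = DEL_TARGET.search(cmdline)
        if m and short_name_matches(m["target"], image_of[ppid]):
            findings.append((pid, ppid, image_of[ppid]))
    return findings


if __name__ == "__main__":
    for cmd_pid, parent_pid, parent_image in self_delete_findings(EVENTS):
        print(f"cmd.exe PID {cmd_pid} deletes the image of its parent PID {parent_pid}: {parent_image}")
```

Two caveats for anyone turning this into a rule. The match requires the parent's process-creation event to be in the same window, because the target is compared with the parent's image rather than with the cmd.exe's own; and the trick only works where 8.3 names exist at all: `fsutil 8dot3name query C:` shows whether the volume creates them, and on a volume where it does not, `del` of the short name fails and the dropper's image is left on disk for collection.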

Network

N/A

Files

C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe

MD5 3e5cdf2b1be42d81596aeb4e91e154d9
SHA1 e4a3a3ee8bda4e5cd610dee18b31766abcb04bbd
SHA256 c8e23a7be403cc2a8d94385f5f4a325fa0f58dd4a7be617074f4e159f7498d4e
SHA512 4ee5eb36f2300f7705f5f07d24b3e476b94be3f2d7d5186520c927e2dc02a576f32a315f176bacc0be33c7cb18f14c20c6239573c5a3007b088658147c546b1a

C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe

MD5 d2c1bbefcefadaa5f80bab8646873e7a
SHA1 5636f70dc73aa2532c0b5438d85061a0d3a2859c
SHA256 e1023be86c224af7f96e39fc1609e448c1ef5c619659daab1144054d66214dc0
SHA512 2217ec114c74bcc760b69d7b1997d1f88b62f8765b184d3db84588da80e9426bf8e751ae528bb51572b5a74ce9094120b5b49569816584c4e5de5237e71548a9

C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe

MD5 a08864dc9265974a3d169a3d711a999a
SHA1 49fc19f76c8933ad3ac08f267a2539b8879a5fcc
SHA256 fb269aa32b7948763e28019218556940ed97af49c4659c7f7549502ee22c77f6
SHA512 5b5a1f5716284d38ec2924124503c2d76f5fea3000f4bfa25f951c426c92e7e94803c92914cdc7c26a16ca5ed0c174c148ea5c1157aa95e43c37c1ce395dcf5c

C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe

MD5 23af495fbbf57e341b05688705e8e7d9
SHA1 1ef0fb494ea902bf566265de3530b120e320bffe
SHA256 16352ebfb83f274195f05009d22a5dc0830e37899660c49a5bc62a631dc91144
SHA512 31762f04c5dbc6736f315dc2999a2b1206f571b3a41936630e7fde6161f6a10040b2de4d680e5730daef2eee9ea4049b68065c6f72972a0827f510a33df904bc

C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe

MD5 b144b003083472a8b14fbdfc4fcf1472
SHA1 d03ebedb4fd39aac378d491619bb8a2862941301
SHA256 9f14ce9edbfdf9ab8a72fa001638c921fc42bee1005f78ac853789fc31091e9d
SHA512 04f3467509c025aff2a62226091d0615bb34b23d7e0c14d0d267cba242ad91c2681f1a15f878ef833962a67aef2190aa3765ea790d255573bfbecc2f9435e49b

C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe

MD5 d5f150ad055a2d39a8cb84f745024991
SHA1 8c06abea5e76cf724b6b0ffd2f4df0e098f7b147
SHA256 70260cef0842348f30967cd833ba5f2b94f1e659877717bde18bf9faaebb2514
SHA512 ab68d25375136e193d54db9c573c2c26a715eb0d5dbd649bb33d98b32069c79241ef5c0b9c200968dbd53576ee39c21a233b747bf3748347022788bec80f8c4d

C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe

MD5 3e0d718c6b48d70737bb51bb96a8ed3b
SHA1 0fe5a1f26cb13493d79da8151575dd9dd4bc5e81
SHA256 d496cbbace86f240d9c16a7b07022eb0da2b59a3915603acd8660abc8cad12d4
SHA512 dfcbe215c615f5f3c43ccf20da89527eb6c31856bea0f16d45a28f5a9f7ae3be810e3a94fc526511c4b5b42bf0c21d9219a8d897c755337c60bd94cfe454445d

C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe

MD5 5b95d81b0d47521462f516f22ec8f75a
SHA1 f9f7d614cc6232ff1b80891d5c139d07d1c4a547
SHA256 49eff79a1b566c7c6d1ea3de1117eb2a4f1acd794c817e34617b39ca792b8324
SHA512 8c688001c04239cf10491079ac01a3d6a3d74232bbe9fff6d6f8d7005d5faf9f2f11de167f7bfbea4a1ee7ae320fbe39d4a8d740e6c0bb3d275c5cf489c1d58d

C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe

MD5 e74102eb2963cbd5c6715bf037901107
SHA1 616ce399ac8c200cb332dd7fcffa92f8b2f9249a
SHA256 b8b9a101ffde55e3fa403c3757c1af3c57e633f2f60609dc34b5b9488a47f108
SHA512 4c0aa40e6726cba5df7b1f68c564ba7e8c09f64af91ab7ec85b493597e5328c5d235e36b7af3acd8bc2eaa5b8fa0d03e3e84cbc00004c69f029b25b39b540cfe

C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe

MD5 0b5c2a17b230d2b014b1e156f1ee1835
SHA1 101b97d540dab9139789b506a9421d5e129b0e28
SHA256 e6b174135585b04bd19d2f5baf6224569fc960efbc51350c6984da9d60327b46
SHA512 ba367728f9698d355b348938b8623e5878822775fe51e251c034ce662baff2a47c20d55e299e6e325aa4b4957604dddb79d0ed6b3508f42b646880ac78a91092

C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe

MD5 e40a5e92c1c54b56656c3051b17f4c86
SHA1 d5744f3bb346b5c75ffb2b2d85195c267c540d36
SHA256 b1233d05aa56c6e6f48b02498036009e8b66e16731730629430664badbcd78e2
SHA512 caadfceeb200631570712c10ac785a3a8707245dfb989fe319058d80b8c210a203ee9370c14babd2a46bc528d49c6ae374335fd40e4cdda9d168f2998cb095ca

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:41

Reported

2024-04-04 17:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
(12 matches; no description, indicator, process or target detail exported)

Modifies Installed Components in the registry

persistence
Same mechanism as in behavioral1 (one Active Setup Installed Components key and StubPath per dropped stage, written through WOW64 registry redirection), but with a fresh set of GUIDs: 12 stages are observed in this run against 11 on win7, and none of the GUIDs repeat between runs.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}\stubpath = "C:\\Windows\\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe" C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE} C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651C47C8-01D7-4345-91BE-DB021417A092}\stubpath = "C:\\Windows\\{651C47C8-01D7-4345-91BE-DB021417A092}.exe" C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72} C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB18EE09-3F82-41eb-993E-4301F2707232}\stubpath = "C:\\Windows\\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe" C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1913E57F-A12B-4755-A932-D2AA5FE221C9} C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1913E57F-A12B-4755-A932-D2AA5FE221C9}\stubpath = "C:\\Windows\\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe" C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42723B1C-F75B-4464-931B-718D61F1FA72} C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223B197D-6314-4ab8-8D61-AE16B275A698} C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0} C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD} C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF82682E-7377-4a09-948D-0DB6CD97A905} C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}\stubpath = "C:\\Windows\\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe" C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6916BB1-1AF2-482d-A48F-866F5CF633AC} C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}\stubpath = "C:\\Windows\\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe" C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42723B1C-F75B-4464-931B-718D61F1FA72}\stubpath = "C:\\Windows\\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe" C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651C47C8-01D7-4345-91BE-DB021417A092} C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB18EE09-3F82-41eb-993E-4301F2707232} C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75034D37-7304-4983-AFAD-141DC02D1E5A} C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75034D37-7304-4983-AFAD-141DC02D1E5A}\stubpath = "C:\\Windows\\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF82682E-7377-4a09-948D-0DB6CD97A905}\stubpath = "C:\\Windows\\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe" C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}\stubpath = "C:\\Windows\\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe" C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223B197D-6314-4ab8-8D61-AE16B275A698}\stubpath = "C:\\Windows\\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe" C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}\stubpath = "C:\\Windows\\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe" C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe N/A
File created C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe N/A
File created C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe N/A
File created C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe N/A
File created C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe N/A
File created C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe N/A
File created C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe N/A
File created C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe N/A
File created C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe N/A
File created C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
File created C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe N/A
File created C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
PID 1640 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
PID 1640 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
PID 1640 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1504 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
PID 4848 wrote to memory of 1504 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
PID 4848 wrote to memory of 1504 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
PID 4848 wrote to memory of 5116 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 5116 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 5116 N/A C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4280 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
PID 1504 wrote to memory of 4280 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
PID 1504 wrote to memory of 4280 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
PID 1504 wrote to memory of 3468 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3468 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3468 N/A C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3204 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
PID 4280 wrote to memory of 3204 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
PID 4280 wrote to memory of 3204 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
PID 4280 wrote to memory of 4788 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 4788 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 4788 N/A C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 5000 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
PID 3204 wrote to memory of 5000 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
PID 3204 wrote to memory of 5000 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
PID 3204 wrote to memory of 5040 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 5040 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 5040 N/A C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2524 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
PID 5000 wrote to memory of 2524 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
PID 5000 wrote to memory of 2524 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
PID 5000 wrote to memory of 4360 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 4360 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 4360 N/A C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4372 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
PID 2524 wrote to memory of 4372 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
PID 2524 wrote to memory of 4372 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
PID 2524 wrote to memory of 4972 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4972 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4972 N/A C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 5060 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
PID 4372 wrote to memory of 5060 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
PID 4372 wrote to memory of 5060 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
PID 4372 wrote to memory of 680 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 680 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 680 N/A C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 1988 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
PID 5060 wrote to memory of 1988 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
PID 5060 wrote to memory of 1988 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 3892 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
PID 1988 wrote to memory of 3892 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
PID 1988 wrote to memory of 3892 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
PID 1988 wrote to memory of 920 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 920 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 920 N/A C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 808 N/A C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
PID 3892 wrote to memory of 808 N/A C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
PID 3892 wrote to memory of 808 N/A C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
PID 3892 wrote to memory of 4876 N/A C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"

C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe

C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe

C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{75034~1.EXE > nul

C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe

C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{03EF5~1.EXE > nul

C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe

C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF826~1.EXE > nul

C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe

C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1913E~1.EXE > nul

C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe

C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0E5B9~1.EXE > nul

C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe

C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6916~1.EXE > nul

C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe

C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{42723~1.EXE > nul

C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe

C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{651C4~1.EXE > nul

C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe

C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BB799~1.EXE > nul

C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe

C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{223B1~1.EXE > nul

C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe

C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34A09~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 145.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp

Files

C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe

MD5 694c9e86cd85f7362dd7e6dc514ec0b9
SHA1 0ad1fe62854aa38c5539c2e7b667cebe44371823
SHA256 8fc2bb0cf6eab93b131f16bdf0180f61b580375333cafcdc4d26e0a1db8704a4
SHA512 286dec890858a91b0fc06cd31eceba0ae6c2cf96faf637e3fb0685ef25cebf682dae916e40d4f8416588aece5ac533fff733652d9594cd35c2a733cd81f6ce91

C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe

MD5 632f5de6ddb7cbc1e82fe3da2ade607f
SHA1 31fce5224d4856f7ee5bccf3a6132fd069b5d92a
SHA256 54209f59ab57303331dbd9a99b489ef09d3d32654fcb1ef87add45a34642ba39
SHA512 096ab142941158f4f78f28f5a3761b7a5787838251e32af2aee8b09fdfec569f9a8d6d35919cf8a1ec1f5d7027093164b90e364fbb9c115b70a39de253abdd8f

C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe

MD5 226cfbc1f59376911d164a505733cc9b
SHA1 2eeba35d1c79d21d5da6ec75d6c11f09b5bb3fdc
SHA256 df2690b448d26da7ba3c6a691e61efa49224034bf290e26ac7be28ed5b640ce4
SHA512 534b9685d4c94eb458b086634b90beeea85b8bb179a28db8dd036fc3e084cb7181c19f5d624fc2aaf90a2ae59310bcd230c93fd0fa7f4d0f7d4fd863693a3c80

C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe

MD5 d4cf6e476c25122f0ee3761484378300
SHA1 4d0c6b096d1217efc8a7dd06c7ae0ccb117303e6
SHA256 37f78c040f4cefa089991f19482978c6eb9ed513286eb1a66096c7ccd93193e9
SHA512 8756a473ac49ea04207e33f1d551e2248b822948dd8b61521a3dff566a858bf16e43a4c3a74029641633343deb0d2721a5318d4728ca893fab5c93209119c744

C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe

MD5 a61a7b5724d714d412c42ef5fb25486e
SHA1 42050b0cc2efaebefb7d90e3a4998ba07eef4c0c
SHA256 9e920232f3d385fde2f4a58d63291cf240a5ef3a4a72103af901a050c700f62a
SHA512 ba63403c11aac59bc96874e2d73a4d91a9af7698bea3c7c513582313f7df4b69c9ed9b739d08d2544ca732b834a7c1d4f335c3d7d4eba2c1b9e7028b6b8ce68d

C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe

MD5 f3d37850bdd8a7e308af3129584aed7d
SHA1 e5bbd744d06f6bbf9b6c75652f60f3ffa7df504f
SHA256 7f31fbbc2d9f61fb0871aca95ea4a1ce048f788ad8c7001417afb71837debaf6
SHA512 1441a8c9bd0b3c74e4ec2e395700717964ecf7cac5fa7209e28021baecca30389823eac581060ca2259eefa5ff9479a1b7582f8a1f5892025bbc55014f5861f3

C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe

MD5 4e3dc5fe20190afdad7d051e0e422306
SHA1 02e55184b6662327e0e6af6c6a8be8cc4746420f
SHA256 dcbc5ee52f9589526e9ec5a2f8057a8260586f3105e05c44d9cfce9f8eefabb9
SHA512 f5e1fb2ad3adc47c52fadcee8d42059bbfe0018b66d01f86bed97f1ee37b05aacd40c7641ec26fbdd8de26ad17c2df8fdbc44f9ad50a5476f44abe26d8438556

C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe

MD5 8a6dce3283331245a56854c6e67cbb06
SHA1 47bb21c6e5b54f0dabca3acb4001c6f172f06a25
SHA256 bcbbd2793472c371106195af3e31df5706bcc437392a4e999e6f6a68820928e2
SHA512 6141031aee3d9cad3118cb5df2de257a765a762d4576e44f381d3f54c8426774cee5c23652f2900b4e7a3289c5519e49cb9daa7c5a150dfa30aa79fedfa75303

C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe

MD5 ebb98166aae649d0dd74f655b105b9a3
SHA1 e35846e2addabba2926922bad1c30a13a7068e1d
SHA256 15d72c234daa065e8cecc0d78473d504ecbe6bad2a7c2862aa8507fedd090d48
SHA512 a9aa41d3721aa6d5eb0eef2dad636471e5f1b0154f8f38d5e7fde1b388108e1cdbe42ab48f22f9be5e21dff1a99f485fae020099e58677900c445227883e04a3

C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe

MD5 595b4204ed87a8db4c3623006798240b
SHA1 437b00e026289aefa36fb53c4801cf3bae0846f3
SHA256 ee9b9a46652351e3b596975c845d59c051468ad2b4514096c7a843e3767632cc
SHA512 dc2860bec17b724164a433cdd6b60fcba5cd2848adac3f504dfe6be38c0ac3f9c2a1e34929c0557e944de337b7f7290f4bdc26e7f5c08d868dea507f6bd45d52

C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe

MD5 04e541aad12a58dc156a1bce222e5bc6
SHA1 42380d837f4e5a1dafefaa75fd7f0ce766b62001
SHA256 b39a7c41df2ca1281b103baa0f237bf0a2d86a4fa696cea3a386bdfdaaf653e4
SHA512 c84cf5b5cb62095a3797b9fca6da18198ac56f2dd62dc241e1adc6516d25d342e6dbe02588b4302017bb3c13e9f594f9d01aa8d91191e6881be26ac4100fae2f

C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe

MD5 9ee357d65edc8a7c3ae4f39cfbf89ac3
SHA1 2a988363797ad20b9805de80d376be4481f48304
SHA256 76aba62559a520c35fdc2614ba5b2bdedd236e18671dae0537b8f47201a5c222
SHA512 fe80712d34e53b1dcd4dadaa57ab7c7728f39a18ea35e179a33f7d5d0db51497e5be003d4f4a40b73d426aadb16d8290454d3181e685ff3766b57af169e92134