Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-wdqbkaef32
Target 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye
SHA256 2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e

Threat Level: Known bad

The file 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:48

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:48

Reported

2024-04-04 17:51

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches; description, indicator, process and target were not recorded)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}\stubpath = "C:\\Windows\\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065356A9-054A-438d-801D-7B8D233D20D9} | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065356A9-054A-438d-801D-7B8D233D20D9}\stubpath = "C:\\Windows\\{065356A9-054A-438d-801D-7B8D233D20D9}.exe" | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C002CB-84F6-43c4-8669-828973402A04} | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C002CB-84F6-43c4-8669-828973402A04}\stubpath = "C:\\Windows\\{49C002CB-84F6-43c4-8669-828973402A04}.exe" | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D} | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}\stubpath = "C:\\Windows\\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe" | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188} | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}\stubpath = "C:\\Windows\\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe" | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44FE8BB-A758-4604-8038-D6BBB468095E} | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44FE8BB-A758-4604-8038-D6BBB468095E}\stubpath = "C:\\Windows\\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe" | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D49ADD-D329-401d-94D9-C0437798EB4E} | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D49ADD-D329-401d-94D9-C0437798EB4E}\stubpath = "C:\\Windows\\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe" | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F86B980-6168-4005-A647-C532A5A89090} | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F86B980-6168-4005-A647-C532A5A89090}\stubpath = "C:\\Windows\\{8F86B980-6168-4005-A647-C532A5A89090}.exe" | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5} | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}\stubpath = "C:\\Windows\\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe" | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4} | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}\stubpath = "C:\\Windows\\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe" | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B8E691-3B63-47e8-8344-4A35FE4BE585} | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}\stubpath = "C:\\Windows\\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe" | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | N/A
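The paired "Key created" and "Set value (str) ...\stubpath" rows are the persistence mechanism. At each interactive logon Windows compares the HKLM Active Setup "Installed Components" entries against the copy under HKCU and runs the StubPath of any entry that user's hive does not yet contain, so every GUID-named executable the chain wrote to C:\Windows is re-launched once per user profile. The Wow6432Node key path (and the SysWOW64\cmd.exe image seen later) shows a 32-bit sample running on 64-bit Windows. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the "Set value" rows above (transcribed into EVENTS as the writing process plus the row text, in the report's order), flags a StubPath that names a GUID-named .exe directly under C:\Windows whose GUID equals the key name, walks the writer-to-stub relation from the submitted sample to recover the drop chain, and lists the registry keys to remove. BENIGN_EVENT, its GUID and its msiexec writer are constructed to show a StubPath the heuristic leaves alone.

```python
"""Reconstruct the Active Setup persistence chain from sandbox registry rows.

Added example, not part of the original report. EVENTS transcribes the
'Set value (str)' rows of the behavioral1 registry table as
(process that wrote the value, row text) in the report's own order.
BENIGN_EVENT is constructed (made-up GUID, msiexec writer) for contrast.
"""
import re

GUID = (r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
        r"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# full key path ending in the GUID, followed by the 'stubpath' value name
KEY_RE = re.compile(r"(\\REGISTRY\\MACHINE\\.*?Installed Components\\(" + GUID + r"))\\stubpath", re.I)
STUB_RE = re.compile(r'stubpath\s*=\s*"([^"]+)"', re.I)
# a GUID-named .exe sitting directly in C:\Windows (not System32 or a subfolder)
WINDIR_GUID_EXE_RE = re.compile(r"C:\\Windows\\(" + GUID + r")\.exe", re.I)

AS = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"

def exe(guid):
    """Path of a dropped stage as the sandbox logs it."""
    return r"C:\Windows\%s.exe" % guid

def row(guid):
    """The report's 'Set value (str)' row for a stage (backslashes doubled as in the report)."""
    return r'Set value (str) %s\%s\stubpath = "C:\\Windows\\%s.exe"' % (AS, guid, guid)

G_57BD = "{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}"
G_0653 = "{065356A9-054A-438d-801D-7B8D233D20D9}"
G_49C0 = "{49C002CB-84F6-43c4-8669-828973402A04}"
G_46FE = "{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}"
G_FC3A = "{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}"
G_D44F = "{D44FE8BB-A758-4604-8038-D6BBB468095E}"
G_12D4 = "{12D49ADD-D329-401d-94D9-C0437798EB4E}"
G_8F86 = "{8F86B980-6168-4005-A647-C532A5A89090}"
G_F17D = "{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}"
G_2D94 = "{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}"
G_E6B8 = "{E6B8E691-3B63-47e8-8344-4A35FE4BE585}"

EVENTS = [  # (process that wrote the value, registry row) in the report's order
    (exe(G_FC3A), row(G_D44F)), (ROOT, row(G_57BD)),        (exe(G_0653), row(G_49C0)),
    (exe(G_8F86), row(G_F17D)), (exe(G_49C0), row(G_46FE)), (exe(G_46FE), row(G_FC3A)),
    (exe(G_D44F), row(G_12D4)), (exe(G_2D94), row(G_E6B8)), (exe(G_57BD), row(G_0653)),
    (exe(G_12D4), row(G_8F86)), (exe(G_F17D), row(G_2D94)),
]
BENIGN_EVENT = (  # constructed control: not a row from the report
    r"C:\Windows\System32\msiexec.exe",
    r'Set value (str) %s\{12345678-1234-1234-1234-123456789ABC}\stubpath = '
    r'"C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"' % AS,
)

def parse_stubpath(row_text):
    """Return (key path, GUID, stub command) for a stubpath row, else None."""
    k, s = KEY_RE.search(row_text), STUB_RE.search(row_text)
    if not (k and s):
        return None
    return k.group(1), k.group(2).upper(), s.group(1).replace("\\\\", "\\")

def is_active_setup_dropper(guid, stub):
    """Heuristic taken from this report: StubPath is C:\\Windows\\{GUID}.exe and
    that GUID is the Installed Components key name itself."""
    m = WINDIR_GUID_EXE_RE.fullmatch(stub)
    return bool(m) and m.group(1).upper() == guid

def flagged(events):
    """(writer, key path, stub) for every row the heuristic flags."""
    out = []
    for writer, row_text in events:
        parsed = parse_stubpath(row_text)
        if parsed and is_active_setup_dropper(parsed[1], parsed[2]):
            out.append((writer, parsed[0], parsed[2]))
    return out

def drop_chain(events, root):
    """Follow writer -> registered stub from root; stops at the last stage seen."""
    next_of = {w.lower(): stub for w, _, stub in flagged(events)}
    chain, seen = [root], {root.lower()}
    while chain[-1].lower() in next_of:
        nxt = next_of[chain[-1].lower()]
        if nxt.lower() in seen:  # guard against a cycle in malformed input
            break
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain

def persistence_keys(events):
    """Registry keys an IR playbook would delete, one per flagged stage."""
    return [key for _, key, _ in flagged(events)]

if __name__ == "__main__":
    for i, p in enumerate(drop_chain(EVENTS + [BENIGN_EVENT], ROOT)):
        print(f"stage {i:2d}: {p}")
    print(len(persistence_keys(EVENTS + [BENIGN_EVENT])), "Active Setup keys to remove")
```

Run directly it prints the twelve-process chain (the submitted sample plus eleven stages) and the eleven keys. On a live host the same functions apply to a dump of HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components after the rows are put in the report's form; a stage whose file has already been deleted leaves a dangling StubPath that is still worth removing, since Active Setup will keep trying it for every new profile.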

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
File created | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | N/A
File created | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | N/A
File created | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | N/A
File created | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | N/A
File created | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | N/A
File created | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | N/A
File created | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | N/A
File created | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | N/A
File created | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | N/A
File created | C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1548 wrote to memory of 2528 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
PID 1548 wrote to memory of 2700 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2536 (4 writes) | N/A | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
PID 2528 wrote to memory of 2456 (4 writes) | N/A | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2748 (4 writes) | N/A | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
PID 2536 wrote to memory of 2936 (4 writes) | N/A | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 944 (4 writes) | N/A | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
PID 2748 wrote to memory of 1352 (4 writes) | N/A | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1836 (4 writes) | N/A | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
PID 944 wrote to memory of 2612 (4 writes) | N/A | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2076 (4 writes) | N/A | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
PID 1836 wrote to memory of 2624 (4 writes) | N/A | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 876 (4 writes) | N/A | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
PID 2076 wrote to memory of 2328 (4 writes) | N/A | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 1588 (4 writes) | N/A | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
PID 876 wrote to memory of 2668 (4 writes) | N/A | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"

C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe

C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe

C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{57BD6~1.EXE > nul

C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe

C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06535~1.EXE > nul

C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe

C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49C00~1.EXE > nul

C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe

C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46FE6~1.EXE > nul

C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe

C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3A4~1.EXE > nul

C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe

C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D44FE~1.EXE > nul

C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe

C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{12D49~1.EXE > nul

C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe

C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8F86B~1.EXE > nul

C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe

C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F17DA~1.EXE > nul

C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe

C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2D944~1.EXE > nul
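Every stage removes its own file through a child cmd.exe (`cmd.exe /c del <path> > nul`) and names the file by its 8.3 short name (`{57BD6~1.EXE`, `2024-0~1.EXE`), which defeats a naive string match on the long GUID file name. The image path is C:\Windows\SysWOW64\cmd.exe while the command line says system32 because the 32-bit process is subject to WoW64 file-system redirection, so a rule should key on the command line rather than the image path. The script below is an added example, not part of the report. It takes parent/child process records (PROCESSES is constructed from the process list above and the PIDs in the WriteProcessMemory table; the parent PID 1000 and the final setup.exe/temp-file records are invented controls that must not be flagged), matches the delete command, derives the 8.3 stem Windows would generate for the parent's image name, and reports a self-delete only when the deleted file resolves to the parent process's own image in the same directory. The 8.3 rule implemented is the common case only (spaces and interior dots removed, first six characters, `~n`); the numeric suffix cannot be verified offline, so `~2` also matches, and the parent PID remains the authoritative link.

```python
"""Detect 'cmd.exe /c del <8.3 name> > nul' self-deletion and resolve the short name.

Added example, not part of the original report. PROCESSES is constructed from
the behavioral1 process list and the PIDs in its WriteProcessMemory table; the
parent PID 1000 and the last two records (an installer removing a temp file)
are invented controls that must not be flagged.
"""
import re

ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # logged image; the command line says system32 (WoW64 redirection)
S1 = r"C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe"
S2 = r"C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe"
S3 = r"C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe"
DEL = r"C:\Windows\system32\cmd.exe /c del "

# (pid, ppid, image, command line)
PROCESSES = [
    (1548, 1000, ROOT, '"%s"' % ROOT),
    (2528, 1548, S1, S1),
    (2700, 1548, CMD, DEL + r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2536, 2528, S2, S2),
    (2456, 2528, CMD, DEL + r"C:\Windows\{57BD6~1.EXE > nul"),
    (2748, 2536, S3, S3),
    (2936, 2536, CMD, DEL + r"C:\Windows\{06535~1.EXE > nul"),
    (9000, 1000, r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Downloads\setup.exe"),  # constructed
    (9001, 9000, CMD, DEL + r"C:\Users\Admin\AppData\Local\Temp\tmp1234.tmp > nul"),          # constructed
]

# 'cmd.exe /c del <quoted or bare path> > nul', matched on the command line
DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*>\s*nul\b', re.I)
# an 8.3 alias: up to six stem characters, '~n', optional three-character extension
SHORT_RE = re.compile(r"(?P<stem>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?", re.I)

def short_stem(long_name):
    """(6-char stem, 3-char ext) of the 8.3 alias Windows derives from long_name:
    spaces removed, every '.' but the last dropped, truncated, upper-cased.
    Substitution of other illegal characters is not modelled."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = stem.replace(" ", "").replace(".", "")
    return stem[:6].upper(), ext[:3].upper()

def short_matches(short_name, long_name):
    """True if short_name could be the 8.3 alias of long_name, or is the same name."""
    m = SHORT_RE.fullmatch(short_name)
    if not m:
        return short_name.lower() == long_name.lower()
    stem, ext = short_stem(long_name)
    return stem == m.group("stem").upper() and ext == (m.group("ext") or "").upper()

def detect_self_delete(processes):
    """(parent pid, parent image, deleted path) for each cmd.exe that deletes its parent's image."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, cmdline in processes:
        m = DEL_RE.search(cmdline)
        parent = by_pid.get(ppid)
        if not m or parent is None:
            continue
        target = m.group("q") or m.group("u")
        parent_dir, _, parent_name = parent[2].rpartition("\\")
        target_dir, _, target_name = target.rpartition("\\")
        if parent_dir.lower() == target_dir.lower() and short_matches(target_name, parent_name):
            hits.append((ppid, parent[2], target))
    return hits

if __name__ == "__main__":
    for ppid, image, target in detect_self_delete(PROCESSES):
        print(f"PID {ppid} deleted its own image: {target} -> {image}")
```

Run as-is it reports three self-deletions (PIDs 1548, 2528 and 2536) and ignores the constructed installer cleanup. With EDR or Sysmon process-creation data the same check needs only the parent PID, the parent image and the child command line; pair it with a file-deletion event on the resolved long name if the telemetry has one, since the `del` runs even when the report's own "Deletes itself" signature attributes the action to cmd.exe rather than to the stage that spawned it.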

Network

N/A (no network traffic was recorded during the detonation)

Files

C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe

MD5 6e852c4fa2ace9bebd4533daf3aadb57
SHA1 ffa391f5a432d09cc6836331e3db84b80a67c8b5
SHA256 cae9787dd5ba28e248110a3af03371647166559a2859efd0803719254b4e6e4b
SHA512 1d5578b886a4546dc769f41395681e1b09cdf94e4b838bbd76496636603b38993e8fa872c7ba1a294299ad60d83ce9cbf060768fc816e07fafc64166ab0816d7

C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe

MD5 a5339f48a90273eafb444b82bed4b4bc
SHA1 c051789dc287364d02e5978d4f110930018e2f25
SHA256 484a85a06de61c7d0c1dd674bcd0963da813c3dc8619aabb1668c8d2657a0d3c
SHA512 777a3054326ce4f0d1c568c286f91741ebeb78dcc40e3b87b92f16c4aefa215a3b0e816896096bcbcc408a7775b564bf43e98d630cf99562e9671c0491fac8cc

C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe

MD5 dfb9fb38b971ea131e1274d545f81262
SHA1 7092e9d359ad9fbc75cb9cacf9ce35bbe7d4a607
SHA256 6537390b09f221c94c23d41a22dcc7ffc73fd988465162e2f8d6c44b51c13714
SHA512 42ac191ee6fa14ed25212dd3c483d5274ee88a651dcdb1e43ae2f0d15bbcf8bfb3232539c9e2403d17ab37bbb0468ba10467f79276daffc6c3446d6fe67e3048

C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe

MD5 34d3af00ed115617adb3777f1a63c514
SHA1 6d14004255c37b1400695bfc403c855f0988084a
SHA256 72292e8c7af5947f40a1f7514a48eb16eb9f7d9efa85a1ee27c724c5d2ee5776
SHA512 cbcaf16e7ce90539de8c3b730ea9c8434570066f4c8f50bf8a4593076579096017ead1bd5307f7ebeece5a4a2cd133480fc0b7292d6a82ad453e8f80064771bf

C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe

MD5 deb360054d213dd02c5a34c052be5b06
SHA1 056461744fb11379f1452f8806ae8181ecb4e6fb
SHA256 af1a7f4dcdba93586bfef6d92ff81143fdea2eb88b822a444837ef454e23deb0
SHA512 c6afe704a380320576002b2f5808c75710f126baadd7620aacfb349e570f36babcc1d77d6b1f07a753f91a86cc6872fed34bb9e61833b8b34c954f09ec27f94b

C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe

MD5 79cbc8085ec66c145b86355054490749
SHA1 710b02a2d6eee9bfb729233b12248b9335b48bd9
SHA256 44f96db7262e448a514acc5c0d3119f8461111ee5874d428eeb15b4a4432eaa1
SHA512 df72261494c3573983f55094f8b64f7388d2d4605c6e4e23ac70e8f91f1e43197e999eb45c839efd99ce9911c91693f580e02d01808d607d3685cb9bfc00c345

C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe

MD5 68f6c6db281151d8c97444c65046c35c
SHA1 2c02aa6c202e4d7444ee466836ea46d2aabf4f3b
SHA256 16c8a83d2ac18926f491f50ca7651321b7c8b818d1a317f7ac51027c8afce420
SHA512 d28b4251574cefebd077fe928de134b448479575b1726bd6da106682874c4cf70e4d11c3d5ae402697cda030a54245e0270f5c09dd19173b6ded192b0f244499

C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe

MD5 c32086061c8a05518defb7adac317d09
SHA1 bb1024c9f4b57473454e62de0b46ff522c0a5236
SHA256 cb901e91ad47f0d8ccc3431a2d35221f71fa277f654a339163060cc3bb55da29
SHA512 0aafb626a1ccb96d47c51105228f13e66ec71926f2a62bb4b396f968a6598fa3689450000a2a100e8cc2ba6c01df45a2a68d3d00a6f6feebc0320c522339e78f

C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe

MD5 eebb8aea957d2cf29eb0e5b71e9bc100
SHA1 7a461b535364e4b7f93199901baebb744368378b
SHA256 1c1396952983bd2815370eafc23d389f2a16844b52749980761532b4ae027dc9
SHA512 08eaf6900eddc86836b5ebe8d0321157b28c9a3585163037d3c312df6d94e951c9f5dcee97573db5b888ee70c24fdf02cc1cecca7a6e7e6c0a95229683812a91

C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe

MD5 7abb1ff2c11aa70f8c132333541cc153
SHA1 149cc827b1cf9fe911dfc48f4081d89cc70c3ca7
SHA256 ec77a0cb0e0387072f48aaa202603aa4948ddcf64a290107537b61f9e453f347
SHA512 752f358c3566babb0743f7d68229aea5116e3ddd9ec8cbaafe1be4eef07aa1b6dd3526b503f2032bb8c445016c074ea65454f997b1c20374415520f5d35d7078

C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe

MD5 4ee820e0a1e61a5b0d333ee8296d1317
SHA1 599500b2b53aeaea8caf6608f014f7d710b8ab9d
SHA256 4710ddbc9c63759debd161feea8f51c4619bbb4dbabd514e1a8b8e23fb44f805
SHA512 cb3ec96a4951c03ec4746854cacdbfc0387985ad9dbe2a03666ad1fca58bd0fb4ee7ea2a04e0a08c7f70fa82d0d83188c4153f2422a46266f49adfc589b68119

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:48

Reported

2024-04-04 17:51

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches; description, indicator, process and target were not recorded)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}\stubpath = "C:\\Windows\\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D} | C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}\stubpath = "C:\\Windows\\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe" | C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C4F985-777B-46a7-B1A5-A98752F5E3D5} | C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}\stubpath = "C:\\Windows\\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe" | C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462} | C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}\stubpath = "C:\\Windows\\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe" | C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25} | C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}\stubpath = "C:\\Windows\\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe" | C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54370453-3C4D-4bb3-9D78-10B68D041334} | C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54370453-3C4D-4bb3-9D78-10B68D041334}\stubpath = "C:\\Windows\\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe" | C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7B2012-539B-4fd6-B920-4609950626F9} | C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7B2012-539B-4fd6-B920-4609950626F9}\stubpath = "C:\\Windows\\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe" | C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762} | C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}\stubpath = "C:\\Windows\\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe" | C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9C31-DCBC-40b5-85BE-42289F29373F} | C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9C31-DCBC-40b5-85BE-42289F29373F}\stubpath = "C:\\Windows\\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe" | C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5} | C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}\stubpath = "C:\\Windows\\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe" | C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080B4434-0C83-440a-AB17-6F320EFB129E} | C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080B4434-0C83-440a-AB17-6F320EFB129E}\stubpath = "C:\\Windows\\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe" | C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | N/A
File created | C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | N/A
File created | C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | N/A
File created | C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | N/A
File created | C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | N/A
File created | C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe | C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | N/A
File created | C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe | C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe | N/A
File created | C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe | N/A
File created | C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | N/A
File created | C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | N/A
File created | C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe | C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
PID 4220 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
PID 4220 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
PID 4220 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 888 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
PID 2504 wrote to memory of 888 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
PID 2504 wrote to memory of 888 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
PID 2504 wrote to memory of 216 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 216 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 216 N/A C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 2000 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
PID 888 wrote to memory of 2000 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
PID 888 wrote to memory of 2000 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
PID 888 wrote to memory of 2300 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 2300 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 2300 N/A C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 4944 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
PID 2000 wrote to memory of 4944 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
PID 2000 wrote to memory of 4944 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
PID 2000 wrote to memory of 4128 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 4128 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 4128 N/A C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3416 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
PID 4944 wrote to memory of 3416 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
PID 4944 wrote to memory of 3416 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
PID 4944 wrote to memory of 4516 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4516 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4516 N/A C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 4624 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
PID 3416 wrote to memory of 4624 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
PID 3416 wrote to memory of 4624 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
PID 3416 wrote to memory of 2304 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 2304 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 2304 N/A C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 992 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
PID 4624 wrote to memory of 992 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
PID 4624 wrote to memory of 992 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
PID 4624 wrote to memory of 4384 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 4384 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 4384 N/A C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2944 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
PID 992 wrote to memory of 2944 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
PID 992 wrote to memory of 2944 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
PID 992 wrote to memory of 232 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 232 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 232 N/A C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2044 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
PID 2944 wrote to memory of 2044 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
PID 2944 wrote to memory of 2044 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 3784 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
PID 2044 wrote to memory of 3784 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
PID 2044 wrote to memory of 3784 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
PID 2044 wrote to memory of 1844 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1844 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1844 N/A C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 2172 N/A C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
PID 3784 wrote to memory of 2172 N/A C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
PID 3784 wrote to memory of 2172 N/A C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
PID 3784 wrote to memory of 1624 N/A C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"

C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe

C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe

C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD30~1.EXE > nul

C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe

C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92B78~1.EXE > nul

C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe

C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58C4F~1.EXE > nul

C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe

C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9D3F1~1.EXE > nul

C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe

C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EA1~1.EXE > nul

C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe

C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54370~1.EXE > nul

C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe

C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7B2~1.EXE > nul

C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe

C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD2F~1.EXE > nul

C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe

C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{912B9~1.EXE > nul

C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe

C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A3ABD~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe

MD5 9b86bc58f5ae0197a04832b9067a984f
SHA1 0a5edfa9c4ab43fd2350baba7c74c3c15badc93c
SHA256 742167644596edcbeefd0ffe035a364554cc3c1372f9bbb1cde838d96e79ea9f
SHA512 67051a14fb20ae98fd09e3072c88d0a6a702e599310aced9952c5a1f1cd7dc01caeff9537ad4f852abd19f7b01806a8553b4709f5330e6f1cad640c40e9e4ecf

C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe

MD5 901847d0005cbc3f64d86eb79d01649f
SHA1 284b12f3e49e288f3167058caae96c3ac85d24a1
SHA256 f7770328c79c1faa491ea895da274863fc4bdee6df1bd8198822f12c872b47ca
SHA512 53efe621dc3818a18c4301c54d3a03c6d21e96ecaed6e122e1f9bb767d20a4c8661dd121b79b2960f24331f89f29934d5a9a645d06a90df423ab1311298b2b2f

C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe

MD5 40e1f0c62392e3cffe6b4b08a05c6d3d
SHA1 f12f5e914b40c720ace215311626891c30399f0d
SHA256 a0102928968a94ca73b71ab999b58771397be1af60479ee5bc31f2f2902ca8cf
SHA512 7c9e700f527c2a44ddc107ac0cc060883aa3a1775a8059df8468832c5bbf57c875ee8aa552e142fca11b88f1a90fe87e7a162d76a18efb712babb558200ffec6

C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe

MD5 3ca39dd2213ab7e93fef7183bb8fd091
SHA1 b9d663fd31330fe964347fd5b9be43894c61b8ce
SHA256 951b86b9c332cbe2c11dc629a4ee7370a4715881e6fac691353c32fe2d152850
SHA512 0263cfd644a3362cd72c1c2c8138df25ea6fe63c59f5d010b72e79bf2285192fcde981ce7f6dffedec912bcb39d1463488a4035777d2b89c9449cc5989df33d9

C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe

MD5 becc6d8af59879aa5eaed6c1384fcf07
SHA1 e87d94a33374ad7ff7cd33fceb46e1629ff19270
SHA256 ca5bc898bb06bf35e23411ea66acf242c17d79c555a3a2e6bf70fa695b34a774
SHA512 5b7744ee2b1a79b5cdd22137614b2c215a88eac9056355906fc707b0fde021b49a3d21cd3bae7ce28886756be9b01c7c38bfb8eb881b3cdd9c0fb6f5cea570b9

C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe

MD5 031babf7863ee2fc22edcd65accbdf79
SHA1 e50d10b75b4a312cfa51521c257a3deb435b2b37
SHA256 1acec7fa5fbbbd7e30484ede202a70a9c97a4e859729b02b0747af15b1f958e9
SHA512 72173a4e48c1aa81c9891c57429a52056a9fd79f8ffaa9a4d5ca52d97638ab2efb7e709f18b3cc024c03cdea4d19d346e2d47c7b2b5583b862cf470c0a7ea90a

C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe

MD5 877e2b907394a94b852541b3d039815f
SHA1 5810bdf516621dc478431278bec8f0cfe94b2417
SHA256 392110d4cf24075af778d012a9f1ccc0bb00603d492f4399fb4f1fb65842d1ac
SHA512 343a3536643eb57814137885be7492c65f498bc64f9d73242beafb84e419f4578edc9ae5553b81af399c12ab3645a176501925d65d81851575f125f43e6ccd92

C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe

MD5 b9f992ce548a2c7350fab4662303dede
SHA1 2000a837191879d92c545f4ef3e28292b49593af
SHA256 f5c4a7629469ffa1c0273376afe09b0450a0871f5e5abf2e311a9ccd36ec1f95
SHA512 68efd942a2d5e73aeaedd777c4b3f85d0a721d935f4771f3c16f86a056de8c701d21a58d04961b8c2d207dc2f49f9da43be2f7ec37c21538fb9453305d3a5684

C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe

MD5 b2c2cf23a68a0520455916dfca50e23f
SHA1 a1ffd6782607ba0aa7412f0ba99a6165d46f8278
SHA256 a66b758d375f0e40e918dc82d3ddb8f4784e30bb790d65a9a2cf85ce61893716
SHA512 cee7c740034b2846b3a5761ed0d04ce667e682ea49b78ffa120fa836ff6fb06b7b3db54b4b4bbf7248241e5220eed1b247706c087c48726cf1e52ff76d9329b8

C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe

MD5 58079788461af6af7fab24b296b65ef6
SHA1 121beeb5cc2460ef60ba99e5d993f377bc2b1ec0
SHA256 952d52d6527e073c5bf5663b9e05bbe39aa2bf3bf8f9dc188b410863f6f35aab
SHA512 2db75c5e58b1036620b171176ebfbb7214734e1181ceccc0da1f1e00871ad87815650ee21072e1b8dbbb8dbe33681438a2778ac05a00734627c2784ccc2d17cc

C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe

MD5 3113041443b5fa15feddca2389f5302c
SHA1 993c0ec28cb2f49d2a5172b5b1df86a6cf78558c
SHA256 40adda4ee5cc4c6a6a588cf818871c3279ab7b19a542618d0cdc5b66f46e864c
SHA512 d8a565a0e42b8b177533314a67169b4ba13acfd2daab51498f006cd7d037fd195a074762631f098c515f66bc19bcb313d9af8d36cd15b6e668b33985257d8d96