Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1hj3kabf9w
Target 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye
SHA256 3c8f713770473a68fa2f70b65f1c2298547b78ca26462e0d7db89518b8fbe950
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c8f713770473a68fa2f70b65f1c2298547b78ca26462e0d7db89518b8fbe950

Threat Level: Known bad

The file 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:38

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:41

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10E4A0B-590F-437c-905E-3C783C71CDA1}\stubpath = "C:\\Windows\\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{264F2785-FCDD-43e0-9391-59585FD2D279}\stubpath = "C:\\Windows\\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe" C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2} C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E} C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF93032-56DC-4257-B6BC-A36CA443290A} C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10E4A0B-590F-437c-905E-3C783C71CDA1} C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1} C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}\stubpath = "C:\\Windows\\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe" C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB} C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5150B930-5E72-4a46-B950-332CBB906302} C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1186066-2F68-49c8-AD03-A226BCBAF6F7} C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}\stubpath = "C:\\Windows\\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe" C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}\stubpath = "C:\\Windows\\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe" C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{264F2785-FCDD-43e0-9391-59585FD2D279} C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E} C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}\stubpath = "C:\\Windows\\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe" C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5150B930-5E72-4a46-B950-332CBB906302}\stubpath = "C:\\Windows\\{5150B930-5E72-4a46-B950-332CBB906302}.exe" C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}\stubpath = "C:\\Windows\\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe" C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}\stubpath = "C:\\Windows\\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe" C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55DF49BB-C557-48a3-AC23-D1507FB4642B} C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55DF49BB-C557-48a3-AC23-D1507FB4642B}\stubpath = "C:\\Windows\\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe" C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF93032-56DC-4257-B6BC-A36CA443290A}\stubpath = "C:\\Windows\\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe" C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
File created C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe N/A
File created C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe N/A
File created C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe N/A
File created C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe N/A
File created C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe N/A
File created C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe N/A
File created C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe N/A
File created C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe N/A
File created C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe N/A
File created C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
PID 2892 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
PID 2892 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
PID 2892 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
PID 2892 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2548 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
PID 2812 wrote to memory of 2548 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
PID 2812 wrote to memory of 2548 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
PID 2812 wrote to memory of 2548 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
PID 2812 wrote to memory of 2400 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2400 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2400 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2400 N/A C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 920 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
PID 2548 wrote to memory of 920 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
PID 2548 wrote to memory of 920 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
PID 2548 wrote to memory of 920 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 800 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
PID 920 wrote to memory of 800 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
PID 920 wrote to memory of 800 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
PID 920 wrote to memory of 800 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
PID 920 wrote to memory of 1484 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1484 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1484 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1484 N/A C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1976 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
PID 800 wrote to memory of 1976 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
PID 800 wrote to memory of 1976 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
PID 800 wrote to memory of 1976 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
PID 800 wrote to memory of 1624 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1624 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1624 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1624 N/A C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2636 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
PID 1976 wrote to memory of 2636 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
PID 1976 wrote to memory of 2636 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
PID 1976 wrote to memory of 2636 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
PID 1976 wrote to memory of 2280 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2280 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2280 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2280 N/A C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2316 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
PID 2636 wrote to memory of 2316 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
PID 2636 wrote to memory of 2316 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
PID 2636 wrote to memory of 2316 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
PID 2636 wrote to memory of 2312 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2312 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2312 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2312 N/A C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2292 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
PID 2316 wrote to memory of 2292 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
PID 2316 wrote to memory of 2292 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
PID 2316 wrote to memory of 2292 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"

C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe

C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe

C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E10E4~1.EXE > nul

C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe

C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{881AF~1.EXE > nul

C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe

C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{264F2~1.EXE > nul

C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe

C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4C9~1.EXE > nul

C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe

C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5150B~1.EXE > nul

C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe

C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B859~1.EXE > nul

C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe

C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B37BB~1.EXE > nul

C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe

C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55DF4~1.EXE > nul

C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe

C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1186~1.EXE > nul

C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe

C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B856C~1.EXE > nul
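Read together, the registry, file-drop and process tables above describe a relay rather than a single persistence entry: every stage writes C:\Windows\{GUID}.exe, registers that file as the StubPath of HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} (Active Setup runs a StubPath once per user at logon whenever the matching key is missing under HKCU), starts the new stage, and then spawns cmd.exe /c del against its own 8.3 short name so the long GUID name never appears on a command line. The Wow6432Node path and SysWOW64\cmd.exe also show the sample is a 32-bit binary running under registry redirection on a 64-bit host. The Python script below is an added example, not part of the sandbox report: it takes the behavioral1 Set value rows and cmd.exe lines as constructed input, rebuilds the stage order from the unordered StubPath writes, flags GUID-named StubPath values, and works out which stages have a matching self-delete command. The 8.3 matching rule (first six characters of the stem, then ~N and a three-character extension) is a simplification of NTFS short-name generation and, like the "suspicious StubPath" heuristic, is an assumption of this example rather than something the report states.

```python
"""Reconstruct the Active Setup dropper relay from sandbox signature rows.

Added example for this report; the inputs below are copied from the
behavioral1 tables and embedded here as constructed test data.
"""
import re
from typing import Dict, List, Optional, Tuple

WIN = r"C:\Windows\{%s}.exe"
ORIG = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe")

# (process that wrote the value, StubPath value it wrote), in the order the
# "Modifies Installed Components in the registry" table lists the Set value rows.
STUBPATH_WRITES: List[Tuple[str, str]] = [
    (ORIG, WIN % "E10E4A0B-590F-437c-905E-3C783C71CDA1"),
    (WIN % "881AFE50-BC32-4b7a-B555-0CE23EAB06F1", WIN % "264F2785-FCDD-43e0-9391-59585FD2D279"),
    (WIN % "55DF49BB-C557-48a3-AC23-D1507FB4642B", WIN % "B1186066-2F68-49c8-AD03-A226BCBAF6F7"),
    (WIN % "B1186066-2F68-49c8-AD03-A226BCBAF6F7", WIN % "B856CE78-B9D7-4af9-A331-19E9FAAED1AB"),
    (WIN % "E10E4A0B-590F-437c-905E-3C783C71CDA1", WIN % "881AFE50-BC32-4b7a-B555-0CE23EAB06F1"),
    (WIN % "264F2785-FCDD-43e0-9391-59585FD2D279", WIN % "0B4C961A-EED7-4a39-9D5D-C5168275DF5E"),
    (WIN % "0B4C961A-EED7-4a39-9D5D-C5168275DF5E", WIN % "5150B930-5E72-4a46-B950-332CBB906302"),
    (WIN % "5150B930-5E72-4a46-B950-332CBB906302", WIN % "3B859A2B-4CBF-4780-B9B8-741BDECC7CD2"),
    (WIN % "3B859A2B-4CBF-4780-B9B8-741BDECC7CD2", WIN % "B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E"),
    (WIN % "B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E", WIN % "55DF49BB-C557-48a3-AC23-D1507FB4642B"),
    (WIN % "B856CE78-B9D7-4af9-A331-19E9FAAED1AB", WIN % "8EF93032-56DC-4257-B6BC-A36CA443290A"),
]

# The cmd.exe command lines from the Processes list: each stage deletes itself
# through its 8.3 short name, so the GUID file name never appears on the command line.
DEL_CMD = r"C:\Windows\system32\cmd.exe /c del %s > nul"
DEL_CMDS: List[str] = [DEL_CMD % r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"] + [
    DEL_CMD % (r"C:\Windows\{%s~1.EXE" % stem)
    for stem in ("E10E4", "881AF", "264F2", "0B4C9", "5150B",
                 "3B859", "B37BB", "55DF4", "B1186", "B856C")
]

# Heuristic (this example's assumption): a bare GUID-named executable in the root of
# C:\Windows. Windows' own Active Setup entries reference System32 binaries or
# regsvr32/rundll32 command lines, not files like this.
_GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$")
_DEL_RE = re.compile(r"/c\s+del\s+(?P<path>.+?)\s+>\s*nul", re.IGNORECASE)
# Simplified 8.3 form: up to six characters of the stem, '~N', up to three-character
# extension. Real NTFS generation also substitutes some characters (assumption).
_SHORT_RE = re.compile(r"^(?P<stem>.{1,6})~\d+\.(?P<ext>[^.]{1,3})$")


def is_suspicious_stubpath(value: str) -> bool:
    return bool(_GUID_EXE.match(value))


def build_chain(writes: List[Tuple[str, str]]) -> List[str]:
    """Order the stages by following writer -> StubPath edges from the single root.

    The root is the only writer that nobody else registered as a StubPath."""
    nxt: Dict[str, str] = dict(writes)
    if len(nxt) != len(writes):
        raise ValueError("a stage registered more than one StubPath")
    targets = set(nxt.values())
    roots = [w for w in nxt if w not in targets]
    if len(roots) != 1:
        raise ValueError("expected one root dropper, found %d" % len(roots))
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in nxt:
        cur = nxt[chain[-1]]
        if cur in seen:
            raise ValueError("cycle in StubPath graph at %s" % cur)
        seen.add(cur)
        chain.append(cur)
    return chain


def short_matches_long(short_path: str, long_path: str) -> bool:
    """True if an 8.3 path such as C:\\Windows\\{E10E4~1.EXE can refer to long_path."""
    sdir, sname = short_path.rsplit("\\", 1)
    ldir, lname = long_path.rsplit("\\", 1)
    if sdir.lower() != ldir.lower():
        return False
    m = _SHORT_RE.match(sname)
    if not m:
        return sname.lower() == lname.lower()
    lstem, _, lext = lname.rpartition(".")
    return (lstem.upper().startswith(m["stem"].upper())
            and lext.upper().startswith(m["ext"].upper()))


def self_delete_commands(chain: List[str], cmdlines: List[str]) -> Dict[str, Optional[str]]:
    """Map every stage to the cmd.exe line that deletes it, or None if none was captured."""
    targets = []
    for cmd in cmdlines:
        m = _DEL_RE.search(cmd)
        if m:
            targets.append((m["path"], cmd))
    out: Dict[str, Optional[str]] = {}
    for stage in chain:
        out[stage] = next((c for p, c in targets if short_matches_long(p, stage)), None)
    return out


def summarize(writes=STUBPATH_WRITES, cmdlines=DEL_CMDS) -> dict:
    chain = build_chain(writes)
    deletions = self_delete_commands(chain, cmdlines)
    return {
        "chain": chain,
        "suspicious_stubpaths": [t for _, t in writes if is_suspicious_stubpath(t)],
        "deleted": [s for s in chain if deletions[s]],
        "surviving": [s for s in chain if not deletions[s]],
    }


if __name__ == "__main__":
    s = summarize()
    for i, stage in enumerate(s["chain"]):
        print("%2d %s %s" % (i, "deleted" if stage in s["deleted"] else "ON DISK", stage))
```

Run as a plain script. On the behavioral1 data it orders 12 stages (the submitted file plus 11 drops), flags all 11 registered StubPath values, and finds a self-delete command for every stage except the last, C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe: that file and its Installed Components key are what a responder should expect to still find on the host after the run, and the HKCU side of Active Setup is what will make it execute again at the next logon. The same script works unchanged on the behavioral2 rows once they are entered as input.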

Network

N/A

Files

C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe

MD5 4014ee03f77db1a15d6f5e8cc36be755
SHA1 5eb203ae6e495b8a481cb4e9eb3e99fa38c21bca
SHA256 bb7da3229ce37a17d13f83c978a56da1e8bcbbf37f7311b9a52dcdd5ca4b32de
SHA512 90a8f8dd327b030318ed05ed44b436a32e05bff30efa42a85f7081b627c516895eaa02a93f99e5d158c78b6316fcc94c57d68f8020b25bbdb1a57eb3ef725cdf

C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe

MD5 d5dfc78fbb73d6edc7c19703fabf77d0
SHA1 095c2933296358889b6e10d1f43c51a73b2808a7
SHA256 8063779302b9bcc34e6d29c7224fb30fa477fc39e672a4c9b2bf783b3a54e3dd
SHA512 a0c64d5cd0fb5fc5c6d2dd0d4a40336485f12da1f66610747450b9b45816ffcc0124fbce6b8ac6830d7c6962589b9ea003594f270a1cadb3d0aa292537b89b55

C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe

MD5 949d98d35e97b835f28f078d72b69aca
SHA1 d30326be9bbc81eb790305396723dcaf8e437334
SHA256 781fbe67a844a1d559fe4074e29a7905db24227d43acb037a98f13dcbb3f4251
SHA512 dcf17491f6fe5f65c8ef933c09916477eb640ec80c47ac9f8cc113c55cef637fd4c043af815535fbe87afc064c6b12ed4e25aab2508eed2bcffad5c7cf86b021

C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe

MD5 36f02598c6d56eee278b9f9cbb72d619
SHA1 1c088df7d7b2d6a121ac4982ed15e6b98d7208e4
SHA256 bb112bf0e18ead7674a99c86639645ee7d9bdd2b27eba718ca563cd031d01f57
SHA512 0efa2578240a2c58310e6aaa89547c8224a33544784d07199bf751f1995461f89b9076559ac5c5589dd559039ff9cd89dbc706106bab7d1a2e39c5362f715869

C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe

MD5 b082d0ff4877e40a9bfdfe9095343976
SHA1 8ec80b079bd4ccd4328ff396b784826c1e5b9c5e
SHA256 65888e3d4bcfff0ed93ec0dcb43c7ff16ad4efa0c9d5b635e0cdb3a7b26570fc
SHA512 1a930232afb7e35bf2491cec6e67c6998b9ad916da699b1031ee62f5289c829190293e7dd321b38eff19aaf4d6ac02ab53be23a6d218dbd2e506d6bd82fca964

C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe

MD5 e26a794d2045114c83298d8d5875c7a0
SHA1 93bb6506be8b5c338f821b93b8b59821837ab5d6
SHA256 d6a33b1f57e29064eb24893b7a277cf86e741fa9dfc39fd3a1ba286dafafbe98
SHA512 a769f85d8036d072a3060452f3ccce781a41a2359c81ae60c8cdeddfcf21f3fcbe487cf02c7be854bf45b8c2c7c5b8f5280b87f98b11bde6c75e2a70e6062a87

C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe

MD5 f1df4cee614b9fc836baff4035c6336a
SHA1 9ff7f16f8f42d70ac77106df11363279ecbc5cab
SHA256 5a2e8dc2799f9e0f485b6120d7134945b63f4a0319556cd6c249114b3f97ec3b
SHA512 1227393d1fd94ec42e37b98464021bd028e7ce3e86bd93d3ecd1952fc2b62105d30a7946ae98b04005957e43a5a7182d187579456bdff26068cca901f4723d00

C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe

MD5 aaa61632abfb10c830613246cc942e7d
SHA1 36b129240db280b7258b61265d5e289b92cb53a8
SHA256 c7c14b18c0c34f3e5529077079d5e72cb213f260e856eccf349712cda1ea7a0b
SHA512 ab0bb8f6da304feb85e72722ae1b200307d1ab83a69c185f2b70ffa884001a416747345eb35d109be82a26c45955b9494db067e461cca66c0f6b5851cbaef333

C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe

MD5 f60190a92486c66674a30a333a4260ee
SHA1 e2b9ac2507f6ae85677ca3afd0b6f081a9c8abd2
SHA256 4537a0bde08f4e89cab3c9207605386372710f51a5412a37d42d7407e9a89e00
SHA512 5a2146e7a9bba075ea9fb192cae3ab0ee3abc3fff3c3bcd25bb680991a09191339a2db984e8b0019eb27296601c80d509f7986767a7e1491d9ae66a2405f0c5c

C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe

MD5 9b866c5f58afe88e9fa73e459457f5f8
SHA1 dfd0b14b459bd1b358da13b99eacf484d928eb5e
SHA256 a5adf49280dd4ec4307da85f48e5471ece791d26f192dd7977c8f670eb4343bf
SHA512 54c6cee3298a3f1c0a21387ff491cc6a90dbe79e6fba35e3cf9797e773b90f9463251477d10d938a99a90cea6cb5ec85ebe50e12e63d0027596c8d40717ee2d2

C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe

MD5 f40535bdf5fe9ea5e925c63184b35c70
SHA1 b87bbe67df2126d9790e605eeaaa9523ecaba931
SHA256 335b6786a780f2a5d625286b68820df1d196f90111618456f967e163f5b8a5d1
SHA512 18b2c452ba5fca45980a81b9f54af2f9f7e179bd16e25ebcd67234912e54f012ce5ab0bed8c3e3afaba7602562e16f9543863f2501400335d73675c41b8d5315

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E72E84-049C-44e8-A114-B65F8736614D}\stubpath = "C:\\Windows\\{89E72E84-049C-44e8-A114-B65F8736614D}.exe" C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD620C2A-9F46-4605-8F8C-FE9952BB8272} C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2} C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A975883-4A2A-4c58-AEB1-C4D279630A26}\stubpath = "C:\\Windows\\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe" C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}\stubpath = "C:\\Windows\\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe" C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}\stubpath = "C:\\Windows\\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe" C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6499CC57-06F0-48d9-B4ED-A8C2B311B531} C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}\stubpath = "C:\\Windows\\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E72E84-049C-44e8-A114-B65F8736614D} C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}\stubpath = "C:\\Windows\\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe" C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F} C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108134B4-B6AF-4668-8F16-CAED54D980FB}\stubpath = "C:\\Windows\\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe" C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4596DCFF-B727-41d9-8C06-38B209A66420} C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB26D8AA-4CA9-4653-B66E-65145673825A} C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A416E20-9B36-4346-9E43-D3823FDBADEF} C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4} C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A416E20-9B36-4346-9E43-D3823FDBADEF}\stubpath = "C:\\Windows\\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe" C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A} C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4596DCFF-B727-41d9-8C06-38B209A66420}\stubpath = "C:\\Windows\\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe" C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A975883-4A2A-4c58-AEB1-C4D279630A26} C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108134B4-B6AF-4668-8F16-CAED54D980FB} C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB26D8AA-4CA9-4653-B66E-65145673825A}\stubpath = "C:\\Windows\\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe" C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}\stubpath = "C:\\Windows\\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}.exe" C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}\stubpath = "C:\\Windows\\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe" C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe N/A
File created C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe N/A
File created C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe N/A
File created C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe N/A
File created C:\Windows\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}.exe C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe N/A
File created C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe N/A
File created C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
File created C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe N/A
File created C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe N/A
File created C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe N/A
File created C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe N/A
File created C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe
PID 3260 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe
PID 3260 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe
PID 3260 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3260 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3260 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2336 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe
PID 2424 wrote to memory of 2336 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe
PID 2424 wrote to memory of 2336 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe
PID 2424 wrote to memory of 2776 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2776 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2776 N/A C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 4548 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe
PID 2336 wrote to memory of 4548 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe
PID 2336 wrote to memory of 4548 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe
PID 2336 wrote to memory of 4196 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 4196 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 4196 N/A C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 3092 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe
PID 4548 wrote to memory of 3092 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe
PID 4548 wrote to memory of 3092 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe
PID 4548 wrote to memory of 2840 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2840 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2840 N/A C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 720 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe
PID 3092 wrote to memory of 720 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe
PID 3092 wrote to memory of 720 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe
PID 3092 wrote to memory of 1332 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 1332 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 1332 N/A C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 5004 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe
PID 720 wrote to memory of 5004 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe
PID 720 wrote to memory of 5004 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe
PID 720 wrote to memory of 4328 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4328 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4328 N/A C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4420 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe
PID 5004 wrote to memory of 4420 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe
PID 5004 wrote to memory of 4420 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe
PID 5004 wrote to memory of 3112 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3112 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3112 N/A C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 4964 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe
PID 4420 wrote to memory of 4964 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe
PID 4420 wrote to memory of 4964 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe
PID 4420 wrote to memory of 1356 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1356 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1356 N/A C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 1660 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe
PID 4964 wrote to memory of 1660 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe
PID 4964 wrote to memory of 1660 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe
PID 4964 wrote to memory of 4432 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4432 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4432 N/A C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 1624 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe
PID 1660 wrote to memory of 1624 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe
PID 1660 wrote to memory of 1624 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe
PID 1660 wrote to memory of 2688 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2688 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2688 N/A C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 1404 N/A C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe
PID 1624 wrote to memory of 1404 N/A C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe
PID 1624 wrote to memory of 1404 N/A C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe
PID 1624 wrote to memory of 3896 N/A C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"

C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe

C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe

C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F41E8~1.EXE > nul

C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe

C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{89E72~1.EXE > nul

C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe

C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DD620~1.EXE > nul

C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe

C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C18F7~1.EXE > nul

C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe

C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9A975~1.EXE > nul

C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe

C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8A045~1.EXE > nul

C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe

C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{10813~1.EXE > nul

C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe

C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4596D~1.EXE > nul

C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe

C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB26D~1.EXE > nul

C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe

C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8A416~1.EXE > nul

C:\Windows\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}.exe

C:\Windows\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{082CC~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 23.53.113.159:80 tcp
US 138.91.171.81:80 tcp

Files

C:\Windows\{F41E8FEE-6043-4bc4-9B6F-3F012F3E1EC4}.exe

MD5 e21404cd1c8330379b22f9d13c6bb04d
SHA1 43777f6486305c5fdf6c2ef39c4d0df1aabef2b9
SHA256 f1b6c0e1bca8d2b9918c7bf32795e8775635f8de57c0189b6ba2a3271865b5a0
SHA512 dc81a4d2f071cfb4ddb0aaa39d031151cb16809415ababec95157fdbc1588156bda8d6d1655d7b980176b7e0d282962cd97c2ac4aba51fe1b6c722b3197a3401

C:\Windows\{89E72E84-049C-44e8-A114-B65F8736614D}.exe

MD5 886bbffa5313033a4177396260837d0c
SHA1 23e5c987c4b01c5bdb7aa9fef8df34a738f5bb6a
SHA256 1a06d9971881570242f1740d03249e3f0400494554d87a7966e82b42fce63578
SHA512 95bdc57eb5a4e45ed50195a19d2794bbb22618b99146a163b75aae6017757e834f1fda73ffd6bcd79009c36471172c946985169d16910bc94bca6079b5749bc1

C:\Windows\{DD620C2A-9F46-4605-8F8C-FE9952BB8272}.exe

MD5 4c49fa65433da4f6b772058f0e6be866
SHA1 ecd01ad428ca4431ab2ec87bca5dd33296b74a9a
SHA256 640c49575250a404eeec21f3671a0eab4b8ed92c7f21e092e2fcb522d4261062
SHA512 9b79bd0c4f00476f30cd73fc9d44c25187140fba06b39caad097255ce60c161ddfcb6de40f1b446e41a94ab7a021727cdfffc4877764917a81881779ac221b3c

C:\Windows\{C18F7DBC-3272-4fee-A2AC-9CCC2E4829C2}.exe

MD5 1bae2fc1c8da90401a0f6620f58acd47
SHA1 32815dd1e885ad7a0b4716598460be6650757eb7
SHA256 91a9ca8a3ade3d6b8d26e10f962fa1b07680064841f4c116479db81b7d7530f1
SHA512 f73ab1292e2deb0975ed5b71a473aef900a4d5961eaaa82a35cea22d9a3d1a9bcbc2bc5de982205e18fb817be6e5ec381b56c03bf6ad2cd2c941abd175ee03fc

C:\Windows\{9A975883-4A2A-4c58-AEB1-C4D279630A26}.exe

MD5 ee14e0fa5db5b055e9cde495316644e0
SHA1 881e32d948202edbceb623741da70b8a2a0509cb
SHA256 45d1d81dbfd13d82b1f677fa90f105b52b668d3ea4c4dd14d0a65b9cb820b90e
SHA512 c35fe92546bec22b48f3fc832a8a7d01e551b71693be675cd530d2a6351d61ef2fdb15a06efd83efa44fd732389606a73c6f1cade40fdcda18da8222b099d4b5

C:\Windows\{8A045D2E-FFEB-4ee5-809B-12A0B2483B5F}.exe

MD5 c64dcffa33ebb2b6ec9179a3a31ee84e
SHA1 61d17e94a2f8dbadce8a7d6c2fb03b27ff5b8eb3
SHA256 358ca50c302361c1390d0511834c3f6b8686084f5c3256d48c17ee5c27ae2af5
SHA512 add92f5c99a729c6bf0e8b4f60247fa06886fe9b4aacec749603ebe974e57cfc8bdd092aded76dc3fc747ca470eb3c61ef073526d16a7f2cf6c028bc004aecb8

C:\Windows\{108134B4-B6AF-4668-8F16-CAED54D980FB}.exe

MD5 98b22da199f32b1242533c603d23480a
SHA1 4d5636cb728dafb9fa8843984a79dcd882dc36e8
SHA256 cf0cb716ebc31f66d6311aab6e06d5e4bc8faed8edb7653593f27cc53c1b3491
SHA512 f669a6a48897118d022cc3f8833ecf7e8bf74c3ce612188c06daa9ed2c937c041fae2abc7295cc0dd2850e51c179ab660504b11b2fd5b6f580ebe8622e60b217

C:\Windows\{4596DCFF-B727-41d9-8C06-38B209A66420}.exe

MD5 de223f4d099942c112d3a2218d995ba5
SHA1 25aedd8015623450d0cb0198d6f69dee39af4962
SHA256 d4b19bebf9df83612ac5a34e2589c5f1fefc73bf5f0524f003d4cdeaf552d3e6
SHA512 a65ffc56ca4dfd98bf0473e7416b6b65cbd38e393a1866f7f3628db718cd160e4b8fb1645284e189cb1e11cbf865b7fd275b515976e2c4e20cb3f842359dda28

C:\Windows\{CB26D8AA-4CA9-4653-B66E-65145673825A}.exe

MD5 537b9e76bcd13b39721537decba86e0e
SHA1 1a8c74c548e1046a463b26af9f69851cc47e372b
SHA256 66d32fe1aac97e377ae0af7c5e23fdd60645896d07f3ff75d9c3a88d5bb99308
SHA512 bf2b024dd66685bf729980d2a8f82e883845c92d744a27f574c24c9ab8ea477f223aff3283ba664818f925e35a127725913cc7cab44be11317bf71972538f63f

C:\Windows\{8A416E20-9B36-4346-9E43-D3823FDBADEF}.exe

MD5 242bce61c35ed833f5f25b0d62929b4f
SHA1 2b967228b72e4e647d476263fdbd5d7cf7429e82
SHA256 4566f674bbf504569e983859d4bee1d54abf3083c3ba9221819daa248c7a51db
SHA512 76a47e605d7f12fb88f7cc6bc7c26f7487cdea6cfe35e2913d3e45b78540df789f533c60ee5be998e1d6931c4e3af3dde0ccfffe4fbff25a413790b3e369e4cf

C:\Windows\{082CC7B7-F50D-4c02-9ADD-3FC61038A49A}.exe

MD5 2f55271c1f7fa228f2e407fae7431fea
SHA1 373a078cee52df2dcf0a6501deb2b994a4ec856c
SHA256 4746a30301d6521a6a93536d41db4c19576d3c871528f987bb086720fcabdefa
SHA512 f1cd427c73d2500cf051068bdc23d48ad10bac0487d617bacaca37357aa990070b9e3f268e49829f84b54255922626b479ef22d556a97f67ce6e9e67a5a641f5

C:\Windows\{6499CC57-06F0-48d9-B4ED-A8C2B311B531}.exe

MD5 7631ce79fd0f38d9532aaa38f8b8b487
SHA1 3db3d7acfc243e196a7961fed61a0424b6e7198c
SHA256 89594b34419287d6f4e38c4913026a9741842d9776c07d3edbee9181266779b1
SHA512 7a3244276878e6bc39922cd1dfd1bc410707aadfed56442e83ea9dd25804d956690b31e5391cc5fd1f65c5fea614f219429a6e95d5fd3c5cedaf85bf71fe535d