Malware Analysis Report

2025-03-14 22:53

Sample ID 240406-1jzjmsbg5x
Target 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye
SHA256 90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811
Tags persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811

Threat Level: Known bad

The file 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-06 21:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 21:41
Reported 2024-04-06 21:44
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550} C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550}\stubpath = "C:\\Windows\\{ED33C418-2F07-4973-B760-12A88137C550}.exe" C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8} C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7} C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8} C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B} C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F} C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7} C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D}\stubpath = "C:\\Windows\\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe" C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C}\stubpath = "C:\\Windows\\{2680033C-A89D-471f-9091-39AAECD0687C}.exe" C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}\stubpath = "C:\\Windows\\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe" C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}\stubpath = "C:\\Windows\\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe" C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}\stubpath = "C:\\Windows\\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe" C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D} C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F} C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F}\stubpath = "C:\\Windows\\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe" C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D} C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}\stubpath = "C:\\Windows\\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe" C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F}\stubpath = "C:\\Windows\\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}\stubpath = "C:\\Windows\\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe" C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C} C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713} C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713}\stubpath = "C:\\Windows\\{32F24C0A-1292-4459-813F-39555AB20713}.exe" C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}\stubpath = "C:\\Windows\\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe" C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe N/A
File created C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe N/A
File created C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe N/A
File created C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe N/A
File created C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe N/A
File created C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
File created C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe N/A
File created C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe N/A
File created C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe N/A
File created C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe N/A
File created C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe N/A
File created C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
PID 1940 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
PID 1940 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
PID 1940 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 4364 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
PID 2000 wrote to memory of 4364 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
PID 2000 wrote to memory of 4364 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
PID 2000 wrote to memory of 3076 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3076 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3076 N/A C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4420 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
PID 4364 wrote to memory of 4420 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
PID 4364 wrote to memory of 4420 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
PID 4364 wrote to memory of 3112 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 3112 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 3112 N/A C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 4376 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
PID 4420 wrote to memory of 4376 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
PID 4420 wrote to memory of 4376 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
PID 4420 wrote to memory of 1424 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1424 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1424 N/A C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 4176 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
PID 4376 wrote to memory of 4176 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
PID 4376 wrote to memory of 4176 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
PID 4376 wrote to memory of 3424 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3424 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3424 N/A C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 1352 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
PID 4176 wrote to memory of 1352 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
PID 4176 wrote to memory of 1352 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
PID 4176 wrote to memory of 4012 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 4012 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 4012 N/A C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1456 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
PID 1352 wrote to memory of 1456 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
PID 1352 wrote to memory of 1456 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
PID 1352 wrote to memory of 1680 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1680 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1680 N/A C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4592 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
PID 1456 wrote to memory of 4592 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
PID 1456 wrote to memory of 4592 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
PID 1456 wrote to memory of 32 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 32 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 32 N/A C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4904 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
PID 4592 wrote to memory of 4904 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
PID 4592 wrote to memory of 4904 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
PID 4592 wrote to memory of 4896 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4896 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4896 N/A C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2988 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
PID 4904 wrote to memory of 2988 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
PID 4904 wrote to memory of 2988 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
PID 4904 wrote to memory of 684 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 684 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 684 N/A C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 3508 N/A C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
PID 2988 wrote to memory of 3508 N/A C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
PID 2988 wrote to memory of 3508 N/A C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
PID 2988 wrote to memory of 2620 N/A C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"

C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe

C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe

C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B92C2~1.EXE > nul

C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe

C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B8~1.EXE > nul

C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe

C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED33C~1.EXE > nul

C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe

C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B90D~1.EXE > nul

C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe

C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BBA~1.EXE > nul

C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe

C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26800~1.EXE > nul

C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe

C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D840C~1.EXE > nul

C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe

C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{794FA~1.EXE > nul

C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe

C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{32F24~1.EXE > nul

C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe

C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5A6~1.EXE > nul

C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe

C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B39~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe

MD5 6962adeb8a2852c28b56bea84dc051b4
SHA1 5907305582039e400dd5d214a13f4a9bba30eb82
SHA256 480de0a304e17a1b8c0de5334d98abffd05466c1b16532b2b1ceed37369871cd
SHA512 c1f3b8cb3aac9f7f83eb7a47e4a91a79b7c4aef65a3ac8c4e3e5695b4e1fe3f54c24d8b572359537d2b6c7fe4a352c69d1e981089d7b1d5c4e6ec06ffea0bb6a

C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe

MD5 b504145634f79796411c82829d3921a7
SHA1 22fde7d1e723e8df472ea8c9d2a5e9263a0d0ba1
SHA256 9928f7e2740af14a3d8e59d7a84906602cff695ec24c3039d5444d0901aa1718
SHA512 043bcdab1c18f0ea3e0a8ef27765b192fda380828343a427bf6555f22172c0299f02259e5b4675740c94297595fb3b48822b2155d30e8d8e6917077066a53e56

C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe

MD5 fdfdc2075a8de66e869dafab01c012b5
SHA1 9aa543a7e925e9725b8f2b280ac5c06aad775724
SHA256 6c62934fcdcdcad6dfe8c91335ccbb51d9421e93f2918164f982a95552c19470
SHA512 68c9fc0be067dfe19d7e1b89ee4ef4f426f776e252f4b281cd01ea748044605770bfcf081361720617be7cfb970c521a1f25628b8c60c1b10f8dfb2231efddf2

C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe

MD5 ee2f9d5b0a62a18843ce33ee95bcba4d
SHA1 bd6d3d6884c0a3d1bad8a6de6b77c4daaa0d8b13
SHA256 ac88b640c9478c7dafd34928773e01601926c8db1308df4367aa45631baddb64
SHA512 2229ebd603b96b5a71ba64c418eed52714e384b59e01ac36bbac9232d98049191e1789eb5c526abc4d4536392200e43d14ba7833edcdc9fe3a2618b7cbdc228d

C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe

MD5 65b5b533d1f2566f31037a8da7b498a3
SHA1 a185f384ba6de5c70fd76322f71aef42a74e81be
SHA256 89d58a4b2e734b314236d54c8eefb5cf0e70a324ac891cf9737b0a52abe99509
SHA512 244a6af78fa1cff489447e513fec448e626e58c1132c44f01ee3d518bb57ac7db2d4ba26d7e4bae18a36662aec88decd0ecbbb70bae56fa8e14b6ddedf45bb33

C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe

MD5 b75db6f9365c24882c57d5ff83fe0dbf
SHA1 e64517d9d1b35735230361ddf0f822742b6706c3
SHA256 aaab70da9dd1c6c9ca98ddb7ee591ca94dd6367c1738e9c197a7bbb671e92e4c
SHA512 8b9713673bfb645d3059c1c1dff16a6ff9547315369e0edb80926d3c4255c36c6eb2096f974d23761cb7adf6466a6cfad5cd94769c12105616ac179af92a5a29

C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe

MD5 96278c90470dc1f051d664f363d4ce1b
SHA1 a83a2bb684550a62bb7b499db2b20eda606a36d4
SHA256 47f63746c867b7385831a4c34ae29fb4a8eb97b5fc4eb3d29dfe86ba5565c34e
SHA512 bb7b2f64e50da6756d12f97c8cc8f0c9613d42bd3d2719d47dd14d1e52a709dc972301a2c22c8b4430b26174f0c1b886292c65221d69f9fb7eea61d970921e0d

C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe

MD5 8ee5ed7f1030a4ccd9795db5e340fed7
SHA1 a96f84c7fbf7779562b5a3a227b6965eecc9ae0f
SHA256 0fbbf62a1871b9ff097b92f7916c2e54b98a89ee02ee969c2ce84e9396f9322d
SHA512 64acfaf9e57bc8a7339883bff2df0f29a56a174d74113a7896713538aae54b2e203b662929eb16d8b9f405a5e751534b528bca6aa4ea73d59e489033373917be

C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe

MD5 29fa0d25b2dd0b024c450fcd54db314f
SHA1 a01fbfb2248c8a57b43b3e5d713a2445eca2ef61
SHA256 17bb93fa291d0d528522b84addf81a02cb3d546ec13821de9dc8969a2c460810
SHA512 4bac242ee76a0105dd1e77e175a4c0f71eed7f548dcd9f1dda61f2e47dab28b65d339b5257f4070ccd6cc29ff14d9ec087b33378a88deca833c180d1c67b24c2

C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe

MD5 f6a62f6c23abc1fc11b0c8ee2d475888
SHA1 9065ab3c4ed47caec92dab3138fb9aad4febddfc
SHA256 78a3ff1171f4154707bfb22dc34a3035fcbec5dc2eaf3af19e288a8a8ae11b2b
SHA512 5aa1115bdab8dda5968efdacdd0bc08eef8c984193f5b6e1d126cbba6cabf895dd701142665b3302da19bd33dc003038d4187ec602fdbb84739b21da28d40c9a

C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe

MD5 9671dae3d90688980dde21da52be1951
SHA1 d98e5f5bb90e0e57f6cf557ba6d2448759491b08
SHA256 bff45c304fbf073b11471f423f3088354d7a58904d93c51de531258d4a01c46b
SHA512 64f74269b5e907658c892411914039d44c280e94a5abda87353648811c6bf77e77241901c9fd96bad53049050866f00f20463a9cad4675812fafc9bfe2ceaddf

C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe

MD5 9dec9cbef597c559fb48e55982d16108
SHA1 acba07de7127565cd44a0d9113d793a503ffaf9e
SHA256 7848b148da89da4b6aadff7092d5ec32b71bf503612daeedfdf73067783ff44e
SHA512 cc7eebc4188ad8ea076f8950650eb530b444b1ac11627d1b2cf4ff4c6bc7d3ff9d40ae1113a785d76007c7f36e4a35a93bfc7a8011c763d65c5c8be351bacc22

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 21:41
Reported 2024-04-06 21:44
Platform win7-20240221-en
Max time kernel 144s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893}\stubpath = "C:\\Windows\\{431A6667-4647-415b-BF7D-1DB71C339893}.exe" C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}\stubpath = "C:\\Windows\\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe" C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A}\stubpath = "C:\\Windows\\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe" C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}\stubpath = "C:\\Windows\\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe" C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}\stubpath = "C:\\Windows\\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe" C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A} C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC} C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5} C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC} C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF} C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}\stubpath = "C:\\Windows\\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1} C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893} C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}\stubpath = "C:\\Windows\\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe" C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A} C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39} C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A}\stubpath = "C:\\Windows\\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe" C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360} C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360}\stubpath = "C:\\Windows\\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe" C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC}\stubpath = "C:\\Windows\\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe" C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5} C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}\stubpath = "C:\\Windows\\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe" C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe N/A
File created C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe N/A
File created C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe N/A
File created C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe N/A
File created C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe N/A
File created C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
File created C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe N/A
File created C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe N/A
File created C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe N/A
File created C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe N/A
File created C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
PID 3044 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2652 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
PID 1692 wrote to memory of 2652 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
PID 1692 wrote to memory of 2652 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
PID 1692 wrote to memory of 2652 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
PID 1692 wrote to memory of 2504 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2504 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2504 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2504 N/A C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2436 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
PID 2652 wrote to memory of 2436 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
PID 2652 wrote to memory of 2436 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
PID 2652 wrote to memory of 2436 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
PID 2652 wrote to memory of 2400 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2400 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2400 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2400 N/A C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2964 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
PID 2436 wrote to memory of 2964 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
PID 2436 wrote to memory of 2964 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
PID 2436 wrote to memory of 2964 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
PID 2436 wrote to memory of 2364 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2364 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2364 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2364 N/A C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 468 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
PID 2964 wrote to memory of 468 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
PID 2964 wrote to memory of 468 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
PID 2964 wrote to memory of 468 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
PID 2964 wrote to memory of 2736 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2736 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2736 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2736 N/A C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1928 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
PID 468 wrote to memory of 1928 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
PID 468 wrote to memory of 1928 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
PID 468 wrote to memory of 1928 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
PID 468 wrote to memory of 2120 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 2120 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 2120 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 2120 N/A C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1676 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
PID 1928 wrote to memory of 1676 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
PID 1928 wrote to memory of 1676 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
PID 1928 wrote to memory of 1676 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
PID 1928 wrote to memory of 2680 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2680 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2680 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2680 N/A C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 1644 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
PID 1676 wrote to memory of 1644 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
PID 1676 wrote to memory of 1644 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
PID 1676 wrote to memory of 1644 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
PID 1676 wrote to memory of 2852 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2852 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2852 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2852 N/A C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"

C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe

C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe

C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DE330~1.EXE > nul

C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe

C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{99CDB~1.EXE > nul

C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe

C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{014E8~1.EXE > nul

C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe

C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65A36~1.EXE > nul

C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe

C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36360~1.EXE > nul

C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe

C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E5672~1.EXE > nul

C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe

C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00587~1.EXE > nul

C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe

C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5E559~1.EXE > nul

C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe

C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AABE6~1.EXE > nul

C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe

C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CD9~1.EXE > nul

Network

N/A

Files

C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe

C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe

C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe

C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe

C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe

C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe

C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe

C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe

C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe

C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe

C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe
