Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1kvbbabg8w
Target 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye
SHA256 969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256 969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5

Threat Level: Known bad

The file 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:42

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:42

Reported

2024-04-06 21:45

Platform

win7-20240221-en

Max time kernel

144s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 identical rows)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407049F9-154A-4f38-A988-6DCF262C8374} | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407049F9-154A-4f38-A988-6DCF262C8374}\stubpath = "C:\\Windows\\{407049F9-154A-4f38-A988-6DCF262C8374}.exe" | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34239C63-5A02-4f46-AC44-CA746C59DFF9} | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}\stubpath = "C:\\Windows\\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe" | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}\stubpath = "C:\\Windows\\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe" | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC94C7-DEE2-45b0-8CD2-299380742F36} | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC94C7-DEE2-45b0-8CD2-299380742F36}\stubpath = "C:\\Windows\\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe" | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}\stubpath = "C:\\Windows\\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe" | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E037E02-F335-4fed-AB31-E2C49B1E0823}\stubpath = "C:\\Windows\\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe" | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144} | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34239C63-5A02-4f46-AC44-CA746C59DFF9}\stubpath = "C:\\Windows\\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe" | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD} | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F212FD2-E7F2-47a7-A344-2C22C2665C91} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}\stubpath = "C:\\Windows\\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E037E02-F335-4fed-AB31-E2C49B1E0823} | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}\stubpath = "C:\\Windows\\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe" | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC} | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}\stubpath = "C:\\Windows\\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe" | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93FDDD8-765D-4767-9B22-8C43F8147A6C} | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A52C194-A382-4a98-8D16-46270DCD1027} | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A52C194-A382-4a98-8D16-46270DCD1027}\stubpath = "C:\\Windows\\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe" | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACC91CB-61D7-49c8-8271-B3BC73B132A4} | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
File created | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | N/A
File created | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | N/A
File created | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | N/A
File created | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | N/A
File created | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | N/A
File created | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | N/A
File created | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | N/A
File created | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | N/A
File created | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | N/A
File created | C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe | N/A

Suspicious use of WriteProcessMemory

Each write below was logged four times; the rows are shown once.

Description | Indicator | Process | Target
PID 2196 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
PID 2196 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2032 | N/A | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
PID 1744 wrote to memory of 2440 | N/A | C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2460 | N/A | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
PID 2032 wrote to memory of 2420 | N/A | C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2816 | N/A | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
PID 2460 wrote to memory of 2928 | N/A | C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2684 | N/A | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
PID 2816 wrote to memory of 1564 | N/A | C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2672 | N/A | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
PID 2684 wrote to memory of 2748 | N/A | C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2648 | N/A | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
PID 2672 wrote to memory of 1552 | N/A | C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1248 | N/A | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
PID 2648 wrote to memory of 2216 | N/A | C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Each entry gives the process image followed by its command line.

C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"

C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
    C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
    C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F212~1.EXE > nul

C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
    C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E037~1.EXE > nul

C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
    C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C08CF~1.EXE > nul

C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
    C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34239~1.EXE > nul

C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
    C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{40704~1.EXE > nul

C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
    C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{381BB~1.EXE > nul

C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
    C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{57FA5~1.EXE > nul

C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
    C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D93FD~1.EXE > nul

C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
    C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8A52C~1.EXE > nul

C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
    C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02EC9~1.EXE > nul

Network

N/A

Files

C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe

C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe

C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe

C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe

C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe

C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe

C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe

C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe

C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe

C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe

C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:42

Reported

2024-04-06 21:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 identical rows)

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ED5798-F50E-49f6-8587-1BE750C57253} | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ED5798-F50E-49f6-8587-1BE750C57253}\stubpath = "C:\\Windows\\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe" | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EA55C0-93F5-4848-83C8-9421A078FE23} | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C} | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}\stubpath = "C:\\Windows\\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{278AF669-9213-44bb-9714-726BA685660D}\stubpath = "C:\\Windows\\{278AF669-9213-44bb-9714-726BA685660D}.exe" | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65629895-740A-431b-BA87-438EDD33690F} | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32886B16-178B-4b18-98C6-C3F4595281F8}\stubpath = "C:\\Windows\\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe" | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2A73444-1137-4ab1-934F-4C02ACC6BA76} | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}\stubpath = "C:\\Windows\\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe" | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09} | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}\stubpath = "C:\\Windows\\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe" | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146E4933-B102-4ed9-84D1-0DDE11C40ED8} | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}\stubpath = "C:\\Windows\\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe" | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{278AF669-9213-44bb-9714-726BA685660D} | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E60B719-3A63-4176-AC7F-62BBF397CBF6} | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}\stubpath = "C:\\Windows\\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe" | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}\stubpath = "C:\\Windows\\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe" | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96} | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65629895-740A-431b-BA87-438EDD33690F}\stubpath = "C:\\Windows\\{65629895-740A-431b-BA87-438EDD33690F}.exe" | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}\stubpath = "C:\\Windows\\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe" | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EA55C0-93F5-4848-83C8-9421A078FE23}\stubpath = "C:\\Windows\\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe" | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32886B16-178B-4b18-98C6-C3F4595281F8} | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | N/A
File created | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | N/A
File created | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | N/A
File created | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | N/A
File created | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe | N/A
File created | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | N/A
File created | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | N/A
File created | C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe | N/A
File created | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe | N/A
File created | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe | N/A
File created | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | N/A
File created | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
PID 4828 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
PID 4828 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
PID 4828 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 1876 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
PID 4472 wrote to memory of 1876 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
PID 4472 wrote to memory of 1876 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
PID 4472 wrote to memory of 2132 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 2132 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 2132 N/A C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2692 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
PID 1876 wrote to memory of 2692 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
PID 1876 wrote to memory of 2692 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
PID 1876 wrote to memory of 1564 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1564 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1564 N/A C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 4524 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
PID 2692 wrote to memory of 4524 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
PID 2692 wrote to memory of 4524 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
PID 2692 wrote to memory of 852 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 852 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 852 N/A C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 5072 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
PID 4524 wrote to memory of 5072 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
PID 4524 wrote to memory of 5072 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
PID 4524 wrote to memory of 3816 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 3816 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 3816 N/A C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3400 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
PID 5072 wrote to memory of 3400 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
PID 5072 wrote to memory of 3400 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
PID 5072 wrote to memory of 628 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 628 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 628 N/A C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2204 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
PID 3400 wrote to memory of 2204 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
PID 3400 wrote to memory of 2204 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
PID 3400 wrote to memory of 736 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 736 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 736 N/A C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4648 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
PID 2204 wrote to memory of 4648 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
PID 2204 wrote to memory of 4648 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
PID 2204 wrote to memory of 4040 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4040 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4040 N/A C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 5020 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
PID 4648 wrote to memory of 5020 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
PID 4648 wrote to memory of 5020 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
PID 4648 wrote to memory of 4580 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 4580 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 4580 N/A C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 932 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
PID 5020 wrote to memory of 932 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
PID 5020 wrote to memory of 932 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
PID 5020 wrote to memory of 2436 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2436 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2436 N/A C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 1528 N/A C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
PID 932 wrote to memory of 1528 N/A C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
PID 932 wrote to memory of 1528 N/A C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
PID 932 wrote to memory of 332 N/A C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"

C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe

C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe

C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5BEBE~1.EXE > nul

C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe

C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{278AF~1.EXE > nul

C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe

C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{65629~1.EXE > nul

C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe

C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C79A6~1.EXE > nul

C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe

C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E60B~1.EXE > nul

C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe

C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76ED5~1.EXE > nul

C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe

C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41EA5~1.EXE > nul

C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe

C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC2B~1.EXE > nul

C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe

C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{32886~1.EXE > nul

C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe

C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86D80~1.EXE > nul

C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe

C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{146E4~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe

MD5 a58b04d8ad755a69f26444cfdd8b463f
SHA1 c8d3504bad61c2a725983e0e8dd1ed74890899fc
SHA256 546ac77cc07ed72cf92395814b1c824e6fe9f58e4f3e18efeacd127f4d9343d4
SHA512 47941f06e601ea0b4b6c2114a6c936e5273ed02e667968d75ced5bda2f49a4bb0bc6e0444e1b1b6c304b5f8ee85a98aab15e5a3a08a90939e6b83192d3a47ae4

C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe

MD5 6134450ece3c6d582608228f58c337ef
SHA1 bb582bdd6750e1e3859439960b70b7934836ceb6
SHA256 49146285394797f80b71c0492c3f168d2ae4d370d213082ff57679679ca7b08a
SHA512 d1bf87d478e45827bd7e39372af8cfbbb7c09d85f2473f78dcaf36c3726dd4744da54dcc1f8df92e083372577cffc73ea8e9a93534150099cf5071733b22db27

C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe

MD5 56011916d51e8109cc76cbd32484a527
SHA1 94a94613bcf13e921342eada13dd127a835647b6
SHA256 f852a61d47bb80a38d819d44dec712a9eacf14ccec3c3f4ee7e4e8574d3a5cdf
SHA512 b438ec82b2063e969b64db150e1cb367774ca22fa949192263aa473f702a7de996bdaee6f910ebc0c076e8f8dd915b1c4f7bb9e91e4fb95b597069fe23b9e817

C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe

MD5 7e67e11a2ad8cc6b0651a6334072a49e
SHA1 673102eebe297978b5554a7cfa14acae2b22ac69
SHA256 2c56417f56f48eead0c1d97bb2fa141e217845f87e52c4cc668121cf75d945dc
SHA512 43dcae046ce295464ddcc1f9eab22295fb400942bd324d4a2ea3e1a3bf91b6926a5b06ce3228dfa09aacd76fb01b4d2b78fbe6d88b67fb0cb97e5924613e7d92

C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe

MD5 fdda85422879f69397e1a4e738e35513
SHA1 df718d254fdc4a14184878e7a030e5ba431c7fde
SHA256 c4bdfcab796b7b3e015f12e1f9340381f55e9be1b1a76bdd88e30512be17de36
SHA512 3909cc67a0cd6a0627a0738a3eccf3eb9d7e6c002c393277ee1990d69b97080b97e13cfdbee2185a1d07cc9d4b4345e3a7968d7ef842d2be55bc38acb7ae59ad

C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe

MD5 fbc9859664284baf51a3f311b5b0e975
SHA1 38431c941aefccd091eebd44ee3afeb50beaaac6
SHA256 ccfd8d9b18f6586aa9294b81d759610ce6729a33bad2c4f2d881a71128c88165
SHA512 0dd93ad300f2b983807e92f905cb8f29b9f182326da4a122186f7464538339927c16dce660af3f2c344a767602495be1d8a6c74d80a1298ae33b73889682cfe9

C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe

MD5 a9cdfafa97c40058aac892fb6e056a0d
SHA1 effa6a53b8fecd1681cd48b3817ce8e888391e2e
SHA256 3f694aaf56a0aee5f73f42002917873c2c153ad0e09417a7ff64c7a75c0fc5f1
SHA512 dad7eb6b476007a5d4235d4446d805fae6182a9d978f65babdc6ff306428714729a1c59593cf4be7e48fbe05162da00a1f2fe04abb84801f20a7c77bfc27e6bc

C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe

MD5 793408a61333c587995894434376d967
SHA1 8f9b450063afef9a35736bc2b5e871d40353ff8f
SHA256 bbc6b690e7928a39972ef0ae7aa541680380138e39dd75759f5717814e70ec67
SHA512 521bdb7da053190ed8ddc722829c233ec66c82808100f17cb935f8f0f6805d3c79021c7d77848f85eb00b2c2d5b6c8efcf8fba936386dc43802460216c095a12

C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe

MD5 c3bf9dba1a2ceb13acd410db4d726d06
SHA1 1d03a136a91008e0fcf438648f490c6c8d3236d2
SHA256 36073b13e36eed30738c8c7b171b28a61715350fb63030be7c9d8178d7d58576
SHA512 3da1fdf906ddd32d12ee8a30c141952240bdacac451e5253c080a90247845b4a75c383ecc1a33a676ddfb1bec5f4fc19aa7e6b20555bacfe551c9495eb405095

C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe

MD5 078d6db615d52707787b75e92450a492
SHA1 642859694f6de0ba28a1874ba8dd6fab0efb608c
SHA256 7334ae862cd657f138d0fcb9f9ad21f28e4862d8d3bdd8de1ad1eadd45300c37
SHA512 42a8c44a546e1f63c30468e89a36d1bbf61d824d0466d86d0e36f15b1b639f9a58c1c32a1aa046762343bd4ad759dfee2c6e8fe4ac04277ff1b8906ff7282b15

C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe

MD5 2912d1caa77748e5fa3f95c8c1d15ece
SHA1 db8cbc93b83849ec11f09c88ec0e923190c4a4d0
SHA256 83e2b8bfdbea0fd79c8d2c47aa4c42656c41bd7bb4f03bac74481e33832e7d39
SHA512 dc80ad65af21d30d983451b3cc21ebbb6ea42bd6b3412545346a098a4be32ef866fd1cdaf9dea2efe67333707a150003c4bcdfcf890928769745ef219894b4ab

C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe

MD5 0bcef92b08a98cc4ae625dcb42d0ee6a
SHA1 a17cbe88d8f645d1a733fc6dfb4b3ae0745f2e86
SHA256 320e2ded66e4129fe2119b585e7caa58f5c24078503f652cf9334443e25096df
SHA512 c1f010455d2b03f6cef518b2261a481e9cc54f3a27f729446f2d2c1fcfa41cc0398c057e160f89f7d2c0f1563d0f0f6ff38f399695ae8f2eca16c7bd32456cad