Malware Analysis Report

2025-08-05 20:46

Sample ID 240302-3ca9ksac5z
Target 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye
SHA256 20c1f5b05d5cb43caee71a2c91870af3415c008102ab0f54d480f1df4f615b1e
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

20c1f5b05d5cb43caee71a2c91870af3415c008102ab0f54d480f1df4f615b1e

Threat Level: Known bad

The file 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:21

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:21

Reported

2024-03-02 23:24

Platform

win7-20240215-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7093274-1777-4ac4-B969-E6BE00326EBC} C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349BF865-E6B3-476e-92E2-7DEFAB157E09}\stubpath = "C:\\Windows\\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}\stubpath = "C:\\Windows\\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe" C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}\stubpath = "C:\\Windows\\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe" C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55759448-FCFD-491b-8029-1400D52CA454} C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55759448-FCFD-491b-8029-1400D52CA454}\stubpath = "C:\\Windows\\{55759448-FCFD-491b-8029-1400D52CA454}.exe" C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C3D896-65C9-4269-B2E0-68CF526001C5} C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0356565-AC7A-46b8-B37E-B4E01826C914} C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37} C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}\stubpath = "C:\\Windows\\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe" C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0} C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0356565-AC7A-46b8-B37E-B4E01826C914}\stubpath = "C:\\Windows\\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe" C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}\stubpath = "C:\\Windows\\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe" C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A3C94-099A-4550-90D4-FEF732FE301E}\stubpath = "C:\\Windows\\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe" C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD} C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C3D896-65C9-4269-B2E0-68CF526001C5}\stubpath = "C:\\Windows\\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe" C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}\stubpath = "C:\\Windows\\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe" C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349BF865-E6B3-476e-92E2-7DEFAB157E09} C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7} C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694} C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A3C94-099A-4550-90D4-FEF732FE301E} C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7093274-1777-4ac4-B969-E6BE00326EBC}\stubpath = "C:\\Windows\\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe" C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
File created C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe N/A
File created C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe N/A
File created C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe N/A
File created C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe N/A
File created C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe N/A
File created C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe N/A
File created C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe N/A
File created C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe N/A
File created C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe N/A
File created C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
PID 2908 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
PID 2908 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
PID 2908 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
PID 2908 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2396 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
PID 3016 wrote to memory of 2396 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
PID 3016 wrote to memory of 2396 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
PID 3016 wrote to memory of 2396 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
PID 3016 wrote to memory of 2508 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2508 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2508 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2508 N/A C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2284 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
PID 2396 wrote to memory of 2284 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
PID 2396 wrote to memory of 2284 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
PID 2396 wrote to memory of 2284 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
PID 2396 wrote to memory of 2188 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2188 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2188 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2188 N/A C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2456 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
PID 2284 wrote to memory of 2456 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
PID 2284 wrote to memory of 2456 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
PID 2284 wrote to memory of 2456 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
PID 2284 wrote to memory of 2664 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2664 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2664 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2664 N/A C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2660 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
PID 2456 wrote to memory of 2660 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
PID 2456 wrote to memory of 2660 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
PID 2456 wrote to memory of 2660 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
PID 2456 wrote to memory of 1276 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1276 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1276 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1276 N/A C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2208 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
PID 2660 wrote to memory of 2208 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
PID 2660 wrote to memory of 2208 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
PID 2660 wrote to memory of 2208 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
PID 2660 wrote to memory of 832 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 832 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 832 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 832 N/A C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1244 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
PID 2208 wrote to memory of 1244 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
PID 2208 wrote to memory of 1244 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
PID 2208 wrote to memory of 1244 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
PID 2208 wrote to memory of 2448 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2448 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2448 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2448 N/A C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2032 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
PID 1244 wrote to memory of 2032 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
PID 1244 wrote to memory of 2032 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
PID 1244 wrote to memory of 2032 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
PID 1244 wrote to memory of 1688 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1688 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1688 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 1688 N/A C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"

C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe

C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe

C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{349BF~1.EXE > nul

C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe

C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0356~1.EXE > nul

C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe

C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6A3~1.EXE > nul

C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe

C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4FF2C~1.EXE > nul

C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe

C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0067~1.EXE > nul

C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe

C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C84A3~1.EXE > nul

C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe

C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4ACB5~1.EXE > nul

C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe

C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55759~1.EXE > nul

C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe

C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C3D~1.EXE > nul

C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe

C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F7093~1.EXE > nul

Network

N/A

Files

C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe

C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe

C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe

C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe

C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe

C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe

C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe

C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe

C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe

C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe

C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:21

Reported

2024-03-02 23:24

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C} C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188CFD5D-417E-455a-80FE-4036922037E3} C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5} C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}\stubpath = "C:\\Windows\\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe" C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B52BA59-1776-425f-89E6-7DB4A83B6079} C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A66C-776A-416d-83B7-A9EBD28AE784}\stubpath = "C:\\Windows\\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe" C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}\stubpath = "C:\\Windows\\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe" C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188CFD5D-417E-455a-80FE-4036922037E3}\stubpath = "C:\\Windows\\{188CFD5D-417E-455a-80FE-4036922037E3}.exe" C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B} C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}\stubpath = "C:\\Windows\\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe" C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41079BEB-0797-4979-B8B4-1463829E8964} C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E233E4B6-F8F1-4162-9080-DA5239FAB902}\stubpath = "C:\\Windows\\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe" C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0} C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55327C1F-113D-415c-B775-53944E266C8B} C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41079BEB-0797-4979-B8B4-1463829E8964}\stubpath = "C:\\Windows\\{41079BEB-0797-4979-B8B4-1463829E8964}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A66C-776A-416d-83B7-A9EBD28AE784} C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27279475-5E18-4255-BA3F-39DB88883C10}\stubpath = "C:\\Windows\\{27279475-5E18-4255-BA3F-39DB88883C10}.exe" C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}\stubpath = "C:\\Windows\\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe" C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B52BA59-1776-425f-89E6-7DB4A83B6079}\stubpath = "C:\\Windows\\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe" C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27279475-5E18-4255-BA3F-39DB88883C10} C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E233E4B6-F8F1-4162-9080-DA5239FAB902} C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4599676F-2902-46ca-BA9C-808AECC7B0D9} C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4599676F-2902-46ca-BA9C-808AECC7B0D9}\stubpath = "C:\\Windows\\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe" C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe N/A
File created C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe N/A
File created C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
File created C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe N/A
File created C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe N/A
File created C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe N/A
File created C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe N/A
File created C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe N/A
File created C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe N/A
File created C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe N/A
File created C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 5896 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe
PID 3948 wrote to memory of 5896 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe
PID 3948 wrote to memory of 5896 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe
PID 3948 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5896 wrote to memory of 6020 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
PID 5896 wrote to memory of 6020 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
PID 5896 wrote to memory of 6020 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
PID 5896 wrote to memory of 5500 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\SysWOW64\cmd.exe
PID 5896 wrote to memory of 5500 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\SysWOW64\cmd.exe
PID 5896 wrote to memory of 5500 N/A C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe C:\Windows\SysWOW64\cmd.exe
PID 6020 wrote to memory of 5876 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
PID 6020 wrote to memory of 5876 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
PID 6020 wrote to memory of 5876 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
PID 6020 wrote to memory of 1660 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\SysWOW64\cmd.exe
PID 6020 wrote to memory of 1660 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\SysWOW64\cmd.exe
PID 6020 wrote to memory of 1660 N/A C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe C:\Windows\SysWOW64\cmd.exe
PID 5876 wrote to memory of 116 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
PID 5876 wrote to memory of 116 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
PID 5876 wrote to memory of 116 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
PID 5876 wrote to memory of 224 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5876 wrote to memory of 224 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5876 wrote to memory of 224 N/A C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4160 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
PID 116 wrote to memory of 4160 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
PID 116 wrote to memory of 4160 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
PID 116 wrote to memory of 1280 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1280 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1280 N/A C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2640 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
PID 4160 wrote to memory of 2640 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
PID 4160 wrote to memory of 2640 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
PID 4160 wrote to memory of 3936 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3936 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3936 N/A C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2472 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
PID 2640 wrote to memory of 2472 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
PID 2640 wrote to memory of 2472 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
PID 2640 wrote to memory of 3744 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3744 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3744 N/A C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2192 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
PID 2472 wrote to memory of 2192 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
PID 2472 wrote to memory of 2192 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
PID 2472 wrote to memory of 1652 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1652 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 1652 N/A C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 3728 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe
PID 2192 wrote to memory of 3728 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe
PID 2192 wrote to memory of 3728 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe
PID 2192 wrote to memory of 4836 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4836 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4836 N/A C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 4620 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe
PID 3728 wrote to memory of 4620 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe
PID 3728 wrote to memory of 4620 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe
PID 3728 wrote to memory of 1648 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 1648 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 1648 N/A C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2324 N/A C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
PID 4620 wrote to memory of 2324 N/A C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
PID 4620 wrote to memory of 2324 N/A C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
PID 4620 wrote to memory of 5084 N/A C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"

C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe

C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe

C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41079~1.EXE > nul

C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe

C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E233E~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe

C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{45996~1.EXE > nul

C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe

C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB02~1.EXE > nul

C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe

C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B47~1.EXE > nul

C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe

C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B52B~1.EXE > nul

C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe

C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8E17A~1.EXE > nul

C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe

C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59AFD~1.EXE > nul

C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe

C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27279~1.EXE > nul

C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe

C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{188CF~1.EXE > nul

C:\Windows\{55327C1F-113D-415c-B775-53944E266C8B}.exe

C:\Windows\{55327C1F-113D-415c-B775-53944E266C8B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9C34C~1.EXE > nul

Network


Files

C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe


C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe


C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe


C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe


C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe


C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe


C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe


C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe


C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe


C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe


C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe


C:\Windows\{55327C1F-113D-415c-B775-53944E266C8B}.exe
