Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3e1x1sac8w
Target 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye
SHA256 07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615

Threat Level: Known bad

The file 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:26

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:26

Reported

2024-03-02 23:28

Platform

win7-20240221-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B} C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081A041-FB51-4b83-A4F2-DB029A990789}\stubpath = "C:\\Windows\\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe" C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D442DA56-6D21-4011-9C2A-9A090EDD21E7} C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}\stubpath = "C:\\Windows\\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe" C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}\stubpath = "C:\\Windows\\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe" C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467F62E4-A9F6-4496-8D3A-12761792D9FE} C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081A041-FB51-4b83-A4F2-DB029A990789} C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6B544-9626-4129-85B6-66F9CFA910A8} C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}\stubpath = "C:\\Windows\\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe" C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433668F4-6242-4c2e-A412-0D1760A89D27}\stubpath = "C:\\Windows\\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe" C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}\stubpath = "C:\\Windows\\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD} C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C} C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}\stubpath = "C:\\Windows\\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe" C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6B544-9626-4129-85B6-66F9CFA910A8}\stubpath = "C:\\Windows\\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe" C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467F62E4-A9F6-4496-8D3A-12761792D9FE}\stubpath = "C:\\Windows\\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe" C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318} C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433668F4-6242-4c2e-A412-0D1760A89D27} C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BE235A-C140-4c57-82F5-4A2B196B5C95} C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BE235A-C140-4c57-82F5-4A2B196B5C95}\stubpath = "C:\\Windows\\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe" C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe N/A
File created C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe N/A
File created C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe N/A
File created C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe N/A
File created C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
File created C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe N/A
File created C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe N/A
File created C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe N/A
File created C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe N/A
File created C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
PID 2240 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2324 N/A C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
PID 1296 wrote to memory of 1992 N/A C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 576 N/A C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
PID 2324 wrote to memory of 704 N/A C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1736 N/A C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
PID 576 wrote to memory of 564 N/A C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1772 N/A C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
PID 1736 wrote to memory of 2616 N/A C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2452 N/A C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
PID 1772 wrote to memory of 2552 N/A C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2628 N/A C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
PID 2452 wrote to memory of 2856 N/A C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2700 N/A C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
PID 2628 wrote to memory of 1868 N/A C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"

C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe

C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe

C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D442D~1.EXE > nul

C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe

C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D9C~1.EXE > nul

C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe

C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A845F~1.EXE > nul

C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe

C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADE3~1.EXE > nul

C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe

C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE6B~1.EXE > nul

C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe

C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{467F6~1.EXE > nul

C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe

C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC1D~1.EXE > nul

C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe

C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{43366~1.EXE > nul

C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe

C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{73BE2~1.EXE > nul

Network

N/A

Files

C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe

C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe

C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe

C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe

C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe

C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe

C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe

C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe

C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe

C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:26

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5} C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}\stubpath = "C:\\Windows\\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8} C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}\stubpath = "C:\\Windows\\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe" C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}\stubpath = "C:\\Windows\\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe" C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522C254F-592F-4129-836C-CD7F331029B6} C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522C254F-592F-4129-836C-CD7F331029B6}\stubpath = "C:\\Windows\\{522C254F-592F-4129-836C-CD7F331029B6}.exe" C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B36113-3956-4e8a-AB00-6E5E880DE7D5} C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62} C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}\stubpath = "C:\\Windows\\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe" C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA} C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2} C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57276813-B02B-47df-9D70-1E3C0B09D1DE} C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57276813-B02B-47df-9D70-1E3C0B09D1DE}\stubpath = "C:\\Windows\\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe" C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4} C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}\stubpath = "C:\\Windows\\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe" C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}\stubpath = "C:\\Windows\\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe" C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}\stubpath = "C:\\Windows\\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe" C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}\stubpath = "C:\\Windows\\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe" C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6122B18-6B08-4ea9-8089-6B830B04D3E4} C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}\stubpath = "C:\\Windows\\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe" C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02} C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}\stubpath = "C:\\Windows\\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe" C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D190816-1739-44f8-AE4E-86F59A3B8F8D} C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe N/A
File created C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe N/A
File created C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe N/A
File created C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe N/A
File created C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe N/A
File created C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe N/A
File created C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe N/A
File created C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe N/A
File created C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe N/A
File created C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe N/A
File created C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
File created C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
PID 4560 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 4008 N/A C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
PID 440 wrote to memory of 4092 N/A C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 2920 N/A C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
PID 4008 wrote to memory of 4644 N/A C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1476 N/A C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
PID 2920 wrote to memory of 2136 N/A C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 1188 N/A C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
PID 1476 wrote to memory of 1408 N/A C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 4208 N/A C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
PID 1188 wrote to memory of 2488 N/A C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1604 N/A C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
PID 4208 wrote to memory of 2076 N/A C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4864 N/A C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
PID 1604 wrote to memory of 2340 N/A C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 4440 N/A C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
PID 4864 wrote to memory of 4028 N/A C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3996 N/A C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
PID 4440 wrote to memory of 2316 N/A C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 4916 N/A C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
PID 3996 wrote to memory of 408 N/A C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process (image path), followed by its command line:

C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"

C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
  C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
  C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5A~1.EXE > nul

C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
  C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{9A28C~1.EXE > nul

C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
  C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{E6122~1.EXE > nul

C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
  C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DA0~1.EXE > nul

C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
  C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EA8~1.EXE > nul

C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
  C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{290E7~1.EXE > nul

C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
  C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{05D8E~1.EXE > nul

C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
  C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{9D190~1.EXE > nul

C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
  C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{57276~1.EXE > nul

C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
  C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{64B36~1.EXE > nul

C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
  C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{522C2~1.EXE > nul

Network


Files
