Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3fpw5sac8z
Target 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye
SHA256 620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671

Threat Level: Known bad

The file 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:27

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:27

Reported

2024-03-02 23:30

Platform

win7-20240215-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE45463-3B10-498a-85C2-E94266581A59} | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6} | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}\stubpath = "C:\\Windows\\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe" | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2} | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3799C4-2489-4948-A95C-CF8AFB117F51} | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407A3AE2-0B21-43b7-9A61-B748D5619F08}\stubpath = "C:\\Windows\\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe" | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161} | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8249BCF6-A546-4459-A6A5-CF77F0495C2B} | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16} | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}\stubpath = "C:\\Windows\\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe" | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}\stubpath = "C:\\Windows\\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407A3AE2-0B21-43b7-9A61-B748D5619F08} | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5} | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}\stubpath = "C:\\Windows\\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe" | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}\stubpath = "C:\\Windows\\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe" | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE45463-3B10-498a-85C2-E94266581A59}\stubpath = "C:\\Windows\\{0FE45463-3B10-498a-85C2-E94266581A59}.exe" | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}\stubpath = "C:\\Windows\\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe" | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}\stubpath = "C:\\Windows\\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe" | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA3AC43-A49C-490d-8B96-E30880475306} | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA3AC43-A49C-490d-8B96-E30880475306}\stubpath = "C:\\Windows\\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe" | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3799C4-2489-4948-A95C-CF8AFB117F51}\stubpath = "C:\\Windows\\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe" | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | N/A
File created | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | N/A
File created | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | N/A
File created | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | N/A
File created | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | N/A
File created | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | N/A
File created | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
File created | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | N/A
File created | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | N/A
File created | C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | N/A
File created | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1996 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
PID 1996 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
PID 1996 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
PID 1996 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
PID 1996 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2576 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
PID 1204 wrote to memory of 2576 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
PID 1204 wrote to memory of 2576 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
PID 1204 wrote to memory of 2576 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
PID 1204 wrote to memory of 2748 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2748 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2748 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2748 | N/A | C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2808 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
PID 2576 wrote to memory of 2808 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
PID 2576 wrote to memory of 2808 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
PID 2576 wrote to memory of 2808 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
PID 2576 wrote to memory of 2616 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2616 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2616 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2616 | N/A | C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1732 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
PID 2808 wrote to memory of 1732 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
PID 2808 wrote to memory of 1732 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
PID 2808 wrote to memory of 1732 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
PID 2808 wrote to memory of 2836 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2836 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2836 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2836 | N/A | C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2992 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
PID 1732 wrote to memory of 2992 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
PID 1732 wrote to memory of 2992 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
PID 1732 wrote to memory of 2992 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
PID 1732 wrote to memory of 2996 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2996 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2996 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2996 | N/A | C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 868 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
PID 2992 wrote to memory of 868 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
PID 2992 wrote to memory of 868 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
PID 2992 wrote to memory of 868 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
PID 2992 wrote to memory of 2664 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2664 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2664 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2664 | N/A | C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 768 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
PID 868 wrote to memory of 768 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
PID 868 wrote to memory of 768 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
PID 868 wrote to memory of 768 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
PID 868 wrote to memory of 2680 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 2680 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 2680 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 2680 | N/A | C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1968 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
PID 768 wrote to memory of 1968 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
PID 768 wrote to memory of 1968 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
PID 768 wrote to memory of 1968 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
PID 768 wrote to memory of 348 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 348 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 348 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 348 | N/A | C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"

C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe

C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe

C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{45B6E~1.EXE > nul

C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe

C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{407A3~1.EXE > nul

C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe

C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE45~1.EXE > nul

C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe

C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{75BB0~1.EXE > nul

C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe

C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCF6~1.EXE > nul

C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe

C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1E6~1.EXE > nul

C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe

C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA3A~1.EXE > nul

C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe

C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4D189~1.EXE > nul

C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe

C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7C379~1.EXE > nul

C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe

C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8249B~1.EXE > nul

Network

N/A

Files

C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe

MD5 91e20bd9cef3885fbc44677ce9be2dcf
SHA1 84025b167d64805331963b5bd5a8e18519cf075a
SHA256 f0ed22c86aa12039a142ddd022bec4979476e5b7883315e5cca6566a6918b138
SHA512 ea1e852a7bbbaeef560e85648b8093d1e358fcf3995eb6c9146f0ba18f8e57c5770d109699273f553a42c6db0e9f64306856e414261a6d76de850cc83be4ba4a

C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe

MD5 847feb87c39ac1c593f8ebb5394d64f2
SHA1 190e028778d53a4a7dc5e568368a48ebe2491f3d
SHA256 cc582374bb32c622b1d4d72cfd3f17a1d55294cb1515092ea24fb3e35983bfce
SHA512 c83d7658ea3eb071148343724d2828f830f33b3ebad735a35ae267dec8dc958ab2997835c1fc95dc1793e2da9f4b20e3311c9217e28efb5655aa8f1a1f6839d3

C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe

MD5 14e74bd59edcd4a68e26d47740a12da9
SHA1 35c89dfbf00ae2781881b86d9beb0efcce5da2cb
SHA256 02e6bd1ecd2f52fd12f9bd9afde63a8c451e0d40910a101a8920449dc837dbbe
SHA512 8c69c1be6d24ea85e3c29944e11570c7d778e75a465b9d6b1ea0c66ce78380117f96105e4c8c3ee327309938a1701122ccad4145cb3f28bd7bbb8c645a0c3996

C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe

MD5 8f7fc3441b85910da7ce2bb0176475f4
SHA1 35ecad29debfcf35855dd724e21df2a80bf8a24c
SHA256 1e24a12d41345d812c440e7d4febec8c4f4cdf6279654e4bf6370287caefe08f
SHA512 ddc88c551d80dc68ccf87396d20500e944b5338c3bf6fade8e74a1b9894e48a88a35bee142ebf608272bde88140c013402bf21287cc37cc3c0b9f61aeb4aca69

C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe

MD5 4e7143ad2ab66f105d2b43a95ab5cf4a
SHA1 0f45aeb483c444ebd0b8de91542ef0497f9c2d96
SHA256 8f7d1c2fb4bc6ef09f9533dc8d9827a47622861ab091ef60d3dd3b1f663708fe
SHA512 73f247689308558e90b2d6d0a5cdd1cf7e994e29c8f3ff0ba61473734a6f0b65984e904f38ccb128bf45b0a76cfe20ceadc6ce62b03d2fa6e43edc461e842875

C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe

MD5 a9c9bac13fb70541f39017f8f8d199d7
SHA1 e7f091d84c6759890c2c5b8d1252636a1599410d
SHA256 ac8bd60150c4d5d4a8270454c7e324326dc594ba2583723c69a45ffd336d259c
SHA512 9c265c068a6858d82d66a9425a85dc3c38f5333b6cb11c8c4e884462f3ef7e110d762e14b6f6deddd09adbfb9514237b7e78e3bc62eec12e4363207a44da90ae

C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe

MD5 4a34e622d36db1196c79887b301f8441
SHA1 8392bc74952f7e4fc2199dea72c2b294c28399dc
SHA256 f60c45726cc136900c041c333a216f78c38db1d572d80709a74e3cbb7b62d918
SHA512 86f2b9b2554ff1f2fc5e35d28d215db3238061b86a6501ecb265ae241bb264afed5cde1cca8b6f93dee820432df3e23bb27088101ceb085d76afad2fff06ab70

C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe

MD5 37e61ec242d9c0c8dc80d4590f11a792
SHA1 1c405746c041bcc95e585b74e4bab8eda19cf459
SHA256 f3ace24592a0b3cbe3ca0441354b4ee0556243759b956077518249bace59ca6a
SHA512 426c3207ffa179b2f0725fb3415b48b5c8f3981980ca15689db761d3acf957f0da4d0653d124ee2e20d204675eae0a711402a940c24b884107113b56e5ab65a4

C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe

MD5 bf394358745e130a73277c8627275149
SHA1 e8268281fe29e50cc9635c54534d4738ab04f483
SHA256 634d555153b95ae032eecf74fc26c1b827d2a769a1d2b2b4460c24bb5536f84e
SHA512 65cb06dc34e85325fc2fa8561ce7604d5975ed574db18d1adec70795155c50f809b3238f8e3fd3d6b1ffeb3bc680b956ba47bca2fe6cbb65a2ffff2dd425e3d9

C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe

MD5 d106ea958f98b9ab2f15bb0dcf23c19d
SHA1 44982e47143f396e3036c591d90ff7fe77868a65
SHA256 903fccdef9188d0e47801f5b23f3bcd8ee8d004693941f85cf2bb8e9be88fa2e
SHA512 4856a3a4ae3bd51e63f879225532c9a14c2c62ecff22e54467246c5cffe455d5016997e29ee19f037879c4adc8f3e504a72da452ef83bbf2041f5a2875fe815e

C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe

MD5 fe3a358292020d362b7f8420ff8286a4
SHA1 cc181405503b56bd931c7d947e5804c84117853c
SHA256 e7319833a24d0ad618b134e0830b7f186c2a348b6a4f388b64c6ff2fa3508157
SHA512 a53f4138387782c9bff2004e4843cfdfc8ef692ac2b96b8abab9b14e8d9fe290bbd8a118282c835193a11043e9cd5ae984905229ccf96a464f888cc7ccdf87b8

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:27

Reported

2024-03-02 23:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}\stubpath = "C:\\Windows\\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe" | C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}\stubpath = "C:\\Windows\\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe" | C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD77BBF-E7DB-49b6-8174-839B8225FABB} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}\stubpath = "C:\\Windows\\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A416D-A83C-4226-BD76-03C874EED344}\stubpath = "C:\\Windows\\{B17A416D-A83C-4226-BD76-03C874EED344}.exe" | C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}\stubpath = "C:\\Windows\\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe" | C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49} | C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A754E4-E0CD-4a63-8965-AEF17971FB57} | C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}\stubpath = "C:\\Windows\\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe" | C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2EB825-DCB5-4f93-AE85-DE25677523EA} | C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558D66EA-34A4-426e-A7BB-6E728C6A0712}\stubpath = "C:\\Windows\\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe" | C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC84F65-B632-4c1a-96B7-E1E529832E55}\stubpath = "C:\\Windows\\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe" | C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}\stubpath = "C:\\Windows\\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe" | C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A} | C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2} | C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}\stubpath = "C:\\Windows\\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe" | C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558D66EA-34A4-426e-A7BB-6E728C6A0712} | C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC84F65-B632-4c1a-96B7-E1E529832E55} | C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B} | C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}\stubpath = "C:\\Windows\\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe" | C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}\stubpath = "C:\\Windows\\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe" | C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A416D-A83C-4226-BD76-03C874EED344} | C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9} | C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD} | C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe N/A
File created C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe N/A
File created C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe N/A
File created C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe N/A
File created C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe N/A
File created C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe N/A
File created C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe N/A
File created C:\Windows\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe N/A
File created C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe N/A
File created C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe N/A
File created C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe N/A
File created C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe N/A
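The two tables above record one linear dropper chain: every GUID-named EXE writes the next GUID-named EXE into C:\Windows and registers it under Active Setup\Installed Components with a stubpath, so the stage runs again at the next interactive logon (Active Setup executes a component's StubPath when the HKLM key has no matching HKCU copy, or the HKCU Version is lower). The keys land under Wow6432Node because the sample is 32-bit and its registry writes are redirected; when hunting, read both the native and the Wow6432Node Installed Components views and compare against HKCU. The script below is an added example, not part of the sandbox report: it rebuilds the drop order from the "File created" rows and cross-checks each visible stubpath row against the file its registering process actually dropped. Only the two stubpath rows printed in this section are embedded, so the remaining components are reported as unchecked rather than assumed.

```python
import re

# Constructed sample input: the rows of this report's "Drops file in Windows
# directory" table and the two stubpath rows of its "Modifies Installed
# Components in the registry" table, copied as printed (that registry table is
# only partly visible on the page, so only two components can be cross-checked).
FILE_CREATED_ROWS = r"""
File created C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe N/A
File created C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe N/A
File created C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe N/A
File created C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe N/A
File created C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe N/A
File created C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe N/A
File created C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe N/A
File created C:\Windows\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe N/A
File created C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe N/A
File created C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe N/A
File created C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe N/A
File created C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe N/A
""".strip().splitlines()

STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}\stubpath = "C:\\Windows\\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe" C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}\stubpath = "C:\\Windows\\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe" C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe N/A
""".strip().splitlines()

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
STUB_RE = re.compile(r'^Set value \(str\) (.+?)\\stubpath = "(.+?)" (\S+) N/A$')
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}")


def guid_of(text):
    """Upper-cased GUID embedded in a path or key name, or None."""
    m = GUID_RE.search(text)
    return m.group(1).upper() if m else None


def parse_file_created(rows):
    """Map creator process -> created file; a creator with two files means branching."""
    created_by = {}
    for row in rows:
        m = FILE_RE.match(row)
        if not m:
            continue
        created, creator = m.groups()
        if creator in created_by:
            raise ValueError("branching chain: %s created two files" % creator)
        created_by[creator] = created
    return created_by


def drop_chain(created_by):
    """Follow creator -> created edges from the one process nobody dropped (the sample)."""
    created = set(created_by.values())
    roots = [p for p in created_by if p not in created]
    if len(roots) != 1:
        raise ValueError("expected one root, found %r" % roots)
    chain = [roots[0]]
    while chain[-1] in created_by:
        nxt = created_by[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle at %s" % nxt)
        chain.append(nxt)
    return chain


def check_active_setup(stub_rows, created_by):
    """{component GUID: True} when the key name, the stubpath target and the file
    the registering process dropped all name the same EXE; False otherwise."""
    result = {}
    for row in stub_rows:
        m = STUB_RE.match(row)
        if not m:
            continue
        key, value, proc = m.groups()
        component = guid_of(key.rsplit("\\", 1)[-1])
        stub_exe = value.replace("\\\\", "\\")  # the report prints doubled backslashes in string values
        dropped = created_by.get(proc)
        result[component] = (guid_of(stub_exe) == component
                             and dropped is not None
                             and dropped.lower() == stub_exe.lower())
    return result


def dropped_without_stubpath(created_by, stub_results):
    """GUIDs of dropped EXEs for which no stubpath row was supplied (unchecked, not clean)."""
    return sorted(g for g in (guid_of(p) for p in created_by.values()) if g not in stub_results)


if __name__ == "__main__":
    edges = parse_file_created(FILE_CREATED_ROWS)
    for i, path in enumerate(drop_chain(edges)):
        print(i, path)
    print(check_active_setup(STUBPATH_ROWS, edges))
    print("no stubpath row seen for:", dropped_without_stubpath(edges, check_active_setup(STUBPATH_ROWS, edges)))
```

Run against the rows above it prints the thirteen-entry chain from the Temp sample to {8BC51157-...}.exe, which was written but never executed within the detonation window, and confirms both visible stubpath rows. Feeding it a full export of the registry table would check every stage the same way.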

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
PID 1580 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
PID 1580 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
PID 1580 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 3628 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
PID 4768 wrote to memory of 3628 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
PID 4768 wrote to memory of 3628 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
PID 4768 wrote to memory of 4664 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 4664 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 4664 N/A C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1972 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
PID 3628 wrote to memory of 1972 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
PID 3628 wrote to memory of 1972 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
PID 3628 wrote to memory of 4392 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4392 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4392 N/A C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 4332 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
PID 1972 wrote to memory of 4332 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
PID 1972 wrote to memory of 4332 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
PID 1972 wrote to memory of 2040 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2040 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2040 N/A C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
PID 4332 wrote to memory of 5000 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
PID 4332 wrote to memory of 2420 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2420 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2420 N/A C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 3216 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
PID 5000 wrote to memory of 3216 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
PID 5000 wrote to memory of 3216 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
PID 5000 wrote to memory of 2556 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2556 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2556 N/A C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 2304 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
PID 3216 wrote to memory of 2304 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
PID 3216 wrote to memory of 2304 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
PID 3216 wrote to memory of 1684 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 1684 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 1684 N/A C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 3888 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
PID 2304 wrote to memory of 3888 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
PID 2304 wrote to memory of 3888 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
PID 2304 wrote to memory of 2464 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2464 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2464 N/A C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 5004 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
PID 3888 wrote to memory of 5004 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
PID 3888 wrote to memory of 5004 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
PID 3888 wrote to memory of 5100 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 5100 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 5100 N/A C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2612 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
PID 5004 wrote to memory of 2612 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
PID 5004 wrote to memory of 2612 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
PID 5004 wrote to memory of 4628 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4628 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4628 N/A C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 4952 N/A C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
PID 2612 wrote to memory of 4952 N/A C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
PID 2612 wrote to memory of 4952 N/A C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
PID 2612 wrote to memory of 1028 N/A C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"

C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe

C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe

C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD77~1.EXE > nul

C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe

C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{558D6~1.EXE > nul

C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe

C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC84~1.EXE > nul

C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe

C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B17A4~1.EXE > nul

C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe

C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{729AD~1.EXE > nul

C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe

C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06ADE~1.EXE > nul

C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe

C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50959~1.EXE > nul

C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe

C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77CB8~1.EXE > nul

C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe

C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCD6~1.EXE > nul

C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe

C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A75~1.EXE > nul
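Two details of the process list above are easy to misread. First, each command line asks for C:\Windows\system32\cmd.exe while the image that runs is C:\Windows\SysWOW64\cmd.exe: the droppers are 32-bit, so WOW64 file-system redirection substitutes the 32-bit cmd.exe. Second, every "del" names an 8.3 alias such as {CCD77~1.EXE rather than the long GUID file name, and the WriteProcessMemory rows show each dropper writing to exactly one cmd.exe child, so the cmd.exe that follows each stage is that stage deleting its own image once it has launched its successor (the "Deletes itself" signature). The three identical WriteProcessMemory rows per child are repeated calls during process start-up, and the report lists no injection signature alongside them. The script below is an added example, not part of the report: it derives the 8.3 alias for each stage with a simplified model of Windows' alias rule (first six usable characters, ~1, three-character extension, assuming no alias collision) and checks that the i-th del command removes the i-th stage.

```python
import re

# Constructed sample input, copied from this report's Processes section: the
# twelve stages that actually ran, in launch order, and the eleven cmd.exe
# command lines listed between them.
STAGES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe",
    r"C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe",
    r"C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe",
    r"C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe",
    r"C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe",
    r"C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe",
    r"C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe",
    r"C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe",
    r"C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe",
    r"C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe",
    r"C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe",
    r"C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe",
]

CMD_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD77~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{558D6~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC84~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B17A4~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{729AD~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{06ADE~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{50959~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{77CB8~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCD6~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A75~1.EXE > nul",
]

DEL_RE = re.compile(r"^\S*cmd\.exe /c del (\S+) > nul$", re.IGNORECASE)
# Characters Windows keeps in an 8.3 alias; anything else is replaced by '_'.
NOT_SHORT_OK = re.compile(r"[^A-Za-z0-9!#$%&'()\-@^_`{}~]")


def short_name_83(long_name):
    """Simplified Windows 8.3 alias: first six usable characters of the base name,
    '~1', and the first three characters of the extension, upper-cased.
    Assumption: no earlier file in the folder already owns that alias (Windows
    would then use ~2..~4 and afterwards a hash-based form, not modelled here),
    and the long name does not already fit 8.3."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    base = NOT_SHORT_OK.sub("_", base.replace(".", "").replace(" ", ""))
    alias = base[:6].upper() + "~1"
    ext = NOT_SHORT_OK.sub("_", ext)[:3].upper()
    return alias + ("." + ext if ext else "")


def del_targets(command_lines):
    """File named by each 'cmd.exe /c del <path> > nul' command line, in order."""
    return [m.group(1) for m in map(DEL_RE.match, command_lines) if m]


def self_deletion_pairs(stages, command_lines):
    """Pair each del target with the stage whose 8.3 alias it names (None when
    no stage matches). Paths are compared case-insensitively."""
    by_alias = {}
    for path in stages:
        folder, name = path.rsplit("\\", 1)
        by_alias[(folder + "\\" + short_name_83(name)).lower()] = path
    return [(t, by_alias.get(t.lower())) for t in del_targets(command_lines)]


def each_stage_deletes_itself(stages, command_lines):
    """True when the i-th del command removes exactly the i-th stage, i.e. every
    stage that spawned a cmd.exe used it to delete its own image."""
    pairs = self_deletion_pairs(stages, command_lines)
    return len(pairs) > 0 and all(long == stage for (_, long), stage in zip(pairs, stages))


if __name__ == "__main__":
    for target, stage in self_deletion_pairs(STAGES, CMD_LINES):
        print(target, "->", stage)
    print("every stage deletes itself:", each_stage_deletes_itself(STAGES, CMD_LINES))
```

The practical consequence for disk forensics: each stage up to {F1A754E4-...}.exe is deleted shortly after it runs, while the Active Setup keys that point at those paths are never removed, so a stubpath whose target no longer exists is itself a useful indicator on a host that ran this chain.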

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
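The report does not attribute any of these rows to a process. The only connection that is not a DNS query to the resolver is a TLS session to g.bing.com; every other row is a reverse (PTR) lookup sent to 8.8.8.8, which records an address being looked up, not a connection to it. Nothing in the table supports treating these hosts as command-and-control, so before promoting any of them to an indicator, decode the PTR names back to the addresses they ask about and check those against your allow-lists separately from the direct connections. The script below is an added example, not part of the report: it reads the table in the layout printed above and splits it into addresses reverse-resolved, names resolved, and direct connections.

```python
import re

# Constructed sample input: the Network table of this report, one row per line
# in the page's "Country Destination Domain Proto" layout.
NETWORK_ROWS = """
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """Address a reverse-lookup name asks about: the labels are the octets in
    reverse order, so 72.32.126.40.in-addr.arpa asks about 40.126.32.72.
    Returns None for anything that is not an IPv4 PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in reversed(octets))


def summarize(rows, resolver="8.8.8.8:53"):
    """Split the table into resolver traffic and real connections. Returns a dict
    with 'ptr_addresses' (addresses reverse-resolved), 'forward_names' (names
    looked up) and 'direct' ((name, destination, proto) for every non-resolver row)."""
    out = {"ptr_addresses": [], "forward_names": [], "direct": []}
    for row in rows:
        _country, dest, domain, proto = row.split()
        if dest == resolver and proto == "udp":
            ip = ptr_to_ip(domain)
            if ip:
                out["ptr_addresses"].append(ip)
            else:
                out["forward_names"].append(domain)
        else:
            out["direct"].append((domain, dest, proto))
    return out


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("direct connections:", s["direct"])
    print("names resolved:", s["forward_names"])
    print("addresses reverse-resolved:", s["ptr_addresses"])
```

On this table the only direct connection is g.bing.com over TCP 443; the twelve decoded addresses are what the sandbox host asked the resolver about, and they belong to the noise you would expect to compare against the same platform's clean baseline before drawing any conclusion.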

Files

C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe

MD5 a085988fcb2df201bc8e1e3a678b97f6
SHA1 07feca3eb52f2f15b18c3ce53efc056e29ce453f
SHA256 61e1ee1d51776e0d31e3d9f62c452a9190c8186f85d4d7e733fb2caa0e149a63
SHA512 949e335c44bdcd256fd8b46ddd13be1863913591c996ca2038bb222b55b87675967643e7dd3c28da9d24400c70c470f581b0269d0323afe4fee1e941c27ea31f

C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe

MD5 2497466caab534f89f8df00398c9f42b
SHA1 5abb0260b3041f4e7abb026c79aada6b17adcecc
SHA256 6c1e2ccdca6cb783e31d0283d061842345329b028df00be04dd6fa01d399f5e7
SHA512 e521fd7de442bff2ee20b275397e71dcb46079c99ff79040c7be5a1ea4f5b578b8c2a01cf88f17d040d02d8938aff945e819382c557f75921da27549990752b7

C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe

MD5 78f6e86f4ad600d4760dc1b8b95b640d
SHA1 3187b172307de9c91049366f82ba1178801ed67c
SHA256 61833cf64da0c8e940d25429994c6f1aa6c6bbc33de4c1662239f2a933c6d34a
SHA512 1226dc7c201ecfa85954e29da61833e80e82f19848e4137eb2e5000464a479cf79c37946845cfeee44d0c9feff1bc1798f45ed664383380426dbc118e38529a5

C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe

MD5 5a2182df51dcdc9373e80db8898774b3
SHA1 9bd01b4ef25721dacc17bc6c8bbf5d82b573169e
SHA256 e55c9e1f281d321f9dfe6176ade0c1615339551b58faa152219792cc8d101e3d
SHA512 e72c750acb6606c837b1e1504824400da4b512656b5806ce2d965a5f08adaa496d871fb10ae1467d7b79586ff48132bcfc8fa0492b192c0fe6cee0f12c070c2c

C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe

MD5 fa906f0320cd43ca254b88858ea380bb
SHA1 66ef744ef0702a04b61a847277790e3b606c91af
SHA256 5b4ec02fc08942aafe18aba8dc678d746d0db5a2c61edf5472ffa521b52cf385
SHA512 0aa5ca3976572d857cfb7eba254f5ff22fa862ff5dd68ebf23f0193973cbc43e997bad54986ac75df07a726c5146d84c7a5a376b0338082c79cf7d9f9a1adb80

C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe

MD5 f8cdaed21a8b002179a39d0ff888dfd7
SHA1 9c48eb0f44ae3dfc12b5a73909235205285fbef8
SHA256 177c9fa341083b4100f70e1528718ba0fd5fe95e5751a3f11fbccdf9a742ff43
SHA512 8777ae8d97445b78a7de9b1fec648a3625e99a1b6d27e59ac15a43d32c1a22dc653d1e9d56148041599fdab96c392860cd871ff1761629a2367f837a6c988193

C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe

MD5 de2a3345e71bbfe2e1e0ae0e7117cb2b
SHA1 e3e87fbc6ffeba0c27d8ec355d05f03870e4206b
SHA256 d9cd32e79b9252c7de95008894c36f5156ded46e9f11cc37d03995a47c65da0b
SHA512 cd365f548a507bc2ebf31041a71d2da2d9f02965bc83cf89538b533073cdc033ac2f5d1cc554478087b8b658ef160534105ffa51c37d81bc7880eabbb416593b

C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe

MD5 38840202eda6e5361a340efc55616d22
SHA1 5c604014c232c5341ee604af65bcb7b4e22ce470
SHA256 a48cd787ce82587c64974a523fedd97accd142adcde15aba9acb4c2411c0b579
SHA512 ea8d6db81bd06bae687c9998f253a806aca1fcb1b8a8c6388d1a1a632e5977ef28e06ee14c53eea92b69e23f2f2d5361e0bf6ae18985b067d04e4099a285a61a

C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe

MD5 c60865db9dc7cec55eeb4b031cb623bb
SHA1 3793a5776ac32e42dd0137c511f01499b19acf31
SHA256 30d9918665979210ae8088b0b8917a2587c8134f47395e6c91972c5bf43b7108
SHA512 03d285b39ecb30618418e55aa2a11596a823f783d1cb0b5b288297f150b61d477f7f5b6c157fc31b797c9d866396122a732480f93c93371eefc5de670f928270

C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe

MD5 f1bc830f25b0209f05e65544de850fbc
SHA1 71cc48993ad9abfaea655e3141f8c114c8719529
SHA256 f68e6701bea65de2e7f2a6a4a7ef94848527a1a142123c56f9ae8cd2283ccd71
SHA512 d33d9dea7cb7ed742da7e4c73da874899acd1961f383b10eabf5fa66a1f13f0520375e62942be99986d2c4e7c87b3222cab7188dd4ae7cc7a50a2c96e38a3990

C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe

MD5 81320bdc8cbc7973873ef338cb7066d1
SHA1 6bfb3cb89e056fa6385b67e42a4f77c0cda4827f
SHA256 1cd7d72d316024796e93e2f8ea848dd456063f3e572d0fb9507c6e94470911bb
SHA512 71fa3d276fb20ceaeb1211458ca5e1fa331244ebd42c8edbfac57af81ceb6b978c02a1334e82215b5400c5e32d2cb6875c092c3e040e0d11325a5df8c4584b37