Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3ga5daac9w
Target 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye
SHA256 2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb

Threat Level: Known bad

The file 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:28

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:28

Reported

2024-03-02 23:31

Platform

win7-20240221-en

Max time kernel

144s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E} C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729A74C-CE76-42bf-8133-64095F4D1408}\stubpath = "C:\\Windows\\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe" C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA} C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}\stubpath = "C:\\Windows\\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe" C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B34DD3-3981-4fde-BF93-04F022FB8A36}\stubpath = "C:\\Windows\\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe" C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}\stubpath = "C:\\Windows\\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe" C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{096C2CE5-078E-4ab5-8108-63C14835295F} C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729A74C-CE76-42bf-8133-64095F4D1408} C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2307504F-A577-4294-991D-2D5167107C7D} C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2307504F-A577-4294-991D-2D5167107C7D}\stubpath = "C:\\Windows\\{2307504F-A577-4294-991D-2D5167107C7D}.exe" C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B34DD3-3981-4fde-BF93-04F022FB8A36} C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}\stubpath = "C:\\Windows\\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe" C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D515D68B-A213-4574-8B90-6E8AC15AFA1F} C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}\stubpath = "C:\\Windows\\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe" C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FFF679-D305-4e81-921B-46B1BF473518}\stubpath = "C:\\Windows\\{47FFF679-D305-4e81-921B-46B1BF473518}.exe" C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6} C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27768E8-A198-413d-9656-A6E89BDEFA6C} C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27768E8-A198-413d-9656-A6E89BDEFA6C}\stubpath = "C:\\Windows\\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe" C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E7AEEF-E853-4415-9076-31F6E421E2E3} C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}\stubpath = "C:\\Windows\\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe" C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{096C2CE5-078E-4ab5-8108-63C14835295F}\stubpath = "C:\\Windows\\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FFF679-D305-4e81-921B-46B1BF473518} C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe N/A
File created C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe N/A
File created C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe N/A
File created C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe N/A
File created C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
File created C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe N/A
File created C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe N/A
File created C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe N/A
File created C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe N/A
File created C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe N/A
File created C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
PID 2876 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
PID 2876 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
PID 2876 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
PID 2876 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2640 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
PID 2000 wrote to memory of 2640 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
PID 2000 wrote to memory of 2640 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
PID 2000 wrote to memory of 2640 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
PID 2000 wrote to memory of 2576 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2576 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2576 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2576 N/A C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2168 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
PID 2640 wrote to memory of 2168 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
PID 2640 wrote to memory of 2168 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
PID 2640 wrote to memory of 2168 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
PID 2640 wrote to memory of 2932 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2932 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2932 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2932 N/A C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2020 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
PID 2168 wrote to memory of 2020 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
PID 2168 wrote to memory of 2020 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
PID 2168 wrote to memory of 2020 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1028 N/A C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2732 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
PID 2020 wrote to memory of 2732 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
PID 2020 wrote to memory of 2732 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
PID 2020 wrote to memory of 2732 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
PID 2020 wrote to memory of 2792 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2792 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2792 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2792 N/A C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2248 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
PID 2732 wrote to memory of 2248 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
PID 2732 wrote to memory of 2248 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
PID 2732 wrote to memory of 2248 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
PID 2732 wrote to memory of 1656 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1656 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1656 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1656 N/A C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1732 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
PID 2248 wrote to memory of 1732 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
PID 2248 wrote to memory of 1732 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
PID 2248 wrote to memory of 1732 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
PID 2248 wrote to memory of 2260 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2260 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2260 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2260 N/A C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1556 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
PID 1732 wrote to memory of 1556 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
PID 1732 wrote to memory of 1556 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
PID 1732 wrote to memory of 1556 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
PID 1732 wrote to memory of 2296 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2296 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2296 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2296 N/A C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"

C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe

C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe

C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{096C2~1.EXE > nul

C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe

C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{47FFF~1.EXE > nul

C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe

C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC5C~1.EXE > nul

C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe

C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23075~1.EXE > nul

C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe

C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2776~1.EXE > nul

C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe

C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E7A~1.EXE > nul

C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe

C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72B34~1.EXE > nul

C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe

C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3BAB2~1.EXE > nul

C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe

C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F729A~1.EXE > nul

C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe

C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76E4D~1.EXE > nul

Network

N/A

Files

C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe

C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe

C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe

C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe

C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe

C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe

C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe

C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe

C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe

C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe

C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:28

Reported

2024-03-02 23:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463} C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265103C9-430B-4f0a-9818-6BD7EE838406} C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C} C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D0E909-6E6C-4dc0-9649-8352FB05D048} C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6033F77B-1201-4192-9A20-4578E4AC9D91} C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}\stubpath = "C:\\Windows\\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe" C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}\stubpath = "C:\\Windows\\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe" C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D0E909-6E6C-4dc0-9649-8352FB05D048}\stubpath = "C:\\Windows\\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe" C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}\stubpath = "C:\\Windows\\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe" C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951} C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}\stubpath = "C:\\Windows\\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CBF6982-3869-43b0-821D-45007428D1F7} C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74D6168-E472-442b-AFA7-3A3270527283}\stubpath = "C:\\Windows\\{A74D6168-E472-442b-AFA7-3A3270527283}.exe" C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4230D073-77CD-453c-A048-C265E7B6C88C}\stubpath = "C:\\Windows\\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe" C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B702087A-6271-48e1-B654-048916612255}\stubpath = "C:\\Windows\\{B702087A-6271-48e1-B654-048916612255}.exe" C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F} C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74D6168-E472-442b-AFA7-3A3270527283} C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB9947C9-53B0-48ce-BEC3-0F6418F63653} C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4230D073-77CD-453c-A048-C265E7B6C88C} C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}\stubpath = "C:\\Windows\\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe" C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6033F77B-1201-4192-9A20-4578E4AC9D91}\stubpath = "C:\\Windows\\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe" C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B702087A-6271-48e1-B654-048916612255} C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265103C9-430B-4f0a-9818-6BD7EE838406}\stubpath = "C:\\Windows\\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe" C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CBF6982-3869-43b0-821D-45007428D1F7}\stubpath = "C:\\Windows\\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe" C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe N/A
File created C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe N/A
File created C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe N/A
File created C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe N/A
File created C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
File created C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe N/A
File created C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe N/A
File created C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe N/A
File created C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe N/A
File created C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe N/A
File created C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe N/A
File created C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
PID 464 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
PID 464 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
PID 464 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 2620 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
PID 3932 wrote to memory of 2620 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
PID 3932 wrote to memory of 2620 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
PID 3932 wrote to memory of 1016 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 1016 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 1016 N/A C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2760 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe
PID 2620 wrote to memory of 2760 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe
PID 2620 wrote to memory of 2760 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe
PID 2620 wrote to memory of 3184 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3184 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3184 N/A C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1832 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
PID 2760 wrote to memory of 1832 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
PID 2760 wrote to memory of 1832 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
PID 2760 wrote to memory of 64 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 64 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 64 N/A C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 4048 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
PID 1832 wrote to memory of 4048 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
PID 1832 wrote to memory of 4048 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
PID 1832 wrote to memory of 1396 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 1396 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 1396 N/A C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 3496 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe
PID 4048 wrote to memory of 3496 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe
PID 4048 wrote to memory of 3496 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe
PID 4048 wrote to memory of 1956 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 1956 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 1956 N/A C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2080 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
PID 3496 wrote to memory of 2080 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
PID 3496 wrote to memory of 2080 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
PID 3496 wrote to memory of 4284 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4284 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4284 N/A C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4516 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
PID 2080 wrote to memory of 4516 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
PID 2080 wrote to memory of 4516 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
PID 2080 wrote to memory of 2716 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2716 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2716 N/A C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 2232 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe
PID 4516 wrote to memory of 2232 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe
PID 4516 wrote to memory of 2232 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe
PID 4516 wrote to memory of 4524 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4524 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4524 N/A C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2564 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
PID 2232 wrote to memory of 2564 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
PID 2232 wrote to memory of 2564 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
PID 2232 wrote to memory of 4380 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4380 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4380 N/A C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3024 N/A C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe
PID 2564 wrote to memory of 3024 N/A C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe
PID 2564 wrote to memory of 3024 N/A C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe
PID 2564 wrote to memory of 232 N/A C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"

C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe

C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe

C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B7F~1.EXE > nul

C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe

C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6033F~1.EXE > nul

C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe

C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B7020~1.EXE > nul

C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe

C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D459~1.EXE > nul

C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe

C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{96B07~1.EXE > nul

C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe

C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A74D6~1.EXE > nul

C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe

C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61D0E~1.EXE > nul

C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe

C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EB994~1.EXE > nul

C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe

C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4230D~1.EXE > nul

C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe

C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FF609~1.EXE > nul

C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe

C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26510~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe


C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe


C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe


C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe


C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe


C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe


C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe


C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe


C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe


C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe


C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe


C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe


C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe
