Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3gxclsag62
Target 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye
SHA256 e48951fb1eb66395f19027038718abafe06697d96adda70534ba15c0cc7ac7a8
Tags

persistence

score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e48951fb1eb66395f19027038718abafe06697d96adda70534ba15c0cc7ac7a8

Threat Level: Known bad

The file 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:29

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:29

Reported

2024-03-02 23:32

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
11 matches, none with a recorded description, indicator, process or target

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}\stubpath = "C:\\Windows\\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe" C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F7A9F5-36CD-494b-BC04-87214242FD5C} C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}\stubpath = "C:\\Windows\\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe" C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}\stubpath = "C:\\Windows\\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe" C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99C201A-19EC-4844-86F1-0BECA5B9BC23} C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE} C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6CC007-05F2-45ea-B99D-B62A183E437E}\stubpath = "C:\\Windows\\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe" C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{284D26C3-C78E-45bf-8836-211245AD58FD}\stubpath = "C:\\Windows\\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe" C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7} C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}\stubpath = "C:\\Windows\\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD} C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F7A9F5-36CD-494b-BC04-87214242FD5C}\stubpath = "C:\\Windows\\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe" C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC} C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}\stubpath = "C:\\Windows\\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe" C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6CC007-05F2-45ea-B99D-B62A183E437E} C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086} C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}\stubpath = "C:\\Windows\\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe" C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F3EAAB-F2ED-4213-B90B-D44501870BE2} C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}\stubpath = "C:\\Windows\\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe" C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8727761E-1900-4c91-8C05-DAE64E4FF6DF} C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}\stubpath = "C:\\Windows\\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe" C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{284D26C3-C78E-45bf-8836-211245AD58FD} C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe N/A
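What this table records is Active Setup persistence (ATT&CK T1547.014). Each stage creates a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, reached here through the Wow6432Node view because the writer is a 32-bit process on 64-bit Windows (the cmd.exe children resolving to SysWOW64\cmd.exe agree), and sets that key's stubpath to the next GUID-named executable it has just dropped into C:\Windows. At logon Windows runs a component's StubPath in each user's context whenever the HKCU copy of the key is missing or older, so every row here is a logon trigger, and the component GUID and the file name are the same GUID. The script below is an added example, not part of the sandbox report or of any tool it uses: it parses rows in the report's own "Description Indicator Process Target" layout and flags stubpath values that point at a loose .exe directly in the Windows root, especially one named after its own component, which is how product setup stubs (pointing under System32 or Program Files) differ from what is seen here. Six rows are copied from the table above; the two rows with the 00000000-1111-... GUID, msiexec writer and rundll32 stub are constructed benign controls with a hypothetical GUID, not taken from the report.

```python
import re

# Added example, not part of the sandbox report: a heuristic for Active Setup
# persistence abuse, run over registry rows in the report's own
# "Description Indicator Process Target" layout.

ACTIVE_SETUP_ROWS = [
    # Six rows copied verbatim from the behavioral1 table above.
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7} C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}\stubpath = "C:\\Windows\\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD} C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}\stubpath = "C:\\Windows\\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe" C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F3EAAB-F2ED-4213-B90B-D44501870BE2} C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}\stubpath = "C:\\Windows\\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe" C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A',
    # Two constructed control rows (hypothetical GUID and installer, not from the
    # report) in the shape of a product's per-user setup stub.
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444} C:\Windows\System32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath = "C:\\Windows\\System32\\rundll32.exe example.dll,PerUserInstall" C:\Windows\System32\msiexec.exe N/A',
]

# Row layout: <op> <key path, contains spaces> [= "<value>"] <writing process> N/A
ROW_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<proc>\S+) N/A$'
)
GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
COMPONENT_RE = re.compile(
    r'\\Active Setup\\Installed Components\\(?P<component>' + GUID + r')'
    r'(?:\\(?P<valuename>[^\\]+))?$',
    re.IGNORECASE,
)
# A .exe sitting directly in the Windows root, no sub-directory.
WINDOWS_ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\Windows\\(?P<stem>[^\\]+)\.exe$', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def parse_row(row):
    """Split one report row into op, key, value (if any) and writing process."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    rec = m.groupdict()
    if rec["value"] is not None:
        rec["value"] = rec["value"].replace("\\\\", "\\")  # report renders strings with escaped backslashes
    return rec


def exe_of_command(command):
    """Return the executable part of a StubPath command, dropping any arguments."""
    m = re.match(r'^"?(?P<exe>[^"]*?\.exe)"?', command, re.IGNORECASE)
    return m.group("exe") if m else command


def find_active_setup_abuse(rows):
    """Flag stubpath values that look like dropper persistence rather than a
    product's per-user setup stub. One finding per suspicious value."""
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec is None or rec["op"] != "Set value (str)":
            continue
        km = COMPONENT_RE.search(rec["key"])
        if km is None or (km.group("valuename") or "").lower() != "stubpath":
            continue
        component = km.group("component")
        stub_exe = exe_of_command(rec["value"])
        reasons = []
        root_match = WINDOWS_ROOT_EXE_RE.match(stub_exe)
        if root_match:
            reasons.append("stub_in_windows_root")
            if root_match.group("stem").lower() == component.lower():
                reasons.append("stub_named_after_component")  # the pattern in this report
        if not reasons:
            continue  # stub under System32 / Program Files etc.: treat as product setup
        writer = rec["proc"]
        if WINDOWS_ROOT_EXE_RE.match(writer) or USER_TEMP_RE.search(writer):
            reasons.append("writer_is_dropper_like")  # written by a sibling stage or a temp-dir binary
        findings.append({"component": component, "stub_path": stub_exe,
                         "writer": writer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_active_setup_abuse(ACTIVE_SETUP_ROWS):
        print(f"{f['component']}  stub={f['stub_path']}  by={f['writer']}  {','.join(f['reasons'])}")
```

On a live host the same three checks apply to the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and of the Wow6432Node view; the "writer" column only exists in sandbox or Sysmon registry telemetry, which is why it is treated as supporting evidence rather than a trigger on its own (legitimate installers also run from the user's Temp directory).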

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A
File created C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe N/A
File created C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe N/A
File created C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe N/A
File created C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
File created C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A
File created C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe N/A
File created C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe N/A
File created C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe N/A
File created C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe N/A
File created C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
PID 1516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
PID 1516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
PID 1516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
PID 1516 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2664 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
PID 2780 wrote to memory of 2664 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
PID 2780 wrote to memory of 2664 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
PID 2780 wrote to memory of 2664 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
PID 2780 wrote to memory of 3000 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3000 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3000 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3000 N/A C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
PID 2664 wrote to memory of 2592 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2592 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2592 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2592 N/A C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2896 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
PID 2656 wrote to memory of 2896 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
PID 2656 wrote to memory of 2896 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
PID 2656 wrote to memory of 2896 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
PID 2656 wrote to memory of 2072 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2072 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2072 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2072 N/A C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 472 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
PID 2896 wrote to memory of 472 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
PID 2896 wrote to memory of 472 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
PID 2896 wrote to memory of 472 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
PID 2896 wrote to memory of 1292 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1292 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1292 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1292 N/A C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 1120 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
PID 472 wrote to memory of 1120 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
PID 472 wrote to memory of 1120 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
PID 472 wrote to memory of 1120 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
PID 472 wrote to memory of 876 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 876 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 876 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 876 N/A C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 1752 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
PID 1120 wrote to memory of 1752 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
PID 1120 wrote to memory of 1752 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
PID 1120 wrote to memory of 1752 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
PID 1120 wrote to memory of 1088 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 1088 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 1088 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 1088 N/A C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
PID 1752 wrote to memory of 2756 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
PID 1752 wrote to memory of 2732 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2732 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2732 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2732 N/A C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe

C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe

C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1F9B4~1.EXE > nul

C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe

C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B711~1.EXE > nul

C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe

C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{37F3E~1.EXE > nul

C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe

C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{82F7A~1.EXE > nul

C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe

C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E99C2~1.EXE > nul

C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe

C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87277~1.EXE > nul

C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe

C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4100C~1.EXE > nul

C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe

C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D23~1.EXE > nul

C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe

C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6CC~1.EXE > nul

C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe

C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C69~1.EXE > nul
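Read together with the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables, this process tree shows the same three actions at every stage: drop the next GUID-named executable into C:\Windows, start it, then spawn cmd.exe /c del on the stage's own file, addressed by its 8.3 alias ({1F9B4~1.EXE for {1F9B4C96-...}.exe), so the full GUID file name never appears on the cmd command line and the del succeeds as soon as the stage process has exited. The cmd.exe path is C:\Windows\SysWOW64\cmd.exe although the command line says system32, which is WOW64 file-system redirection at work for a 32-bit parent. The consequence for incident response is that every stage's Active Setup key stays in the registry while only the final stage's binary is expected to remain on disk. The script below is an added example, not part of the sandbox report: it rebuilds the ordered chain from the File created rows, computes the 8.3 alias each stage would carry (an approximation that assumes the ~1 form, i.e. no earlier name collision in the directory), checks that each recorded cmd.exe deletes the process that spawned it, and lists the stages nothing deleted. Rows and command lines are copied from behavioral1 above; the spawner of each cmd.exe follows the WriteProcessMemory rows, and for the last three pairs, where that table is cut off, the process-tree order.

```python
import re

# Added example, not part of the sandbox report: rebuild the drop chain from the
# "File created" rows and check each cmd.exe child against the 8.3 alias of the
# process that spawned it.

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

# "File created <dropped> <writer> N/A" rows copied from the behavioral1 table above.
FILE_CREATED_ROWS = [
    r"File created C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe N/A",
    r"File created C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe N/A",
    r"File created C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe N/A",
    r"File created C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe N/A",
    r"File created C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A",
    r"File created C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe N/A",
    r"File created C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe N/A",
    r"File created C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe N/A",
    r"File created C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe N/A",
    r"File created C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe N/A",
    r"File created C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe N/A",
]

# (spawning process, cmd.exe command line) pairs read off the process tree above.
CLEANUP_PAIRS = [
    (SAMPLE, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (r"C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1F9B4~1.EXE > nul"),
    (r"C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2B711~1.EXE > nul"),
    (r"C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{37F3E~1.EXE > nul"),
    (r"C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{82F7A~1.EXE > nul"),
    (r"C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E99C2~1.EXE > nul"),
    (r"C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{87277~1.EXE > nul"),
    (r"C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4100C~1.EXE > nul"),
    (r"C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D23~1.EXE > nul"),
    (r"C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6CC~1.EXE > nul"),
    (r"C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C69~1.EXE > nul"),
]

DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)


def short_name(path):
    """Approximate the 8.3 alias Windows generates for a long name: first six
    characters of the stem, "~1", extension cut to three characters, upper-cased.
    Assumption: no earlier collision in the directory (that would give ~2, ~3 or
    a hashed form) and no characters that 8.3 generation strips."""
    directory, _, base = path.rpartition("\\")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    alias = stem[:6].upper() + "~1" + (("." + ext[:3].upper()) if ext else "")
    return directory + "\\" + alias if directory else alias


def parse_file_created(rows):
    """Map each writing process to the files it created."""
    drops = {}
    for row in rows:
        parts = row.split()
        if len(parts) >= 4 and parts[:2] == ["File", "created"]:
            drops.setdefault(parts[3], []).append(parts[2])
    return drops


def build_drop_chain(rows, root):
    """Follow writer -> dropped file from the submitted sample; refuse anything
    that is not one linear chain so branching or cycles are not silently hidden."""
    drops = parse_file_created(rows)
    chain, node = [root], root
    while node in drops:
        children = drops[node]
        if len(children) != 1:
            raise ValueError(f"{node} dropped {len(children)} files, not a linear chain")
        node = children[0]
        if node in chain:
            raise ValueError(f"cycle at {node}")
        chain.append(node)
    return chain


def del_target(cmdline):
    m = DEL_RE.search(cmdline)
    return m.group("target") if m else None


def check_self_deletion(pairs):
    """Does each cmd.exe child delete the 8.3 alias of the process that spawned it?"""
    results = []
    for spawner, cmdline in pairs:
        target = del_target(cmdline)
        results.append({"process": spawner, "deletes": target,
                        "deletes_itself": target is not None and target.lower() == short_name(spawner).lower()})
    return results


def surviving_stages(chain, pairs):
    """Stages whose alias was never passed to del: expect these binaries on disk."""
    deleted = {t.lower() for t in (del_target(c) for _, c in pairs) if t}
    return [stage for stage in chain if short_name(stage).lower() not in deleted]


if __name__ == "__main__":
    chain = build_drop_chain(FILE_CREATED_ROWS, SAMPLE)
    for depth, stage in enumerate(chain):
        print(f"stage {depth:2d}: {stage}")
    for r in check_self_deletion(CLEANUP_PAIRS):
        print("self-delete" if r["deletes_itself"] else "other", r["process"], "->", r["deletes"])
    print("still on disk:", surviving_stages(chain, CLEANUP_PAIRS))
```

The chain it rebuilds is twelve entries long (the sample plus the eleven files hashed in the Files section below), every one of the eleven cmd.exe children deletes its own spawner, and the only stage with no delete recorded is {284D26C3-C78E-45bf-8836-211245AD58FD}.exe. When hunting with the full-name patterns from the Files section, remember that the command lines only ever contain the ~1 aliases; matching on the first five characters of the GUID, or on the `del` plus `> nul` shape itself, is what catches the cleanup step.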

Network

N/A

Files

C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe

MD5 eecf3019153851685ca1853710e1ac1a
SHA1 f09c06cf819104489f57beeb794dad36b8c3db5d
SHA256 b55b4eba4eeca3776695fcb590e63aa5deabf8b379263a5449d7fb262142d9ca
SHA512 1d149e9e6149980e7813e57094bb2a9eca13c44292bec35d2ab72da0bae1f5ae12890b74cc980d203212d9cd536ce9109c785e7f16fc2b8e96568cc089203a6a

C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe

MD5 e406ff81b38d6345e349eecb1497c357
SHA1 bc0d58325725d6e7606008c7ee388a935716fe71
SHA256 ccbd9999b56d84dd603ef8e10d8e11708f99bee4990cb653119ca8f639915432
SHA512 a60d3e88aed545ee93579cc4885e1b338a7cbcc5064a70a0d24a4115e47cfe8559bddea9e960bae8a971450337de3718c9fca36b08bb2643faa0d56fac667c3b

C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe

MD5 3939837a97ea9c5afc9d5497797f6027
SHA1 60bca6a9f5b4c7aa2f25486e50886daa447679df
SHA256 78c9f2808f4ba3709116ffc569f82608fed7ae9c7fb90d91339b14e527c66936
SHA512 95b9adf68f4c57def700c0dc4287dc34409684bd74e02dc6ba91af43dd5ef912376ae9df7f368e13b3922fe10b2b022a63a48678eaaa9f943b1f9ac7a0e51474

C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe

MD5 ef29cc273952a3b498d62421972de1ad
SHA1 db41749e6b2d88efd47f702439157165feaabfb8
SHA256 3760b972106ba2943ea4d5364a3447c197e284c70d0d4d1dc7f0f71680249322
SHA512 3f72b87162219bc2d39210367dd7f834a3a0380b63c2ecd4c3a9d422bcd0d52800625ca6fd20fa67eb3d944dbd2339d207fc18ddce6d9f3d3db7110f146a8b95

C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe

MD5 be7300af720926e9c34f4d4c85d0a168
SHA1 2010698dd5e18a526bd0ac9b15e92ac6fe762cb4
SHA256 ae8a021d3d6e906b42c41109f6b47920f6fa8ba846e04f20bb0ed2938161a9f5
SHA512 1c1ca9b9afac50bd463e11455829534d0a20a08728983cef589d64422cc6406c74bc646bcbd0272327f70e20080e7123013dbcd569e79a4bb789db9d190d4465

C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe

MD5 88817a97e9a1a961dcee56943ddbb608
SHA1 425d0524a1eec26766c21083ae277de41973d40a
SHA256 dc93feedd95866e99971a93af9a451ec919f2c6fa747f7bc6d9312ceac08e267
SHA512 3cef6275c28f2f43e8204ffcc496837c0adf4dddac80cf3be95a8bcb5474541578db9736acb25c9346b56b56c22d8735f7f1988cc441a96206a581913256dab5

C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe

MD5 ca55d477ed4eede8e5b94fe42b8f949d
SHA1 8e902ce629764a85f600d4cfcf48c010d110119b
SHA256 a15e9259a03c8f164cae9545c2f5df51b23a3fde74e07129d09723e04bec6bfe
SHA512 fbe136a998203fc08229e5fdc4a07a6e9283a98dae99d920d77f15e6120c3d8cf32ee1c78fb495641cb81708f97515ec99547974b9d6ce547c93943ed4cc3bcf

C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe

MD5 722cbef8ae74ebf39aa3f9d1330fb48e
SHA1 8386d787dab363302b520f0a637ffcca3afd7cdd
SHA256 0d04e39af934d04687e0d64b64dd425548b553e5bbf82c7ed9ec5aa965417a7e
SHA512 b6e9cadf81d59ecb82f98d24f8cf53e3edb37abd923a517e6de99059208ce02b6b7e66679dabaa19d1a4da4c8b4c0a113b8b2c4fd393d54c2add07666d0de493

C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe

MD5 0d8994e62835a0fe3b64fefc71ccfa35
SHA1 72b6b239b7b45ff460dce646720f051ad21a1772
SHA256 481cbdd92c60baa555c2af68334cef4998a59ebed40ea396b70b08ea3897f9a9
SHA512 668cbdc312df764fba33d7a614b7b4f1139ccdce83499bff6078ad4e3bd401e53ff4a838f7269bbd610f1c2f51ea355470acbd12a78aa55cb5afd094b109d2ea

C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe

MD5 62c240b09ff5d30bf1af3c009feb979b
SHA1 9759988be3380b559f0487e3f2ea3c2242d3f713
SHA256 bf49f4f3e79cbd53eb5ce5b6790f894375671e68eb32dfa62f5ffbaa1ac55908
SHA512 79e3f0dd46c2168966a0853b31a341431afb08425c3bcfa224c69bcb3adc7989d53eea164b8c3bb01aca090c640a6a85c64e2b180446e07964107db5f5697ad2

C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe

MD5 2da9d22d06fa58a013d5cf503d476073
SHA1 a8d69507380bef0d5d68bf5d1995c6cae2d0de53
SHA256 3b9d3bf2b08822350e2700a3304074ca5a8da15a06cdfb1124629677f705c8bd
SHA512 1735d3be9135ea696cc0605c274e2ad74e1afadc15dea9af977f45b5f369ebe6561662b26bfeedcfef3ea1a39cfea7008adb3dc7a61211cfda73aa61c417d409

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:29

Reported

2024-03-02 23:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
12 matches, none with a recorded description, indicator, process or target

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F3B260-ECB9-419f-A6E0-75228242B783} C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F3B260-ECB9-419f-A6E0-75228242B783}\stubpath = "C:\\Windows\\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe" C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}\stubpath = "C:\\Windows\\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}\stubpath = "C:\\Windows\\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe" C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD4879C-A249-48a3-A27A-C43BB29809A3} C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E} C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23165439-5507-40d0-87E0-44DA67AD8BBA} C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23165439-5507-40d0-87E0-44DA67AD8BBA}\stubpath = "C:\\Windows\\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe" C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45CC08-B088-4182-9AF2-5EFB265E37F3} C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC} C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}\stubpath = "C:\\Windows\\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe" C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF94757C-4601-43e2-95FB-3473002162AD} C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}\stubpath = "C:\\Windows\\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe" C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}\stubpath = "C:\\Windows\\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe" C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6} C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}\stubpath = "C:\\Windows\\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe" C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3918B111-817E-44b2-B903-8496C332C94B}\stubpath = "C:\\Windows\\{3918B111-817E-44b2-B903-8496C332C94B}.exe" C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29C7468-FA74-4bd9-8F20-7290C473AA9E} C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2} C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF94757C-4601-43e2-95FB-3473002162AD}\stubpath = "C:\\Windows\\{EF94757C-4601-43e2-95FB-3473002162AD}.exe" C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD4879C-A249-48a3-A27A-C43BB29809A3}\stubpath = "C:\\Windows\\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe" C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4} C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}\stubpath = "C:\\Windows\\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe" C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3918B111-817E-44b2-B903-8496C332C94B} C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
File created C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe N/A
File created C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe N/A
File created C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe N/A
File created C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe N/A
File created C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe N/A
File created C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe N/A
File created C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe N/A
File created C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe N/A
File created C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe N/A
File created C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe N/A
File created C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
PID 5100 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3084 N/A C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
PID 4692 wrote to memory of 3400 N/A C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2976 N/A C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe
PID 3084 wrote to memory of 5072 N/A C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2572 N/A C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
PID 2976 wrote to memory of 408 N/A C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3252 N/A C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
PID 2572 wrote to memory of 4048 N/A C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3220 N/A C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
PID 3252 wrote to memory of 3256 N/A C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 5044 N/A C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
PID 3220 wrote to memory of 4068 N/A C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4956 N/A C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
PID 5044 wrote to memory of 2180 N/A C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 1420 N/A C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
PID 4956 wrote to memory of 3564 N/A C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3140 N/A C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe
PID 1420 wrote to memory of 2440 N/A C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 4704 N/A C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe
PID 3140 wrote to memory of 1992 N/A C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe

C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe

C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AB45C~1.EXE > nul

C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe

C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B401~1.EXE > nul

C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe

C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF947~1.EXE > nul

C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe

C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD40~1.EXE > nul

C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe

C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD48~1.EXE > nul

C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe

C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{134A5~1.EXE > nul

C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe

C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86F67~1.EXE > nul

C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe

C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E60F0~1.EXE > nul

C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe

C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23165~1.EXE > nul

C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe

C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68F3B~1.EXE > nul

C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe

C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3918B~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 N/A udp

Files

C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe

C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe

C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe

C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe

C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe

C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe

C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe

C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe

C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe

C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe

C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe

C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
