Malware Analysis Report

2025-08-11 01:06

Sample ID 240302-t1fpjaeh6x
Target 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye
SHA256 a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605

Threat Level: Known bad

The file 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-02 16:31

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-02 16:31
Reported 2024-03-02 16:33
Platform win10v2004-20240226-en
Max time kernel 151s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}\stubpath = "C:\\Windows\\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe" C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1487626-296C-4ab4-9CF2-9151C92E0F26} C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98390355-6891-402d-927A-52B1E7189C9B}\stubpath = "C:\\Windows\\{98390355-6891-402d-927A-52B1E7189C9B}.exe" C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E7109D-AE94-4470-B6F7-5F31C9834698} C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67EAA800-E614-40a1-B7DD-0D97095EE950} C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67EAA800-E614-40a1-B7DD-0D97095EE950}\stubpath = "C:\\Windows\\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe" C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEC787B-2000-486e-8202-B09C9CF892D1} C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0C126D-BF7F-464c-81D5-20282407A79C}\stubpath = "C:\\Windows\\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe" C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7} C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1D86F5-EEAC-407a-9CA1-BE4569038184} C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}\stubpath = "C:\\Windows\\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe" C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC392DD0-8D27-48d0-86CE-67B54EFF477F} C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49F18D3-5A3B-4067-9364-726C5BCC3E29} C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}\stubpath = "C:\\Windows\\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe" C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4047F151-F5B3-428c-9065-74BB13FC01E7} C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4047F151-F5B3-428c-9065-74BB13FC01E7}\stubpath = "C:\\Windows\\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe" C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98390355-6891-402d-927A-52B1E7189C9B} C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7928A926-96D1-4569-8672-1371AB35C300} C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E7109D-AE94-4470-B6F7-5F31C9834698}\stubpath = "C:\\Windows\\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe" C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEC787B-2000-486e-8202-B09C9CF892D1}\stubpath = "C:\\Windows\\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe" C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0C126D-BF7F-464c-81D5-20282407A79C} C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1487626-296C-4ab4-9CF2-9151C92E0F26}\stubpath = "C:\\Windows\\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7928A926-96D1-4569-8672-1371AB35C300}\stubpath = "C:\\Windows\\{7928A926-96D1-4569-8672-1371AB35C300}.exe" C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}\stubpath = "C:\\Windows\\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe" C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe N/A
File created C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe N/A
File created C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe N/A
File created C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
File created C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe N/A
File created C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe N/A
File created C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe N/A
File created C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe N/A
File created C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe N/A
File created C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe N/A
File created C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe N/A
File created C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe
PID 3032 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 3404 N/A C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe
PID 3624 wrote to memory of 1188 N/A C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 524 N/A C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe
PID 3404 wrote to memory of 2376 N/A C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 1144 N/A C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe
PID 524 wrote to memory of 780 N/A C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2248 N/A C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe
PID 1144 wrote to memory of 2432 N/A C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 4624 N/A C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe
PID 2248 wrote to memory of 220 N/A C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 1188 N/A C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe
PID 4624 wrote to memory of 3528 N/A C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 1860 N/A C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe
PID 1188 wrote to memory of 4724 N/A C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 3584 N/A C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe
PID 1860 wrote to memory of 4476 N/A C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 4056 N/A C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe
PID 3584 wrote to memory of 1288 N/A C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 4488 N/A C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe
PID 4056 wrote to memory of 928 N/A C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"

C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe

C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe

C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C1487~1.EXE > nul

C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe

C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4047F~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe

C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1D8~1.EXE > nul

C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe

C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{98390~1.EXE > nul

C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe

C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7928A~1.EXE > nul

C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe

C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DC392~1.EXE > nul

C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe

C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E71~1.EXE > nul

C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe

C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67EAA~1.EXE > nul

C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe

C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEC7~1.EXE > nul

C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe

C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0C1~1.EXE > nul

C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe

C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B49F1~1.EXE > nul

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted 2024-03-02 16:31
Reported 2024-03-02 16:33
Platform win7-20240215-en
Max time kernel 144s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}\stubpath = "C:\\Windows\\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe" C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}\stubpath = "C:\\Windows\\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe" C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D6AA90D-493B-4314-8541-88CD700166E2} C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}\stubpath = "C:\\Windows\\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe" C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F71E79-0AA5-472f-BA94-B4E662969B5D} C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90692767-9AA5-44ba-ADF0-C1B781FA909B} C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D6AA90D-493B-4314-8541-88CD700166E2}\stubpath = "C:\\Windows\\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe" C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB} C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2} C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}\stubpath = "C:\\Windows\\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe" C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E906994-9BD7-4aa7-8A86-D14E1598567C} C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E906994-9BD7-4aa7-8A86-D14E1598567C}\stubpath = "C:\\Windows\\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22EFBAC-3677-47a0-BB2D-2B557CE10031} C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39A3723-EFCF-43d2-BE6C-63C8AB327401} C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}\stubpath = "C:\\Windows\\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe" C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}\stubpath = "C:\\Windows\\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe" C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90692767-9AA5-44ba-ADF0-C1B781FA909B}\stubpath = "C:\\Windows\\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe" C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7BE827-BA83-4855-8117-6FA863AE8BA9} C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41FE860-1F41-4e02-982F-F300D9204BBE} C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41FE860-1F41-4e02-982F-F300D9204BBE}\stubpath = "C:\\Windows\\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe" C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}\stubpath = "C:\\Windows\\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe" C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E99404B-06D2-48bc-AB6C-09C642A09FD7} C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe N/A
File created C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe N/A
File created C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe N/A
File created C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe N/A
File created C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
File created C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe N/A
File created C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe N/A
File created C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe N/A
File created C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe N/A
File created C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe N/A
File created C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
PID 1644 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
PID 1644 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
PID 1644 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
PID 1644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2528 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
PID 2960 wrote to memory of 2528 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
PID 2960 wrote to memory of 2528 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
PID 2960 wrote to memory of 2528 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
PID 2960 wrote to memory of 2604 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2604 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2604 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2604 N/A C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
PID 2528 wrote to memory of 1588 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2408 N/A C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1564 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
PID 1588 wrote to memory of 1564 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
PID 1588 wrote to memory of 1564 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
PID 1588 wrote to memory of 1564 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
PID 1588 wrote to memory of 1536 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1536 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1536 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1536 N/A C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2316 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
PID 1564 wrote to memory of 2316 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
PID 1564 wrote to memory of 2316 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
PID 1564 wrote to memory of 2316 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
PID 1564 wrote to memory of 2332 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2332 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2332 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2332 N/A C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
PID 2316 wrote to memory of 1640 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
PID 2316 wrote to memory of 1628 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1628 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1628 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1628 N/A C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2292 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
PID 1640 wrote to memory of 2292 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
PID 1640 wrote to memory of 2292 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
PID 1640 wrote to memory of 2292 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
PID 1640 wrote to memory of 1676 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1676 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1676 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1676 N/A C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
PID 2292 wrote to memory of 1376 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
PID 2292 wrote to memory of 1708 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1708 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1708 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1708 N/A C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"

C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe

C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe

C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1E906~1.EXE > nul

C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe

C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F22EF~1.EXE > nul

C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe

C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F39A3~1.EXE > nul

C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe

C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F71~1.EXE > nul

C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe

C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7BE~1.EXE > nul

C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe

C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C41FE~1.EXE > nul

C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe

C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{90692~1.EXE > nul

C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe

C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6AA~1.EXE > nul

C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe

C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5D2~1.EXE > nul

C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe

C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE43B~1.EXE > nul

Network

N/A

Files

C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe

MD5 28cc4bee2a1bb57f74817b4ede0525f6
SHA1 3fe8f36b9fdf13dd2cadad6ab0ab876dd3a7b134
SHA256 5361d7536654046c9f8ff7f31cceedbb195a3e87f456f3a3e83ea3604a0127a1
SHA512 1a34649e86b4efc14cf92dc400da181d13417ec9487be6f11ba4e54ffadd94e3cd47751d30f7b65757c1f8c2ced7931aa22efd35a15197f5909779ed4446f40c

C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe

MD5 9526767791aa1a7994e1b550353c340c
SHA1 e63534cf0bfc88984732a4927fa8779e474e745a
SHA256 8a610c3ef02b6e91790a7cd0f840819bc00f36588cd465ba0f00e4c2f8f37752
SHA512 9fe1def048ec62256beb2addddcc9f97ab30ae6cc4c31e97f187025b77710dfef6674e272433088a17d98a662dd2285270f5f23269e6e15b30a6385373966909

C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe

MD5 e8e7596e171ef9cfaa34c3bd218dcab9
SHA1 88ab1aab3687e1412bb670e6057858a88cc47046
SHA256 c78af638d7fb0b0a59cf18924d9fa7210f91a1cc7cd2f0ea75d39288e4ecd23e
SHA512 c666a2e3f02782ee2bd26f18af841715f61437d1b6b4ff2cf1c8973c39ce2ca67c02c3a2bd635e154a2796dbb31986d99063a6ac096cf5e54e197bfe77ffa9b1

C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe

MD5 0cf3d8bb15620e0884daf89c2acdd4ef
SHA1 4b302208c9c9aa2b8f957d141866a53e2bb7d97d
SHA256 9cd98971906a2ade31a76d2c6704b543705c36aaeb8ddfc6cf5f24dc5d8c7f74
SHA512 60100985d02d80ede80ea6afc30bd99137374b61d97b7f0941f4ca6f3fd91f7e0070b688440fdccfa89dbb9d6293ff617242dafe5178e2cf5f5abddf61005920

C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe

MD5 7f142d279f6d769736b4637e779645f4
SHA1 b719e52470b665f23c724a35c7be0de56cdb7726
SHA256 dee4ff6e58f4a737c7121974841ca59d9cd28cf07031b8af4aae24c57110251f
SHA512 a735091db4295ed55beb4b113554d690ce86fe6d6c7c60ba2c49ce569a648e082d2a9a874f99a794d0cdb786db204557483686ccee04e503653ac60c3438b5dd

C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe

MD5 69b8e53fd9afbf4d79ddcfab3eaad3df
SHA1 53418e9f7a56cc1b815eca0a4929d40b7a2660df
SHA256 e6c80ac166730aade6ac3a93c72e74f5fbf947ca916c71aa5eaef4c1dd3d9864
SHA512 b29406f8abbda9b17f19af3e20f06e6461c69bff4051575bdc39d6cafbc5a4982808b4cf86b280f14734890cba7a37893da4cd5c28bb5e331f6ceb8d7416d2b9

C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe

MD5 7a6a15e142979fd8b684a635786682d4
SHA1 f248eece4c4a98869139850f3635732dbb50ec36
SHA256 4a502d181500cbf021140f1f1bb7461486881f5ae4585f973c72b0477bbcf2b5
SHA512 1217beafa66581f6e8b5d0087f054475144c0817e052348ec9c04d569f47b724949e3b880fcb97804b86f87196ceda9060f3e2fa902eac54b0e02f969b39be28

C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe

MD5 19ea88ec3a9f3491dd6f19db450666b4
SHA1 648b6030d7669524917130177b06b6dfee5735cc
SHA256 a43542185a91d908ee6c1fc33ad264913d9336eb011e3f5f55bb2a928e07e54b
SHA512 a84857d3ecdeabbc22386ec246d769a781391d91c3b5e502672018cbfd9c310dbd7058eb09feaa3d86a651814442b9d30e54beb54516d976cc0b38aba91c7897

C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe

MD5 a664c2de655404a12a34aebfe331bdff
SHA1 8f956574b8cf3a50dd538a67abbce9d3ee68d192
SHA256 aa70dd3a0fcda38efeea6e77493dc5625ee18b0f8e0c34e6310387ee32814dc2
SHA512 d87f73c19a8e417b8e60917fe3634a1926caa0441eb28631e1de2192d6350d8f520c1110db584db4d11f764c98bf947616c4418e70a3b5ece67910f9eb0f32cb

C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe

MD5 8edbeb5b7e476176b745fc6fb0f2a00f
SHA1 3b5e7470c0616613115aeb924669ac0201997281
SHA256 b42f2a55fa9e6a64f36fc76220c5a244663432017083873e03aa9b4446832b8f
SHA512 d73e2f7796d5ebd6731e216c0d6952791589b6b849d81c229a53cd774b3d4bf22e6688765056090bf66585646ac5822dfdc1874114aaf9c8fea8f45daa469f68

C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe

MD5 a15ec99267fafde4ae25bc0acc8a9347
SHA1 19ee8309788a9d97ac4db0325e71fe67c57944df
SHA256 f6bea61c1db195d4a84996bf48761760ddc7dbdc00a5171fc57f3f14f4f90767
SHA512 75704bf69d2031063cf8fbd8c69d9617d941343a3ab7b05d976bae6b917e183e874ca8c03d853592830b7c778636a2c1071a63e2121731f361ca416bb7cd3989