Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t2t9baeh8z
Target 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye
SHA256 f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5

Threat Level: Known bad

The file 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:33

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:33

Reported: 2024-03-02 16:36

Platform: win7-20240221-en

Max time kernel: 144s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5598CEB-C6DF-433a-937E-4E31CB358AD8} C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372C5E36-A21F-401d-ABC9-C9A3CB892D44} C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}\stubpath = "C:\\Windows\\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe" C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1876614C-7669-4144-A331-81E143FB8CB7}\stubpath = "C:\\Windows\\{1876614C-7669-4144-A331-81E143FB8CB7}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA} C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAED611D-5084-417d-8664-AFFFB6E502AF} C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F024A393-9B71-4bf1-8E82-79D123AE1293}\stubpath = "C:\\Windows\\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe" C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}\stubpath = "C:\\Windows\\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe" C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA954FBD-7CD3-42e0-B684-26CA2184E798} C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA954FBD-7CD3-42e0-B684-26CA2184E798}\stubpath = "C:\\Windows\\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe" C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}\stubpath = "C:\\Windows\\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe" C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}\stubpath = "C:\\Windows\\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe" C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAED611D-5084-417d-8664-AFFFB6E502AF}\stubpath = "C:\\Windows\\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe" C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F024A393-9B71-4bf1-8E82-79D123AE1293} C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911} C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}\stubpath = "C:\\Windows\\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe" C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1876614C-7669-4144-A331-81E143FB8CB7} C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}\stubpath = "C:\\Windows\\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe" C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF} C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A} C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe N/A
File created C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe N/A
File created C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe N/A
File created C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe N/A
File created C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe N/A
File created C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe N/A
File created C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe N/A
File created C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
File created C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe N/A
File created C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
PID 2336 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
PID 2336 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
PID 2336 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
PID 2336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
PID 1316 wrote to memory of 2032 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2032 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2032 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2032 N/A C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 592 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
PID 1964 wrote to memory of 592 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
PID 1964 wrote to memory of 592 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
PID 1964 wrote to memory of 592 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
PID 1964 wrote to memory of 268 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 268 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 268 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 268 N/A C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 1736 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
PID 592 wrote to memory of 1736 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
PID 592 wrote to memory of 1736 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
PID 592 wrote to memory of 1736 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
PID 592 wrote to memory of 564 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 564 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 564 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 564 N/A C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 696 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
PID 1736 wrote to memory of 696 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
PID 1736 wrote to memory of 696 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
PID 1736 wrote to memory of 696 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
PID 1736 wrote to memory of 2660 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2660 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2660 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2660 N/A C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 2396 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
PID 696 wrote to memory of 2396 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
PID 696 wrote to memory of 2396 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
PID 696 wrote to memory of 2396 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
PID 696 wrote to memory of 2884 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 2884 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 2884 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 2884 N/A C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2556 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
PID 2396 wrote to memory of 2556 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
PID 2396 wrote to memory of 2556 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
PID 2396 wrote to memory of 2556 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
PID 2396 wrote to memory of 2840 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2840 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2840 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2840 N/A C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2708 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
PID 2556 wrote to memory of 2708 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
PID 2556 wrote to memory of 2708 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
PID 2556 wrote to memory of 2708 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
PID 2556 wrote to memory of 1792 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1792 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1792 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1792 N/A C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"

C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe

C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe

C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18766~1.EXE > nul

C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe

C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D40ED~1.EXE > nul

C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe

C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5598~1.EXE > nul

C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe

C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AAED6~1.EXE > nul

C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe

C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F024A~1.EXE > nul

C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe

C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAC3~1.EXE > nul

C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe

C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7DF~1.EXE > nul

C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe

C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA954~1.EXE > nul

C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe

C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{372C5~1.EXE > nul

Network

N/A

Files

C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe

MD5 49dfb7e96385145f6e1e447582806c08
SHA1 219aab2ac1b5ca966f6b03ffe6a839dbb9fee0a0
SHA256 fb2946cd7fa9b8d72ed2c7a1431efbc185f9c71c544835a01392f778523b5ffd
SHA512 1c329ddb2c9dddde1ea6166cd830cee6ac5e660451f5753f7270604d72f3be14c020448d775d9353adb5951f605f70efeeadeaf4e12be29e2ed3a77a371476ea

C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe

MD5 f6f8d2511aee421c8685fbe3ce24359d
SHA1 7beb9417f11423f25d4f911ebe769c7efd3958c0
SHA256 58aaeeb46791d8bdf3688b8ac92fd0a5abed6c38ebe6336a023fedcee9f0ac8c
SHA512 fa67a703000f6c2dc89da4e9a9442a3e8fefd5e2079934ba15b5e781a71a0166112f5baf9f631592d71a8cdca1b5165e73df80baa495581189685fa18ce2e842

C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe

MD5 fe002134e4747e06d5ab3e884154fc39
SHA1 d560c23c7c45a3e4f9821ae96ebad1f1ce9a352a
SHA256 0c322116fd015e5c3573d7ee054557b7533dcd91d610f406b4af310eace8e2f0
SHA512 e3482f5e0557a729222bca5e8b57668267afa28d6e2a596cedbd33e9aea9c2ac187b3111f65ec60629cd8f26e6f1fa66bf06a8d8a5f1b8bc39b9fb56e859c603

C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe

MD5 d3294ac02cb45d61b0302912bcc27ed8
SHA1 f7c1af37f4dd27ca2790a4c3758af518feca145f
SHA256 d080182dd80ad639a86ba945f545ad6a4ac52c234087a12ce0b92e1f659ab812
SHA512 db5f85c05785c6147016b71a51d6af8f0efe99dc372d0dbfb51a0ddcbd3075adee71feae7dec2fa582022c54a1a7393d95e48f5aa6f9c823791b3a7132139be1

C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe

MD5 079ac69f9705a4ef7f4c5ca220d1800a
SHA1 3f0530dbc6bcf86e1d517f41153cb0f3bc866bba
SHA256 478615967619e87c9f6981aa415a573d03376d62fad923c30cd3f59ce9b3d603
SHA512 a002c6863d534165080042b672e183fedd85c0798d93af7dacd59d7471e3ffb9f91431ab1393c066379f7f2e7e6515599f8527cae15e3f6745f416e30d1d6e78

C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe

MD5 2bd31cb8e2006bd1fd6ad76cbd48bdd6
SHA1 778023fb0f2caac2273c2327233b685133675970
SHA256 ee53567553ccc2ea919a894866a4e782ef7191cfa3664fab8229f1f6111a97c4
SHA512 cd043116126c238e2e988b2afe89d99f50d21a6330c10fe287c705cd508be0cf6645412614d9cca9cd0ff68867ffaeca89ba91c4c2bcd4772712fa4c4bbd2951

C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe

MD5 80ed4bf39e39a2b91f8c29377637e079
SHA1 01e4fde850e2cb109ba1a3eb4ae4578041d89f89
SHA256 fc5b51a90731f9ec76a359cae3b518749332970482cb35d6fd09fd74c86d3777
SHA512 4bbd5834fde5280e29cc79f032ec0c0157172874cf4427c24f9b6c0b506172641f3ba3a2afc9e85ec0d4c0c2c01d07420d6e6d91cf3349e68e815e78be50c12d

C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe

MD5 b753931bc1fa56bd061b91ec0a4aa2b2
SHA1 293efa10b26e52f7b3f452e7bf7c8d0f5449d4d8
SHA256 83fdbee2ead73a48588455a654dc618b237bb5e4f558bf06fe6b5c889cabdc56
SHA512 239c9a38cc6028555b6cb618394c5c53a0ce6b8900becce022e813017dd7b994da62d46e2b475be2c508ba731e5336581f53ca73b689ff82c45b9bbfc35d4c21

C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe

MD5 0ebcd8c95897bb0e7ea042bcc69e0bb8
SHA1 8fbb3bd6f6f084130fec320c948d0366c2b83f2d
SHA256 fd6eb326f56d7f908e6eeb69d1965e135f293f828a7cdba87ee6c3c3ecf24d5c
SHA512 84821a26a2e7c9b5335cce05aabc171ca150b3017c84a6022902fb1cd599521a02e0c00dfd3400b709573719bc9933fcabde223fe04ffa36bea8420576d4299c

C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe

MD5 80c4a35fa6dd315ee65abe522bfe91ba
SHA1 01572e552da3a525d4a2a0347929a11bbcbd9ab8
SHA256 5e80d7bb4ee22a8a704337cbccc979dad30d757b05f2c047079c165ae8db5496
SHA512 4e1c08ecb69edad66729b4ddee583a52f72e522c238d8a561f4e6ed50039b0d7d2d5fcaf383796e7711c74840971a5d306844fd1de5339d0d3d4ebda54271dc2

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 16:33

Reported: 2024-03-02 16:36

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A16191BF-E242-4f12-A904-4E1736978238}\stubpath = "C:\\Windows\\{A16191BF-E242-4f12-A904-4E1736978238}.exe" C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A7F74-6948-4205-87DA-4508981A156D}\stubpath = "C:\\Windows\\{771A7F74-6948-4205-87DA-4508981A156D}.exe" C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}\stubpath = "C:\\Windows\\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe" C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F83CD59-DA86-481c-B635-0B85AD568669} C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDAB469-8DF8-4f29-AB7E-D515444040DD} C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5} C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A16191BF-E242-4f12-A904-4E1736978238} C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7E64D7-194F-454e-8186-333C59E578F7} C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}\stubpath = "C:\\Windows\\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe" C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}\stubpath = "C:\\Windows\\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe" C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2} C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}\stubpath = "C:\\Windows\\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe" C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}\stubpath = "C:\\Windows\\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe" C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F} C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}\stubpath = "C:\\Windows\\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe" C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}\stubpath = "C:\\Windows\\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe" C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76EE2A53-169D-4fe2-88F1-FED477FCDF63} C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A7F74-6948-4205-87DA-4508981A156D} C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E} C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7E64D7-194F-454e-8186-333C59E578F7}\stubpath = "C:\\Windows\\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe" C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F83CD59-DA86-481c-B635-0B85AD568669}\stubpath = "C:\\Windows\\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07067EAB-9D51-4841-9266-5A212058E859} C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07067EAB-9D51-4841-9266-5A212058E859}\stubpath = "C:\\Windows\\{07067EAB-9D51-4841-9266-5A212058E859}.exe" C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44} C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe N/A
File created C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
File created C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe N/A
File created C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe N/A
File created C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe N/A
File created C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe N/A
File created C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe N/A
File created C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe N/A
File created C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe N/A
File created C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe N/A
File created C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe N/A
File created C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe
PID 3596 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2672 N/A C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
PID 1220 wrote to memory of 832 N/A C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 768 N/A C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
PID 2672 wrote to memory of 4508 N/A C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 3704 N/A C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
PID 768 wrote to memory of 3164 N/A C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 2992 N/A C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
PID 3704 wrote to memory of 1216 N/A C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 4404 N/A C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe
PID 2992 wrote to memory of 3300 N/A C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 380 N/A C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
PID 4404 wrote to memory of 3316 N/A C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3564 N/A C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
PID 380 wrote to memory of 4564 N/A C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 532 N/A C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe
PID 3564 wrote to memory of 4508 N/A C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe C:\Windows\SysWOW64\cmd.exe
PID 532 wrote to memory of 4640 N/A C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
PID 532 wrote to memory of 4388 N/A C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 4348 N/A C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
PID 4640 wrote to memory of 2304 N/A C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"

C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe

C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe

C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F83C~1.EXE > nul

C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe

C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07067~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4224 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe

C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DDAB~1.EXE > nul

C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe

C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBEC~1.EXE > nul

C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe

C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{20A2D~1.EXE > nul

C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe

C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1619~1.EXE > nul

C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe

C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0A5~1.EXE > nul

C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe

C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76EE2~1.EXE > nul

C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe

C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{771A7~1.EXE > nul

C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe

C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{84C53~1.EXE > nul

C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe

C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE8B~1.EXE > nul

Network


Files
