Malware Analysis Report

2025-08-11 01:05

Sample ID: 240302-t4y1aafa2y
Target: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye
SHA256: 02229c757c01b07239d030159c39b38281b72687a8d3406f01043e42db7128b9
Tags: persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 02229c757c01b07239d030159c39b38281b72687a8d3406f01043e42db7128b9

Threat Level: Known bad

The file 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:37

Signatures

Auto-generated rule

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 16:37

Reported: 2024-03-02 16:39

Platform: win10v2004-20240226-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"

Signatures

Auto-generated rule

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Modifies Installed Components in the registry (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076EC35C-09F6-4f9b-82BB-77423B6A286B}\stubpath = "C:\\Windows\\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe" | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933B6DB4-F9F5-4f47-A84E-937B41564C73}\stubpath = "C:\\Windows\\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe" | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FCF7F5-F675-4490-B6FD-18630AA83617} | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8831F8CB-554A-46f9-8C5B-74B37D277869}\stubpath = "C:\\Windows\\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe" | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AEEC420-0A05-442b-910A-B0880445E89F} | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}\stubpath = "C:\\Windows\\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8FDD9D-0067-40a3-A7EC-552286070268} | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8FDD9D-0067-40a3-A7EC-552286070268}\stubpath = "C:\\Windows\\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe" | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AEEC420-0A05-442b-910A-B0880445E89F}\stubpath = "C:\\Windows\\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe" | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F07FF5D-1A0E-49dc-970D-6196304AC766} | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076EC35C-09F6-4f9b-82BB-77423B6A286B} | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757} | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}\stubpath = "C:\\Windows\\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe" | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40} | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}\stubpath = "C:\\Windows\\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe" | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933B6DB4-F9F5-4f47-A84E-937B41564C73} | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FCF7F5-F675-4490-B6FD-18630AA83617}\stubpath = "C:\\Windows\\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe" | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091} | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}\stubpath = "C:\\Windows\\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe" | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F07FF5D-1A0E-49dc-970D-6196304AC766}\stubpath = "C:\\Windows\\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe" | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79611CE9-02B9-455c-8ECF-E92BD5531AEF} | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}\stubpath = "C:\\Windows\\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe" | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8831F8CB-554A-46f9-8C5B-74B37D277869} | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | N/A |
| File created | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| File created | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | N/A |
| File created | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | N/A |
| File created | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | N/A |
| File created | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | N/A |
| File created | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | N/A |
| File created | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | N/A |
| File created | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | N/A |
| File created | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | N/A |
| File created | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | N/A |
| File created | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3536 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe |
| PID 3536 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4716 wrote to memory of 4728 | N/A | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe |
| PID 4716 wrote to memory of 2944 | N/A | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4728 wrote to memory of 2508 | N/A | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe |
| PID 4728 wrote to memory of 3652 | N/A | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2508 wrote to memory of 4108 | N/A | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe |
| PID 2508 wrote to memory of 4804 | N/A | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4108 wrote to memory of 3068 | N/A | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe |
| PID 4108 wrote to memory of 2988 | N/A | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3068 wrote to memory of 1656 | N/A | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe |
| PID 3068 wrote to memory of 4800 | N/A | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1656 wrote to memory of 4520 | N/A | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe |
| PID 1656 wrote to memory of 1884 | N/A | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4520 wrote to memory of 4388 | N/A | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe |
| PID 4520 wrote to memory of 4696 | N/A | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4388 wrote to memory of 1692 | N/A | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe |
| PID 4388 wrote to memory of 1848 | N/A | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1692 wrote to memory of 4776 | N/A | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe |
| PID 1692 wrote to memory of 3852 | N/A | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4776 wrote to memory of 4752 | N/A | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe |
| PID 4776 wrote to memory of 3896 | N/A | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe" |
| C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD72~1.EXE > nul |
| C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{86A21~1.EXE > nul |
| C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2B8FD~1.EXE > nul |
| C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{076EC~1.EXE > nul |
| C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{933B6~1.EXE > nul |
| C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{87FCF~1.EXE > nul |
| C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{79611~1.EXE > nul |
| C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8831F~1.EXE > nul |
| C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ED5B6~1.EXE > nul |
| C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3AEEC~1.EXE > nul |
| C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe | C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6F07F~1.EXE > nul |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:37

Reported: 2024-03-02 16:39

Platform: win7-20240220-en

Max time kernel: 144s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"

Signatures

Auto-generated rule

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Modifies Installed Components in the registry (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DD74C5-72BF-495e-9739-FD9FBE692788} | C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34794B5F-6ADF-41ba-991B-BD29A125913E}\stubpath = "C:\\Windows\\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe" | C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07979479-C257-4cbe-9B30-235C54347859} | C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70} | C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}\stubpath = "C:\\Windows\\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe" | C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC} | C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A39C267-FC2B-4054-8343-584CC181B7A8}\stubpath = "C:\\Windows\\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe" | C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07979479-C257-4cbe-9B30-235C54347859}\stubpath = "C:\\Windows\\{07979479-C257-4cbe-9B30-235C54347859}.exe" | C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF} | C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}\stubpath = "C:\\Windows\\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe" | C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}\stubpath = "C:\\Windows\\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe" | C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC} | C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A39C267-FC2B-4054-8343-584CC181B7A8} | C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DD74C5-72BF-495e-9739-FD9FBE692788}\stubpath = "C:\\Windows\\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe" | C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34794B5F-6ADF-41ba-991B-BD29A125913E} | C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81173C5-D70A-4f74-8469-08D7C1B33BD6} | C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}\stubpath = "C:\\Windows\\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe" | C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11088D9-15BA-4c5f-9020-580D11D28345} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11088D9-15BA-4c5f-9020-580D11D28345}\stubpath = "C:\\Windows\\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F810EF-4D2A-4724-BDAE-45589F53D6D4} | C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}\stubpath = "C:\\Windows\\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe" | C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}\stubpath = "C:\\Windows\\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe" | C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe | N/A |

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe N/A
File created C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe N/A
File created C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe N/A
File created C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe N/A
File created C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe N/A
File created C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe N/A
File created C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe N/A
File created C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe N/A
File created C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe N/A
File created C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe N/A
File created C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
PID 2184 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
PID 2184 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
PID 2184 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
PID 2184 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2640 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
PID 2344 wrote to memory of 2640 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
PID 2344 wrote to memory of 2640 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
PID 2344 wrote to memory of 2640 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
PID 2344 wrote to memory of 2624 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2624 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2624 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2624 N/A C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2556 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
PID 2640 wrote to memory of 2556 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
PID 2640 wrote to memory of 2556 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
PID 2640 wrote to memory of 2556 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
PID 2640 wrote to memory of 2460 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2460 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2460 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2460 N/A C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2960 N/A C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2824 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
PID 2680 wrote to memory of 2824 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
PID 2680 wrote to memory of 2824 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
PID 2680 wrote to memory of 2824 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
PID 2680 wrote to memory of 3040 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 3040 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 3040 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 3040 N/A C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
PID 2824 wrote to memory of 1940 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1628 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
PID 2784 wrote to memory of 1628 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
PID 2784 wrote to memory of 1628 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
PID 2784 wrote to memory of 1628 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
PID 2784 wrote to memory of 2492 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2492 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2492 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2492 N/A C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2616 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
PID 1628 wrote to memory of 2616 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
PID 1628 wrote to memory of 2616 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
PID 1628 wrote to memory of 2616 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
PID 1628 wrote to memory of 2256 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2256 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2256 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 2256 N/A C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"

C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe

C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe

C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1108~1.EXE > nul

C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe

C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DD7~1.EXE > nul

C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe

C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93F81~1.EXE > nul

C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe

C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34794~1.EXE > nul

C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe

C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07979~1.EXE > nul

C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe

C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87879~1.EXE > nul

C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe

C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE95C~1.EXE > nul

C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe

C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA9D~1.EXE > nul

C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe

C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8117~1.EXE > nul

C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe

C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B16~1.EXE > nul

Network

N/A

Files

C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe

MD5 243b6ece830e64446c5bf1a1b833375b
SHA1 a55c44dcf55875b18c8b50eb60d6653678ca3814
SHA256 e8972d906dcfc2fd0c0f1e8d3be138b161c4fd11a76f60ef026e59eeb3816b3b
SHA512 5cc767fbb24bb2c3d0cf06f69bb6093824dda0d1b893997e984f4c36d930f0a66a63bc6cf2a223bb4365ff00d0a4f121b69138881b02a884592ff7bf2a7717ee

C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe

MD5 17fa96149d2fffbe71bbe306482417ec
SHA1 b93f81ce37200debcd52ee1b21b3138b3eeda8fc
SHA256 8f9c18fabb72006c45134c814717896803b828d823c5301ed38a6fd19a22d309
SHA512 1f4a9bba23dc821ef5376fb7e1bdab5e1b51e9d065391e9f4053b4399b3bd4b05a2665182a276ae0620ad676755ede3b9331301368eb0c31e2336c62d91b2fdc

C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe

MD5 6d1e6f9b0d112d0b4026b93387080304
SHA1 b3d1fa8428f1fddaa76ee2f801dff69619d6bce1
SHA256 6bc2cb4cba952c47dd33f511f61177aabb49cf565b4d2b4ee6dd714c5bb644dd
SHA512 5495e4e7108601b583b61ab0a54e908fef54f386a88892b5a29e6a964e3f09ea5b1719c0a0be2616597c3e6e1435c2a0e4ae7c5fd4f834d01f72ece7d95e8b7f

C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe

MD5 b9c783bd79f264b1284ee69e4e7b183e
SHA1 e54ba80e8a8fce94b1b37a299a6b408768dced68
SHA256 e6472563a8bee4ced468bf5a97a3b5b436d24005c0f90a01e711dac49093ef78
SHA512 2d546cff0d569dcb22eee484660a2397fbc762d02c4af53c5232b63e31fa3965bfc13a9e85d217d16638e569292e3377eec1e3d65b8f9252d2a0369339856edd

C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe

MD5 6f2c20e3b0a402c56ef0c761ca471503
SHA1 61a5f5031c233e5dd0538d88b6098168207fe27e
SHA256 3834d237bd69ca2568740a4eca0977d72c84843c5f6292f25494649ee41ba411
SHA512 ea27126a868506ea787269f8c513f0aefa8ce53970bb35c8a3e1f1f5bc5327bf5893db52c7561345a759f212832e3daa20100be8c5f66a78c32fddcdfbf1bb38

C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe

MD5 2b6b909821942d68a586460dfa1a06ef
SHA1 2f67467a3794d1de47e0364d2d9a63acb60ec7e4
SHA256 e39e91d0c45cd109f66f913f54d5d0246fa8ed69abcb3dca929a7f7489a4bdf7
SHA512 1b84e89445c7b945d32a369a008cfc7ba693821e8522abaa273a47677656618a00f46cd6728649cf1f8b231e3b2351b444567081f1202e4b57de825e9ac1abdc

C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe

MD5 df56c7201eb6f98f49e61767f1b6f440
SHA1 3221bd87c2cc0013508ea9805c39ec054268b2c0
SHA256 ee1abe13ebf33f46ddf363c8ed7d8757f8ee2adb51aaf122553a76f64283389d
SHA512 191c6b22c05eb13b6b99b5691a1c5652ca8eb80760f3f8118afcc1c8aa5baeb9731819c9c497a4ae3fb65aa718cb09dccbb7011f8bfdf3a27cba83fbf9b3704c

C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe

MD5 1dd005d27374ab7866934557b258edec
SHA1 f4f1b6e5d807c001cb21eb06937ceae595a8c3dc
SHA256 9b13f709ba4e9b33a7a927680c668c52448fb1b2e4391d464031fe352a80ce36
SHA512 849a241fd56fb9c96008f2661ce0921bad29ea1dcdba1d9e171e934953d3e29dc90a347e57782db13e330c11826cf1060181a6ddb063c7ea0a5ebde5b9300588

C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe

MD5 410d0bda6c6cdb26d71fb4c402cbb9cd
SHA1 92c3240ac607ab713f557b6bb095e8059db08e61
SHA256 8c8a62ce64affd4bce5edeb2b094d4ba5d0c0976037dce9915989748d065509f
SHA512 33d1258ba7c8d169d41ab5be9bfa64406d4c782e7f4b7053311f5794c683728759f6eeebc67ad1cfe59d942cb1a5160a620a305f8741e1f53f8bdd68ec13a64d

C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe

MD5 93a690030a9578e17a4de8edee6cd383
SHA1 2f0fa931cc184b35377036c8bfc8f9f0871b8d76
SHA256 2f7206911447ef3d3cd92b112da991f36fbad26cf62329b92ad0d6c5c0466a1d
SHA512 3844f3a1137d12be6ab068ecc414292e3fd6604f56e85f68e3c6d5f789edb1cfb4707d589d03e049d20e0b6394437ee99c0f0e1ac301f13e729120feb91ea495

C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe

MD5 f8caae330947a6bffbd32f7c40d8de22
SHA1 18067c6341c34bba89845e439d5b2b4791d90b32
SHA256 9338e17b77a9e1d30ae2a19cf2d470d996bdf9b8fa15dbca7a48e9ffe6980277
SHA512 3ba168257f382ef4094e11cd50bc9c0b091fcbaae2721a60badec249db8fdd53bb4d5c329dc8aa719a1ed9b521c9aaa98001b8977ddb846f4c276f3bcfae3086