Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t6lgzafd73
Target 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye
SHA256 81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182
Tags: persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182

Threat Level: Known bad

The file 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:40

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:40

Reported

2024-03-02 16:42

Platform

win7-20240221-en

Max time kernel

151s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}\stubpath = "C:\\Windows\\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe" C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2} C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A} C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50585677-D0E6-4114-86CA-2766851ECBE8} C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C238F10B-946E-4885-92AC-3E7418C36887} C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05BD4040-845D-4213-8D25-50C5888F151B} C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}\stubpath = "C:\\Windows\\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe" C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D95E9586-EA22-4cb3-9567-47390ABB001D}\stubpath = "C:\\Windows\\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe" C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{452B0288-016E-4049-8C26-0C5DBC5CCBE9} C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32} C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}\stubpath = "C:\\Windows\\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe" C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50585677-D0E6-4114-86CA-2766851ECBE8}\stubpath = "C:\\Windows\\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A} C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C238F10B-946E-4885-92AC-3E7418C36887}\stubpath = "C:\\Windows\\{C238F10B-946E-4885-92AC-3E7418C36887}.exe" C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05BD4040-845D-4213-8D25-50C5888F151B}\stubpath = "C:\\Windows\\{05BD4040-845D-4213-8D25-50C5888F151B}.exe" C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}\stubpath = "C:\\Windows\\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe" C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8225FA58-5299-4e72-96C4-A5A397A72C39}\stubpath = "C:\\Windows\\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe" C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F559BA1B-F487-4680-A8A3-8A2B89408B6B} C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}\stubpath = "C:\\Windows\\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe" C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F69377D-A230-4f8b-BC36-50663C83845E} C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F69377D-A230-4f8b-BC36-50663C83845E}\stubpath = "C:\\Windows\\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe" C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D95E9586-EA22-4cb3-9567-47390ABB001D} C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}\stubpath = "C:\\Windows\\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe" C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8225FA58-5299-4e72-96C4-A5A397A72C39} C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe N/A
File created C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe N/A
File created C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe N/A
File created C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe N/A
File created C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe N/A
File created C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe N/A
File created C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
File created C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe N/A
File created C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe N/A
File created C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe N/A
File created C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe N/A
File created C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
PID 2176 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
PID 2176 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
PID 2176 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2608 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
PID 2636 wrote to memory of 2608 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
PID 2636 wrote to memory of 2608 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
PID 2636 wrote to memory of 2608 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
PID 2636 wrote to memory of 2600 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2600 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2600 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2600 N/A C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2376 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
PID 2608 wrote to memory of 2376 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
PID 2608 wrote to memory of 2376 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
PID 2608 wrote to memory of 2376 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
PID 2608 wrote to memory of 2436 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2436 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2436 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2436 N/A C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2348 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
PID 2376 wrote to memory of 2348 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
PID 2376 wrote to memory of 2348 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
PID 2376 wrote to memory of 2348 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
PID 2376 wrote to memory of 524 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 524 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 524 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 524 N/A C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1500 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
PID 2348 wrote to memory of 1500 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
PID 2348 wrote to memory of 1500 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
PID 2348 wrote to memory of 1500 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
PID 2348 wrote to memory of 924 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 924 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 924 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 924 N/A C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 624 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
PID 1500 wrote to memory of 624 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
PID 1500 wrote to memory of 624 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
PID 1500 wrote to memory of 624 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
PID 1500 wrote to memory of 1536 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1536 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1536 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1536 N/A C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1220 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
PID 624 wrote to memory of 1220 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
PID 624 wrote to memory of 1220 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
PID 624 wrote to memory of 1220 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
PID 624 wrote to memory of 1948 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1948 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1948 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1948 N/A C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2640 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
PID 1220 wrote to memory of 2640 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
PID 1220 wrote to memory of 2640 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
PID 1220 wrote to memory of 2640 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
PID 1220 wrote to memory of 1092 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 1092 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 1092 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 1092 N/A C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"

C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe

C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe

C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50585~1.EXE > nul

C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe

C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5AF~1.EXE > nul

C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe

C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7F693~1.EXE > nul

C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe

C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C238F~1.EXE > nul

C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe

C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05BD4~1.EXE > nul

C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe

C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA93~1.EXE > nul

C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe

C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D95E9~1.EXE > nul

C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe

C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A138~1.EXE > nul

C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe

C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{452B0~1.EXE > nul

C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe

C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8225F~1.EXE > nul

C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe

C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F559B~1.EXE > nul

Network

N/A

Files

C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe

MD5 d0a6460ba0e4520aa7b99f60e19008b3
SHA1 d43bf08f59662aaa2abef14c31e2d0d07b7a93b6
SHA256 1ebfe46c066599ee000ce1493b424ece21b649778fbe122d6ec5443c0f2a9b0c
SHA512 21ac324a6f0f12bc990a961af41e8dbaa12375cdc530da67614f66bb593f15dba03fb9e35facc4bde44705e688dc9866752c522e9a913a4f8537bf6e4c346526

C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe

MD5 e39e3163467045f97f592aa00cd4488c
SHA1 21b104121c9c42fe6502c9ad14710725bfc91e65
SHA256 7177d64893a675bfb19323e079676cdf7b454be4216ed74b801832544c6e6c27
SHA512 eca21cda60237fcd552fb5b1ff6aca2ec2b722a9e8339f8fa72680f448443b3e7fb6437140b64541654eafb64f23dfdc901c8d514b118a96358eed4921be761d

C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe

MD5 a4020abd96505f3b0dffbd615e91ea35
SHA1 a1ccd8f4e535ca033d440224ec33516b671e7624
SHA256 703e6407c0deca5d6f82113fd90aaf28c8965cd8ad6fa71e50ca088a517d6a5e
SHA512 5090ccff293fbe2410173b2bb2b644c538b38e69fb08a9a1b8c208390a0d193e1184a6c28d06fdc7e21d3ca04868f60c930fab1e50a859414aaab6ec43d3bb03

C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe

MD5 6f915ef3b9130be1621a3df1ec94fa4a
SHA1 67b558465ac3b0cd1b37a1243b69c573f9b0bdb9
SHA256 9a7456517b208a9a689dcedeb6f792dad207168ab1735db591b06b9d531e7dae
SHA512 0c4acafb536d391a6b1d421b8562e934e251436beeb0ebacb4a4221252d97217ea6c3b9b6ac5940e55f11acd5f3a57ba4df1897af22ed0eecbc8b169ea05ac98

C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe

MD5 23a8a3d667aa1dec00f491cc9fed4d54
SHA1 0febb1a2713d6268c7af98dea8623cb94ad420ee
SHA256 379f6b8aa819726ded8f0efc283e3c120f90a7456c6600b7cfba865a6c37cdb2
SHA512 58faaa2b7e13345ca296814249ca47bd4d8cffa6ce03fc3a7309880a33a9e017ef9b4585b73107fe4a138c94b883b23099f10c0be49cf41f23f66719b63139c3

C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe

MD5 5994c63cbb90584152e4744a1d59e260
SHA1 f5751ddcc67ee87e00d1c88992e9685dc1a1d01f
SHA256 bf75e180c63986076999d0174a11ef7648272438079775560445885ebf3f2574
SHA512 da32d8a72d88fda795d2f7fe5d4cf54186dd5ca2963171b1209dead171f9b5c641ef46b280481b256409028bee0d477a0f0e0e0b658827228e41a72242c59c0c

C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe

MD5 d01a6ac9ba3fc56d760e767181241f5d
SHA1 f8b946fb6009326d68b83c8ff2da165f5ecdac4c
SHA256 8002f315d532a8976d685cd67154e409422068553f690688b41ced2af4315efe
SHA512 9b12305a1205208f5548fcb90f69c293a0bf429d8c5a9c724401a87730857b021546d9c78431625f16e7821e2cd87ca38931d1a561c850aed2262d239bf00e3e

C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe

MD5 dbeb31fcbd98185b6f29529e1b16dbf3
SHA1 5a2ffce4a1858c399c0bf2f2dab46b6fa95188f3
SHA256 adf49f9aee8e7c938b038b56b75f40ae7ab654bc0c064c2550cf931b6f4403dd
SHA512 f97119f34ed5b20ef98f4d562b14551e8898400d0e7551c5cc262700d9c19fb85f966f016582b7fe91e0da00ed08234253a1bc31ac83d965bf6e510f4fed7134

C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe

MD5 7250e2d39ffe7a7f35d1cd47687ef8bf
SHA1 fffc3f4686a598c42cdb54affb7c68cf1a3b8b09
SHA256 baf34db5cef61dc7c2d25a5e76fd25dbfed2f3d16fdb4a503248fc908875084c
SHA512 3cc792abc7fe009249051da866765991b89cdb74a9e26f2de95d405db10c153aa1a90ca286e7ec44aa8c829b0df585e46b8e263a1c5b3aed736f622cb6ce5134

C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe

MD5 c740497d7f086dcec681ba3b7b7cf5b2
SHA1 0bc46e55f3c56a15cd916797b39291c5ff28fb26
SHA256 1ac366c0afac3a08a78e77e7b0f74485bf48ea3b7b775c70d8de480a4c74339d
SHA512 d81bd8dbcc34e19f0edcf06c199a59e1a4bc01369881c82e32bfbaa1f5a4a0706ad2ecfc153c72d5f35e8a56de051f84c37fc8dbf6309385f7de777df6ff87dd

C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe

MD5 923e02862829fca540e83b38bce6f14b
SHA1 aad0bb741539837421c747abb352035f3260b9df
SHA256 b10590ee956c0b18bf04a27f245a81290ad456ce63f6dd27c019db819cba590f
SHA512 51dae9360a8404df356872361f069c20937fd52287ac66534936fa2f8e1c1bcb948027b2d8879796375b721f4b2478019c6cd6e7ef3a5f2e61a022e09b9120cc

C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe

MD5 131398e6443c3117035ec6c47d62474a
SHA1 d2ae9c726b5751a5614816b48b297e81ef47d5b1
SHA256 d0365f24749190725f9edc83793fd9a54f0dcf4acfb3f6d8af2a92f2d6777ea7
SHA512 18535dbe62d0885ab701f9f39d9b68defe9d71bc8ea5324cdddcc7d86ca24835889f1ad36a005c9d2b9573ccee6211da8a0266b7f006b327919374f9dd599460

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 16:40

Reported

2024-03-02 16:42

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags: persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC153F-BB60-412b-8C3F-F1B34EC93524} C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}\stubpath = "C:\\Windows\\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe" C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D} C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E312C99-BE09-4d60-852F-924EA9BEF217}\stubpath = "C:\\Windows\\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe" C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}\stubpath = "C:\\Windows\\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe" C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A} C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627} C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54C357F-FA2A-45be-B6A6-452751C97022} C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}\stubpath = "C:\\Windows\\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe" C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E312C99-BE09-4d60-852F-924EA9BEF217} C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2197D2BF-4031-4864-8338-89ADD2AA9500} C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}\stubpath = "C:\\Windows\\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe" C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54C357F-FA2A-45be-B6A6-452751C97022}\stubpath = "C:\\Windows\\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe" C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D2B923-E5F7-4039-8524-2F186A503072} C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D2B923-E5F7-4039-8524-2F186A503072}\stubpath = "C:\\Windows\\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe" C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BA070E-A646-48c3-9CF8-430F095B9F8E} C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BA070E-A646-48c3-9CF8-430F095B9F8E}\stubpath = "C:\\Windows\\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2197D2BF-4031-4864-8338-89ADD2AA9500}\stubpath = "C:\\Windows\\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe" C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A} C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}\stubpath = "C:\\Windows\\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe" C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56} C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}\stubpath = "C:\\Windows\\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe" C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe N/A
File created C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe N/A
File created C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe N/A
File created C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe N/A
File created C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe N/A
File created C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe N/A
File created C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe N/A
File created C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe N/A
File created C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
File created C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe N/A
File created C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
PID 4356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
PID 4356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
PID 4356 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3252 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
PID 4092 wrote to memory of 3252 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
PID 4092 wrote to memory of 3252 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
PID 4092 wrote to memory of 1416 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1416 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1416 N/A C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 1412 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
PID 3252 wrote to memory of 1412 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
PID 3252 wrote to memory of 1412 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
PID 3252 wrote to memory of 3400 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3400 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3400 N/A C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 684 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
PID 1412 wrote to memory of 684 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
PID 1412 wrote to memory of 684 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
PID 1412 wrote to memory of 2120 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2120 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2120 N/A C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2872 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
PID 684 wrote to memory of 2872 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
PID 684 wrote to memory of 2872 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
PID 684 wrote to memory of 4040 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 4040 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 4040 N/A C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 3632 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
PID 2872 wrote to memory of 3632 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
PID 2872 wrote to memory of 3632 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
PID 2872 wrote to memory of 1480 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1480 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1480 N/A C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3684 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
PID 3632 wrote to memory of 3684 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
PID 3632 wrote to memory of 3684 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
PID 3632 wrote to memory of 3076 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3076 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3076 N/A C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3684 wrote to memory of 4080 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
PID 3684 wrote to memory of 4080 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
PID 3684 wrote to memory of 4080 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
PID 3684 wrote to memory of 2740 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\SysWOW64\cmd.exe
PID 3684 wrote to memory of 2740 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\SysWOW64\cmd.exe
PID 3684 wrote to memory of 2740 N/A C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 548 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
PID 4080 wrote to memory of 548 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
PID 4080 wrote to memory of 548 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
PID 4080 wrote to memory of 4920 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 4920 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 4920 N/A C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1968 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
PID 548 wrote to memory of 1968 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
PID 548 wrote to memory of 1968 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
PID 548 wrote to memory of 4548 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 4548 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 4548 N/A C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 1148 N/A C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
PID 1968 wrote to memory of 1148 N/A C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
PID 1968 wrote to memory of 1148 N/A C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
PID 1968 wrote to memory of 3196 N/A C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"

C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe

C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe

C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{47BA0~1.EXE > nul

C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe

C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E312~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8

C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe

C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2197D~1.EXE > nul

C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe

C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1FF0B~1.EXE > nul

C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe

C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5EE6~1.EXE > nul

C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe

C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D9EE~1.EXE > nul

C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe

C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77591~1.EXE > nul

C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe

C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E54C3~1.EXE > nul

C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe

C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BBAC1~1.EXE > nul

C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe

C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D2B~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp

Files

C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe

C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe

C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe

C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe

C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe

C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe

C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe

C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe

C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe

C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe

C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe