Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t9cdgafe33
Target 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye
SHA256 a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e
Tags persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e

Threat Level: Known bad

The file 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-02 16:45

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-02 16:45
Reported 2024-03-02 16:47
Platform win7-20240221-en
Max time kernel 144s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8} C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2} C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}\stubpath = "C:\\Windows\\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe" C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91E18E1-095A-467c-9F8A-046DB187A3D0} C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}\stubpath = "C:\\Windows\\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe" C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}\stubpath = "C:\\Windows\\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe" C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78179858-76B0-4561-B5D9-EE443E5194FC}\stubpath = "C:\\Windows\\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe" C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}\stubpath = "C:\\Windows\\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe" C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810C727B-A546-4c18-A4B5-EC623A04E23B} C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810C727B-A546-4c18-A4B5-EC623A04E23B}\stubpath = "C:\\Windows\\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe" C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49} C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC65423-244C-4824-BE8D-F58C174D51E2} C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93} C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}\stubpath = "C:\\Windows\\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E91E18E1-095A-467c-9F8A-046DB187A3D0}\stubpath = "C:\\Windows\\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe" C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037} C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78179858-76B0-4561-B5D9-EE443E5194FC} C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}\stubpath = "C:\\Windows\\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe" C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}\stubpath = "C:\\Windows\\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe" C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC65423-244C-4824-BE8D-F58C174D51E2}\stubpath = "C:\\Windows\\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe" C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D} C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8} C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe N/A
File created C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe N/A
File created C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe N/A
File created C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe N/A
File created C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe N/A
File created C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe N/A
File created C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe N/A
File created C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe N/A
File created C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe N/A
File created C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
File created C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
PID 2236 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2988 N/A C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
PID 2304 wrote to memory of 2488 N/A C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2772 N/A C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
PID 2988 wrote to memory of 2028 N/A C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2408 N/A C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
PID 2772 wrote to memory of 2520 N/A C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2412 N/A C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
PID 2408 wrote to memory of 2504 N/A C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 828 N/A C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
PID 2412 wrote to memory of 1888 N/A C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 1340 N/A C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
PID 828 wrote to memory of 1876 N/A C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1656 N/A C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
PID 1340 wrote to memory of 1708 N/A C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"

C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
    C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
    C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E60~1.EXE > nul

C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
    C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09FC1~1.EXE > nul

C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
    C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78179~1.EXE > nul

C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
    C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6356~1.EXE > nul

C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
    C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7AE~1.EXE > nul

C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
    C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{810C7~1.EXE > nul

C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
    C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E83EE~1.EXE > nul

C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
    C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E91E1~1.EXE > nul

C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
    C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{328C2~1.EXE > nul

C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
    C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC65~1.EXE > nul

Network

N/A

Files

C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe

MD5 40685e5a3a90c2911e4a99c7f638caec
SHA1 34474e02f0657ef7e29f59160ff08ecc1a2f0e9b
SHA256 1178f9eb98acdb79ac1f95c47a59593337d1a21f1c24fbeb30009df96fcd9a29
SHA512 e7256555c902e4bd0627ab091c2c200c45314351fd90b7124d9a0788a934c8d4c7d08601d186023564eb2b4aee58d1a3d766e98fba3a77e7d553dd457c83833b

C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe

MD5 c24450c3cbe3dcdff588f34388295f42
SHA1 5614c01e2fab10f52b0a79654c33f595468234a2
SHA256 f72c415acac63a4463108008560a171d231def02994ceb37f0d535320416ee90
SHA512 5795634cea623c68567076c6c25b4d69ce0608bda18e2dda9f656d923f12b5b4b0981c82bbde0765d2739353d151c0e123b7696e5b8e3079d0f02d4acca41dcb

C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe

MD5 9fb341ddcbf48db9e37f5d63c2084705
SHA1 9f4e7485c81d41ddcc31548f98d9267e538d21dc
SHA256 6a41faca498c812cd0831ccd7e378257de28ac5d5cb25e9e86e769bfd28353ce
SHA512 9d8861a88d8e757cfa68681d06c28386c17997d18fc1707ab48f9ad9506561e313da38d31a5cfc290a4348bac494cfc5d5aed83b027f2aef2687bb52dd8f1a49

C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe

MD5 f2c35d9944e0643dc0b588fa3a3380e6
SHA1 b66fb0f757c1ec58908a8c6049c000adfccb517b
SHA256 fb6dbdf50b91af1a8079cbcdb44af16dea0aa581eee4752c3c771ebe31f3d269
SHA512 3690ee889d5d08f92753e1a0b746389141603b371b022fb493b0de44dfbf70fbf88d335cdfd4b387771ddbb561141ee4a424dd0c13d75b2895a5d4178ed63fdb

C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe

MD5 5b90109b4ab119b9a6b25816f3bdc064
SHA1 5502751862aa4166fe7dfef1b286950e322a9233
SHA256 5d2c0927c15835ae346e3eb7731a898101853fad40cce77014d2c5c2b76677b1
SHA512 9921de11a102f0f555b348426a5622716650aa63ff5b97a06247e60d4bd3d3c501cd2b1f5460dadf48c0fc6e4e6f188182413e94d82a7d800ce349eb60446733

C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe

MD5 09d4c2912afea1e0a3dcfdae9cd7b868
SHA1 1bcb2ad4992c6c3075b03082c50a70a46b3db7de
SHA256 a59861623c732b41d00c8e8b54487c9e039640a805bf26c63ffc9a640916804b
SHA512 143ac9b238efb498d81e316b6218ce46cb92828b10139ff09bfc35e868f41d970c67e9ddfb026d802c9bb08afce6eda7a7d9b336990903811c47063a0dbf12f3

C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe

MD5 290f954bcf0f9b0167146ce3171b829f
SHA1 73574d377d512a6dd99228bf9449cb2605670429
SHA256 64600a71c67e74025063dd732e157e80bfec2c15ee141d70251cf2b248cd02ec
SHA512 6643c6c994060199b97b9f95c03059fcbf19c9984e9a492bcc86de1b90b2b9b29df74797516d22b49a797d3dfbaae64f52a9a305e9d20c7610366e53d2457631

C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe

MD5 a9c7c1bcdfc14394fe703ba14883d28a
SHA1 adeba02744da21681be854b68b6d1618dd43c2f6
SHA256 7874c96707f7c87f633ec0529c73b3fcce37dc1485bb345e7a79effe8be1b0fa
SHA512 e08cb170f3754ae4824b6f4cf623e6161616a6961f17109a28083a3a9d9c52ca49df98dea4573ccd76a3ee52eb432bf5c7a284f1298dfe3c252d0426d03fe79d

C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe

MD5 7e12a616238cb8367b5e35a1dcfa90c7
SHA1 369421451944bd67f3eec5f8a67bba1c7614cc30
SHA256 4b53bf0c1f73dc6628cbe3dc09a48d6572b15fc5972718861961461846ab93ce
SHA512 9ca46155913eecf3d39099934f6fe8c331b7e1bed6d31b748a7369fb9b9f8c7b94882571bd56ddbc889039a874be083ff32cfdd3c5e505aac89bfd3b8158e878

C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe

MD5 faeda5aa22db9084a7c12512c4669596
SHA1 3d63b84feedb1e22693c11ca2ff1de1435d21d11
SHA256 6ec3f8bf128b36e40e018ee4e908a3b650b7299446af6d30664e34d078fe8814
SHA512 7a2f83fc5b9a3d0177c9ca3347d7034fa93cfb4983186130772d4656096754321d8b95566812976fff3f082050e1be0fa3b3edee98e481f4d88778f777c67b40

C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe

MD5 6fc6b7f217a919982e5a37099e28aeb7
SHA1 bac97f57bfa1bf19b1c2fed4e469a4255db53624
SHA256 74610157bfc034535da76f72140bbe7df255a2dbf03395f129cfaad3990e3a99
SHA512 5c88828e49b1fcf191af056168b27a6193ddb39cc0042964843c87c18b78141acc71e8daa676a8e413b932f71d9213abbcad5297b40cfe91900ffb788eab1975

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-02 16:45
Reported 2024-03-02 16:47
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077} C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361BD565-F520-4a0c-AC81-3EB5639A041A}\stubpath = "C:\\Windows\\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe" C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}\stubpath = "C:\\Windows\\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe" C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42358362-7D64-474d-B848-4EC07CD85593} C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D39418-887F-4c99-8E18-114FBBF96294} C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D39418-887F-4c99-8E18-114FBBF96294}\stubpath = "C:\\Windows\\{74D39418-887F-4c99-8E18-114FBBF96294}.exe" C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C4BA13-0E52-4031-A865-893C625108D4} C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C4BA13-0E52-4031-A865-893C625108D4}\stubpath = "C:\\Windows\\{35C4BA13-0E52-4031-A865-893C625108D4}.exe" C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}\stubpath = "C:\\Windows\\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe" C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E} C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}\stubpath = "C:\\Windows\\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}\stubpath = "C:\\Windows\\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe" C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42358362-7D64-474d-B848-4EC07CD85593}\stubpath = "C:\\Windows\\{42358362-7D64-474d-B848-4EC07CD85593}.exe" C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5} C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49CC1E98-DAB9-4620-9657-880BF5F522DA} C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8917BC4-4EAF-41f3-931A-6A775500B0A6} C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60652E29-8BED-404e-8F02-F4FBE2CD08EF} C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}\stubpath = "C:\\Windows\\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe" C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361BD565-F520-4a0c-AC81-3EB5639A041A} C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}\stubpath = "C:\\Windows\\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe" C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49CC1E98-DAB9-4620-9657-880BF5F522DA}\stubpath = "C:\\Windows\\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe" C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3} C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}\stubpath = "C:\\Windows\\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe" C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD} C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe N/A
File created C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
File created C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe N/A
File created C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe N/A
File created C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe N/A
File created C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe N/A
File created C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe N/A
File created C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe N/A
File created C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe N/A
File created C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe N/A
File created C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe N/A
File created C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
PID 5108 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
PID 5108 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
PID 5108 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 2912 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
PID 4308 wrote to memory of 2912 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
PID 4308 wrote to memory of 2912 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
PID 4308 wrote to memory of 452 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 452 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 452 N/A C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2324 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
PID 2912 wrote to memory of 2324 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
PID 2912 wrote to memory of 2324 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
PID 2912 wrote to memory of 5116 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 5116 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 5116 N/A C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1308 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
PID 2324 wrote to memory of 1308 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
PID 2324 wrote to memory of 1308 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
PID 2324 wrote to memory of 572 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 572 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 572 N/A C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 3656 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
PID 1308 wrote to memory of 3656 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
PID 1308 wrote to memory of 3656 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
PID 1308 wrote to memory of 4716 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 4716 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 4716 N/A C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4816 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
PID 3656 wrote to memory of 4816 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
PID 3656 wrote to memory of 4816 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
PID 3656 wrote to memory of 4704 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4704 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4704 N/A C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 3908 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
PID 4816 wrote to memory of 3908 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
PID 4816 wrote to memory of 3908 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
PID 4816 wrote to memory of 2868 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2868 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2868 N/A C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 3192 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
PID 3908 wrote to memory of 3192 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
PID 3908 wrote to memory of 3192 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
PID 3908 wrote to memory of 1976 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 1976 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 1976 N/A C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 4416 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
PID 3192 wrote to memory of 4416 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
PID 3192 wrote to memory of 4416 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
PID 3192 wrote to memory of 1956 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 1956 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 1956 N/A C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1456 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
PID 4416 wrote to memory of 1456 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
PID 4416 wrote to memory of 1456 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
PID 4416 wrote to memory of 4220 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4220 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4220 N/A C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2084 N/A C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
PID 1456 wrote to memory of 2084 N/A C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
PID 1456 wrote to memory of 2084 N/A C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
PID 1456 wrote to memory of 3060 N/A C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"

C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe

C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe

C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A8917~1.EXE > nul

C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe

C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60652~1.EXE > nul

C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe

C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{388B8~1.EXE > nul

C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe

C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{361BD~1.EXE > nul

C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe

C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{42358~1.EXE > nul

C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe

C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF6C~1.EXE > nul

C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe

C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74D39~1.EXE > nul

C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe

C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49CC1~1.EXE > nul

C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe

C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56A8B~1.EXE > nul

C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe

C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35C4B~1.EXE > nul

C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe

C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2443B~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe

MD5 a7c118031f79e3996b1c156417d67b50
SHA1 60d3cd7a6004ccba9ed10b8a531fd2c78bbe0af4
SHA256 cc3eb543bf767c7a2e5379612d1eb36357f902479ee80c05935edbd1c747bded
SHA512 3a90735e6001246c6b57ba229f0dd5e79da608fa2500492632a18c993d5146f39e9bb312a6531ffd067b06d59baf445cb47c507528efb3834129ba1861c3ce8b

C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe

MD5 86418327961cf4c1db1179b6553baf6c
SHA1 40b7e6c2d7561f7b471c62bab3b3cb160359fbae
SHA256 eb1603ada95fe6bcc61a6a7924db6f4350526a19971a406284dc54106d45f1b7
SHA512 ed7e4074955432a2327b96048b5e36ec573d3681cfa2ffa7ed5724d7d524bf038c4d841df55b255cf64341f2883dfd1e9b89d9d16e58cc202ef6f8da79d925a8

C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe

MD5 0f16dd0befdc1566ef7ac383b39c69f5
SHA1 34a2bf4bbbfccb33722a7cf4dee2fa236027f414
SHA256 ea22e918411991f5c954918fb8745fa3294e96f8e78968a737b828263b5a014a
SHA512 68c8dbfa465e5a59f4ff84486994e8457aca7b373c59e5bb88fe49955aaa32e3649e9af532ef5d91c109787236f1303037023ec986125addaedee0e6cd9cee3d

C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe

MD5 5701e1f2ed0c0f911de0286dba777765
SHA1 9e51219ae9a105d9f6e8ed41613e74dbb4d8bf87
SHA256 30eb511bace46334394f6e7acc3801b46056429dd8b32a3ecad7f9348d2214bf
SHA512 d99d12eb449ed25a412b3f3dcb033f6407a0201111c5305f158d6b63548797dfa671f8b78a7f90d0db78066f265f6097fe772fa886417744d30c6d5e6dc795ce

C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe

MD5 3b7d8f06765878c2cb7b078747241cc1
SHA1 a0a8c8bbe92d748a31f4ff8ad40132ba358e1374
SHA256 6656cf24b62ddfdf95a992ac09f61d8c7a7a5c2cbe583bb4628757c07bf855e8
SHA512 8fb430796439f07302ada65c7573c3b2e33bbc3db7113bcda1aafa7de4e0cb496f864e201eab862ab2c6f096e1a8a76eebac40f16b0fd58778e2a352ebe45884

C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe

MD5 a3b7c939e1e66c91de21258e1a47a3ea
SHA1 0520697cc09b555a251b23e542507bd0eaf731a9
SHA256 a4f3fb6da4121f3122eb0a06664747307e55137c22c40a3f832239922d3db0ef
SHA512 951b39a0f30dd3686eddbde4e15322d0444744af504bff286c8c579dfe6fbfce084cdee4a90b8c6c8656606fcbee6e4c838e0b3a4f68481849480769030bde99

C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe

MD5 f16e770826ff4462e8ea7f16866df9aa
SHA1 7dfe5b0cef9c89c8458e3bbec9c7a51726dbc17d
SHA256 48e73a899456d636f5340d964c7880a21b56627027a2b5357e0ce4f33077b789
SHA512 5371a2ff27a53a73b192f87d43e009d64b0508a32b7a93ef71b4f3676a9b6cdd020d2744621396c535a64c58e8be8ddb78f8ffc5eb7c1049b4e69b7aeccfb79e

C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe

MD5 00299874b0236e63b864946a74b883b2
SHA1 01bc8acdebfc8b18d70d9a9f963d406dbf911007
SHA256 8054743345aa2dd9b2883008ad3923ed27820451be67f300584f28fc40168b84
SHA512 b2f9c6a01c718e0c1793d9c77e2c13ef440d17d39ddafc46d19c8bcb83601096c6da7910ec3cc7fcb40d8164d6ee7de7f4b29979aae0b9798a7ed315ccbecdaf

C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe

MD5 4400866ebd747de0f8ee31efbd45a142
SHA1 2bee6dc889dbcc5603a72035a375268b22e2614c
SHA256 76c35aa9552bb2765f3cc88c0b1bd9c8ae872f66950a2e30613c8876c647e141
SHA512 1f9683dfdadad10dc5e8cea251b5dcf044dda3d7b2a5ab9dc0de3395a4b117baa3808b2ca5d03abc29f4b11795395ed62d81b8757194ea0a762aa7c4e8e1cf8d

C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe

MD5 ad6196546a8f3d314f1b1abece0037b5
SHA1 e8fc2843f287980e4d694e6ee9f7acb8753cf746
SHA256 953330cd1265fded3b3ef3c02000701408e968c67ff641fa93161e8d1643dc44
SHA512 db48e077d4a3bfd017b8b9f8abe774cb93457f2f5c5ee8c21c5ad19a2cdabeadeb7b04b17bb33adea4249bb5a0b8c61db2d12ed974248fffc6ec4e0b8f3ba56a

C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe

MD5 53a9770db007d1d593fb65817fb49e09
SHA1 b82608c523b289bc5441d4b8c8a02f3c5b891019
SHA256 c1120b4d6ebc4a7791a78e30b432d825425d3e44589926eed4b6ac43e7257382
SHA512 19c91614b9b69fb239fee8e3109e5e089751bdaea05d1e473fcb84e0233f69e97d276835873c4d9be8c917c17d15159da9b5ab932e15d83db9789131bd9723a5

C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe

MD5 3ca176834e19e1fcce55c4459ee3aa32
SHA1 7b29dbbb64e26fa4512219ebac4d8b67e54831e4
SHA256 aaa31616c2d975d821d8b8aebbfce02551aaca01f73b6bc9e41e5bbe31ece0e3
SHA512 e842cfa02da49db2c9cc624ec17fa2f81a1dabb4044912ea433e6dc5bbc1c157b19f79bf5d14f2c3c7eac2914035f289879bf665d8005e67a9d61790f0184164

C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe

MD5 c7d92ee3be68f611ec3f16bfb9c050b5
SHA1 552622e8670500582f035564e83f3c5853ae2e61
SHA256 fdce9c01927dc47795e839c0dc5436941dd50fbcc698df34b077a6ac6dcca968
SHA512 81e90887aa1606656dd37414306b98dfda57ca2b4202af1e762d30b26f00b76c62d778fd86d4dc3c4c1e7df49c9200188fc87f7535d59706746ba85cac795aad

C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe

MD5 d7675d543077f692bc244a8842998afc
SHA1 5a991601e4e59211cdb933c1c5312e71810023a8
SHA256 5b985511687f7d186172b5f4eb368d80be565cde0bfaf1240abcc4bb93ecec60
SHA512 fa8234ec01b23137389432e458ea0e015f70ba239d0324e98f16cc3b396e3362636d3d680284a5a93916e5eb3ddc4ea4085a4efc4ca1d61079b0f532ef5b5c5b