Malware Analysis Report

2025-08-11 01:06

Sample ID: 240302-t9lbdafe35
Target: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye
SHA256: 818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8

Threat Level: Known bad

The file 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:45

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 16:45
Reported: 2024-03-02 16:48
Platform: win10v2004-20240226-en
Max time kernel: 146s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry
Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}\stubpath = "C:\\Windows\\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C}\stubpath = "C:\\Windows\\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe" | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C} | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803} | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3} | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}\stubpath = "C:\\Windows\\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe" | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}\stubpath = "C:\\Windows\\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe" | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8} | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}\stubpath = "C:\\Windows\\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe" | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C} | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}\stubpath = "C:\\Windows\\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe" | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6} | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}\stubpath = "C:\\Windows\\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe" | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA} | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8} | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}\stubpath = "C:\\Windows\\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe" | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}\stubpath = "C:\\Windows\\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe" | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8}\stubpath = "C:\\Windows\\{8550E314-E587-465b-8CA1-259E76846DE8}.exe" | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8}\stubpath = "C:\\Windows\\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe" | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3} | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24} | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A
File created | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A
File created | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A
File created | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A
File created | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A
File created | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
File created | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A
File created | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A
File created | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A
File created | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A
File created | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4444 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
PID 4444 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
PID 4444 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
PID 4444 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 4672 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
PID 1848 wrote to memory of 4672 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
PID 1848 wrote to memory of 4672 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
PID 1848 wrote to memory of 756 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 756 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 756 | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 1624 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
PID 4672 wrote to memory of 1624 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
PID 4672 wrote to memory of 1624 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
PID 4672 wrote to memory of 2732 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 2732 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 2732 | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 4172 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
PID 1624 wrote to memory of 4172 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
PID 1624 wrote to memory of 4172 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
PID 1624 wrote to memory of 968 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 968 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 968 | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 3596 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
PID 4172 wrote to memory of 3596 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
PID 4172 wrote to memory of 3596 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
PID 4172 wrote to memory of 728 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 728 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 728 | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 1904 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
PID 3596 wrote to memory of 1904 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
PID 3596 wrote to memory of 1904 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
PID 3596 wrote to memory of 3344 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3344 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3344 | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 5024 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
PID 1904 wrote to memory of 5024 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
PID 1904 wrote to memory of 5024 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
PID 1904 wrote to memory of 3868 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 3868 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 3868 | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 2600 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
PID 5024 wrote to memory of 2600 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
PID 5024 wrote to memory of 2600 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
PID 5024 wrote to memory of 1632 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1632 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1632 | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3188 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
PID 2600 wrote to memory of 3188 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
PID 2600 wrote to memory of 3188 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
PID 2600 wrote to memory of 2724 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2724 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2724 | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3276 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
PID 3188 wrote to memory of 3276 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
PID 3188 wrote to memory of 3276 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
PID 3188 wrote to memory of 3728 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3728 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3728 | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 2188 | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
PID 3276 wrote to memory of 2188 | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
PID 3276 wrote to memory of 2188 | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
PID 3276 wrote to memory of 976 | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"

C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe

C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe

C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2519E~1.EXE > nul

C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe

C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C226~1.EXE > nul

C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe

C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B619F~1.EXE > nul

C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe

C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B97A~1.EXE > nul

C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe

C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8550E~1.EXE > nul

C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe

C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D630C~1.EXE > nul

C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe

C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{080C1~1.EXE > nul

C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe

C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1789~1.EXE > nul

C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe

C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E33~1.EXE > nul

C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe

C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2771~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp

Files

C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe

MD5 e904e8a83fad10d0a63cbeaab5a3bfb4
SHA1 949575c2c873809366776ccb91f533fdcb0ed451
SHA256 c84fafa2c241b628c88e757da4497fa9f07a843753b26678da76b82cf396dd05
SHA512 b9cdd94c98ecd6f2c927c1f695a2c90be1a988324105fa4d69f559e925de58d3bfb77aebd61854e8f61b7ec87fbb3f504760b6a38ad654b25dbd75033edaf39b

C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe

MD5 f625b9c6f1d28d9c668c3cdcf058f2fb
SHA1 4baecf07fafdebafadb1cd5cdd2d22a7524e3202
SHA256 06a7c78b5211b81f5e28a250b678d2d8fccfa6f448b8726480fba25b955056fa
SHA512 baf12093ba46e1f916e1aded68eaa2e710d8061027d012a9d06515bb2dabd372ab150f96ab562276cec7b598d19f57217fa833565e2ee13a6ccbce464889c568

C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe

MD5 cdca9b33fedde9a4bfa8467cc54a6666
SHA1 8690d99555f03cddfe10b9d2905788c4c650960d
SHA256 5eb687e1a261dc43e28ebee11401335efc2bff90f70186a89c797c5159d6b3c2
SHA512 425c6b7b28055be958f646b1cb8c9560a9544ff8402bee6ac165ca84a1720582eabd21bb474bf91c83394051b4ab5209e597863afe90d53d513d8d54c19bf7a1

C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe

MD5 c34daf0ff0c2db9aa6c619c21ddbfd37
SHA1 4e901782334d80d9aad083cfe5e9f1d165297a02
SHA256 aac4b5267cb997c45cc21132407cefb2ccdc8fc5b74d9a6ca60c8a8515938e50
SHA512 8777cecf8a417e191cd04783007d3c63ad5f9c9c85e58ed00508aea1becc48ef1895fe4a49d14c8ea9c2c1eb36f7cb3d638b5fe40d05851699e3b039f7b395dc

C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe

MD5 c927f29ce27be9cd8a0f0c17430da951
SHA1 db74dee01aeec937729f99779aa351c25af72fe2
SHA256 8140acdbef506542bd3736cc338dcab4eab86e4b58cc7dadd02720adedaeb77d
SHA512 1d3a6066ac417db1984b3528313f6c65d2b7ab3128bf78df3e2211a2994eb72d2a4f4eb43b07c19df9787bc6c2dd9c4b984c1a1a0a0d5e312158cba3ef64bfcc

C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe

MD5 cf1b5d9ff12e2d8d23e2d937420ea6a9
SHA1 5cdedb6fe64b40d0c07c09d3f88defbe33060711
SHA256 a08781e10e0270ca1e6f25616bcb35b31c281d9b1009ce57b1b45ecb652f7fc8
SHA512 0a7323e6b0ac0cb2f19ffa8a8141bb5597ecb398a4a46eb51b8ecca962429ef5ba310f67361c53638b3dd8f23ba150b5eb87d765f258840c64774f3238268220

C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe

MD5 5b944cc48aa80445754ecb73fe94767e
SHA1 0e34b62e6a48fe90c2520d04924dea5fa2def0b6
SHA256 4f18f6fc52863001a1dec92979986171eb3940e46af8c5d2973097972e941af7
SHA512 142cfccd2f0e281af7ba19f423610c3c22cacf6c989ad41ed3cf19dcdd9a350252f5824323cee6882b0c0ddf44dd97c3003405b13c065000ecf286322fd56e6f

C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe

MD5 c9e8992deabf78659a6b84688a6d0992
SHA1 d5de0218d2e9951d0e04f9dfab2325600d041b74
SHA256 b1edb2400e4fce70e19b910372e1fc843a86c42444e0b35bf70adb925d1b533e
SHA512 547aff14685b26d6500ef64cbae07767d4351d15af8aa67e084bad54b83ba792590619c2918bd4b0d40e8a084671aa83cf6e7fb30a79579df131aedd51c694c8

C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe

MD5 f43427e664148170aba2b37861057efd
SHA1 fe0dfd6bed8cbc9e969f161addbe7ee727896414
SHA256 c8ffdb4c735e1425a3a55ad89fcc57d5df30cde9ee3578cf2cfaa078a2124567
SHA512 2a07b60ab92b84c13e38a20500d154dad5b3a86e4dce6c457ae9e4704a3bc1cda6a85852464c6a3e32447771700c713252e25c383afd6dfb59e944ea999f009d

C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe

MD5 5c4ff13e4a6dc60b6e4c8177b7ee714e
SHA1 59519188b796f62ae848c3bde354b026e8f2bf36
SHA256 f3d0f052ea4960aa5eb9dc54e879edc516f38a71096854af3f7cf603fcc64b3c
SHA512 73abe72e47b23acd90957482970a95c8c136f1cd1691a1e87dfa8688e370fa8f05dd7a54720b675bc849023405d018ae33bccc8ea9ef100b4d2772309dce5f05

C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe

MD5 51b6334063f4dbe29dd3517fab7186e1
SHA1 d63f66873f06c7bb1ea989faa419c191620b39b1
SHA256 4d1ddd706f23ff4e685d63ad106e00b6d5aed11d47da48645ed8967430f3d527
SHA512 d424fce9c63cb3603b5d7035373c889a5e4fb13c63ab2a6d10b47f897fdbcb5246fc94661d459dfed225b08212530486b057823831ec59d26c117776c6626e65

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:45
Reported: 2024-03-02 16:48
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Installed Components in the registry
Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F} | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E} | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E}\stubpath = "C:\\Windows\\{597C775A-3953-4c21-B557-DAD3D246475E}.exe" | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809} | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97} | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE} | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}\stubpath = "C:\\Windows\\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe" | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4} | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C} | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}\stubpath = "C:\\Windows\\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe" | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F}\stubpath = "C:\\Windows\\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe" | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE}\stubpath = "C:\\Windows\\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe" | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E}\stubpath = "C:\\Windows\\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe" | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14} | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97}\stubpath = "C:\\Windows\\{56E9F424-F572-41d6-A41B-302837EABF97}.exe" | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4}\stubpath = "C:\\Windows\\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe" | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A}\stubpath = "C:\\Windows\\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC} | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}\stubpath = "C:\\Windows\\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe" | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E} | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809}\stubpath = "C:\\Windows\\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe" | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A
File created | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A
File created | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A
File created | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A
File created | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A
File created | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A
File created | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A
File created | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A
File created | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A
File created | C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A
File created | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
PID 2200 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
PID 2200 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
PID 2200 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
PID 2200 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2548 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
PID 2068 wrote to memory of 2548 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
PID 2068 wrote to memory of 2548 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
PID 2068 wrote to memory of 2548 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
PID 2068 wrote to memory of 2532 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2532 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2532 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2532 N/A C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2940 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
PID 2548 wrote to memory of 2940 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
PID 2548 wrote to memory of 2940 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
PID 2548 wrote to memory of 2940 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
PID 2548 wrote to memory of 2980 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2980 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2980 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2980 N/A C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2664 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
PID 2940 wrote to memory of 2664 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
PID 2940 wrote to memory of 2664 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
PID 2940 wrote to memory of 2664 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
PID 2940 wrote to memory of 2600 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2600 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2600 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2600 N/A C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 524 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
PID 2664 wrote to memory of 524 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
PID 2664 wrote to memory of 524 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
PID 2664 wrote to memory of 524 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
PID 2664 wrote to memory of 268 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 268 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 268 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 268 N/A C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 1652 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
PID 524 wrote to memory of 1652 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
PID 524 wrote to memory of 1652 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
PID 524 wrote to memory of 1652 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
PID 524 wrote to memory of 2164 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 2164 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 2164 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 2164 N/A C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 848 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
PID 1652 wrote to memory of 848 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
PID 1652 wrote to memory of 848 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
PID 1652 wrote to memory of 848 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
PID 1652 wrote to memory of 1976 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1976 N/A C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 1100 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
PID 848 wrote to memory of 1100 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
PID 848 wrote to memory of 1100 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
PID 848 wrote to memory of 1100 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
PID 848 wrote to memory of 2644 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2644 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2644 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2644 N/A C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"

C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe

C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe

C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E78D6~1.EXE > nul

C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe

C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA269~1.EXE > nul

C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe

C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9621~1.EXE > nul

C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe

C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA995~1.EXE > nul

C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe

C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E9ACF~1.EXE > nul

C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe

C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3C120~1.EXE > nul

C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe

C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{597C7~1.EXE > nul

C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe

C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC6E~1.EXE > nul

C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe

C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56E9F~1.EXE > nul

C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe

C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E641~1.EXE > nul

Network

N/A

Files

C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe

MD5 1af8d243e85a1166fda3e18c475edbfe
SHA1 3eb3c2f47b5ab5339b324fe07bece1c6f87351bc
SHA256 1c69f1665f599ea7c84f5d3dfae7187d2a99b6be65e2443471548a72a747be31
SHA512 eadade69cfc62f2d7f979e39d51948f21256d92e39faba9b01ec00da40c95f55d86c6ec428d085358dec200a56f980ea4e636c28cd23d871b0a8611d58f78dfa

C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe

MD5 3eae0282abd018b2239c8c3e6449f4ce
SHA1 e38c6e196dd5819e0207abc64348741625090141
SHA256 163f6d475075cb930bf9b99bebcf0cc3bcaecd0fc5ead30dc09670945e0a3a49
SHA512 5ed537a35e45e5c6ab8b0091bb3a503c95ac5114fa6f07c22ea3b30507a6bdb65cb51b9c5bbcea686cf9f9d5f6e0a852b98bd12cb7487fa0bca27b848c2d8aa4

C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe

MD5 582820ac45214e67b85b03cc72b1515b
SHA1 28572f7cb3b9501a1318627a811bcd99ff8c24bb
SHA256 1b101072b7239803e5ce07428a156bd60b8ea1434e08207fd3e4536d8ad1c371
SHA512 e738fc39df7cf2a983682e03a066e01ef219e02cb4a6b0631c27e22171fd94651dc33e5b9ea3bdbbec2d170cd0101bbeca8a9bff44eee3e6b096132730f71aae

C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe

MD5 0125484002fd1cc31d79d1074092e92f
SHA1 ff9ba070583e9132d2116ac41f742e230db077ff
SHA256 178d4a984edf6bd5e87499b22863b2c11d4569783248746a3f4609f5367f62cd
SHA512 77bb2061a809879e8f8801fa08b83cbb0e275f294cf06ad5923f509330c421cbbb4f904790c2d02912bd294cc78d35aea9f43855383edc06928c005a711dcc7d

C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe

MD5 f85ddaadabfcc79a6d51bdc5236e71d0
SHA1 8583d679b82b87161f3df2a907ab2998ecb2efd8
SHA256 1510edcff34d80fd3dc6ff45069fd825af3067ed9e463d1204d6e917ff375dbb
SHA512 d846b9e009efee7c3e555721572fb5d3623c974022a77ee1b78553cee202e6a4d5c04c990659ce362e8910fed9fc70243133773a140771e7a7f5b99bafd09014

C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe

MD5 9ff40a19f749adeaa0869b382f22b9d2
SHA1 a28a07fa272e5a5122ddb66d39eed578a6765ffb
SHA256 c5b58708eafc12e6ab53032829f305367894d69ce635d76eb279f30ef41e1f5f
SHA512 12dd512d956f174ffe61ce10c77abffba51186470702d66976023b8b707852b163028f6b6dd9309029e4167cc2a5aebc0c3fff7afbd82bda423db62563d4ef68

C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe

MD5 fe8a3f275834f30c70169b2d7349caad
SHA1 a109aecb01f7bbfcef8544753a494b1e0dbf2a3e
SHA256 de5a1df0423384976f6d811ab51a3158df5f71e65de77458a19d02ef6c19e394
SHA512 9079b98ae23ef15213b14cd14b0a134a76d10d6411024ca48c788e9dbe94016976a7f052a20e34c14f9890c3b33ac430fdbdb8cdfe698819e043c6ae4ccfcda3

C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe

MD5 b98d232b25a8d58bf4c0474aad6ea9a0
SHA1 b75826c242f09288d333046b16b99297784c5191
SHA256 c5b93ce35edd7e881e3d4879cd208e96293c9ec6ea7b1e5f8716af7df342a0a1
SHA512 cc47769e14f80328a37fbcff6c5b76645c8e068b2ea969f68e4f398f624227fad031d617cd93032990057aa823638ccf50c0476ff6c889e273fa52fe0e2d38bf

C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe

MD5 ae08bfeae7d4432f95830bceb7b46f04
SHA1 d5543728bbb8802350b4e5f09a8a9f42a50d6d46
SHA256 4fe120ecd98afb6766f318b0b84d891e50e2a724f08b45561b6eaa4431fa35b0
SHA512 2fca97612c45e0c5da7af946cf561620007c3796d929bc278f9528d433b903e57d4a8f8c42d837b5402451fee3b3a64772d57cb726129689c2e271d278e37298

C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe

MD5 f993395b3f6da2a276d12e182a725929
SHA1 10e9ab5071f13928ecdc427380f4a966a4bd00bb
SHA256 d706667e5473358f7731b83c4c673a37717c7090e58cf379664fb581ebffedc6
SHA512 eea0ef975538c6cfefc542455d24f3c69b1c96350570b969693d11c3847f09bc1fcec9f8e5c24078c8d01971527937c9d6dce64a47b51b03b6f736b01494c2ed

C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe

MD5 d582459d75c8b00df3d9c0d1bfa39e44
SHA1 8c26f2969372212aacf92ab9159a50947cda8666
SHA256 c38b529a398651c99b561e5a106aef72e5473339751a5f72e1ae6ad362eb2d56
SHA512 f7990ed248c0ee694dfca2154c8db8e4df99f8aa1b2c9d6b72f3fba0a9b991c3bb843f2a076146da38f5d0c4431963a5b25c586a64a1692fc153ebe90f500bcf