Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-tw2ffafc47
Target 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye
SHA256 e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a
Tags persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a

Threat Level: Known bad

The file 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye was found to be: Known bad.

What the two detonations show: the sample is a 32-bit executable (its registry writes land under Wow6432Node and its cmd.exe children load from SysWOW64) that writes a chain of GUID-named executables directly into C:\Windows (11 dropped files on Windows 7, 12 on Windows 10 within the time limit). Each stage drops the next one, creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a stubpath value naming the dropped file, launches it, and then runs cmd.exe /c del on its own image using an 8.3 short name. No network activity was recorded in either run. All dropped files have distinct hashes (see Files under behavioral1), so the Active Setup writes and the process tree, not file hashes, are the indicators worth keeping.

Malicious Activity Summary

persistence
Auto-generated rule (x2)
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15. The report lists no techniques; the two that follow directly from the recorded signatures are:

T1547.014 Boot or Logon Autostart Execution: Active Setup (Installed Components\{GUID}\stubpath written for every dropped stage)
T1070.004 Indicator Removal: File Deletion (cmd.exe /c del of each stage's own image)

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:25

Signatures

Auto-generated rule: 1 hit, no description, indicator, process or target recorded.

Unsigned PE: the sample carries no Authenticode signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:25

Reported

2024-03-02 16:27

Platform

win7-20240221-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"

Signatures

Auto-generated rule

11 hits; the report records no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence
Each stage creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} for the executable it has just dropped and sets that key's stubpath to C:\Windows\{GUID}.exe (the Wow6432Node view because the writer is a 32-bit process). Active Setup runs every StubPath that has no matching entry under HKCU at the next interactive logon, once per user, so each of the 11 dropped stages is scheduled to run again on the next logon. Note that every stage also deletes its own image once it has launched the next one, so at the end of this run only the last dropped file, {96605775-AC2A-4368-BB05-B38F1B6E9308}.exe, is not targeted by a del command. Creation order, read from the Process column: goldeneye.exe -> {9D783760-...} -> {E80E0958-...} -> {9BF0DFFD-...} -> {E2B1ADC7-...} -> {AFB2356A-...} -> {5968B87B-...} -> {9FA3E7ED-...} -> {FACE45D8-...} -> {B781B76F-...} -> {C20C4325-...} -> {96605775-...}. The rows below keep the report's own order.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308} C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}\stubpath = "C:\\Windows\\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe" C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B} C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1} C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1}\stubpath = "C:\\Windows\\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe" C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72} C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED} C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}\stubpath = "C:\\Windows\\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe" C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}\stubpath = "C:\\Windows\\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe" C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382} C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308}\stubpath = "C:\\Windows\\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe" C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B} C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF} C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath = "C:\\Windows\\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe" C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029} C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331}\stubpath = "C:\\Windows\\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe" C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382}\stubpath = "C:\\Windows\\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe" C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B}\stubpath = "C:\\Windows\\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029}\stubpath = "C:\\Windows\\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe" C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058} C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331} C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}\stubpath = "C:\\Windows\\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe" C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
The deletion is delegated to a child cmd.exe because a running image is locked against deletion by the process executing it; see Processes, e.g. C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul. The target is given as an 8.3 short name, so a detection keyed on the full {GUID}.exe name in the command line will not match these deletions.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
File created C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
File created C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
File created C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe N/A
File created C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe N/A
File created C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
File created C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
File created C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe N/A
File created C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe N/A
File created C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe N/A
File created C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe N/A
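The registry and file-drop tables above list each stage's writes in the order the sandbox flushed them, not in execution order. The script below, added here as an example and not part of the report or of any tooling it describes, parses a five-stage excerpt of those rows (copied from the tables above as constructed input), checks that every Active Setup entry is backed by a file the same process dropped, and walks the creator-to-created links to recover the stage order. The row formats (`Set value (str) ... \stubpath = "..." <process> N/A` and `File created <file> <process> N/A`) are taken from this page; the function names are this example's own. The behavioral2 tables further down have the same row shape.

```python
import re
from collections import defaultdict

# Five-stage excerpt of the behavioral1 "Set value (str)" and "File created" rows,
# copied in the unordered form the report prints them (constructed input).
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}\stubpath = "C:\\Windows\\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe" C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1}\stubpath = "C:\\Windows\\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe" C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}\stubpath = "C:\\Windows\\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe" C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath = "C:\\Windows\\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe" C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B}\stubpath = "C:\\Windows\\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
File created C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
File created C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
File created C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
File created C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
File created C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
'''.strip().splitlines()

GUID_RE = re.compile(r'\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}')
# Column layout of the report rows: description, indicator, writing process, "N/A" target.
STUBPATH_RE = re.compile(r'^Set value \(str\) (?P<key>.+?)\\stubpath = "(?P<value>[^"]+)" (?P<proc>.+?) N/A$', re.I)
FILE_RE = re.compile(r'^File created (?P<file>\S+) (?P<proc>\S+) N/A$')


def guid_of(path):
    """Upper-cased GUID embedded in a path or key; None for the dropper, whose name has no GUID."""
    m = GUID_RE.search(path)
    return m.group(1).upper() if m else None


def reconstruct(rows):
    """Return (stage GUIDs in execution order, list of consistency problems)."""
    registered = defaultdict(set)   # creator stage -> GUIDs it registered under Active Setup
    dropped = defaultdict(set)      # creator stage -> GUIDs of the files it wrote to C:\Windows
    problems = []
    for row in rows:
        m = STUBPATH_RE.match(row)
        if m:
            key_guid, exe_guid = guid_of(m['key']), guid_of(m['value'])
            if key_guid != exe_guid:
                problems.append(f'stubpath of {key_guid} points at a different GUID exe ({exe_guid})')
            registered[guid_of(m['proc']) or 'ROOT'].add(key_guid)
            continue
        m = FILE_RE.match(row)
        if m:
            dropped[guid_of(m['proc']) or 'ROOT'].add(guid_of(m['file']))
    # An Active Setup entry only persists something if the same stage also wrote the file it names.
    for creator, guids in registered.items():
        for g in sorted(guids - dropped.get(creator, set())):
            problems.append(f'{creator} registered {g} but no matching file drop was logged')
    # Walk creator -> created links from the dropper; each stage should register exactly one successor.
    chain, cur, seen = [], 'ROOT', set()
    while cur in registered and cur not in seen:
        seen.add(cur)
        successors = registered[cur]
        if len(successors) != 1:
            problems.append(f'{cur} registered {len(successors)} successors, expected 1')
            break
        cur = next(iter(successors))
        chain.append(cur)
    return chain, problems


if __name__ == '__main__':
    chain, problems = reconstruct(REPORT_ROWS)
    for i, g in enumerate(chain, 1):
        print(f'stage {i}: C:\\Windows\\{{{g}}}.exe')
    print('problems:', problems or 'none')
```

The cross-check matters more than the ordering: a stubpath entry with no matching drop (or one pointing at a different GUID than its key) is the case where the persistence would silently fail, or where the sandbox missed a write, and either way it deserves a second look in the raw log.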

Suspicious use of AdjustPrivilegeToken

SeIncBasePriorityPrivilege ("Increase scheduling priority") only lets the caller raise the base priority of processes it already controls; enabling it is not a privilege escalation and is a weak signal on its own. It is listed because the dropper and the first ten dropped stages all enable it ({96605775-AC2A-4368-BB05-B38F1B6E9308}.exe does not appear).
Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe N/A

Suspicious use of WriteProcessMemory

Every recorded write goes from a stage into a process that stage starts itself, either the next GUID-named executable or the cmd.exe that deletes the stage's own image; no writes into pre-existing processes appear. The report repeats each parent/child pair four times (one row per write), so the pairs are collapsed below with a row count. The listing stops after 64 rows, so the launches performed by {FACE45D8-5F84-4db7-AD74-E32551C13331}.exe (PID 2788) and the two stages after it are not covered here; the Processes section shows them following the same pattern.

Description Indicator Process Target
PID 2148 wrote to memory of 3052 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
PID 2148 wrote to memory of 2272 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2568 (4 rows) N/A C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
PID 3052 wrote to memory of 2552 (4 rows) N/A C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 1992 (4 rows) N/A C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
PID 2568 wrote to memory of 2092 (4 rows) N/A C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 684 (4 rows) N/A C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
PID 1992 wrote to memory of 2812 (4 rows) N/A C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2860 (4 rows) N/A C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
PID 684 wrote to memory of 2096 (4 rows) N/A C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 840 (4 rows) N/A C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
PID 2860 wrote to memory of 1620 (4 rows) N/A C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 872 (4 rows) N/A C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
PID 840 wrote to memory of 2640 (4 rows) N/A C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 2788 (4 rows) N/A C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
PID 872 wrote to memory of 2800 (4 rows) N/A C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Stage list reconstructed from the process listing and the parent/child PIDs in the WriteProcessMemory table; a PID is given only where the report records one. Each stage starts the next GUID-named executable and then a cmd.exe that deletes the stage's own image, naming it by its 8.3 short name and sending output to nul. The cmd.exe command lines say system32 but the image that loads is the SysWOW64 copy, because the 32-bit caller is subject to WOW64 file-system redirection.

Stage 0 (PID 2148)
  image: C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2272)
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Stage 1 (PID 3052, parent 2148)
  image and command line: C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2552)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul

Stage 2 (PID 2568, parent 3052)
  image and command line: C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2092)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E80E0~1.EXE > nul

Stage 3 (PID 1992, parent 2568)
  image and command line: C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2812)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0D~1.EXE > nul

Stage 4 (PID 684, parent 1992)
  image and command line: C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2096)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B1A~1.EXE > nul

Stage 5 (PID 2860, parent 684)
  image and command line: C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 1620)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB23~1.EXE > nul

Stage 6 (PID 840, parent 2860)
  image and command line: C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2640)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5968B~1.EXE > nul

Stage 7 (PID 872, parent 840)
  image and command line: C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID 2800)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA3E~1.EXE > nul

Stage 8 (PID 2788, parent 872)
  image and command line: C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID not recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FACE4~1.EXE > nul

Stage 9 (PID not recorded, parent 2788)
  image and command line: C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID not recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B781B~1.EXE > nul

Stage 10 (PID not recorded)
  image and command line: C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe
  self-delete child: C:\Windows\SysWOW64\cmd.exe (PID not recorded)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C20C4~1.EXE > nul

Stage 11 (PID not recorded)
  image and command line: C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
  no child process recorded before the run ended
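Detection logic for the two behaviours the process list and the registry table make visible, added here as an example and not taken from the report: a registry event that sets an Active Setup StubPath to a GUID-named executable sitting directly in C:\Windows, and a process-creation event for cmd.exe /c del ... > nul whose target is the parent's own image, matched through its 8.3 short name exactly as in the command lines above. The events are constructed using Sysmon's field names (EventID 13 RegistryEvent SetValue, EventID 1 ProcessCreate) with values modelled on this report plus two benign decoys; the rule names and the short-name heuristic are this example's own, and the heuristic does not model the hash-form short names Windows generates after repeated name collisions.

```python
import re
from pathlib import PureWindowsPath

# A {GUID}.exe placed directly in C:\Windows (not in System32, SysWOW64 or a vendor folder).
GUID_EXE_RE = re.compile(r'^[A-Za-z]:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$', re.I)
STUBPATH_KEY_RE = re.compile(r'\\Active Setup\\Installed Components\\\{[0-9A-F-]{36}\}\\StubPath$', re.I)
DEL_CMD_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+(?P<target>"[^"]+"|\S+)\s*>\s*nul\b', re.I)

# Constructed Sysmon-style events: EventID 13 = RegistryEvent (SetValue), EventID 1 = ProcessCreate.
# The first and third are modelled on this report; the second and fourth are benign decoys.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath",
     "Details": r"C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Tools\make.exe",
     "CommandLine": r"cmd.exe /c del C:\Tools\build.log > nul"},
]


def first_token(cmdline):
    """Executable part of a command line: the quoted path if quoted, else the text before the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(' ', 1)[0]


def short_name_matches(candidate, long_name):
    """True if `candidate` names the same file as `long_name`, either literally or as the 8.3 alias
    Windows derives from it (first six significant stem characters + '~N', first three extension
    characters). Hash-form aliases produced after repeated collisions are not modelled."""
    cand, full = candidate.upper(), long_name.upper()
    if cand == full:
        return True
    c_stem, _, c_ext = cand.partition('.')
    if '~' not in c_stem:
        return False
    prefix = c_stem.split('~', 1)[0]
    stem, sep, ext = full.rpartition('.')
    if not sep:
        stem, ext = full, ''
    significant = re.sub(r'[ .]', '', stem)   # 8.3 generation drops spaces and embedded dots
    return len(prefix) <= 6 and significant.startswith(prefix) and ext.startswith(c_ext)


def check_active_setup(ev):
    """Active Setup StubPath pointing at a GUID-named exe directly under C:\\Windows."""
    if ev.get("EventID") != 13 or not STUBPATH_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if GUID_EXE_RE.match(first_token(ev.get("Details", ""))):
        return {"rule": "active_setup_guid_stubpath", "process": ev.get("Image"), "stubpath": ev["Details"]}
    return None


def check_parent_self_delete(ev):
    """cmd.exe /c del ... > nul whose target resolves to the parent process's own image."""
    if ev.get("EventID") != 1:
        return None
    m = DEL_CMD_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = PureWindowsPath(m["target"].strip('"')).name
    parent = PureWindowsPath(ev.get("ParentImage", "")).name
    if short_name_matches(target, parent):
        return {"rule": "parent_self_delete_via_cmd", "parent": ev["ParentImage"], "deleted": m["target"]}
    return None


RULES = (check_active_setup, check_parent_self_delete)


def run_detections(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The self-delete rule keys on the parent/target relationship rather than on the literal string "del", which is why the make.exe decoy is not flagged even though its command line has the same shape; without the short-name resolution the {9D783~1.EXE row would likewise slip past a rule that compares the full image name.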

Network

N/A

Files

C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe

MD5 63393dc5f2d8462fed30e99a982145b9
SHA1 1ea90a41924e78400f9a812baf11c962d23abcad
SHA256 09018fcce6c99670d23f2dab37e7df97df099d1798194a748682ea21c95a8483
SHA512 1eb2bd904dd1666760a1402f5a999899981050cdc1be7ed38d75e6dabb803902a7d473f3cfb4a4d2d66b7c2ad8d17af355be4e7a9aa09be69d55ab26e737d836

C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe

MD5 b795287c559170a3c78b914a78446eb8
SHA1 ba94c6b5a62083f661de4f9380d92cb7b2efc42a
SHA256 5ebbb616b06d61d3a53fe3a8af49322319a28967c9fd23a590dea006497c87cf
SHA512 e573355a58f4537eb7e54a09edf29d469ffe16093bc9f47b91d3a7e627d7c524f4e16ee35fc301033c4c35bb0f08eb6e4b775fa819ed3f178ac901dc7072a48c

C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe

MD5 d32fd6dbc830e6e551d8e65545e725fb
SHA1 a740bae30157a11d94da31870d099083cdeddd2e
SHA256 ff222733f14727a891d7547df8181af53e9c1b9a4af2419a8f869c46df7cb4d9
SHA512 fbacdfc30573276f24247a2d90e6c83e6c883f551e3a073d01eb5e0f82f763de0b26a995e8c86f1b428574438e24c1f45d2d7ee69acac749803bafbcb0d6683e

C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe

MD5 8ac47d31ea4ff4fbf83d61e6880cdde0
SHA1 5b3640a7ee8b2dcda35de24cfc9c6b740abd5352
SHA256 be9262ec02966d881aa897a907fba6adc58a79a2bea5607cc7bc41dc6c3a3d4c
SHA512 1326fe53ecf98b8bba721906e9a80373e63ff23cececabd2b2dc0cc0b36093a8df645096f99e0f2d89007a99817ce97d93ff420d838bcb80e108ce0983a44825

C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe

MD5 c3fb4cc8cdcadd622ab6e94d2aebb776
SHA1 d4a240951216d46fa281b8c72ea91e4cbc2fb7a6
SHA256 3096852ed8cfd3cea8b076e534cc19c7297b81f8ee99d97d773e325c207f75ed
SHA512 502d8ead7a1212e4f51c168fd2fc61fee4b564a22fe538c3657fb8e955a6df8752fd2a4941bbfb0671df86eeaedf538015dd978f4a04a751fcd504ba3f979820

C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe

MD5 a5411af724a5e4be182f3149716ff5c5
SHA1 f24612c1eb97f1f0543c16ff4e48e53649a7c52e
SHA256 aeedeb19e293ee0f7c3ae62bc33950b47738de939590cd8f434090fc3f5104c9
SHA512 5c4fcd1eeee7cc6bfe04c3adfe69a0707f2a7376bec73ce766414a2a0176a39a3dc0acc96ac3ab53462f567b603219063abf457028a643bfdad152af965ae9a5

C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe

MD5 e4ad3f270657b214c7d89032e9f9852c
SHA1 049de04d0257b8fda57ed1ea2cf6de4032f7a6bb
SHA256 b9963407feb3f39fc92c26f05f866e6e12816ddedd3a214941a86ef96e0a24c6
SHA512 703cf6e511ea15cf7fafe8b194d08c9521b2217329fdd6ad436a39a7bb46279a4b7e0808aff270621956edf299b3ab602775f01a2d4f79809a1e6df26aa8fcec

C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe

MD5 49f60d68550465e426559cb2c5393c65
SHA1 09fd34158dabfd6b1955c452184577a642f467e9
SHA256 d637e59a73b98735644a614b2d3033088c9d48760c97e6dd706af35b7b2ea57b
SHA512 8bcdeb055a37e1ebfabb1bdcc4422c7dc147d4d3d4d965f1412b29dda8e07ae974c37c47e2d0b8f77a31672e288f55086c0137b0fcf89520afe649f3ca8dca38

C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe

MD5 4beca00462435f975d09579144fde3d5
SHA1 0bd96603aeb6448c5b07804d0edc59ac88adb9af
SHA256 ff6663be3a55473abcbe7e44a5f38fa8c9fa40be9538da4c8589580538df4e7f
SHA512 fdf8a68949a422aaaf0cb220ee956dc4eec8343a2fa0331b39e0d9b2e7d9c512bc548c67dff1ad1046202ee0edefa3ce1053f350418aa8aec99bf4de1314ba53

C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe

MD5 754d24c398a62e079e27eac9ee566eef
SHA1 06aebdea23c9b616cbbb86a0f11b83f100627867
SHA256 1610bc5cc5bb8b418e2a5542757cd870dce47c1e510d99ca69d9bd8654c8dadb
SHA512 38b0faf1d80f30e095b843ffde89b87f80b18f8fdbd17b51e84587f6c06f0d075495bf1aa8a0965252a17001fed78ada1921cf77c65ecf52d177b9cbbf8e11ad

C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe

MD5 24b2a49d3a4e8315791b85d5916a0a16
SHA1 b1630e2fe86002eb07952fce33add4334d1c8359
SHA256 e21798e1eca4a0df775ae5e68a9290ba6c45a63f62f3d547b84bd8a9b2a50638
SHA512 de87bc496a6f4596c70a1b2be686a29ded4a11582cc9acb166e4ea34189c98eabb87c68f599c4c1fa3b3f65058a43807d6b8f9b414701aa34669b2b26761b5fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 16:25

Reported

2024-03-02 16:27

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"

Signatures

Auto-generated rule

12 hits; the report records no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence
Same Active Setup mechanism as in behavioral1: each stage creates Installed Components\{GUID} for the file it has just dropped and sets its stubpath to C:\Windows\{GUID}.exe, written under the WOW6432Node view by the 32-bit process. Twelve stages are registered on Windows 10 within the time limit; creation order, read from the Process column: goldeneye.exe -> {05A410A2-...} -> {EF59010B-...} -> {E114561B-...} -> {D773DCD2-...} -> {741286AF-...} -> {280C34ED-...} -> {F1334345-...} -> {B698C8B8-...} -> {EFCB0414-...} -> {53FCA375-...} -> {2A44FF38-...} -> {CC170EC3-...}. The rows below keep the report's own order.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}\stubpath = "C:\\Windows\\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe" C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05A410A2-9AC7-424c-8545-254B84A6828F}\stubpath = "C:\\Windows\\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367} C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}\stubpath = "C:\\Windows\\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe" C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}\stubpath = "C:\\Windows\\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe" C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}\stubpath = "C:\\Windows\\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe" C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B698C8B8-DA09-49bd-9878-78397DEFAD00} C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC} C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC170EC3-DEDC-4d96-A8B5-174C62E27069} C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E114561B-0C00-415a-BAAC-206BA40D6295}\stubpath = "C:\\Windows\\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe" C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280C34ED-193D-4e05-AD77-77DA8B2F88E7} C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1334345-3122-4ddc-AAFD-8DC5782574CC} C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1334345-3122-4ddc-AAFD-8DC5782574CC}\stubpath = "C:\\Windows\\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe" C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B698C8B8-DA09-49bd-9878-78397DEFAD00}\stubpath = "C:\\Windows\\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe" C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}\stubpath = "C:\\Windows\\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe" C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}\stubpath = "C:\\Windows\\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe" C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741286AF-A3C1-4e68-9963-B3A4D9D3B652} C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FCA375-C1D1-4a49-AA44-0123F3596CA5} C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE} C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05A410A2-9AC7-424c-8545-254B84A6828F} C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E114561B-0C00-415a-BAAC-206BA40D6295} C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC} C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}\stubpath = "C:\\Windows\\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe" C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}\stubpath = "C:\\Windows\\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe" C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe N/A
File created C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe N/A
File created C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe N/A
File created C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe N/A
File created C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe N/A
File created C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe N/A
File created C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe N/A
File created C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe N/A
File created C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe N/A
File created C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
File created C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe N/A
File created C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe
PID 4600 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe
PID 4600 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe
PID 4600 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4504 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
PID 4812 wrote to memory of 4504 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
PID 4812 wrote to memory of 4504 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
PID 4812 wrote to memory of 668 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 668 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 668 N/A C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1176 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe
PID 4504 wrote to memory of 1176 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe
PID 4504 wrote to memory of 1176 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe
PID 4504 wrote to memory of 2544 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2544 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2544 N/A C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
PID 1176 wrote to memory of 2316 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
PID 1176 wrote to memory of 336 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 336 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 336 N/A C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 3716 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
PID 2316 wrote to memory of 3716 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
PID 2316 wrote to memory of 3716 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
PID 2316 wrote to memory of 3880 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 3880 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 3880 N/A C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 412 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
PID 3716 wrote to memory of 412 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
PID 3716 wrote to memory of 412 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
PID 3716 wrote to memory of 3848 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 3848 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 3848 N/A C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 2184 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
PID 412 wrote to memory of 2184 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
PID 412 wrote to memory of 2184 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
PID 412 wrote to memory of 3532 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3532 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3532 N/A C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2320 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
PID 2184 wrote to memory of 2320 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
PID 2184 wrote to memory of 2320 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
PID 2184 wrote to memory of 3304 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 3304 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 3304 N/A C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 1604 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
PID 2320 wrote to memory of 1604 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
PID 2320 wrote to memory of 1604 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
PID 2320 wrote to memory of 3184 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 3184 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 3184 N/A C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
PID 1604 wrote to memory of 2424 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2424 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2424 N/A C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 3584 N/A C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
PID 3096 wrote to memory of 3584 N/A C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
PID 3096 wrote to memory of 3584 N/A C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
PID 3096 wrote to memory of 3200 N/A C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"

C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe

C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe

C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05A41~1.EXE > nul

C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe

C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF590~1.EXE > nul

C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe

C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1145~1.EXE > nul

C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe

C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D773D~1.EXE > nul

C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe

C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74128~1.EXE > nul

C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe

C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{280C3~1.EXE > nul

C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe

C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1334~1.EXE > nul

C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe

C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B698C~1.EXE > nul

C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe

C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCB0~1.EXE > nul

C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe

C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53FCA~1.EXE > nul

C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe

C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A44F~1.EXE > nul

Network


Files
