Malware Analysis Report

2025-03-14 23:46

Sample ID 240603-gk34nsdg9x
Target 2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye
SHA256 d32e94cc155927325cbfc77b11b484858b78467267dea5486a2c33dad67d9db1
Tags
persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:52

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:52

Reported

2024-06-03 05:55

Platform

win7-20240221-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81267C97-6232-4926-A2E6-BDA6A81A1615} C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA846BBE-CD54-44e8-880B-B24FF40C36BE} C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}\stubpath = "C:\\Windows\\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF300A2D-F9B8-458a-9158-CD5898757131} C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9} C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BB6053-1538-498e-888D-2454C4DB0E62} C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}\stubpath = "C:\\Windows\\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe" C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81267C97-6232-4926-A2E6-BDA6A81A1615}\stubpath = "C:\\Windows\\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe" C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA53F5E7-7862-4fa6-9217-B6309E82D047} C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A} C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}\stubpath = "C:\\Windows\\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe" C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2366735B-93C7-4245-92CF-9B836D90F00F} C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}\stubpath = "C:\\Windows\\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe" C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6F1B7F-B217-4037-A6E2-290D3EB97899} C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF300A2D-F9B8-458a-9158-CD5898757131}\stubpath = "C:\\Windows\\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe" C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA53F5E7-7862-4fa6-9217-B6309E82D047}\stubpath = "C:\\Windows\\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe" C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}\stubpath = "C:\\Windows\\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe" C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EF5686-3A97-4e72-8AB8-DE73691E9264} C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2366735B-93C7-4245-92CF-9B836D90F00F}\stubpath = "C:\\Windows\\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe" C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BB6053-1538-498e-888D-2454C4DB0E62}\stubpath = "C:\\Windows\\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe" C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A} C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}\stubpath = "C:\\Windows\\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe" C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe N/A
File created C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe N/A
File created C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe N/A
File created C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe N/A
File created C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe N/A
File created C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe N/A
File created C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe N/A
File created C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe N/A
File created C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe N/A
File created C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe N/A
File created C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
PID 2188 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
PID 2188 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
PID 2188 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
PID 2188 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2392 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
PID 2528 wrote to memory of 2392 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
PID 2528 wrote to memory of 2392 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
PID 2528 wrote to memory of 2392 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
PID 2528 wrote to memory of 2688 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2688 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2688 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2688 N/A C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2556 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
PID 2392 wrote to memory of 2556 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
PID 2392 wrote to memory of 2556 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
PID 2392 wrote to memory of 2556 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
PID 2392 wrote to memory of 2384 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2384 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2384 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2384 N/A C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1468 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
PID 2556 wrote to memory of 1468 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
PID 2556 wrote to memory of 1468 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
PID 2556 wrote to memory of 1468 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
PID 2556 wrote to memory of 2476 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2476 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2476 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2476 N/A C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2768 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
PID 1468 wrote to memory of 2768 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
PID 1468 wrote to memory of 2768 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
PID 1468 wrote to memory of 2768 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
PID 1468 wrote to memory of 1924 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1924 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1924 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1924 N/A C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 1884 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
PID 2768 wrote to memory of 1884 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
PID 2768 wrote to memory of 1884 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
PID 2768 wrote to memory of 1884 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
PID 2768 wrote to memory of 764 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 764 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 764 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 764 N/A C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 320 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
PID 1884 wrote to memory of 320 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
PID 1884 wrote to memory of 320 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
PID 1884 wrote to memory of 320 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
PID 1884 wrote to memory of 1536 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1536 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1536 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1536 N/A C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1404 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
PID 320 wrote to memory of 1404 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
PID 320 wrote to memory of 1404 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
PID 320 wrote to memory of 1404 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
PID 320 wrote to memory of 1292 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1292 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1292 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1292 N/A C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"

C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe

C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe

C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FA846~1.EXE > nul

C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe

C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FF300~1.EXE > nul

C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe

C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AA53F~1.EXE > nul

C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe

C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC37~1.EXE > nul

C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe

C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDB2~1.EXE > nul

C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe

C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23667~1.EXE > nul

C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe

C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16BB6~1.EXE > nul

C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe

C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A6B~1.EXE > nul

C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe

C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0EF5~1.EXE > nul

C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe

C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0E6F1~1.EXE > nul

Network

N/A

Files

C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe

MD5 8d2b53700b45061f90185d1400cead08
SHA1 c211665773ec4317ae19ce8b44cd975084ebfad0
SHA256 5d09425efe9e916638a1856207b81e13126a1341b44269d8ac4c05c06b25f17c
SHA512 b7845adb2bf209972bc3969c0c6f480ce18d271ed0a84ffdd07d987b233d85850053f16fce4ba8877d35338805790eead4fc80e4f6788c32dbf3a5bd52fe3e45

C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe

MD5 f96dffc6c1e38f3d912ccc45da81c73e
SHA1 648ae9156c1b88a86a7070cbbe2c08c0e77cdc08
SHA256 7f0058dbafe883c4c11a3e8f93033a9e70a0a7a968ab68d28515805f19182f9c
SHA512 bcf020e85f3f9cf15922d0baea2aefed1dc3232e8852406a950f964c13fe493fcce4ba6aaa4c026d62e10bdaaeddea6f3712266d6b786cfa8a3eb4da3e694001

C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe

MD5 131d7b0739ab4c5b6e5801da22949d9a
SHA1 e6bc9683f3c09581d771756b79e15458e8df23ea
SHA256 12b3d69e6fa210a5f1f7037e7ca6697324f27b2a5523934e0ed30ab951b08ab9
SHA512 cf4f46f52b9893e69077f1ec0b9e3b930b0eefb2f4cf98d3982d04229b7650926406897d74e7348575ef4401396fca1e586b98b2fbdd72cbf07d5d5c1872f6dc

C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe

MD5 ae07989076476c2cbcb9deed75b69acf
SHA1 19bb5e6150e72e85e101d9a3889380c4c3c394ba
SHA256 2adc794068ecc749c526c5dd63dd5c89168d94ba7d6794882f97dab3b5f6ac37
SHA512 01bdd00b778b057e2b3eeb807b081356db88cb13f37deba71408cf8fb5b132c111daabddf608d1b6bb49e8a68d059c80e40f899431b9af55003ef61dc813cca0

C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe

MD5 beac2e4f7abad46c4bdff98035d9bca0
SHA1 e199be741618b39a804c2c6f643b5b93d3c6cdd5
SHA256 bf95471605c2827f1f2f1f270493e38d251d7a07d439111c047fabe7186f2723
SHA512 e1bed5acc850d094e4604a78d24bc25984bb6a383f7d92cdfd53af81d5aada2c561ef51771c00a11a550eb8b50192e3de6dfc074c1f0ee5442844ddb829891f6

C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe

MD5 426f36fecc559c6f61f643eddc5005ef
SHA1 a4f7b968d68384859b834e4853402b138d56f638
SHA256 49c8f885bdc1ff4722d5c500431caf6c610db310b8bac54b1e5b7be3311d2c31
SHA512 9651e290d6c384ad42f0e726c73024e47a77183c8b09f4274d5cebfbd6b4ec3e58d3c2dd305305ec47ca194a2dce65fe6b7b6490a70fae770ccc0e0fff41d7c8

C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe

MD5 efd69e53fe69d20415f3cbaf6242ba1f
SHA1 232edeacba17cc41e67acc9712b845cd84543e0a
SHA256 f6cbfd862332d6b919dc282267bafc1125688f95c84cd36b4b1286c3aac00214
SHA512 c7e5d18f81bf6d2d9ade477237ceced727d9e8089f5a046130ce3e69e0317edba484d689c48114c4892ec361af67ab374da69cb0576aa6d96b18d35b2587f3d5

C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe

MD5 37f171e2534b956a8c6126ec37bb7aa0
SHA1 6be84998584938e3b11d4b4bf7016b35cd847a03
SHA256 7058c91285a6232730e0c13b6d6a097ca1e9810f34c1ee42ff1d51ccf33e262c
SHA512 6d3d92dcb814c20ee0280cdcf0aabbe47911a7b461b539eae0839a2242493992e2d8b6c6aafba4bee364620a9eadc7c123b82181b9a616e39c77bfaf3809b281

C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe

MD5 17c2571af7e9e17c604b4ba87fde2a5c
SHA1 c3a23d83aa5b7389c40e07b21e7f89b67f0e8a7d
SHA256 f0fcff1af5d6c202939405cb0c6223b8655a6b5fe98888af9232f73522e60510
SHA512 d7d41a0c676380b39af91bedb8d813f82049321f30b549f4e17aa8f7f76780e0e734cc13d29488f70cec982beab58b73bcf4a1be44349f09b90046e5464150bb

C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe

MD5 f6b268eade266418f413cd97569c6560
SHA1 5398f90785fd15f70fbffa1905b257e3c1196ee2
SHA256 283176c68403342b5b071f15a7dcc5b2bd8a46b2b56b5b8f411dede75bd30386
SHA512 79f47c437bec876abe8dad227d9a0f684b0122c14f0656170a1c896a18c3caa7f0fe03bc1609e720d2155c9eae21139418004c1917211b4d4abc17bef8d3dff3

C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe

MD5 ccb7c37fe6385586b5d4cf32d91e46d7
SHA1 80f7c6dc3944bf452b68d0bfab9fd4b6fdb8770d
SHA256 fbcdb2025e5e73d32ca98c1849d2d2fbd390ed2923dd25d33515a39a1a007124
SHA512 2771f47dc1fe62f24eaca2fd1bad1e3347162accdb6fcb8d296a7fc86f1cc342f48129b174323cf4e2e114c53aa5e3de752c0a58c71e04b26fa1ef9b9786efc1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:52

Reported

2024-06-03 05:55

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}\stubpath = "C:\\Windows\\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe" C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0F0170-6B4F-47a5-9267-2F5231398AD9} C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}\stubpath = "C:\\Windows\\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe" C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D} C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD} C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD6283E-EE52-4450-90E8-2AE68505C77C}\stubpath = "C:\\Windows\\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe" C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F17EA-7D05-4688-BB77-D889F91CAD31} C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F17EA-7D05-4688-BB77-D889F91CAD31}\stubpath = "C:\\Windows\\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe" C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}\stubpath = "C:\\Windows\\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe" C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}\stubpath = "C:\\Windows\\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe" C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86307BF9-1763-464c-9C41-C9B961BF4F5D} C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}\stubpath = "C:\\Windows\\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe" C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}\stubpath = "C:\\Windows\\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe" C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC569677-4B9E-4e79-B848-5CABD6A75979}\stubpath = "C:\\Windows\\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe" C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA} C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}\stubpath = "C:\\Windows\\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe" C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86307BF9-1763-464c-9C41-C9B961BF4F5D}\stubpath = "C:\\Windows\\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AABAEAE0-19D7-41a8-AC36-84738DAE2044} C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}\stubpath = "C:\\Windows\\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe" C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC569677-4B9E-4e79-B848-5CABD6A75979} C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD6283E-EE52-4450-90E8-2AE68505C77C} C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1} C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616126DC-B702-4fcc-972A-8E27CA4F2E3D} C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9} C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe N/A
File created C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe N/A
File created C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe N/A
File created C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
File created C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe N/A
File created C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe N/A
File created C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe N/A
File created C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe N/A
File created C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe N/A
File created C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe N/A
File created C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe N/A
File created C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
PID 2428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
PID 2428 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
PID 2428 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4996 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
PID 3648 wrote to memory of 4996 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
PID 3648 wrote to memory of 4996 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
PID 3648 wrote to memory of 2620 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 2620 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 2620 N/A C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2456 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
PID 4996 wrote to memory of 2456 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
PID 4996 wrote to memory of 2456 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
PID 4996 wrote to memory of 1256 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1256 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1256 N/A C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 5036 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
PID 2456 wrote to memory of 5036 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
PID 2456 wrote to memory of 5036 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
PID 2456 wrote to memory of 2852 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2852 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2852 N/A C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 4784 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
PID 5036 wrote to memory of 4784 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
PID 5036 wrote to memory of 4784 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
PID 5036 wrote to memory of 3148 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3148 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3148 N/A C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 4492 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
PID 4784 wrote to memory of 4492 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
PID 4784 wrote to memory of 4492 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
PID 4784 wrote to memory of 1692 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1692 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1692 N/A C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 4692 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
PID 4492 wrote to memory of 4692 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
PID 4492 wrote to memory of 4692 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
PID 4492 wrote to memory of 3908 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3908 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3908 N/A C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 4624 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
PID 4692 wrote to memory of 4624 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
PID 4692 wrote to memory of 4624 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
PID 4692 wrote to memory of 3536 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3536 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3536 N/A C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 1252 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
PID 4624 wrote to memory of 1252 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
PID 4624 wrote to memory of 1252 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
PID 4624 wrote to memory of 1868 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 1868 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 1868 N/A C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1188 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
PID 1252 wrote to memory of 1188 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
PID 1252 wrote to memory of 1188 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
PID 1252 wrote to memory of 404 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 404 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 404 N/A C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 3672 N/A C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
PID 1188 wrote to memory of 3672 N/A C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
PID 1188 wrote to memory of 3672 N/A C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
PID 1188 wrote to memory of 4660 N/A C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"
C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{86307~1.EXE > nul
C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB00~1.EXE > nul
C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{AF75C~1.EXE > nul
C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{AABAE~1.EXE > nul
C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{AC569~1.EXE > nul
C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD62~1.EXE > nul
C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{435F1~1.EXE > nul
C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B8D~1.EXE > nul
C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{8209F~1.EXE > nul
C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0F0~1.EXE > nul
C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{4A3C2~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe

MD5 8b0214bec5b3bc2500030f930226d898
SHA1 c02a00fdae849a59be41a5c7c627b045fce11703
SHA256 e624b26e9abe86b85ed00580116213b8b6c024edb69b296e76dff079f1f5f013
SHA512 3d34b20b2cabdda26d17b950832d91b04df1bbcc80a47be8a0df37c69d89ac4830de1ed718dc46cbbeef3a4380f8575f4e949c68c9d632822e3aee2870ffd4d5

C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe

MD5 bb64dde487cead9c101c748099e1ea1a
SHA1 556f4e71e1f98fc46dd75823494b6d6549830074
SHA256 2c8b551e4b56807be8dd0adeac85256c5992ccfcc4f33f38b4f13b69b309afa1
SHA512 d02c84761025cb48e25d8183487aee90529f9191bdf6c651884c3a5ce7fe43343e239154e028ce3e118f3d916979bca9bfb799874025e3af54a1b6c2afec5c66

C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe

MD5 b60efc1743117391409232640cfc90af
SHA1 d23124fd1041099fa8c615b078d8ba3e0474719e
SHA256 78c36c814382712e9b33fc39081c70dc4b2648c06e9208f7409e420bd25330e4
SHA512 f59a70ca3a830586954495cf7704d1933241f9b2ad04880d297b644bcf79927a60b57b63ca13c4272b48a3b27ceab455d081d39cdb04bcb660bd2443912fb6e9

C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe

MD5 e1c1f82064aac3e0b6e918f9f423b4ac
SHA1 b735644d0de8f65ebb81a2578c841e0d3b75b5ff
SHA256 36bf8f517817af5233e9d6e176f7025c726b0d89117626e36d19e0f679e0242a
SHA512 6235a069a1cf08ac6bcb4fc99ee71de7670066e63b532bb9f1ab85ddbdecc56fbebdb4a50b3f545bc2281ad6fb46addc0a7ff8263c4cbc7fe1df1ed7eab90039

C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe

MD5 6e3388c50359eee501880d7db4ab923c
SHA1 ec010b2ec4333808ceb3ad05271249c496c99a41
SHA256 253934317d6c7d9ac9e251d2afd26dfd31de886dbba4119b07a4c6889e671f59
SHA512 80d678a85153413522e36bd744b36ad7a47688941d0cc271afff9acca97dd1281ca921d45f2cf38bef5ebcec4efb96b52f643841978130639159c6ff0e7f77d8

C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe

MD5 4b1831ed0e7a887f13d60ea18ee51517
SHA1 5136c38f6acd4ccf91ac267970deb1c2c7872e8f
SHA256 d39c424f17e6601f2012198895df980f21c0af27efd7103b29095259e4943c38
SHA512 3b115f0dadad7671ed782e2f0d620fce789b041575f6f1ec4d09e627ba5c6f9e3d657ce3a91641b8e6e8c0395a3716471582d0d04018c0a375e2cb5092b129e6

C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe

MD5 222ceb24b063460367b15d20ac50e647
SHA1 19362a4db8b571a6b7e3d54a19b578076b9324f7
SHA256 d1d33ff2637972c2c962384096e8b3d0b76924e3952448769288513154d6d26f
SHA512 4886e58835fb1cae960c1bf7cabefdf60a1fa187fc5dad5b5d3cd38a50c5483da944b315bfe838dffe135455748a67ba49182d9bdff305e9be09c5295dec9ed1

C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe

MD5 4f9fdf351c6aadd588d85ce96f190718
SHA1 455335ca7c64ba757a5f0dab2a4461c30b5bbd80
SHA256 ee66e704ef4653b16fbe71187701abae2f37bd7d8c80a5107a2a8129a54ad1ec
SHA512 fb0976917b4ff965e96b28e3df749d2f85a10e3133b7f8a8c956ab12e047023ed0f17ef05fb1e556e0d113807a562a311c294dbc2edea9c125c6c801c2e61dbb

C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe

MD5 06b23b0881a1818f34864746dd112c88
SHA1 5732b8b9d11d55c6aedf262961f54511b2f9b670
SHA256 6a097d3df8d80f47abb5d31d908ae4f049d6cb1fcba45ce0a6480d1b19708698
SHA512 60f7dc5dc045dd59c24ecece3d0b97ada6c4f560f36ffc32e80244019a42315d5e63c5eac20bbeb4e8a4b126c5abd80504fb3ef2cf161c94070d0ba989bf11a2

C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe

MD5 f1ed5321098f0867cdb4c03bf0a77a65
SHA1 97ba541940e8186b7a95f9807810b3da886cb98c
SHA256 9c9d8a0186daf27c1f0e07006b569feb0e8e4bff51ff760b53e0d2f6b8e2986c
SHA512 f2f1f317f996ce6d44e0b4352e35b1c2869c931cb6b2e6163e1f4ff9e93c88c90ee20863a19623cffea51fe32c9a0c29a5dee574fe287e9f5a53d0ff84356803

C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe

MD5 147823e0c53c16c294cb7f028439c109
SHA1 8a22e34fe8e789e09d1f808977e2bad9524caa43
SHA256 9126f9979e7115fcbc5e82f75d6533650372d04c1fc6ab105357ea6fc97ce631
SHA512 d479e13298ef55686b68b8b0233941c8fd434d5a22f7f064ae5f954ba7d97db41629854f63c95544d2eedf5bc7c75dc61706644b1f2b731d8f391c8b25c30ee1

C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe

MD5 ef562588cd9aff34783ebd38b97283ae
SHA1 68a9bd45ef78a88bafb46358ed7001fa4b6d26fa
SHA256 eebbd185eb71c78c261c6a882aaccc9ca906b6241285dd25d0fcec781c92d3c6
SHA512 9051d177a2a867495f850e3ece85abcb4a840120d6cd34f8c0e336be6df4d5a141812d466c37c3d78fb19c7c899c0c7abe88fd38031025c6f10d3e32bc403c80