Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-glvtpadh4t
Target 2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye
SHA256 5ccfe0b40b6ec665f752ebac66c12558b4b987ec716d6e22db495388df57019d
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ccfe0b40b6ec665f752ebac66c12558b4b987ec716d6e22db495388df57019d

Threat Level: Known bad

The file 2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:54

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:54

Reported

2024-06-03 05:56

Platform

win7-20240508-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44B4254-9B52-471d-B70F-42BAF794A13A}\stubpath = "C:\\Windows\\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe" C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F69BDE90-4A04-406d-A2FF-1119A0F35E69} C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71581408-3C2C-4b3a-828C-EB7A94492DAB} C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71581408-3C2C-4b3a-828C-EB7A94492DAB}\stubpath = "C:\\Windows\\{71581408-3C2C-4b3a-828C-EB7A94492DAB}.exe" C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1132057-952A-4365-9945-D35435E2C9D6}\stubpath = "C:\\Windows\\{E1132057-952A-4365-9945-D35435E2C9D6}.exe" C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A26742-0014-4b9c-84BE-34192C2E42FE} C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BEA092-6497-474a-B1A4-55EEBD8AF719} C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}\stubpath = "C:\\Windows\\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe" C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44B4254-9B52-471d-B70F-42BAF794A13A} C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}\stubpath = "C:\\Windows\\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe" C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F84650-5581-4dad-8BF0-7F1DF5058A46} C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F84650-5581-4dad-8BF0-7F1DF5058A46}\stubpath = "C:\\Windows\\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe" C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE74FCD3-F452-4550-8F33-68BAD6F52437} C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE74FCD3-F452-4550-8F33-68BAD6F52437}\stubpath = "C:\\Windows\\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA2FA91-4B32-443d-88C5-FED832668A23}\stubpath = "C:\\Windows\\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe" C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}\stubpath = "C:\\Windows\\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe" C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A26742-0014-4b9c-84BE-34192C2E42FE}\stubpath = "C:\\Windows\\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe" C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1132057-952A-4365-9945-D35435E2C9D6} C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA2FA91-4B32-443d-88C5-FED832668A23} C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2} C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}\stubpath = "C:\\Windows\\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe" C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F84BFE49-A18D-4b57-93FE-594A95DF22D4} C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe N/A
File created C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe N/A
File created C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
File created C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe N/A
File created C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe N/A
File created C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe N/A
File created C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe N/A
File created C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe N/A
File created C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe N/A
File created C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe N/A
File created C:\Windows\{71581408-3C2C-4b3a-828C-EB7A94492DAB}.exe C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe
PID 1904 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe
PID 1904 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe
PID 1904 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe
PID 1904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2588 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe
PID 3052 wrote to memory of 2588 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe
PID 3052 wrote to memory of 2588 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe
PID 3052 wrote to memory of 2588 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe
PID 3052 wrote to memory of 2840 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2840 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2840 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2840 N/A C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2128 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe
PID 2588 wrote to memory of 2128 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe
PID 2588 wrote to memory of 2128 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe
PID 2588 wrote to memory of 2128 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe
PID 2588 wrote to memory of 2500 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2500 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2500 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2500 N/A C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2192 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe
PID 2128 wrote to memory of 2192 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe
PID 2128 wrote to memory of 2192 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe
PID 2128 wrote to memory of 2192 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe
PID 2128 wrote to memory of 1328 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 1328 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 1328 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 1328 N/A C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2652 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe
PID 2192 wrote to memory of 2652 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe
PID 2192 wrote to memory of 2652 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe
PID 2192 wrote to memory of 2652 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe
PID 2192 wrote to memory of 1500 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1500 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1500 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1500 N/A C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2360 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe
PID 2652 wrote to memory of 2360 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe
PID 2652 wrote to memory of 2360 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe
PID 2652 wrote to memory of 2360 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe
PID 2652 wrote to memory of 2424 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2424 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2424 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2424 N/A C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1752 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe
PID 2360 wrote to memory of 1752 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe
PID 2360 wrote to memory of 1752 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe
PID 2360 wrote to memory of 1752 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe
PID 2360 wrote to memory of 236 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 236 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 236 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 236 N/A C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 1100 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe
PID 1752 wrote to memory of 1100 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe
PID 1752 wrote to memory of 1100 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe
PID 1752 wrote to memory of 1100 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe
PID 1752 wrote to memory of 2020 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe"

C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe

C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe

C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE74F~1.EXE > nul

C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe

C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA2F~1.EXE > nul

C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe

C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5B88D~1.EXE > nul

C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe

C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D44B4~1.EXE > nul

C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe

C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F69BD~1.EXE > nul

C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe

C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F84BF~1.EXE > nul

C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe

C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1132~1.EXE > nul

C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe

C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06F84~1.EXE > nul

C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe

C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A26~1.EXE > nul

C:\Windows\{71581408-3C2C-4b3a-828C-EB7A94492DAB}.exe

C:\Windows\{71581408-3C2C-4b3a-828C-EB7A94492DAB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6BEA~1.EXE > nul

Network

N/A

Files

C:\Windows\{AE74FCD3-F452-4550-8F33-68BAD6F52437}.exe


C:\Windows\{3EA2FA91-4B32-443d-88C5-FED832668A23}.exe


C:\Windows\{5B88DA58-FF35-42ea-A373-A4EB7AF98AE2}.exe


C:\Windows\{D44B4254-9B52-471d-B70F-42BAF794A13A}.exe


C:\Windows\{F69BDE90-4A04-406d-A2FF-1119A0F35E69}.exe


C:\Windows\{F84BFE49-A18D-4b57-93FE-594A95DF22D4}.exe


C:\Windows\{E1132057-952A-4365-9945-D35435E2C9D6}.exe


C:\Windows\{06F84650-5581-4dad-8BF0-7F1DF5058A46}.exe


C:\Windows\{A1A26742-0014-4b9c-84BE-34192C2E42FE}.exe


C:\Windows\{C6BEA092-6497-474a-B1A4-55EEBD8AF719}.exe


C:\Windows\{71581408-3C2C-4b3a-828C-EB7A94492DAB}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:54

Reported

2024-06-03 05:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{180CE071-AFA8-469f-8237-0D684ED15B9B}\stubpath = "C:\\Windows\\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe" C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E574702-6458-4453-8CA4-8534A39DC7F9}\stubpath = "C:\\Windows\\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe" C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}\stubpath = "C:\\Windows\\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe" C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}\stubpath = "C:\\Windows\\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe" C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6} C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A6C776-283E-4282-A5EA-FF1786AE6679} C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107} C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}\stubpath = "C:\\Windows\\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD8670C6-6D0A-47e4-B579-C3721C078671}\stubpath = "C:\\Windows\\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe" C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92751F6C-53A7-4a27-97A4-A737FE0C817A} C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92751F6C-53A7-4a27-97A4-A737FE0C817A}\stubpath = "C:\\Windows\\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe" C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A6C776-283E-4282-A5EA-FF1786AE6679}\stubpath = "C:\\Windows\\{F7A6C776-283E-4282-A5EA-FF1786AE6679}.exe" C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E574702-6458-4453-8CA4-8534A39DC7F9} C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD772A2D-4A6B-4d5c-A406-F38E12403C00} C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14843B2-7205-4a4b-99E5-CB57A567496E} C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14843B2-7205-4a4b-99E5-CB57A567496E}\stubpath = "C:\\Windows\\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe" C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381} C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883B9851-BFF0-4b6a-8F56-CE46725EFF44} C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}\stubpath = "C:\\Windows\\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe" C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD8670C6-6D0A-47e4-B579-C3721C078671} C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{180CE071-AFA8-469f-8237-0D684ED15B9B} C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}\stubpath = "C:\\Windows\\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe" C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D} C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}\stubpath = "C:\\Windows\\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe" C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
File created C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe N/A
File created C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe N/A
File created C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe N/A
File created C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe N/A
File created C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe N/A
File created C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
File created C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe N/A
File created C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A
File created C:\Windows\{F7A6C776-283E-4282-A5EA-FF1786AE6679}.exe C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe N/A
File created C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe N/A
File created C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe
PID 2752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe
PID 2752 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe
PID 2752 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 4860 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe
PID 2396 wrote to memory of 4860 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe
PID 2396 wrote to memory of 4860 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe
PID 2396 wrote to memory of 3996 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3996 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3996 N/A C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1200 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe
PID 4860 wrote to memory of 1200 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe
PID 4860 wrote to memory of 1200 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe
PID 4860 wrote to memory of 2960 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2960 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2960 N/A C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 4336 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe
PID 1200 wrote to memory of 4336 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe
PID 1200 wrote to memory of 4336 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe
PID 1200 wrote to memory of 860 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 860 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 860 N/A C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 4768 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe
PID 4336 wrote to memory of 4768 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe
PID 4336 wrote to memory of 4768 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe
PID 4336 wrote to memory of 3372 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3372 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3372 N/A C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 732 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe
PID 4768 wrote to memory of 732 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe
PID 4768 wrote to memory of 732 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe
PID 4768 wrote to memory of 1560 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 1560 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 1560 N/A C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 3516 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe
PID 732 wrote to memory of 3516 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe
PID 732 wrote to memory of 3516 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe
PID 732 wrote to memory of 1236 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1236 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1236 N/A C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2528 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe
PID 3516 wrote to memory of 2528 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe
PID 3516 wrote to memory of 2528 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe
PID 3516 wrote to memory of 2112 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2112 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2112 N/A C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 628 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe
PID 2528 wrote to memory of 628 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe
PID 2528 wrote to memory of 628 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe
PID 2528 wrote to memory of 4920 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 4920 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 4920 N/A C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 756 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe
PID 628 wrote to memory of 756 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe
PID 628 wrote to memory of 756 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2412 N/A C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe
PID 756 wrote to memory of 2412 N/A C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe
PID 756 wrote to memory of 2412 N/A C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe
PID 756 wrote to memory of 2532 N/A C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_27e9afa001da14b6afe70b6d9471bffa_goldeneye.exe"

C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe

C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe

C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{794A3~1.EXE > nul

C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe

C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C1484~1.EXE > nul

C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe

C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD867~1.EXE > nul

C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe

C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{180CE~1.EXE > nul

C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe

C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92751~1.EXE > nul

C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe

C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{78DA4~1.EXE > nul

C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe

C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{883B9~1.EXE > nul

C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe

C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E574~1.EXE > nul

C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe

C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9989C~1.EXE > nul

C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe

C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27763~1.EXE > nul

C:\Windows\{F7A6C776-283E-4282-A5EA-FF1786AE6679}.exe

C:\Windows\{F7A6C776-283E-4282-A5EA-FF1786AE6679}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FD772~1.EXE > nul
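
The file-drop table, the Active Setup stubpath rows and the cmd.exe command lines in the process list above describe one linear chain: each GUID-named exe writes the next one into C:\Windows, registers it under Installed Components, and spawns cmd.exe to delete its own dropper by 8.3 short name (the {794A3~1.EXE form), which is why only the last exe is left on disk. The script below is an added example written for this page, not code from the report or the sample: it re-derives that chain from a subset of rows copied verbatim from the tables above. The pairing of each del command with the exe that spawned it is taken from the order of the process tree, and the 8.3 matcher is a heuristic that assumes the ~1 form.

```python
"""Correlate the dropper chain, the Active Setup registrations and the self-deletion
commands from the flattened sandbox tables. Added example, not part of the report;
the input rows are copied from the page into the constants below."""
import re

# Subset of the 'Drops file in Windows directory' and 'Modifies Installed Components'
# rows, in the report's own flattened "Description Indicator Process Target" layout.
REPORT_ROWS = r"""
File created C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe N/A
File created C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
File created C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe N/A
File created C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}\stubpath = "C:\\Windows\\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe" C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}\stubpath = "C:\\Windows\\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe" C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe N/A
"""

# cmd.exe command lines from the 'Processes' list, paired with the GUID exe that precedes
# each one in the report's process tree (the pairing is an assumption taken from that order).
DELETE_CMDS = [
    (r"C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{883B9~1.EXE > nul"),
    (r"C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4E574~1.EXE > nul"),
    (r"C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9989C~1.EXE > nul"),
    (r"C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{27763~1.EXE > nul"),
]

FILE_RE = re.compile(r"^File created (?P<child>\S+) (?P<parent>\S+) N/A$")
STUB_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup"
    r'\\Installed Components\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\\stubpath = "(?P<stub>[^"]+)" (?P<setter>\S+) N/A$',
    re.IGNORECASE,
)
DEL_RE = re.compile(r"cmd\.exe /c del (?P<target>\S+) > nul$", re.IGNORECASE)


def parse_rows(text):
    """Return ({child: parent} for dropped files, [(guid, stubpath, setter)] for Active Setup rows)."""
    drops, stubs = {}, []
    for line in text.strip().splitlines():
        if m := FILE_RE.match(line):
            drops[m["child"]] = m["parent"]
        elif m := STUB_RE.match(line):
            # the report prints the REG_SZ value with escaped backslashes
            stubs.append((m["guid"], m["stub"].replace("\\\\", "\\"), m["setter"]))
    return drops, stubs


def drop_chain(drops):
    """Order the dropped files root-first by following parent -> child links."""
    roots = set(drops.values()) - set(drops)   # a parent that was never dropped is the root
    if len(roots) != 1:
        raise ValueError("expected exactly one root dropper, got %r" % sorted(roots))
    child_of = {p: c for c, p in drops.items()}
    chain, cur = [], roots.pop()
    while cur is not None:
        chain.append(cur)
        cur = child_of.get(cur)
    return chain


def short_name_matches(short_path, long_path):
    """Heuristic 8.3 check: '{883B9~1.EXE' names '{883B9851-...}.exe' when the part before
    '~' starts the long basename and the extensions agree (collision suffixes other than
    ~1 are not modelled)."""
    short = short_path.rsplit("\\", 1)[-1].upper()
    long_ = long_path.rsplit("\\", 1)[-1].upper()
    if "~" not in short:
        return short == long_
    stem, ext = short.split("~", 1)[0], short.rsplit(".", 1)[-1]
    return long_.startswith(stem) and long_.endswith("." + ext)


def resolve_deletions(delete_cmds, drops):
    """Map each 'cmd /c del' to the dropped file it removes and flag whether that file is
    the dropper of the process that spawned the cmd (the child wiping its own parent)."""
    files = set(drops) | set(drops.values())
    out = []
    for spawner, cmdline in delete_cmds:
        m = DEL_RE.search(cmdline)
        target = None
        if m:
            target = next((f for f in files if short_name_matches(m["target"], f)), None)
        out.append((spawner, target, target is not None and drops.get(spawner) == target))
    return out


def persistence_entries(stubs, drops):
    """For each Active Setup stubpath, check that it points at a dropped file and that the
    component GUID is the dropped file's own name (the pattern in this report)."""
    return [(guid, stub, stub in drops and stub.endswith(guid + ".exe")) for guid, stub, _ in stubs]


if __name__ == "__main__":
    drops, stubs = parse_rows(REPORT_ROWS)
    print(" -> ".join(p.rsplit("\\", 1)[-1][:9] for p in drop_chain(drops)))
    for spawner, target, wipes_parent in resolve_deletions(DELETE_CMDS, drops):
        print("%s deletes %s (own dropper: %s)" % (spawner, target, wipes_parent))
    for guid, stub, ok in persistence_entries(stubs, drops):
        print("Active Setup %s -> %s (dropped file: %s)" % (guid, stub, ok))
```

Running it prints the five-link chain from {883B9851-...} to {FD772A2D-...}, confirms that every del command removes the spawner's own dropper, and shows both stubpath values pointing at files dropped in the same run. The same parsing works on the full tables if the remaining rows are pasted in; the root detection will then find the original sample in AppData\Local\Temp, and its own deletion line (2024-0~1.EXE) resolves the same way.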

Network

The only destinations recorded are Bing hostnames (g.bing.com, www.bing.com, tse1.mm.bing.net) and reverse (in-addr.arpa) lookups sent to 8.8.8.8. The table has no process column, so the report does not attribute any of this traffic to the sample's processes, and no command-and-control destination appears in it.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Windows\{794A3DA1-7472-41a2-A4A2-4F7B4A7EC107}.exe

MD5 cd3c507f5dc73b759b4a6eafc7a0574d
SHA1 5be80498e060130791031f43a768ee70cf580302
SHA256 cefc8613afb1b443cb9aaba43fb59b467ed76be509ef6572af555e202a41b17d
SHA512 df4013eebfc06416b24d47b4ad160afd0da549f5161bad8d3ff36125c14cae35707d967d0bdd3ec2aff641214dc0fd61632e7bc9d03676b6922b339d441aa3aa

C:\Windows\{C14843B2-7205-4a4b-99E5-CB57A567496E}.exe

MD5 7589a8b957c47abb4c3f4e394c99f6a4
SHA1 dcb7488c2c7fb3e8348ca0ec77587d8f6e5146c5
SHA256 eb61cc481212df400a08451494e80c76ffdd5ce3afc5194dfea631df490a4a72
SHA512 c504b616bd27a989d0effa9f926c1357758ae8d0fdf45d0da4050a81da555f424db59cadcec232ab387cfd5b6741d439b3447766aa745967ff1dfa7b3a3cbc81

C:\Windows\{CD8670C6-6D0A-47e4-B579-C3721C078671}.exe

MD5 e378145fd78377200184a6e92fc1af7d
SHA1 9eaafa2176a565999d6b0d65c33fbeeb057e265d
SHA256 6822c0e39fa679b1303e59d2da63aa650162606a91c421fa50ba882937212264
SHA512 87b52d70fd1ab35b9e6fbe2d32ed22b0d1ebfb08fa9a45230b64dc0d57d1499f46ca4600ec279215e25eb1ed54fdd3585adedd41a25513f56d0ab83f342920ee

C:\Windows\{180CE071-AFA8-469f-8237-0D684ED15B9B}.exe

MD5 21e05d9755a3fbb22475cb2706ccd822
SHA1 286a301b6cadb518551b8f8977944aafa3d09555
SHA256 e01bc5bb8e02b2bdffc9aab16eeb32946d4d902e4b4b793aa61ccbc7da58f725
SHA512 451485506fee48de0258aab6c2583303b628e1df57cec0c7bf5fb07fd76536148c55b907eef307a0f16de93ae18da25abf350d1735caaa24bf0c599567ea9da7

C:\Windows\{92751F6C-53A7-4a27-97A4-A737FE0C817A}.exe

MD5 520795aa4c16ad8f0fcf536b82ffaef6
SHA1 95213d4d0266c5193a0093519e7a0837706c609c
SHA256 3453c35aca6d9a90582518a72210823ac5291a1ca5ac1d502f52f9fb761958c1
SHA512 85e59f222e46994cdbbc2944db3d84f7e9b971aa4e4e3eede0a580f0e214f241fbc608f3bde292ca3fe428b2d35a49bdb8b01dd9e25579e9b9594cdd37e2a9ac

C:\Windows\{78DA4EAB-67EF-4b80-AD3F-FC3269C64381}.exe

MD5 0412655879c9a2741cdb5822060e6dfa
SHA1 3118ba7108e77b654dd1743d10f442ab1989e925
SHA256 95144fa6d94a65cb7058768a04890be4a8c14cd60df3090c1837c2b610f56bb6
SHA512 0961f52624db37fcb064627a19e453f84a6305bcec5e3711a04548ee82f1c8997f09df76ab44f2b6ef83ecab30d2a208dd8b12e4091fd05643f2e431dd269abb

C:\Windows\{883B9851-BFF0-4b6a-8F56-CE46725EFF44}.exe

MD5 ba722625dbc35e30a7a7e7316f7fa8d5
SHA1 d7998468a02a9571f0372d2b9d599dce0b7f4f96
SHA256 a161ffde969dace2500c7de3ea5cfcb560b663999a6c6cf8a7f5aafe9ba42e6d
SHA512 b6ea36c5de4a1f9faec737d412469bf9dc24005561ad5d97216cfdb2137f9359c2dda1b90925a164d016a0c3b1084c624031c87e456a8798d51bb648a03b5b70

C:\Windows\{4E574702-6458-4453-8CA4-8534A39DC7F9}.exe

MD5 ee259aceb76368ebd1f507239780f9ff
SHA1 c567009f00a7292450d7ef4b0506b182cccfcd28
SHA256 dcc18173d223ffc8d36a941c0f954035c295badd8abc89ff6f49f0e076b3225b
SHA512 e3dcd79ed8bac6adc9d9c3f19f4b99a7aff193e9e6d7ad64a23b2a32a5a6a4749dc04a63a33f9b3c6e80b532472c2716811422f0307a5e4804b7024161a9fd92

C:\Windows\{9989CFA0-0150-45f8-B76F-6FFC4D581CA6}.exe

MD5 4f568bee77c8f574659d1838e35fc265
SHA1 c926368a1af098427b253fa4ab6e9259ad552bd0
SHA256 04ce8d9cf112913f7cf7414d46f680f1054119966bb96318040b9e7fb11f5d05
SHA512 0ced89ebb1a4d140e32288e55e2f4c70df9a62dea6baf72d9e4da2232e774a5cff2fd2c149e4f960f8ef6d1126eeeebd510bf9f760361ab188c69d63dea72e10

C:\Windows\{27763C0D-8AE3-4303-A4DF-A11F432C1B3D}.exe

MD5 6a7682b3ae93ddc572ab2dd95036b789
SHA1 8e70a5b1367a6565bd0db1271f74e8a98f1621e8
SHA256 42e6e913e1e2cc627a8c0385d6e9e0114eab3ec9aae57b4dab7e24e7bb94ec08
SHA512 6e7e82cb8b87973b7527465b6cae124b5336cf4909f93ec3154329c46b1320eece4526d8d0db10c4f5441f7886d20def6e09462423ff8977aff42f129ce0516f

C:\Windows\{FD772A2D-4A6B-4d5c-A406-F38E12403C00}.exe

MD5 f990a27298c189b0256e5e605c89b915
SHA1 c7d393a2f271f1c889a1305964f003d6139c1183
SHA256 6281860f94b43aa6625b628e8a2e0fb2877c8627bfccfd1f1a45fa0af570eda4
SHA512 7cbfe797c312e90ed783684fe01397f185444f27a8f494a1ca2821a01776fd8c87917fa8179c7250174486d4b7105ad22e27111a65239f4805d872c141543332

C:\Windows\{F7A6C776-283E-4282-A5EA-FF1786AE6679}.exe

MD5 f3e993482bddad2a96d628f23fb1096f
SHA1 3901e860b37261be0bf9d73e7266468873e45222
SHA256 1a323fd6b9354c74b313326a27458a3eb4d3fd8d4a0f1f5c13e05137d653b691
SHA512 740cf8c80dce6f39a080a734c4252b9b1315ccf0484cd67a543e5ad039cefab9d42f0207c61d106546d9a35f3969c4a1ccc8ac268f09e9a895e904b9efd18d0e