Malware Analysis Report

2025-08-10 21:45

Sample ID: 240610-e2jp9aca9w
Target: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye
SHA256: 32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd
Threat level: Known bad (the file 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye was classified as known bad)

Malicious Activity Summary

persistence

Auto-generated rule (listed twice in the export)
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Read together with the behavioral tables below, the signatures describe one cycle that every stage repeats: write the next stage to C:\Windows\{GUID}.exe, create HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a stubpath value naming that file, execute it, and remove the current stage's own image with cmd.exe /c del <8.3 short name> > nul. Each stage uses a new GUID and every dropped file hashes differently (11 stages on Windows 7 and 12 on Windows 10 before the runs hit their time limits). The persistence is the set of Active Setup entries, which Windows evaluates at the next interactive logon of any user whose HKCU copy of the component key is missing. Writing under HKLM and into C:\Windows needs administrative rights and the report shows no privilege escalation, so the sample relied on already running as the sandbox's Admin user. The Windows 7 run recorded no network activity.

MITRE ATT&CK

Enterprise Matrix V15. The export carried no technique rows; the two techniques the signatures below support directly are:
T1547.014 Boot or Logon Autostart Execution: Active Setup (StubPath values written under Installed Components)
T1070.004 Indicator Removal: File Deletion (each stage removed through cmd.exe /c del)

Analysis: static1

Detonation Overview

Reported: 2024-06-10 04:26

Signatures

Auto-generated rule: matched; the export records no description, indicator, process or target for it.
Unsigned PE: the sample carries no Authenticode signature; the export records no further detail.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 04:26
Reported: 2024-06-10 04:44
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"

Signatures

Auto-generated rule: 11 matches recorded; the export carries no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence
Each row is one registry write by the process in the third column. Windows processes Active Setup at the next interactive logon: for every component key under Installed Components that has no counterpart under the logging-on user's HKCU hive (or whose Version value is newer than the HKCU copy), it runs the StubPath command, so a stage registered here is launched again for every user who logs on after infection. The Wow6432Node path is the WOW64 registry redirector at work, not a choice the sample made: it is a 32-bit image, and the same redirection puts its cmd.exe children under SysWOW64 below, so a hunt has to read both registry views. Every process registers the stage it has just dropped, which fixes the order of the chain (GUIDs abbreviated to their first group): the submitted sample registers {10794911}, which registers {B303CD1E}, then {028D70CB}, {801400A8}, {1C01CA9A}, {26D32D72}, {8441CCA4}, {0EE8B37E}, {DFFFC588}, {B88D074E} and finally {66C3D7B1}.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D}\stubpath = "C:\\Windows\\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E}\stubpath = "C:\\Windows\\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe" C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31} C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D} C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702}\stubpath = "C:\\Windows\\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe" C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C} C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C}\stubpath = "C:\\Windows\\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe" C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}\stubpath = "C:\\Windows\\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe" C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773}\stubpath = "C:\\Windows\\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe" C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9} C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}\stubpath = "C:\\Windows\\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe" C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F} C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E} C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9} C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA} C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773} C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}\stubpath = "C:\\Windows\\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe" C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702} C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31}\stubpath = "C:\\Windows\\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe" C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA} C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}\stubpath = "C:\\Windows\\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe" C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9}\stubpath = "C:\\Windows\\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe" C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
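An Active Setup triage script, added here as an example and not part of the sandbox report or of any tooling it describes. It reads both registry views of Installed Components on a Windows host (via the winreg access flags, so the result does not depend on whether Python itself is 32- or 64-bit) and flags the shapes seen in the table above: a StubPath pointing at a GUID-named executable directly in the Windows root, a StubPath whose target is no longer on disk (the stages here delete themselves), and a component with no Version value. The heuristics are the editor's own; SAMPLE_COMPONENTS is constructed so the script also runs off Windows, and its second entry (the 0000…0001 GUID and example.dll) is a hypothetical benign-looking component, not something from this report.

```python
import os
import re
import sys

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
# A GUID-named executable sitting directly in the Windows directory, the
# StubPath shape every stage in this report used.
GUID_EXE_IN_WINROOT = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)


def stub_executable(stub_path):
    """Program part of a StubPath command line, quoted or bare."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def triage_component(values, exists=os.path.exists):
    """values: the component key's values. Returns the reasons to look closer
    (empty list == nothing unusual). Value names are matched case-insensitively
    because the registry does so too: the lower-case 'stubpath' this sample
    wrote runs exactly like a canonical 'StubPath'."""
    vals = {k.lower(): v for k, v in values.items()}
    stub = vals.get("stubpath")
    if not stub:
        return []                                   # nothing is executed
    exe = stub_executable(stub)
    reasons = []
    if GUID_EXE_IN_WINROOT.match(exe):
        reasons.append("StubPath is a GUID-named exe in the Windows root")
    if not exists(exe):
        reasons.append("StubPath target no longer on disk")
    if "version" not in vals:
        reasons.append("no Version value: runs once for every user lacking the HKCU copy")
    return reasons


def hunt(components, exists=os.path.exists):
    """components: {label: values}. Returns only the flagged entries."""
    flagged = {}
    for label, values in components.items():
        reasons = triage_component(values, exists)
        if reasons:
            flagged[label] = reasons
    return flagged


def collect_active_setup():
    """Windows only: read Installed Components from the 64-bit and the 32-bit
    (Wow6432Node) view by access flag rather than by literal path."""
    import winreg
    out = {}
    for tag, view in (("64", winreg.KEY_WOW64_64KEY), ("32", winreg.KEY_WOW64_32KEY)):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP, 0, winreg.KEY_READ | view)
        except OSError:
            continue                                # view absent (32-bit Windows)
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                    vals = {}
                    for j in range(winreg.QueryInfoKey(sub)[1]):
                        vname, data, _ = winreg.EnumValue(sub, j)
                        vals[vname] = data
                out[f"{tag}:{name}"] = vals
    return out


# Constructed entries for running off Windows: the first mirrors the behavioral1
# rows above, the second is a hypothetical benign-looking component.
SAMPLE_COMPONENTS = {
    "32:{10794911-E79A-42ef-8CE2-19B63A14FC1D}": {
        "stubpath": r"C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe"},
    "64:{00000000-0000-0000-0000-000000000001}": {
        "StubPath": r'"C:\Windows\System32\rundll32.exe" example.dll,Install',
        "Version": "1,0,0,0"},
}

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    comps = collect_active_setup() if on_windows else SAMPLE_COMPONENTS
    # off Windows, stand in for the on-disk check so the demo is meaningful
    exists = os.path.exists if on_windows else (lambda p: "system32" in p.lower())
    for label, reasons in hunt(comps, exists).items():
        print(label, "->", "; ".join(reasons))
```

On a live host, a dangling StubPath is itself worth keeping: the entry still fires at every new logon, and its GUID is the only trace left once the stage file has deleted itself.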

Deletes itself

Each stage spawns a child cmd.exe with "/c del <8.3 short name of its own image> > nul" (the command lines are listed under Processes). The deletion is performed by that child, which is why the Process column shows cmd.exe rather than the stage.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
File created C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
File created C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
File created C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
File created C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
File created C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
File created C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
File created C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
File created C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
File created C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A
File created C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A

Suspicious use of AdjustPrivilegeToken

SeIncBasePriorityPrivilege only allows a process to raise scheduling priority. Every stage enables it on its own token, which makes it a consistent fingerprint of the chain but not a privilege escalation.
Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A

Suspicious use of WriteProcessMemory

Every parent/child pair below was recorded four times in the original export; the repeats are collapsed here. The pairs follow the spawn sequence under Processes (each stage writes into the next stage and into its own cmd.exe), which is consistent with a parent initialising a child it has just created rather than with injection into an unrelated, pre-existing process.
Description Indicator Process Target
PID 848 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
PID 848 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2708 N/A C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
PID 2264 wrote to memory of 2692 N/A C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2752 N/A C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
PID 2708 wrote to memory of 2820 N/A C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3008 N/A C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
PID 2752 wrote to memory of 2316 N/A C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1516 N/A C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
PID 3008 wrote to memory of 1448 N/A C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1916 N/A C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
PID 1516 wrote to memory of 1672 N/A C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 328 N/A C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
PID 1916 wrote to memory of 1420 N/A C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 1572 N/A C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
PID 328 wrote to memory of 2404 N/A C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Twelve chain processes plus the cmd.exe each of them spawned. The table merges the image-path and command-line pairs of the original listing: a stage's command line is simply its own path, and every cmd.exe command line reads "C:\Windows\system32\cmd.exe /c del <8.3 short name> > nul" while the image that actually ran was C:\Windows\SysWOW64\cmd.exe (WOW64 file-system redirection for a 32-bit parent). PIDs are those in the WriteProcessMemory table; the export records none for the last stages.

Stage  Process (PID)                                                                                           cmd.exe spawned to delete it (PID)
0      "C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe" (848)   /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul (2712)
1      C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe (2264)                                          /c del C:\Windows\{10794~1.EXE > nul (2692)
2      C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe (2708)                                          /c del C:\Windows\{B303C~1.EXE > nul (2820)
3      C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe (2752)                                          /c del C:\Windows\{028D7~1.EXE > nul (2316)
4      C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe (3008)                                          /c del C:\Windows\{80140~1.EXE > nul (1448)
5      C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe (1516)                                          /c del C:\Windows\{1C01C~1.EXE > nul (1672)
6      C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe (1916)                                          /c del C:\Windows\{26D32~1.EXE > nul (1420)
7      C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe (328)                                           /c del C:\Windows\{8441C~1.EXE > nul (2404)
8      C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe (1572)                                          /c del C:\Windows\{0EE8B~1.EXE > nul (PID not recorded)
9      C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe                                                 /c del C:\Windows\{DFFFC~1.EXE > nul
10     C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe                                                 /c del C:\Windows\{B88D0~1.EXE > nul
11     C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe                                                 (no cmd.exe recorded before the run ended)
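The registry, file and process rows of this run are listed in whatever order the sandbox emitted them; the script below, added here as an example that is not part of the report, rebuilds the stage order from them and checks two things the tables imply: that every stage registered in Active Setup exactly the file it dropped, and that every stage except the last was removed by a cmd.exe del naming its own 8.3 alias. The EVENTS input is constructed by copying rows from the behavioral1 tables above; the 8.3 alias rule (first six characters, "~1", upper-cased extension) is an assumption that holds for the names in this report, not a general short-name generator.

```python
import re

# Constructed input: rows copied verbatim from the behavioral1 tables on this
# page (registry "Set value" rows, "File created" rows and cmd.exe command
# lines). In practice, feed the report's text or JSON export instead.
EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D}\stubpath = "C:\\Windows\\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E}\stubpath = "C:\\Windows\\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe" C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702}\stubpath = "C:\\Windows\\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe" C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C}\stubpath = "C:\\Windows\\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe" C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}\stubpath = "C:\\Windows\\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe" C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773}\stubpath = "C:\\Windows\\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe" C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}\stubpath = "C:\\Windows\\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe" C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}\stubpath = "C:\\Windows\\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe" C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31}\stubpath = "C:\\Windows\\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe" C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}\stubpath = "C:\\Windows\\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe" C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9}\stubpath = "C:\\Windows\\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe" C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
File created C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe N/A
File created C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe N/A
File created C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
File created C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe N/A
File created C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe N/A
File created C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe N/A
File created C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe N/A
File created C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe N/A
File created C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe N/A
File created C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe N/A
File created C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe N/A
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{10794~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B303C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{028D7~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{80140~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{1C01C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{26D32~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{8441C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE8B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFFC~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B88D0~1.EXE > nul
"""

STUB_RE = re.compile(
    r'^Set value \(str\) .*\\Installed Components\\\{[0-9A-Fa-f-]+\}\\stubpath'
    r' = "([^"]+)" (\S+) N/A$', re.IGNORECASE)
FILE_RE = re.compile(r'^File created (\S+) (\S+) N/A$')
DEL_RE = re.compile(r'cmd\.exe /c del (\S+) > nul$', re.IGNORECASE)


def parse_events(text):
    """writer -> registered StubPath, writer -> dropped file, paths handed to del."""
    registered, dropped, deleted = {}, {}, []
    for line in text.strip().splitlines():
        if m := STUB_RE.match(line):
            # the sandbox doubles backslashes inside the quoted value
            registered[m.group(2)] = m.group(1).replace("\\\\", "\\")
        elif m := FILE_RE.match(line):
            dropped[m.group(2)] = m.group(1)
        elif m := DEL_RE.search(line):
            deleted.append(m.group(1))
    return registered, dropped, deleted


def order_chain(registered):
    """Follow writer -> StubPath target from the one process nobody registered
    (the submitted sample) down to the last stage."""
    targets = set(registered.values())
    roots = [w for w in registered if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected a single chain root, got {roots}")
    chain = [roots[0]]
    while chain[-1] in registered:
        chain.append(registered[chain[-1]])
    return chain


def short_name(path):
    """8.3 alias as cmd.exe saw it: first six characters of the base name, '~1'
    (first alias in that directory), upper-cased extension. Assumption: plain
    ASCII names and parent directories already within 8.3, as in this report."""
    directory, _, name = path.rpartition("\\")
    base, _, ext = name.rpartition(".")
    return f"{directory}\\{base[:6]}~1.{ext.upper()}"


def analyse(text):
    registered, dropped, deleted = parse_events(text)
    chain = order_chain(registered)
    deleted_lc = {d.lower() for d in deleted}
    return {
        "chain": chain,
        # did every stage register exactly the file it dropped?
        "drop_matches_stubpath": all(dropped.get(w) == t for w, t in registered.items()),
        # which stages were removed by a del naming their own 8.3 alias?
        "self_deleted": [s for s in chain if short_name(s).lower() in deleted_lc],
    }


if __name__ == "__main__":
    result = analyse(EVENTS)
    for i, stage in enumerate(result["chain"]):
        print(f"stage {i:2d}: {stage}")
    print("every stage registered the file it dropped:", result["drop_matches_stubpath"])
    print("still on disk at end of run:",
          [s for s in result["chain"] if s not in result["self_deleted"]])
```

The output shows what a responder inherits after a run like this: eleven Active Setup entries whose targets have already been deleted, and a single surviving stage (the last one dropped) that is the only file the StubPath mechanism can still launch at the next logon.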

Network

N/A

Files

Eleven dropped stages, each with a different hash, so the values below identify only this run. For detection, key on the behaviour (a GUID-named executable in the Windows root registered as an Active Setup StubPath, followed by cmd.exe /c del of its 8.3 name) rather than on these hashes.

C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe

MD5 7c2c750a390c08138b28045ec14e5da9
SHA1 628ac48125906a3cdb5f0d91c38330f24c66e58b
SHA256 16a0cbbca6817b8f0523053b15f7bbbbf00deb764163eaa66c2cbc0ebb4d4633
SHA512 ce0937c20e4133c6ed6ace6553ba037f2de0ff009a9f7c8544c9dcc555a2739a1271540e12668039bd781ea8cfd69aefa3ede44f3f77ef73c7d2639447e3bc94

C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe

MD5 1cbeafb668317a7722c6466f66085ec5
SHA1 c81500d7ce44b2c736a0006d51fd250dc5bfded8
SHA256 0241153823616050013a1c4b7f5d9e45ea38ab7b2c223b9c80f1c72397621e4d
SHA512 b368b330c85104511a02710cf50f1a8c7c67f0e1ba45ee86d7c7d7fdd543c48e05394c18d154e63b6e4f80ce8080f7d8dc5e3b6424d417e43b216949aca201e9

C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe

MD5 32abf136737b41587b273bf80e2eef3b
SHA1 95ba1edec3b4c574f10ff360d816ec5bb5e15c06
SHA256 4fb461a9b65778ccf66886b0d27676db8d917aea3a9c82d22fe620389571961f
SHA512 11c8388a6406885ef401300ab43f795fcbdc114de916dd2faf409dccc0fab0f2096c94986667c53c4a07f0ffd6de5a72f5661d6a2fd6dd1cf428a212e7f3e447

C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe

MD5 8f17fea1e1765e222a3ec6e30f75aeb2
SHA1 9ed24768f56862f69b05d038f03b2fa737c708e6
SHA256 8a58d79e41ccb0eca29ccc3d594577f49d645826a9ba26ea99a49a98c0f7bd26
SHA512 e4b1ef49b3affbb378e21c04c66b1a058e6290afea83851440fd537384a00db970ae7f33aceb6d4dbd984461da6cbc818ecf25331831bed62fcf96766af3462f

C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe

MD5 15ac04327674cb3c511eb80b37a8205c
SHA1 0691e341ceac2b9e6383c36e81d371541b447e05
SHA256 cc9d7087b8820552acd5a4fbc0113b21a17d25005908cc9fda698a6666b81eda
SHA512 5860a33d58084d2cd0aeb5bc9b014cfcd1cd341e26366fd3f5376a9d11c8ad1591221b3e05c6f23971a590eaebfbe06d01e7359ad21d14b45d340a8483e4d5e4

C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe

MD5 eb0111f0f0e4cb4190064121613d0bd6
SHA1 c67693986926a7099e1cd5f93482401eac5b7a97
SHA256 ed1e4ccc7accb1ce67aa9ea75eee37c236eff009aecdf90171aeae3edc54fb11
SHA512 226237c4d19ec6a3c179f4fa8216af5996c89076b6e5d527ce08ebf71dd38d81446e162988cc70809e36839b7e271f0faced508b2790eb72f209e9a31dace377

C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe

MD5 8ad4e2ec5080bcbdbd9b6bff36c266c1
SHA1 8f60e343c73665c6051e8d5726df713d825af971
SHA256 885388e2da1da36fa00dbc3ac1cee1adadf7870027dceb6755cc748cf5abb3cb
SHA512 38752f6a03a59e3415ff0f5489931a1b4e6f3dc4229768190e4243e3cb932200e5eb6dd48d668314b1b1b5fbf4bd1254b65d4a211441cea373e3dbe3188df5e1

C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe

MD5 47ea89c92d8b695ed2bdbfb2188f2c5b
SHA1 638dd1566751cdf32145535b63c351ac5f91aad2
SHA256 c403c4cc26b6efbf43e76f7b3249d24b3d9c32aadb3bf75fdbf840e85f3878e9
SHA512 3166b53375485a8ef40316d63363b194b5d30abe15dd43283071fd8ee1b14f4dee20fc5cf1adfe3f38745047d22d97f3c8a4d7c454b3501649b3b89700ead7bb

C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe

MD5 e45e796a8ca92de1a58558505163dfeb
SHA1 5dcd257259f1ebcc069481fd99b3e548c90497cd
SHA256 e5ac24180ef8fe260b8b06b5d00c61475e5c4939893ae42c2a048487b3f56edf
SHA512 77e1eb484d58329d4184d6b2b25d3c53db0dd28bcead0856cd26e0c019dc14f768afbea17650e075ef9ab541c3b2b24313ba9b7b76dd31cf40bf4ffd3e0e5ec3

C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe

MD5 863a852135fe62a52596bf704159d36a
SHA1 2cac4b461da9d4a8b4df30da52f20f7f2ad7fa91
SHA256 b52f3cda897fca2beead34e08e941f16c7b9f2c0b83ac05e63b6ef668e3c4dc3
SHA512 4d85535617e262bdb79da9b6ad2c32bcf2b485d564a0dc7aeaeb91b0f6ae8b27da07fd779648353af06d3294a2e0751d6c0d161da23707bb541751d68a365105

C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe

MD5 7ed226c3e2880cc71aaecdca5a4a5550
SHA1 fe4345f38f059309fce810f17b3661040c5ec749
SHA256 02bddfa355e3e2ca035c0e59681adbbc5d5e319197d6844027bae7c62856df65
SHA512 668e81c5ce237fea5d940de424ff41805957351e477f4ec8e7d98f28bee06d1d427c40bb66f1da55e6d756f5e25eee0d94a1e75fa1f9f5d21a017a754e7cf8a2

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 04:26
Reported: 2024-06-10 04:44
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"

Signatures

Auto-generated rule: 12 matches recorded; the export carries no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence
Same mechanism as on Windows 7 (see behavioral1) with a fresh set of GUIDs; the WOW6432Node spelling differs from the Windows 7 rows only in case, and registry paths are case-insensitive. Ordered by writer, the chain is: sample -> {F0104825} -> {C2A682C2} -> {CD4CB6AC} -> {E8825FC7} -> {F50FC2B4} -> {253CEE22} -> {129BE98C} -> {D0BAF376} -> {E6109D2F} -> {06DB9891} -> {6FA2E466} -> {74DD85F7} (GUIDs abbreviated to their first group), one stage further than the Windows 7 run reached before its time limit.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DB9891-8343-4caa-822E-60B5E012922A}\stubpath = "C:\\Windows\\{06DB9891-8343-4caa-822E-60B5E012922A}.exe" C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD} C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}\stubpath = "C:\\Windows\\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe" C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}\stubpath = "C:\\Windows\\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe" C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}\stubpath = "C:\\Windows\\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe" C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129BE98C-B259-4ae0-8C01-0C29B501F704} C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}\stubpath = "C:\\Windows\\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe" C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DB9891-8343-4caa-822E-60B5E012922A} C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9} C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}\stubpath = "C:\\Windows\\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe" C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0104825-97CA-4d65-9868-E9DD53927D31} C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9} C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6109D2F-6362-4280-9F69-8D09CDA2408E} C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6109D2F-6362-4280-9F69-8D09CDA2408E}\stubpath = "C:\\Windows\\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe" C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}\stubpath = "C:\\Windows\\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe" C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BAF376-0BA0-4a30-8EB2-895B4927877E} C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0104825-97CA-4d65-9868-E9DD53927D31}\stubpath = "C:\\Windows\\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1} C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}\stubpath = "C:\\Windows\\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe" C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811} C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253CEE22-2A53-4b91-B0D5-899E5784A7D6} C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}\stubpath = "C:\\Windows\\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe" C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129BE98C-B259-4ae0-8C01-0C29B501F704}\stubpath = "C:\\Windows\\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe" C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2} C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe N/A
File created C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe N/A
File created C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe N/A
File created C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe N/A
File created C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe N/A
File created C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe N/A
File created C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe N/A
File created C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe N/A
File created C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe N/A
File created C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe N/A
File created C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe N/A
File created C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
PID 5060 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
PID 5060 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
PID 5060 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4188 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
PID 4032 wrote to memory of 4188 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
PID 4032 wrote to memory of 4188 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
PID 4032 wrote to memory of 3196 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3196 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3196 N/A C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 2088 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
PID 4188 wrote to memory of 2088 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
PID 4188 wrote to memory of 2088 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
PID 4188 wrote to memory of 1636 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1636 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1636 N/A C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 3680 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
PID 2088 wrote to memory of 3680 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
PID 2088 wrote to memory of 3680 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
PID 2088 wrote to memory of 2716 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2716 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2716 N/A C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3092 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
PID 3680 wrote to memory of 3092 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
PID 3680 wrote to memory of 3092 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
PID 3680 wrote to memory of 3900 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3900 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3900 N/A C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 4892 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
PID 3092 wrote to memory of 4892 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
PID 3092 wrote to memory of 4892 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
PID 3092 wrote to memory of 4224 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 4224 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 4224 N/A C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3744 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
PID 4892 wrote to memory of 3744 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
PID 4892 wrote to memory of 3744 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
PID 4892 wrote to memory of 4688 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4688 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4688 N/A C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 1708 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
PID 3744 wrote to memory of 1708 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
PID 3744 wrote to memory of 1708 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
PID 3744 wrote to memory of 2612 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2612 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2612 N/A C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 112 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
PID 1708 wrote to memory of 112 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
PID 1708 wrote to memory of 112 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
PID 1708 wrote to memory of 1888 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1888 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1888 N/A C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe C:\Windows\SysWOW64\cmd.exe
PID 112 wrote to memory of 2636 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
PID 112 wrote to memory of 2636 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
PID 112 wrote to memory of 2636 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
PID 112 wrote to memory of 4856 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\SysWOW64\cmd.exe
PID 112 wrote to memory of 4856 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\SysWOW64\cmd.exe
PID 112 wrote to memory of 4856 N/A C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 4056 N/A C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
PID 2636 wrote to memory of 4056 N/A C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
PID 2636 wrote to memory of 4056 N/A C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
PID 2636 wrote to memory of 2604 N/A C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"

C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe

C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe

C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul

C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe

C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul

C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe

C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4CB~1.EXE > nul

C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe

C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E8825~1.EXE > nul

C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe

C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F50FC~1.EXE > nul

C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe

C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{253CE~1.EXE > nul

C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe

C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{129BE~1.EXE > nul

C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe

C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BAF~1.EXE > nul

C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe

C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6109~1.EXE > nul

C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe

C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06DB9~1.EXE > nul

C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe

C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA2E~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe

MD5 d2b566b208dd8db8a9d12bc97169351f
SHA1 29feb60c0598ada5572c70ea3084c66ff1935519
SHA256 142899008b4852574767770070a70ff208310acf32cc381a43dfce5ce67b734f
SHA512 95fdc3806e0ca1a089df41227f87cfb321d0fb3fb861786ee90aac7cf7ac835272bc979ef87dbd85232c7f91e3b95237d134f6143e062fbf3b1e297649439a1d

C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe

MD5 e01abea8d50e1c91c18d6887bed33a29
SHA1 ff616546bee9aa5047a998dc5cd65951ce4d113f
SHA256 025fda0d9a27a811ac20b7a46f664103039557180c09c3789e4ed8e3e04218ff
SHA512 fe79362bcf8c7850f6b0c757a34cee48012cc90801dac27d37e173be234b32a156338fbb903f38473b14de02f938d41f654eaa02bda29fb208a8d821cb97ac68

C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe

MD5 5a3c70114c8e0edc502fc16b02391be7
SHA1 33840bb2840bd2385a6e789a7a1849130732ec3f
SHA256 285d27c2154ae895a14f7a2fbbd2c748fec1eacc1ad0274f316979b81f3c0d3d
SHA512 3168e07d23932c7302f7d8af9b8e3fba7317f2ccca7e8252b8b98732eb7add542173e41fab0d4bea8ad1a38569455ab0b0eec2ca285a7103c7ef17c10d42ab4b

C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe

MD5 63496a663cf80c04bd1a8013932051db
SHA1 cabef2e745be4f0bf42dd6e345c0fd3d9b9d958c
SHA256 76121bd0b5afc4f021707461b552c137b6c628d33bc2e5ea9a47ef317811df93
SHA512 9273206fdfaed99724beb9396188de24d15bba788e4df1ab22e129cc6449a93da22add947aa67029dbf7d281e8ab67b2cba19d5cb507e9b55f31c118eb568a54

C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe

MD5 2de345ffaa5fc9a54cf8d203651457d3
SHA1 29649874ef298e5977266d2172bbffc344274e61
SHA256 015ee27a72650314b90084ff0b97955f1d80b864728390b3d93477fc7bd413dd
SHA512 529381786394afc1d7c71ef8058a939e7ea3c1c3584c4836dd2b02ade2b8705362015a22eb94638dc06d55e6b5f667057a0af1086aa329b4724d88a6d1152fe4

C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe

MD5 d91e159db83f6e991d2edbc75100c43d
SHA1 3becb2fd7b4f4a141f542daec824c05c799cadc0
SHA256 e288847f94b9561f60b82b35856a51caca76ad381baf38afd2c75d49f3e72d71
SHA512 5e0cfbdc4f45a1b8329fa76946931d32f2f4a044f1b97a8513f9f4fbc51dd9134c7491c2c29433e15da9f2fe979d4cb956c8d198e91de7fd0773777209eeb7e5

C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe

MD5 4c9fa31fb9b23340cb293ee6b19fc12f
SHA1 d5615a2162383b95855c0aff123f18d9fed1cd0e
SHA256 fc1dfe89163ec96026341b5b996383eae1657bf4382b49ecd3a0c846850dbc99
SHA512 b17ab89450460e92c85ab5a67b63fe803faa74ee344f4690c9c81e31a2ae09633f1f1ae09dc6b2b1652bec46c5c6306b3400e623fbc3be923b4ab52ac3ecb3a4

C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe

MD5 cb56216678cbe1c8c04bb174cf61b548
SHA1 270bf37f78b17bce6a4879f44c8a77a662ba98ab
SHA256 210e1065f01360794b86cf66364007d4fd17d48c9881d8768d52ab1da28a0e75
SHA512 78b46053e59fb442a1cb7a51bad0e9aa6c8cdc992a54fd5d0f41e3152cc23810c584a9e164f9d81bf848b521b65a1cc5976db02503e1c4d9c099021f82629fd3

C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe

MD5 4b8cb53c1cd076eaf9f05ac1e4e3f397
SHA1 2abe56f609844b6bfea3922ad253c4e76eb61b80
SHA256 0024cb315cefe4140677100db5468c87557aaa9715b268e8f91a2201aa12f708
SHA512 1867f03639a99b6a8bf67b2e1626dd40ea2b73ac52ff6c65c1a544d534254d6c9c20d19ed3e3d4041228d464ffada615d18056e9a6c3faea96a1e3acc33c59e5

C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe

MD5 52a6508c83201961279cffdf15166ad8
SHA1 687a35703df12796f771fff8871ba46448c24078
SHA256 a413c57847b54e725f79c6ef322f32472c6cd044d2c915ee7005db360dab5638
SHA512 e3d1f2288733650e712f227bbe6025d3ac2dca8a517291adb89ae7b7e3273478be631a27d32cbd5a779d75ed04370035db06340e8494b53556323b392020805a

C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe

MD5 849aafc33d8e9e9f802ae9635d93271c
SHA1 f9431ed1c778401aa507d428a490da841c6dc935
SHA256 cc61ec33126ff3adcd4c6000bf49c7efe0ed19ce92e56c69ed82d1da0eb25dda
SHA512 d5f3669f7639ad4cb4cdc8fe59c60fe6308a080cfd4132337a9adde3f79030ea7e636bb409e17fece7e77a7334e882ae0af92d8081b8a70b7e634b875067740b

C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe

MD5 6620dcf96063862d0c76038b19b90ce8
SHA1 9b459e3c57b50816220ed43c35dc3ba366179de0
SHA256 4ac32cc2406c9d8b7c7686654c0a89968412a4f588c76b61e2f3f7ddf59a5180
SHA512 708230c1661ed1b7acde2b33b48423d3cb2eaeef7680b1c8c83a710064ffa9a03952bcb0c1dcbaaf1b439556b264ac13b27cda04fbbd47d450e4b595e5d971fd