Malware Analysis Report

2025-08-10 21:45

Sample ID 240610-fbgcwacb7w
Target 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye
SHA256 dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735

Threat Level: Known bad

The file 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win7-20240508-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (11 hits; no description, indicator, process or target recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1} C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32}\stubpath = "C:\\Windows\\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe" C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF} C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078} C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0} C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32} C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}\stubpath = "C:\\Windows\\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe" C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}\stubpath = "C:\\Windows\\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe" C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}\stubpath = "C:\\Windows\\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}\stubpath = "C:\\Windows\\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe" C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}\stubpath = "C:\\Windows\\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe" C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}\stubpath = "C:\\Windows\\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe" C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022} C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022}\stubpath = "C:\\Windows\\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe" C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F} C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22} C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22}\stubpath = "C:\\Windows\\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe" C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58}\stubpath = "C:\\Windows\\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe" C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}\stubpath = "C:\\Windows\\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe" C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950} C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667} C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58} C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A
File created C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A
File created C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A
File created C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A
File created C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A
File created C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
File created C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A
File created C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A
File created C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A
File created C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A
File created C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 3024 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
PID 1992 wrote to memory of 2608 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2624 (4 events) N/A C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
PID 3024 wrote to memory of 2508 (4 events) N/A C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2832 (4 events) N/A C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
PID 2624 wrote to memory of 2136 (4 events) N/A C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2212 (4 events) N/A C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
PID 2832 wrote to memory of 2188 (4 events) N/A C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1440 (4 events) N/A C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
PID 2212 wrote to memory of 1848 (4 events) N/A C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 1496 (4 events) N/A C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
PID 1440 wrote to memory of 1660 (4 events) N/A C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1608 (4 events) N/A C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
PID 1496 wrote to memory of 2028 (4 events) N/A C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 636 (4 events) N/A C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
PID 1608 wrote to memory of 996 (4 events) N/A C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"

C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe

C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe

C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F730~1.EXE > nul

C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe

C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A03E~1.EXE > nul

C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe

C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA10B~1.EXE > nul

C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe

C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DD998~1.EXE > nul

C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe

C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF19A~1.EXE > nul

C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe

C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26CEF~1.EXE > nul

C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe

C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7CF~1.EXE > nul

C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe

C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4F5~1.EXE > nul

C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe

C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FE993~1.EXE > nul

C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe

C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0BA~1.EXE > nul
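The "Modifies Installed Components" table above lists one "Key created" and one "Set value" row per stage, but in whatever order the sandbox emitted them, so the order of the dropper chain is not readable directly, and the Processes list shows each stage's self-deletion only by 8.3 short name. The Python script below is an added example, not part of this report or of the sample: it parses the flattened rows exactly as printed (the row strings are copied from the behavioral1 table), walks the "process P created key {G}" edges from the submitted sample to recover the eleven stages in execution order, confirms that every StubPath points at the same GUID's EXE in C:\Windows and was written by the process that created the key, and maps the short names in the cmd.exe /c del command lines back to the stage they remove. The same parser accepts the behavioral2 rows, which differ only in the capitalisation of WOW6432Node.

```python
"""Added example (not from the sandbox report): recover the stage order of the
dropper chain from the flattened 'Modifies Installed Components' rows."""
import re

# Submitted sample, as named in the report.
ROOT = r'C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe'
# Rows copied verbatim from the behavioral1 table, in the order the report prints them.
ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1} C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32}\stubpath = "C:\\Windows\\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe" C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF} C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078} C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0} C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32} C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}\stubpath = "C:\\Windows\\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe" C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}\stubpath = "C:\\Windows\\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe" C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}\stubpath = "C:\\Windows\\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}\stubpath = "C:\\Windows\\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe" C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}\stubpath = "C:\\Windows\\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe" C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}\stubpath = "C:\\Windows\\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe" C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022} C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022}\stubpath = "C:\\Windows\\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe" C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F} C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22} C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22}\stubpath = "C:\\Windows\\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe" C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58}\stubpath = "C:\\Windows\\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe" C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}\stubpath = "C:\\Windows\\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe" C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950} C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667} C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58} C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe N/A',
]

AS_KEY = (r'\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup'
          r'\\Installed Components\\\{([0-9A-F-]{36})\}')
KEY_RE = re.compile(r'^Key created ' + AS_KEY + r' (\S+) N/A$', re.I)
STUB_RE = re.compile(r'^Set value \(str\) ' + AS_KEY + r'\\stubpath = "([^"]+)" (\S+) N/A$', re.I)
EXE_RE = re.compile(r'^C:\\Windows\\\{([0-9A-F-]{36})\}\.exe$', re.I)
DEL_RE = re.compile(r'/c del (\S+) > nul', re.I)

def parse_rows(rows):
    """Return ({GUID: process that created the key}, {GUID: (StubPath, process that set it)})."""
    keys, stubs = {}, {}
    for row in rows:
        if m := KEY_RE.match(row):
            keys[m.group(1).upper()] = m.group(2)
        elif m := STUB_RE.match(row):
            stubs[m.group(1).upper()] = (m.group(2), m.group(3))
    return keys, stubs

def dropper_chain(rows, root):
    """Follow 'process P created key {G}' edges from the submitted sample. Each stage
    registers exactly one new component, so the result is the stages' execution order."""
    keys, _ = parse_rows(rows)
    children = {}
    for guid, creator in keys.items():
        children.setdefault(creator.lower(), []).append(guid)
    chain, current = [], root
    while kids := children.get(current.lower()):
        if len(kids) != 1:
            raise ValueError(f'{current} registered {len(kids)} components; not a linear chain')
        if kids[0] in chain:
            raise ValueError(f'cycle at {kids[0]}')
        chain.append(kids[0])
        current = rf'C:\Windows\{{{kids[0]}}}.exe'   # the EXE the new StubPath points at
    return chain

def stubpath_mismatches(rows):
    """GUIDs whose StubPath is not C:\\Windows\\{that same GUID}.exe, or whose StubPath
    was written by a different process than created the key. Empty for this sample."""
    keys, stubs = parse_rows(rows)
    bad = []
    for guid, (path, setter) in stubs.items():
        m = EXE_RE.match(path.replace('\\\\', '\\'))       # the report doubles backslashes
        if not m or m.group(1).upper() != guid or keys.get(guid, '').lower() != setter.lower():
            bad.append(guid)
    return bad

def deleted_stage(cmdline, chain):
    """Resolve a 'cmd.exe /c del C:\\Windows\\{XXXXX~1.EXE > nul' line to the chain GUID
    it removes. Only the first five GUID characters survive in the 8.3 short name;
    None means the target is not a chain stage (e.g. the sample in %TEMP%)."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    short = m.group(1).rsplit('\\', 1)[-1]                # {2F730~1.EXE
    prefix = short.split('~', 1)[0].lstrip('{').upper()   # 2F730
    hits = [g for g in chain if g.startswith(prefix)]
    return hits[0] if len(hits) == 1 else None

if __name__ == '__main__':
    chain = dropper_chain(ROWS, ROOT)
    for i, guid in enumerate(chain, 1):
        print(f'stage {i:2d}: C:\\Windows\\{{{guid}}}.exe')
    print('StubPath mismatches:', stubpath_mismatches(ROWS) or 'none')
```

Two points follow from the recovered chain. Active Setup executes a component's StubPath at each user's next logon if that component is not yet recorded under HKCU, so deleting the C:\Windows\{GUID}.exe files without removing the eleven Installed Components keys leaves the persistence in place (it simply fails to find its binary until something drops it again). And because the stages delete their predecessors by 8.3 short name, any file-name-based block or audit rule that only matches the long GUID names will not see the deletions.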

Network

N/A

Files

C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe

MD5 86c173566b0caacc21e6abaaa327b089
SHA1 8919ed34a8b9e360f804ba2a352e7fc6c81f8b6f
SHA256 962febe74cf2477a3b3be1f5e57256b5569866e6088cf7f1be20e261562713be
SHA512 abf5aab0dd3a2a7013b718d25173fe3e80001466defa37413ad6351eccc60196542b3eb0aeb7a49b94e4e3d3313d32f9e50f523dffd2353b33e822a2f153c879

C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe

MD5 67ebfca75694b65c350ec54f8e53d5dd
SHA1 ad3da2e0ee922e59cacb6dd91e885bd8a257393e
SHA256 42c829b93cb1294ba7d2a54e87ccd67486d8929344b64072f1a7daab2bab382a
SHA512 26125aa5f81ee27a54612f5e2cfc18dc6d02d6e1b47b7286ec926862f0547aba1fa12723d368f88cfc4e3cd54dacd87b582fa3dace2209bd974e79e2f4d6ad7e

C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe

MD5 c4ddbaf73167c38ec392beee6aae1b50
SHA1 5d8fd7c901ae786ddbe2e81438b1685c7a705160
SHA256 26910f10ea894c83f32d0b18ef19f2c05b963b3cc80a07b2c04443cb89ae506d
SHA512 f40e5ee709d202b230905b41fe66a5bc47fed5a2589226575a8d5963b77d2ae8ab89b350a5ce4d2637a074a6e3be437b9f2f1745fe23276b2335ba8ec9c177f6

C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe

MD5 e9b381377d0df4ed61f43cd75f82ce36
SHA1 a310102a90ad1444f0d22467c95e26eb31409107
SHA256 41eb0cf5153859ae8c7ad56467e2fc6278337f549a8491e6d7e51fb9afd15e66
SHA512 4985bfb190ce1e20b1011d70012d227a17fcea45062a35e9252b82b17c6adf44c692570c4a24a6992a57f862571bed6a6b5f6bf02d85a979c10855c8d939ca52

C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe

MD5 2f4d09ebffa6d2adeb8a72722eb2892b
SHA1 71d43b3ac2ab81414db79a91a1b8072114321582
SHA256 3787df0773358b4c344712a6ddc716ac925f69242643ce33939822dca96943ae
SHA512 1a69a6e7f053feedec1e4467cc5383918085e088e5eb09a3b5d4fe476a1263713602a78288e6ea3a9d19c8308037a7af0b75c70c6d15e4317a361003709b187e

C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe

MD5 bba478116d06c7c0063c5ef82c445195
SHA1 0bb943aef7c182c9a00b104fabd6c98f70af50bf
SHA256 c00d54c6828718ff019b8806aaf8a07ba6135b88e134960bc99dcda08078ba43
SHA512 070e76043f56d9597104a2f6a6c2e7d4d3f03a612267bbf4492dfbd0019b2c3245b0ba5516a0cbb3fa6bb3333dd0acca8c7a1ce67366fcd8249928ad929e69fb

C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe

MD5 5751b58bced3236ef5b1d9317d0755ee
SHA1 1c8f945dbd979e848de57cd47dc33446442b00f3
SHA256 516b4df0c8a946c4c531422465865ae99e3c2cb9a77a43527cf37e5aa98e2520
SHA512 647b7c484f8a92543f866c4742a6a5fd6ea740c71abe13344b6e9b8c8aca0b017487a7926b96600efb0cea33104b2a5fa56d41a4276d6ac7ee479c848e776f64

C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe

MD5 0bb26f79349e18b0be1fdaf977919e50
SHA1 1b0c8d96c56ab01b955bfd8ee2ed07967ab85508
SHA256 c0632b2cca657bc14d4d92a75b9e76ebb50ca04cc27ca71fb5624c948cc027a5
SHA512 eb8dad88797d02d04d26489e36bda20270ef7fbe644de8fedcac524b776d95f249708f9d28b96e210bf99be659c23fd3710f5aabea7e05973a931870cb917f1b

C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe

MD5 bb884f39fc82199aa70b287cb4c08df7
SHA1 6ed4de95c877eb5ccc5d0145292e5dad571c0317
SHA256 8eabfe90f0e2db642addff503c40f6999e870f7638a968de3d64f9b037f14fc8
SHA512 c612ee4325d021d634ef386eb91955e84c9648a05be92cc9592bdf8491cdfaf3b10edd3377df2da181d5247bb15b2aab4f43b7f553b928f340787d219c54230f

C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe

MD5 864e9c667f122ccc22c8a4d7f37fe887
SHA1 04e0ff59eef2b6ffd5469de3b7560c0ef0072ae5
SHA256 662725ea473bf3a717b70afc2976aadc055058bde2d5f3c26fed0a3ef7bf5ac6
SHA512 0bdb2f107fdfb948517b8157c93303efcf05fa3d16351d263cfc76f5b9ba0b074318b90ec6ea5874a9697fd704f1727c0780b7212503cdd3df787503b8b63e34

C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe

MD5 96e3b55fd1c63d4730bed8986d48aec3
SHA1 3be4627493c9d34e59bc49db315ae572704120f1
SHA256 65b37a5196e732b1055f2d5332d5d19abc4648295ecb75503d54770aa3a5fce6
SHA512 e0844e092503c2a6f02ebad150e717a5def30b39c48aae69d67ae6388e963aa2c9f2bdbb71e197440800c706b35459dfdc88464fa0f12cf8c94cd9b6c1a645ae

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (12 hits; no description, indicator, process or target recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880} C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}\stubpath = "C:\\Windows\\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe" C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D018DCC-20B1-4859-8016-A6A8A570A740}\stubpath = "C:\\Windows\\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe" C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0883C9-91F7-416e-8D41-423E7FECE663}\stubpath = "C:\\Windows\\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe" C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C3CE43-5EDB-4392-886A-9C8E850710C4}\stubpath = "C:\\Windows\\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe" C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE611F99-0E39-446a-8918-AE3DC8D61DEA} C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49496341-2A68-4c9e-85D7-C07D08C35280}\stubpath = "C:\\Windows\\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040B4ABB-671C-4e34-BC97-8CEF2D607407}\stubpath = "C:\\Windows\\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe" C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}\stubpath = "C:\\Windows\\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe" C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}\stubpath = "C:\\Windows\\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe" C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}\stubpath = "C:\\Windows\\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe" C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46D709-0177-4623-930A-519CE3BF3E17}\stubpath = "C:\\Windows\\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe" C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6195716-AE9A-45f9-8F48-C1D4AEE70017} C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0883C9-91F7-416e-8D41-423E7FECE663} C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{899B4096-D491-442b-9141-37C67BC4DF16} C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}\stubpath = "C:\\Windows\\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe" C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D018DCC-20B1-4859-8016-A6A8A570A740} C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46D709-0177-4623-930A-519CE3BF3E17} C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C3CE43-5EDB-4392-886A-9C8E850710C4} C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F} C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49496341-2A68-4c9e-85D7-C07D08C35280} C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040B4ABB-671C-4e34-BC97-8CEF2D607407} C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9791BA93-6E33-40f0-A5FB-5257BDAF337B} C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{899B4096-D491-442b-9141-37C67BC4DF16}\stubpath = "C:\\Windows\\{899B4096-D491-442b-9141-37C67BC4DF16}.exe" C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
File created C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe N/A
File created C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe N/A
File created C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe N/A
File created C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe N/A
File created C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe N/A
File created C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe N/A
File created C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe N/A
File created C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe N/A
File created C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe N/A
File created C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe N/A
File created C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe
PID 3556 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 1700 N/A C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
PID 3688 wrote to memory of 4360 N/A C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 792 N/A C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
PID 1700 wrote to memory of 4088 N/A C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 3664 N/A C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
PID 792 wrote to memory of 3700 N/A C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 672 N/A C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
PID 3664 wrote to memory of 4560 N/A C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1208 N/A C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
PID 672 wrote to memory of 1612 N/A C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 1796 N/A C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe
PID 1208 wrote to memory of 1012 N/A C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2272 N/A C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe
PID 1796 wrote to memory of 2460 N/A C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 4680 N/A C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
PID 2272 wrote to memory of 3248 N/A C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1476 N/A C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
PID 4680 wrote to memory of 4528 N/A C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4264 N/A C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
PID 1476 wrote to memory of 4424 N/A C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"

C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe

C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe

C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49496~1.EXE > nul

C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe

C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{040B4~1.EXE > nul

C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe

C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC31~1.EXE > nul

C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe

C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9791B~1.EXE > nul

C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe

C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D018~1.EXE > nul

C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe

C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DD088~1.EXE > nul

C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe

C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{899B4~1.EXE > nul

C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe

C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3E46D~1.EXE > nul

C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe

C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41C3C~1.EXE > nul

C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe

C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EE611~1.EXE > nul

C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe

C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6195~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files
