Malware Analysis Report

2025-08-10 21:45

Sample ID 240610-fblbtsch33
Target 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye
SHA256 0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9
Tags persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9

Threat Level: Known bad

The file 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win7-20240215-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}\stubpath = "C:\\Windows\\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66572100-77AE-48f3-B508-EC39010AE0BE} C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}\stubpath = "C:\\Windows\\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe" C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F16710F-609B-44eb-98AD-6781E8A5C6C0} C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}\stubpath = "C:\\Windows\\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe" C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E} C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3} C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}\stubpath = "C:\\Windows\\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe" C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29} C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66572100-77AE-48f3-B508-EC39010AE0BE}\stubpath = "C:\\Windows\\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe" C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}\stubpath = "C:\\Windows\\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe" C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}\stubpath = "C:\\Windows\\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe" C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8737155-FE68-4a3a-9183-4811E2F23581}\stubpath = "C:\\Windows\\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe" C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E59FBF-8120-4fc1-B334-2317DE71C53E} C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}\stubpath = "C:\\Windows\\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe" C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E} C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8} C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD} C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6} C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}\stubpath = "C:\\Windows\\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe" C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8737155-FE68-4a3a-9183-4811E2F23581} C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}\stubpath = "C:\\Windows\\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe" C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe N/A
File created C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe N/A
File created C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
File created C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
File created C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
File created C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe N/A
File created C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe N/A
File created C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe N/A
File created C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
File created C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe N/A
File created C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe N/A
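
The two tables above record one mechanism. Each stage writes the next stage to C:\Windows\{GUID}.exe and registers that path as the stubpath of an Active Setup "Installed Components" key carrying the same GUID; Active Setup runs a StubPath at interactive logon for every user whose HKCU copy of that key is missing, so the dropped file is re-executed at the next logon. The keys land under the Wow6432Node view because the sample runs as a 32-bit process (the children are SysWOW64\cmd.exe). The rows are logged out of order, and the Files section below shows a different hash for every dropped stage, so a hunt has to key on this behaviour rather than on hashes. The following Python is an added example, not part of the sandbox report: it parses a constructed subset of the rows above (the first four stages, copied verbatim but shuffled), reconstructs the drop order from the dropper/dropped-file relation, and checks for each stage that its own dropper registered a stubpath equal to the dropped path and that the stubpath points at a GUID-named executable directly in C:\Windows. The GUID_STUB_RE heuristic and the field names in the findings are this example's own choices.

```python
import re

# Constructed input: eight rows copied from the behavioral1 tables above
# (four "Set value (str)" rows from the Active Setup table, four "File
# created" rows from the drop table), deliberately in the report's unordered form.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}\stubpath = "C:\\Windows\\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe" C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
File created C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}\stubpath = "C:\\Windows\\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
File created C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66572100-77AE-48f3-B508-EC39010AE0BE}\stubpath = "C:\\Windows\\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe" C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
File created C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}\stubpath = "C:\\Windows\\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe" C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
File created C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
"""

# Row shapes as the report prints them: "Set value (str) <key>\stubpath = "<value>" <process> N/A"
# and "File created <path> <process> N/A". Wow6432Node/WOW6432Node differ between runs, hence IGNORECASE.
STUB_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432NODE\\Microsoft'
    r'\\Active Setup\\Installed Components\\\{(?P<guid>[0-9A-F-]{36})\}\\stubpath'
    r' = "(?P<stub>[^"]+)" (?P<proc>\S+) N/A$',
    re.IGNORECASE,
)
DROP_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+) N/A$')

# Detection heuristic (this example's own): an Active Setup StubPath pointing at a
# GUID-named executable sitting directly in C:\Windows, not in System32 or Program Files.
GUID_STUB_RE = re.compile(r'^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe$', re.IGNORECASE)


def parse_rows(text):
    """Return (stubs, drops): stubs maps GUID -> (stub path, registering process),
    drops maps dropped file -> dropping process."""
    stubs, drops = {}, {}
    for line in text.strip().splitlines():
        if (m := STUB_RE.match(line)):
            # The report prints the registry string with doubled backslashes.
            stubs[m["guid"].upper()] = (m["stub"].replace("\\\\", "\\"), m["proc"])
        elif (m := DROP_RE.match(line)):
            drops[m["path"]] = m["proc"]
    return stubs, drops


def reconstruct_chain(text):
    """Order the stages by following dropper -> dropped file from the root process
    (the only dropper that was not itself dropped) and, for each dropped stage,
    check that its own dropper registered a matching Active Setup StubPath."""
    stubs, drops = parse_rows(text)
    child_of = {parent: child for child, parent in drops.items()}
    roots = [p for p in child_of if p not in drops]
    assert len(roots) == 1, "expected exactly one root process"
    chain, findings = [roots[0]], []
    while chain[-1] in child_of:
        child = child_of[chain[-1]]
        guid = child.rsplit("\\", 1)[-1][1:-5]  # strip "{" and "}.exe"
        stub, registrar = stubs.get(guid.upper(), (None, None))
        findings.append({
            "stage": child,
            "registered_by_dropper": registrar == chain[-1],
            "stub_matches_file": stub == child,
            "guid_stub_in_windows_dir": bool(stub and GUID_STUB_RE.match(stub)),
        })
        chain.append(child)
    return chain, findings


if __name__ == "__main__":
    chain, findings = reconstruct_chain(REPORT_ROWS)
    for stage, f in zip(chain[1:], findings):
        print(stage.rsplit("\\", 1)[-1], f)
```

On a live host the same check applies to the values under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its Wow6432Node twin: legitimate entries there carry version strings and StubPaths such as regsvr32 invocations of Windows DLLs, so a StubPath that is nothing but a GUID-named .exe in the Windows root, written by a process that also created that file, is the indicator to alert on.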

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
PID 844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
PID 844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
PID 844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
PID 844 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2920 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
PID 3052 wrote to memory of 2920 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
PID 3052 wrote to memory of 2920 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
PID 3052 wrote to memory of 2920 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
PID 3052 wrote to memory of 2564 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2564 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2564 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2564 N/A C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2464 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
PID 2920 wrote to memory of 2464 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
PID 2920 wrote to memory of 2464 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
PID 2920 wrote to memory of 2464 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
PID 2920 wrote to memory of 2832 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2832 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2832 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2832 N/A C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
PID 2464 wrote to memory of 2256 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
PID 2464 wrote to memory of 2256 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
PID 2464 wrote to memory of 2256 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
PID 2464 wrote to memory of 2172 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2172 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2172 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2172 N/A C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2988 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
PID 2256 wrote to memory of 2988 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
PID 2256 wrote to memory of 2988 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
PID 2256 wrote to memory of 2988 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
PID 2256 wrote to memory of 2104 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2104 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2104 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2104 N/A C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1748 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
PID 2988 wrote to memory of 1748 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
PID 2988 wrote to memory of 1748 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
PID 2988 wrote to memory of 1748 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
PID 2988 wrote to memory of 1688 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1688 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1688 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1688 N/A C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2704 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
PID 1748 wrote to memory of 2704 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
PID 1748 wrote to memory of 2704 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
PID 1748 wrote to memory of 2704 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
PID 1748 wrote to memory of 2536 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2536 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2536 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2536 N/A C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2840 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
PID 2704 wrote to memory of 2840 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
PID 2704 wrote to memory of 2840 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
PID 2704 wrote to memory of 2840 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
PID 2704 wrote to memory of 1792 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1792 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1792 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1792 N/A C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"

C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe

C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe

C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0744A~1.EXE > nul

C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe

C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F167~1.EXE > nul

C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe

C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEF8~1.EXE > nul

C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe

C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{66572~1.EXE > nul

C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe

C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53A9D~1.EXE > nul

C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe

C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF88~1.EXE > nul

C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe

C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B787~1.EXE > nul

C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe

C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA32~1.EXE > nul

C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe

C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8737~1.EXE > nul

C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe

C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E59~1.EXE > nul
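
Every stage in the tree above spawns cmd.exe with "/c del <its own image> > nul", naming the image by its 8.3 alias ({0744A~1.EXE, 2024-0~1.EXE) rather than the long GUID file name, so a search of command lines for the long name will not find the delete. The "Deletes itself" signature lists a single cmd.exe, but the tree shows the pattern at all twelve stages. The following Python is an added example, not part of the report: it takes a constructed subset of the process entries above (five stage images and the four cmd.exe lines that follow them), derives each stage's 8.3 alias with a simplified generator (first six characters plus "~1", which assumes no alias collision; real NTFS aliasing uses ~2, ~3 and a hashed form once a prefix collides) and reports which stage images have a matching delete. The fifth stage in the subset has no delete line, so it comes back False.

```python
import re

# Constructed input: (image path, command line) pairs copied from the behavioral1
# process list above, restricted to the first five stage images and the four
# cmd.exe children that follow them.
PROCESS_TREE = [
    (r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"'),
    (r"C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe",
     r"C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (r"C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe",
     r"C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0744A~1.EXE > nul"),
    (r"C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe",
     r"C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2F167~1.EXE > nul"),
    (r"C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe",
     r"C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEF8~1.EXE > nul"),
]

# Characters that never appear in an 8.3 alias; braces, hyphens and underscores are allowed.
SHORT_ILLEGAL = re.compile(r"[ .+,;=\[\]]")
DEL_RE = re.compile(r"cmd\.exe /c del (?P<target>\S+) > nul$", re.IGNORECASE)


def short_name_83(long_path):
    """Simplified 8.3 alias: first six legal characters of the base name, upper-cased,
    plus "~1", plus the first three characters of the extension. Assumes the name is
    not 8.3-compliant already and that no other file shares the six-character prefix
    (an assumption of this example, not something the report states)."""
    directory, _, name = long_path.rpartition("\\")
    base, dot, ext = name.rpartition(".")
    if not dot:                      # no extension: rpartition put the name in ext
        base, ext = ext, ""
    base = SHORT_ILLEGAL.sub("", base)
    short = base[:6].upper() + "~1" + ("." + ext[:3].upper() if ext else "")
    return directory + "\\" + short


def resolve_self_deletes(process_tree):
    """Map each 'cmd /c del' target back to the stage image whose 8.3 alias it names
    and return {stage image: whether a delete for that image was issued}."""
    stages = [img for img, _ in process_tree if not img.lower().endswith("\\cmd.exe")]
    alias = {short_name_83(img).lower(): img for img in stages}
    deleted = set()
    for _, cmdline in process_tree:
        m = DEL_RE.search(cmdline)
        if m and (img := alias.get(m["target"].lower())):
            deleted.add(img)
    return {img: img in deleted for img in stages}


if __name__ == "__main__":
    for img, was_deleted in resolve_self_deletes(PROCESS_TREE).items():
        print(f"{was_deleted!s:5} {short_name_83(img)} <- {img}")
```

Within this chain the no-collision assumption holds: the six-character prefixes of all eleven GUID names differ ({0744A, {2F167, {3BEF8, {66572, {53A9D, {3BF88, {8B787, {8AA32, {D8737, {C9E59, {9DEF1), and the original sample sits in a different directory. On a volume where 8.3 name creation is disabled the alias does not exist, the del fails and the stage's image stays on disk, which is worth checking before assuming the dropped files are gone.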

Network

N/A

Files

C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe

MD5 d6968f78757bdef61603001fa11b7e82
SHA1 877ea307bc94f1e3fdb17164cc636ae2bcdaafd3
SHA256 89c23028f1792a1205d543bab26fa602cd51c47da6649d790caa40e50553a57c
SHA512 e841fe3204a41e2ab2359bd301e692bce5696cb3c4a9c6762d90fa79080d23b014a79915db0c085864fe7403f05d70dc133b49f6212cd185b588281d3fb50e13

C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe

MD5 fbafb884ce838020496b5219ca93e091
SHA1 2cf1764ad58b1baf25f7dd194226a7417ff2eea7
SHA256 b50c4bc9acf8d0d8187415edea4126510ed688f321b62d1c3276cd8be7c59d67
SHA512 9d27a44facc5965ab41a3f21a52ba7284d8f659df50b15c27bd73985836e56f37301aa6bf448183d01dd80fe5f6f481d2723c21706c34b69faedc0902c37fc1a

C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe

MD5 c96e6c6112fed39a68fa4e468031661f
SHA1 3abf59abb1ef313328105ea74e0bf390eeb94b6d
SHA256 3e91ce757f4b31e999b0b80f44e8275aab6c4228a66cbf6a88f16850672c68e7
SHA512 145d0a520b0f8e680449dc87e7bc90d6333b8f1ea3aebc04855ce6b663e209bb788ec2bcde176d021b5589daf428db2a3a7bd0af5d7fa3c2d064a03d640a754d

C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe

MD5 4a9aca397b58bcf4cb45649f98f3c21f
SHA1 94ab4e67633bdb71288c5e644b0f37917f463336
SHA256 70da9d99425796be7a67ea9a433b8af7220bd92be9e7892fa0e247a151f69be2
SHA512 f6aed6e8740439ddc14139ac5fd48261b4becc27c52d852e6af859a6224dd6d214adbff9571a5bbd08e9376140e96caac84bc32df70d61e3a7bf818d47a0daa2

C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe

MD5 905a0604a2b3897c188c0bfed862bd9e
SHA1 1ebf684897d753abbb47f03f896659eb58758be9
SHA256 626a1f601772b93ee98a817ea6fa40371b119b8670cd5cec1aefaed1c20a703d
SHA512 644aa3c1e524e92af85fee0a30a94165ec09ab43e127d983a3d2d495b73afd807a195e29db1e91103f445538a2a86d9a2e5b2dbeb6507a4bf54df14639c92298

C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe

MD5 4fc8e14cbdcbcfa952c045dadd154b1c
SHA1 a48f9b1a0ebf748266b81f504f6f533a1bb1a280
SHA256 02d32dd134c7927f2271c69e9e9518b5be28f4b5a42d0f9709ac5d33248bbde3
SHA512 61548e6c7555226ec2aa900b28e24c99e16e96831dec91942af859d1a36a6f9266116d564a15541686dca562f143107fc14cb38e7e748cc7a7982f455dee92b8

C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe

MD5 aebb1e88604caa4f9d444fd31d47659f
SHA1 fd62fc281139afa9c1fdbcf5d2775fb397a58dc1
SHA256 8cc9c1a45c31b6963829661dd71b7ddbe60092071441a392976d71fe2b347616
SHA512 da0d34c7eefe0dfd6bdd30850d3473373f6cfa28cadf2cc7591584f82178475b56bd4dab4e558b7a9da16f5070b654999f05cad5e2505bf3c4df24961798f074

C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe

MD5 a8d035d2a3fc8aa88df6aae43b17dbd7
SHA1 edbb869fb2429c6e65143ae2629f580b3b073e05
SHA256 287f4998d86a600a7e295ec9dd9320fb62ee20d53192005d781e15ecb3508bd6
SHA512 f53230ce6d4143b35028bb69139ac01ea3fe519c445d5dce226b1ca74acbefff9ce70e30dca53ec706152d814abd2f41b935cbfc841675ae53ce63cff54c3d73

C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe

MD5 3d363cac09b5134cd2b56d0fc250b765
SHA1 e00ab189d0a0dc246493491e75a2dd7576d80cf4
SHA256 d8e2303749dc69cbfd6dce9c6e52c0a995f37716395f702373015b8ca503a46c
SHA512 c0bf5137cfb49ee95efeca7f284a478ab7819aa1101b5f69a73d0086afb3fbcac42bb52fcdaae37b1231ebc18be2f4aeea25f7e530bbfade7526859f0834528d

C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe

MD5 adec2a26f204cec484bb5171d4052753
SHA1 b2e69c5f8613b74e1df6f5369b8e9ce1d7ec3dca
SHA256 9be68bd6245dec8cb505d6c6e91a157476945e6581732c69b81253fc23ea3928
SHA512 01dad3b7b8c84f26880dc94c659a25d50f65fdb4748d08a37975592510f41af99e5c4bf38a0e4ee0158b339e4a996d440906c6e8667bc1ea434bb943207c5a9a

C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe

MD5 e2255dd83854942a246cd6a729e37879
SHA1 9216149a758bbab7e921784cdd788c201ec76528
SHA256 8654e26c9a65a65dc532d2f37659661684f55f0d3dbc94e850236c052f6073d0
SHA512 3e9a4e88b8bcb6d6ed77a0688f128fe0070c6b3838138af17547359ba1b8808bb4e90ae2d7c17795e0400c71d7e3830543ad8bd7a457cdd09cede821c97fc51e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6637B389-4DF6-4011-903A-9067E6D3537F}\stubpath = "C:\\Windows\\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe" C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}\stubpath = "C:\\Windows\\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe" C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BA756E-3FA1-472d-83DB-CCA960A2D447} C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0616B9E9-57E0-48b9-8B57-580031C8D141}\stubpath = "C:\\Windows\\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe" C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}\stubpath = "C:\\Windows\\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe" C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E246F3FF-1943-42a7-A797-C3A54A99D3DC} C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC397DE-0841-48d1-8751-CC0E16F24771}\stubpath = "C:\\Windows\\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe" C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE} C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5} C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0616B9E9-57E0-48b9-8B57-580031C8D141} C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}\stubpath = "C:\\Windows\\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe" C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6637B389-4DF6-4011-903A-9067E6D3537F} C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4D370F-EF84-417f-A850-C48194A23B68} C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637A2255-BE5F-451d-AF77-820B161257AB} C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637A2255-BE5F-451d-AF77-820B161257AB}\stubpath = "C:\\Windows\\{637A2255-BE5F-451d-AF77-820B161257AB}.exe" C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}\stubpath = "C:\\Windows\\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}\stubpath = "C:\\Windows\\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe" C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B} C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B} C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}\stubpath = "C:\\Windows\\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe" C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4D370F-EF84-417f-A850-C48194A23B68}\stubpath = "C:\\Windows\\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe" C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD} C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC397DE-0841-48d1-8751-CC0E16F24771} C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}\stubpath = "C:\\Windows\\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe" C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
File created C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe N/A
File created C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe N/A
File created C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe N/A
File created C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe N/A
File created C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe N/A
File created C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe N/A
File created C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe N/A
File created C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe N/A
File created C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe N/A
File created C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe N/A
File created C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
PID 1840 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 2828 N/A C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
PID 1212 wrote to memory of 224 N/A C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1592 N/A C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
PID 2828 wrote to memory of 4800 N/A C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 4920 N/A C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
PID 1592 wrote to memory of 4560 N/A C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 840 N/A C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
PID 4920 wrote to memory of 544 N/A C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 4716 N/A C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
PID 840 wrote to memory of 4972 N/A C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 1580 N/A C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe
PID 4716 wrote to memory of 2724 N/A C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 464 N/A C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe
PID 1580 wrote to memory of 3136 N/A C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 3640 N/A C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
PID 464 wrote to memory of 4656 N/A C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 4544 N/A C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe
PID 3640 wrote to memory of 4356 N/A C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4344 N/A C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
PID 4544 wrote to memory of 4104 N/A C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"

C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe

C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe

C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC0F~1.EXE > nul

C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe

C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2B4~1.EXE > nul

C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe

C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0616B~1.EXE > nul

C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe

C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0D9~1.EXE > nul

C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe

C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9DA~1.EXE > nul

C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe

C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E246F~1.EXE > nul

C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe

C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6637B~1.EXE > nul

C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe

C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4D3~1.EXE > nul

C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe

C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B66~1.EXE > nul

C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe

C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{637A2~1.EXE > nul

C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe

C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC39~1.EXE > nul

Network


Files

C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe

C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe

C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe

C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe

C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe

C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe

C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe

C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe

C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe

C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe

C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe

C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe