Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-c7khmavgjr
Target 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye
SHA256 ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def

Threat Level: Known bad

The file 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:43

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:43

Reported

2024-06-13 02:45

Platform

win7-20240611-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8519853-3D29-4512-BDA8-434C5C695304} C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561880D2-6A4F-4635-84CE-92609B6E78AB}\stubpath = "C:\\Windows\\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe" C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B54440-EFDD-41a8-B51C-B2A2F84400A6} C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E1B225-C919-45ca-BDEE-C1E6989C54CC} C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}\stubpath = "C:\\Windows\\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe" C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926DAE6-41EB-4e57-B8CC-93CA9278979D} C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561880D2-6A4F-4635-84CE-92609B6E78AB} C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2ABF10-80D6-4a62-BFAB-95150665A248}\stubpath = "C:\\Windows\\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe" C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8} C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}\stubpath = "C:\\Windows\\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe" C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545388F7-5839-422f-871F-519685AB2725}\stubpath = "C:\\Windows\\{545388F7-5839-422f-871F-519685AB2725}.exe" C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8519853-3D29-4512-BDA8-434C5C695304}\stubpath = "C:\\Windows\\{F8519853-3D29-4512-BDA8-434C5C695304}.exe" C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}\stubpath = "C:\\Windows\\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe" C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2ABF10-80D6-4a62-BFAB-95150665A248} C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF7F36-7711-4d03-A083-EA12CF9AF238} C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}\stubpath = "C:\\Windows\\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe" C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}\stubpath = "C:\\Windows\\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545388F7-5839-422f-871F-519685AB2725} C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17} C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}\stubpath = "C:\\Windows\\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe" C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078} C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}\stubpath = "C:\\Windows\\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe" C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe N/A
File created C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe N/A
File created C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe N/A
File created C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe N/A
File created C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe N/A
File created C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
File created C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe N/A
File created C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe N/A
File created C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe N/A
File created C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe N/A
File created C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
PID 2804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
PID 2804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
PID 2804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
PID 2804 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2736 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
PID 1808 wrote to memory of 2736 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
PID 1808 wrote to memory of 2736 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
PID 1808 wrote to memory of 2736 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
PID 1808 wrote to memory of 2764 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2764 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2764 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2764 N/A C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2208 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
PID 336 wrote to memory of 2208 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
PID 336 wrote to memory of 2208 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
PID 336 wrote to memory of 2208 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
PID 336 wrote to memory of 2200 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2200 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2200 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2200 N/A C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1448 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
PID 2208 wrote to memory of 1448 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
PID 2208 wrote to memory of 1448 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
PID 2208 wrote to memory of 1448 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
PID 2208 wrote to memory of 808 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 808 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 808 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 808 N/A C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2192 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
PID 1448 wrote to memory of 2192 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
PID 1448 wrote to memory of 2192 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
PID 1448 wrote to memory of 2192 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
PID 1448 wrote to memory of 1056 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1056 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1056 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1056 N/A C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"

C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe

C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe

C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C926D~1.EXE > nul

C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe

C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54538~1.EXE > nul

C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe

C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F8519~1.EXE > nul

C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe

C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56188~1.EXE > nul

C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe

C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05B54~1.EXE > nul

C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe

C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2AB~1.EXE > nul

C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe

C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAF7~1.EXE > nul

C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe

C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CCD~1.EXE > nul

C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe

C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F01~1.EXE > nul

C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe

C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1B~1.EXE > nul

Network

N/A

Files

C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe

MD5 dd6207f4e74aa65aaadfc1928cccbc25
SHA1 a5e988c838790eec389e681f4a9a32a0894c0f34
SHA256 3d1d907f81bdb69e4a2b9e30afe9955c8d19c679bd891fe4a704135b787feb5c
SHA512 d0fa19158f9808389813324f8d6c23875d9bc6a5f27897cabcd35b7c9fa1356ed845ef1891f94ed0c5b689f9371f9164ff0d74530aeeffb4a53836cfd6ef463b

C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe

MD5 28f0f4207f2202acc027d77a0cc73075
SHA1 a0a08dc819507d3a375e07103ca78d9cb00534b2
SHA256 6bf6c9f92296190651f32cba015a32bbd872a14157c7380f6d01b941f98aa0e6
SHA512 5087d0d26942b800c1b874ad2c9b9fcf32d556033262752de0a98cdcceef78a56209625dfce5c5f1b4a68cbd3316b2a6ad37d57ffcfad4e8c367515488aaee2f

C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe

MD5 9c0f1ddf503e82b2958e3a488eef45a5
SHA1 26f24cdf1121e4983a12b0e593d3bbb7d183c30e
SHA256 282e66cd1f52c08c57676ebc3cd95338ef3ee9fcaaf7133383470746f13c3c37
SHA512 084bdd1f4c8a533a9f3196edc282902f8942f0deebf5ce5dca11f9b56e6c5a0c39834af8dff63fcc6c6f276730c89b2e6f872c7d4f1aab9a78b1a7aff54d79df

C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe

MD5 c65e8b9e5edc5870f00f3319256eecc6
SHA1 1da239d2b302015bc200c34d56acaa709b4c0aed
SHA256 055b43ef786959ea6286bdcea12f09c91736d31caca75cd940877d0513f130e5
SHA512 c62316cf16f0d3143cf06422d0de845130874d2f30608c925781f0b53e322b5c8b7f3f3fe34f5d2c6407efe1bddb6b0a9caf182345b287c29f99a85838bef9bb

C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe

MD5 71b6f0fa3f4fb9f7564bfed9ff806519
SHA1 ecfe1609f48be007c8ec8f719c0c398f6dadbb9d
SHA256 0acdd013a5949a6d3774703f22ee05c9aef478240a2ed521756be2efd8a48eef
SHA512 b22a5028fe73d4652345ce7d01fe733b610ff8fc1ec6af6696a4afe0da4644f30de955c506938a50563385ad77461a4a5eb1436b2fcb68579d73e94c3132f82e

C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe

MD5 3dee73dba0f88b29b39ef58f8eb0dc97
SHA1 fbd1d468587c7b0ed309d64431851a5d24064064
SHA256 c54bc53d389ff3209acabae369752e6c472a8ae4359ba72cecdcfa244151d3d4
SHA512 f345f90fcbb9230d1f86957de34a0372c3f42ab71f939e2d71315f80a3c3d1eaf80cbbf2a7827741c62a471bbfb84e9245fc521a1e33d722053e4d2239e3ef09

C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe

MD5 f939e63c4cf1c1dd35bb0ec54fe76e90
SHA1 5435385eb818c06459fc249ea7ca8d0a72518637
SHA256 9c19b5bbc201ee5015b6f51e3d457e317c4521ca082c7084bd4edaa62d65736f
SHA512 3e895af2387efc9aa5a7e6eb4b2d90f5c301d93ebc3c95ecc10b5a2c4e62ff88a6d6725fc45921db6d4265b5326414a26b695d67e122ea0a6ec9cfa718ea2181

C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe

MD5 242224bb020c83093609444c21499ffd
SHA1 2903bcda21d3b1bf0c229db02237b120acecfa2b
SHA256 493f1f0fafda31ab80629013e0ea926e26c029641dfc7c56781e3159d647f1f7
SHA512 0599d2670d9e1cd2354b554c392f459b8bb10939685a3d50362f6de694deb631470edbc11c08631b66f0fc4329dc6ce29244da7396838b98a19c88348c0132cc

C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe

MD5 50b1445e4eabdc993c368754ef6aedfe
SHA1 3613e89413e2dc2cf6f55db0abc4110edead3ce4
SHA256 1af6f15c78539e8616aa42caf03393a77c683491b643887e755dc5263f2276a1
SHA512 bf607e7d012a1ca3ee83e10a22a851cfc38142ee7e9f72cdf0acf414f50177674b3e1db501ba3f5cbefac58d957fc4e25e9598b6895779da70732e45acc5facf

C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe

MD5 e5e8106a44cf4650c40008bd90b8f38d
SHA1 6ab7a3a06ddc7ff94003053c061382aec1d85a70
SHA256 5f6019b78d9c4eff83b6bc799749a7594974ea449e2e5d580844be0e0ff6715d
SHA512 3256b170c4c692ebb60baff5176cdd116da302746ece5f6cd40939e9bec735f7917980154ecfcd3ef41d585eaf96b97c4c63679a865cbf16b7afd376c98bc9b7

C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe

MD5 e412c4c763fbb5b392981a0eb49caebe
SHA1 79630549bcbef1f109f1fbbb8880d6ac895350e1
SHA256 3b21fc6d70580fd0e539d6bbc481966032b7a598731a36a3ef7debbbfd2806c9
SHA512 7e4739f3cdfe94f6d83d66f69f699d4ea739d9007a7c589070d80bed4950063210dc26ea681dbd08e83536b7b22fb375673099253a1ad49f015862761c527129

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:43

Reported

2024-06-13 02:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D642A007-FD9A-449c-B528-A53A097A7BCF}\stubpath = "C:\\Windows\\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe" C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1560311-87D3-4cf0-93D7-E8265B722BA7}\stubpath = "C:\\Windows\\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe" C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61838062-CC67-45fc-84D2-1481564F0F90} C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C0E007-6DFF-42ac-B040-B62DC26901B8}\stubpath = "C:\\Windows\\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe" C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39624838-6A19-430d-A8E8-0532DF60B7FE}\stubpath = "C:\\Windows\\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe" C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF} C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498E330C-5C31-4b57-970A-FB5D78B142E5} C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB006AE-933F-4359-8C3F-F4F29C04721E} C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498E330C-5C31-4b57-970A-FB5D78B142E5}\stubpath = "C:\\Windows\\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe" C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA8725-2998-4907-B91A-9F6518F0CEA2} C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52677632-ED47-4064-A25E-FA54B0B2B3C8} C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52677632-ED47-4064-A25E-FA54B0B2B3C8}\stubpath = "C:\\Windows\\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe" C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD69A26-F94F-4630-A452-954FC69F7212} C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD69A26-F94F-4630-A452-954FC69F7212}\stubpath = "C:\\Windows\\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe" C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39624838-6A19-430d-A8E8-0532DF60B7FE} C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}\stubpath = "C:\\Windows\\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe" C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A} C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}\stubpath = "C:\\Windows\\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D642A007-FD9A-449c-B528-A53A097A7BCF} C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C0E007-6DFF-42ac-B040-B62DC26901B8} C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}\stubpath = "C:\\Windows\\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe" C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1560311-87D3-4cf0-93D7-E8265B722BA7} C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61838062-CC67-45fc-84D2-1481564F0F90}\stubpath = "C:\\Windows\\{61838062-CC67-45fc-84D2-1481564F0F90}.exe" C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB006AE-933F-4359-8C3F-F4F29C04721E}\stubpath = "C:\\Windows\\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe" C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
File created C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe N/A
File created C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe N/A
File created C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe N/A
File created C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe N/A
File created C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe N/A
File created C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe N/A
File created C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe N/A
File created C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe N/A
File created C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe N/A
File created C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe N/A
File created C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
PID 1784 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
PID 1784 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
PID 1784 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 4728 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
PID 1800 wrote to memory of 4728 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
PID 1800 wrote to memory of 4728 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
PID 1800 wrote to memory of 4644 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 4644 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 4644 N/A C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 684 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
PID 4728 wrote to memory of 684 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
PID 4728 wrote to memory of 684 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
PID 4728 wrote to memory of 512 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 512 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 512 N/A C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2652 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
PID 684 wrote to memory of 2652 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
PID 684 wrote to memory of 2652 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
PID 684 wrote to memory of 624 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 624 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 624 N/A C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2248 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
PID 2652 wrote to memory of 2248 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
PID 2652 wrote to memory of 2248 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
PID 2652 wrote to memory of 3780 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 3780 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 3780 N/A C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2320 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
PID 2248 wrote to memory of 2320 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
PID 2248 wrote to memory of 2320 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
PID 2248 wrote to memory of 3576 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3576 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3576 N/A C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4108 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
PID 2320 wrote to memory of 4108 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
PID 2320 wrote to memory of 4108 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
PID 2320 wrote to memory of 4492 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4492 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4492 N/A C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 1760 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
PID 4108 wrote to memory of 1760 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
PID 4108 wrote to memory of 1760 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
PID 4108 wrote to memory of 4716 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4716 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4716 N/A C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 4044 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
PID 1760 wrote to memory of 4044 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
PID 1760 wrote to memory of 4044 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
PID 1760 wrote to memory of 400 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 400 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 400 N/A C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4044 wrote to memory of 4316 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
PID 4044 wrote to memory of 4316 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
PID 4044 wrote to memory of 4316 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
PID 4044 wrote to memory of 2244 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4044 wrote to memory of 2244 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4044 wrote to memory of 2244 N/A C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 1500 N/A C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
PID 4316 wrote to memory of 1500 N/A C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
PID 4316 wrote to memory of 1500 N/A C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
PID 4316 wrote to memory of 4020 N/A C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8

C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe

C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe

C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA8~1.EXE > nul

C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe

C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{52677~1.EXE > nul

C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe

C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD69~1.EXE > nul

C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe

C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D642A~1.EXE > nul

C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe

C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18C0E~1.EXE > nul

C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe

C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{39624~1.EXE > nul

C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe

C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F69~1.EXE > nul

C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe

C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{498E3~1.EXE > nul

C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe

C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3728D~1.EXE > nul

C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe

C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1560~1.EXE > nul

C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe

C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61838~1.EXE > nul
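The "Drops file in Windows directory" rows and the Processes list above describe one relay: each stage writes the next GUID-named executable under C:\Windows, starts it, and the new stage spawns cmd.exe to delete the stage that dropped it, using the 8.3 short name (for example {C8BA8~1.EXE for {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe). The "File created" rows are not printed in execution order, which makes the chain hard to read off the table. The following Python is an added example, not part of the sandbox output: it rebuilds the chain from the (created, creator) pairs, then checks for every stage that the cmd.exe it spawned deleted its predecessor. The 8.3 name is approximated as the first six characters of the stem plus "~1", which is an assumption (the numeric tail depends on collisions in the directory). The msedge.exe utility process in the Processes list has no file-creation or WriteProcessMemory link to any sample process in this report and is left out.

```python
"""Rebuild the drop-and-delete relay from this report's 'File created' rows and
cmd.exe command lines, then verify that every stage deleted the one before it.
Added example built on the report's own paths; not sandbox output."""
import re

# Paths copied from the report. ORIG is the submitted sample; every later stage
# is a GUID-named executable written directly under C:\Windows.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
WIN = r"C:\Windows"


def stage(guid):
    """Full path of a dropped stage: C:\\Windows\\{GUID}.exe."""
    return WIN + "\\{" + guid + "}.exe"


# (created file, creating process) in the order the report lists them. The
# rows are NOT in execution order: {39624838-...} appears before the row that
# shows where its creator {18C0E007-...} came from.
FILE_CREATED = [
    (stage("C8BA8725-2998-4907-B91A-9F6518F0CEA2"), ORIG),
    (stage("52677632-ED47-4064-A25E-FA54B0B2B3C8"), stage("C8BA8725-2998-4907-B91A-9F6518F0CEA2")),
    (stage("5DD69A26-F94F-4630-A452-954FC69F7212"), stage("52677632-ED47-4064-A25E-FA54B0B2B3C8")),
    (stage("39624838-6A19-430d-A8E8-0532DF60B7FE"), stage("18C0E007-6DFF-42ac-B040-B62DC26901B8")),
    (stage("D6F69D1D-596C-4bd0-9FA6-98D727359ADF"), stage("39624838-6A19-430d-A8E8-0532DF60B7FE")),
    (stage("498E330C-5C31-4b57-970A-FB5D78B142E5"), stage("D6F69D1D-596C-4bd0-9FA6-98D727359ADF")),
    (stage("3728DFA5-76E3-4f95-8CFC-99E647B8EF9A"), stage("498E330C-5C31-4b57-970A-FB5D78B142E5")),
    (stage("F1560311-87D3-4cf0-93D7-E8265B722BA7"), stage("3728DFA5-76E3-4f95-8CFC-99E647B8EF9A")),
    (stage("D642A007-FD9A-449c-B528-A53A097A7BCF"), stage("5DD69A26-F94F-4630-A452-954FC69F7212")),
    (stage("18C0E007-6DFF-42ac-B040-B62DC26901B8"), stage("D642A007-FD9A-449c-B528-A53A097A7BCF")),
    (stage("61838062-CC67-45fc-84D2-1481564F0F90"), stage("F1560311-87D3-4cf0-93D7-E8265B722BA7")),
    (stage("6DB006AE-933F-4359-8C3F-F4F29C04721E"), stage("61838062-CC67-45fc-84D2-1481564F0F90")),
]

# (stage that spawned cmd.exe, cmd.exe command line) from the Processes list.
DEL_COMMANDS = [
    (stage("C8BA8725-2998-4907-B91A-9F6518F0CEA2"), r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (stage("52677632-ED47-4064-A25E-FA54B0B2B3C8"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA8~1.EXE > nul"),
    (stage("5DD69A26-F94F-4630-A452-954FC69F7212"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{52677~1.EXE > nul"),
    (stage("D642A007-FD9A-449c-B528-A53A097A7BCF"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD69~1.EXE > nul"),
    (stage("18C0E007-6DFF-42ac-B040-B62DC26901B8"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D642A~1.EXE > nul"),
    (stage("39624838-6A19-430d-A8E8-0532DF60B7FE"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{18C0E~1.EXE > nul"),
    (stage("D6F69D1D-596C-4bd0-9FA6-98D727359ADF"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{39624~1.EXE > nul"),
    (stage("498E330C-5C31-4b57-970A-FB5D78B142E5"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F69~1.EXE > nul"),
    (stage("3728DFA5-76E3-4f95-8CFC-99E647B8EF9A"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{498E3~1.EXE > nul"),
    (stage("F1560311-87D3-4cf0-93D7-E8265B722BA7"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3728D~1.EXE > nul"),
    (stage("61838062-CC67-45fc-84D2-1481564F0F90"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F1560~1.EXE > nul"),
    (stage("6DB006AE-933F-4359-8C3F-F4F29C04721E"), r"C:\Windows\system32\cmd.exe /c del C:\Windows\{61838~1.EXE > nul"),
]


def short_name(path):
    """Approximate Windows 8.3 name: first six stem characters, '~1', three-char
    extension, upper-cased. The '~1' tail is an assumption; Windows picks the
    number based on collisions in the directory."""
    base = path.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    stem = stem.replace(" ", "").replace(".", "")
    return f"{stem[:6].upper()}~1.{ext[:3].upper()}"


def del_target(cmdline):
    """Path named by a 'cmd.exe /c del <path>' command line, or None."""
    m = re.search(r"/c\s+del\s+(\S+)", cmdline, re.I)
    return m.group(1) if m else None


def deletes(cmdline, path):
    """True if the del command targets `path` by long or 8.3 short name."""
    target = del_target(cmdline)
    if target is None:
        return False
    folder = path.rsplit("\\", 1)[0]
    candidates = {path.lower(), (folder + "\\" + short_name(path)).lower()}
    return target.lower() in candidates


def build_chain(file_created, root):
    """Walk creator -> created from `root`; refuse branching or cycles so a
    fan-out dropper is not silently reported as a straight line."""
    by_creator = {}
    for child, creator in file_created:
        by_creator.setdefault(creator, []).append(child)
    chain, cur, seen = [root], root, {root}
    while cur in by_creator:
        kids = by_creator[cur]
        if len(kids) != 1:
            raise ValueError(f"{cur} created {len(kids)} files; not a simple relay")
        cur = kids[0]
        if cur in seen:
            raise ValueError("cycle in creation graph at " + cur)
        seen.add(cur)
        chain.append(cur)
    return chain


def verify_relay(chain, del_commands):
    """For each stage after the root: did its cmd.exe delete the stage that dropped it?"""
    cmd_by_stage = {proc.lower(): cmd for proc, cmd in del_commands}
    results = []
    for prev, cur in zip(chain, chain[1:]):
        cmd = cmd_by_stage.get(cur.lower())
        results.append((cur, cmd is not None and deletes(cmd, prev)))
    return results


if __name__ == "__main__":
    chain = build_chain(FILE_CREATED, ORIG)
    for i, (path, ok) in enumerate(verify_relay(chain, DEL_COMMANDS), start=1):
        name = path.rsplit("\\", 1)[-1]
        print(f"stage {i:2d} {name:48s} deleted predecessor: {ok}")
```

The reconstructed order (C8BA8725, 52677632, 5DD69A26, D642A007, 18C0E007, 39624838, D6F69D1D, 498E330C, 3728DFA5, F1560311, 61838062, 6DB006AE) is the same sequence the WriteProcessMemory rows give by PID (1784 to 1800 to 4728 to 684 to 2652 to 2248 to 2320 to 4108 to 1760 to 4044 to 4316 to 1500), which is the independent cross-check to run before trusting a chain rebuilt from file events alone. Note the consequence for response: by the time the run ends only the last stage is still on disk, so the file hashes in the Files section are the evidence that a host ever held the earlier stages.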

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe

MD5 b8aa223fa794b14065d91fd978dee421
SHA1 757e0f9e33323e950d788d52b60dc038744cd839
SHA256 d8da933dd2a7c7db766eb6dce95ac93a29ce581ed8d6eaf968a6533dcd25a00b
SHA512 dbed7ae9782d2ab059e232c14442bf20c03c2d4af40ae9a66f0518035b75bf3dc459ccfe54e0bf2299716e7fcf9460def958809b496b133fe536081f06590b42

C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe

MD5 e2e51107d906657fbda7e7e72fadfe44
SHA1 6b902aff13bedfa071698eee7da18971cfffec4e
SHA256 496d5c6d4980acb0fe1ad9b4b8f69d78474b9b52d6a79c6b92575dfbc00fd796
SHA512 93ea8a18413b6868d92b8ab5f099fa232726aa2ee04d724ce009a1b033a82bdb7afc8bfd5cf0dbf71390ccf9063d18e6419533229180393450a9343baad13b22

C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe

MD5 ee8d7961de30ce5658b6e18c4679f262
SHA1 579f35cf59a53fe1b96d2464dc223c556f75fe93
SHA256 06c69179112f43b5ae70c024d4eace70876f9f6b451adaa2d6615f837ab9660b
SHA512 1e929621356a7a135b371435d3746434870b3b4d2b8919b5ed7ad1b6956374769e3477ca5680aad9a5d2a90b09651d7d68b3b4e4e2bd00f56f802be22d7040a6

C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe

MD5 9f2c944a8e2a50c8d94a549f536d292d
SHA1 9df011f7940c9cac9fd1921c3d67e2d357302dae
SHA256 a62bfb06332e0e4b21d0d2ad6d3423b3462e5d181926a26f478f4d3b95581fcc
SHA512 9570bfc08eb41a5e9251672a26fbd145b025fb54b640fdad49843d9dbfec072b76e8cd8d4bb4a3041c490bd5e7823438b9cf8ebbd42967ea6afd2689eaecafa4

C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe

MD5 3023096b3fe9dde77aa7d9cda9e7669e
SHA1 90d6ea6390f60d89abe56a43b6db672f88fadc97
SHA256 7a2840b653d54a74b1111d88445d8f901e755d58603251381d3b8337fd2b4956
SHA512 fe086ca31b0d35e017e4f399105f140c53c7ef16483c6802e851b6438ca45aa012cc403a3b69998c2566c9eb944f695961ed3df5d49c51dfdea9bfff490f3905

C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe

MD5 881f4f0d763622fd4b5700e5b4f22c8c
SHA1 b0ffc995913277dfe5419eecb643d61a8828baab
SHA256 c80b23b059368ec59c5e503a22ff538ad7bfb9fd33c70552768c4828b4cb4be4
SHA512 bb667fa6051c0ceca483616482471021e823bc954ae88246e5db043600ce842a8e1a67ec441c4ff6352c4a9bf4e31bffbd9d8701d770143ba21c60de76b182ea

C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe

MD5 2d4668b0602e0ffcf5f95bd13f0c8028
SHA1 ed2e461afe1a0faa19bc0119b5242ad352ac2776
SHA256 9f34256356399cdc571abce50bd8517adde5937a5dd7101ab09a6106f9129b80
SHA512 333a109aeade2918553673ce40f95a94bb0f73581d56c5330d1d7b5dd3fb38aee43830a01b62e59a03fa9f72db21711fbd956e7dcef78b7c983d49ce4e4c55b8

C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe

MD5 7dcc0395ef3b72e02447ddec77b8ae9d
SHA1 a20cbc7c65cace112d2c4357920007cfdffd642c
SHA256 aeb42dfb444e91bf187f1ab8469d1d2e8bfa1202d76bd4e2a149c41cad0301db
SHA512 bac4e14b87b69b7459fe219ceac483695006cb8d033d6d1edbdfe88e4cc0375ed7c960d2fe6f1df25c0ca7201b44efa827f5336a023303a51b28f46fa8839dbc

C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe

MD5 9c2aa551ed1e247fa0d43b124bbdf055
SHA1 d3a010baee2cfb38dd34cb8f298fb4b53bb76e48
SHA256 0022acc25e0f4bcacb62005377db4d0d0ea18bc561133599a50b9f72d2ce1f93
SHA512 07948a5910302abe89508e13d3b62d94cb0779e9bf503370c97e3638c2ce581c83105ab9be94d6e00aa66c7572adfe55009768c3057250f87bf467e0f23ef1fb

C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe

MD5 4a400717ae300b7c1f5e1526e2e117a3
SHA1 26fb48a7ca969526a7f297a4478b771bfbd42a55
SHA256 e88f6d07475cab9ce1d000a19459afef520e6f392e7d301becf48dcffb8b98d0
SHA512 524bf5562f279cdd90bd3ded6d5959df9f2c6869972263def43389f0bca067b2302639c468ee5ca37af9c71e727fff530088bbfe99bf8b29a4ea961d56ad6022

C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe

MD5 58cd0a45b21b2d06f0b8d285a2ec31c3
SHA1 004c4d73e3ab08a2f8b93d256bb41e9a0a63fd54
SHA256 0bcd47aa2c3afddaf8f66c99411eef958f00bb450e3865000c5c3011e4d4a920
SHA512 851b7d1381fdec8b14c25ed5c138e86147ff5d512d28de55661311ad2e7dccb3b82fb24d61d427b536f220c60c6ea5cfa1c33e23c5a73305bc948c4fbea9ce61

C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe

MD5 8e3ce6da73c7ad2b679e067e9afe026b
SHA1 66553748a905d13e5a00e28947541686e628435a
SHA256 92e179326c4c0e6701fb7275a4e305fe98e600009529c4bc534c8460a2be50a7
SHA512 f05116ddadf78587d84b0466c1b4485cda324bc235cd42ca37da0518765f909bb4ba24a1496e3e078338ed7cea4a49fd6904189c4fb4c3441f6cd77b6baf626c