Malware Analysis Report

2025-01-18 14:07

Sample ID 240613-c7s5rs1hjf
Target 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye
SHA256 a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f
Tags persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f

Threat Level: Known bad

The file 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:43

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:43
Reported 2024-06-13 02:46
Platform win7-20231129-en
Max time kernel 144s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C748D5E-7236-4342-8B1B-CED67D0E616B} C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DA5C50-ECA5-48c1-B051-58D39C953E04} C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F} C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A9266-C867-4256-9B13-F763FBA2CD68} C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF8FF41-D816-4f96-866A-00B5D753F12D}\stubpath = "C:\\Windows\\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe" C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE} C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BA3A96-770C-4284-A5BE-E0B26D14D494}\stubpath = "C:\\Windows\\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe" C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}\stubpath = "C:\\Windows\\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe" C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}\stubpath = "C:\\Windows\\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe" C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C748D5E-7236-4342-8B1B-CED67D0E616B}\stubpath = "C:\\Windows\\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1} C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}\stubpath = "C:\\Windows\\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe" C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}\stubpath = "C:\\Windows\\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe" C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E945-2370-4254-B4EC-185B5068A5D4}\stubpath = "C:\\Windows\\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe" C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BA3A96-770C-4284-A5BE-E0B26D14D494} C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DA5C50-ECA5-48c1-B051-58D39C953E04}\stubpath = "C:\\Windows\\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe" C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E945-2370-4254-B4EC-185B5068A5D4} C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}\stubpath = "C:\\Windows\\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe" C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A9266-C867-4256-9B13-F763FBA2CD68}\stubpath = "C:\\Windows\\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe" C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF8FF41-D816-4f96-866A-00B5D753F12D} C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11C081F-7763-4ed9-940C-B03C49B9AA2F} C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A} C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe N/A
File created C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe N/A
File created C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe N/A
File created C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
File created C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe N/A
File created C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe N/A
File created C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe N/A
File created C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe N/A
File created C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe N/A
File created C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe N/A
File created C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
PID 1972 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2720 N/A C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
PID 2164 wrote to memory of 2744 N/A C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2660 N/A C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
PID 2720 wrote to memory of 2804 N/A C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2668 N/A C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
PID 2660 wrote to memory of 2452 N/A C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 3032 N/A C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
PID 2668 wrote to memory of 2896 N/A C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2760 N/A C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
PID 3032 wrote to memory of 1976 N/A C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1940 N/A C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
PID 2760 wrote to memory of 2408 N/A C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 2772 N/A C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
PID 1940 wrote to memory of 1184 N/A C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"

C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe

C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe

C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9C748~1.EXE > nul

C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe

C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{33DA5~1.EXE > nul

C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe

C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF1F~1.EXE > nul

C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe

C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA0F~1.EXE > nul

C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe

C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F86A9~1.EXE > nul

C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe

C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF8F~1.EXE > nul

C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe

C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18D4E~1.EXE > nul

C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe

C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0E~1.EXE > nul

C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe

C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95BA3~1.EXE > nul

C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe

C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D11C0~1.EXE > nul

Network

N/A

Files

C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe

C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe

C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe

C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe

C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe

C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe

C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe

C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe

C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe

C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe

C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 02:43
Reported 2024-06-13 02:46
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE830B-2C50-44b3-862B-DA04E37C7126}\stubpath = "C:\\Windows\\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe" C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900951C4-A370-4c61-A8C8-75CD5528D398}\stubpath = "C:\\Windows\\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe" C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F41826-941E-47c7-A1D2-705271882C58}\stubpath = "C:\\Windows\\{B7F41826-941E-47c7-A1D2-705271882C58}.exe" C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF216A8E-6648-4801-8188-C43F8AE53620}\stubpath = "C:\\Windows\\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4244FDBC-15CB-4241-8D0E-9E776E61580C} C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE830B-2C50-44b3-862B-DA04E37C7126} C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4244FDBC-15CB-4241-8D0E-9E776E61580C}\stubpath = "C:\\Windows\\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe" C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}\stubpath = "C:\\Windows\\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe" C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042651AD-36D6-4fd5-8F1F-B34B992131E0}\stubpath = "C:\\Windows\\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe" C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B660DD36-227F-4aa2-BEC7-833B5269AEFF} C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE3ACA3-82C6-4a82-B779-20640363C2F9} C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7787983-2EEE-4e24-BCBC-14D4D35958AF} C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}\stubpath = "C:\\Windows\\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe" C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF216A8E-6648-4801-8188-C43F8AE53620} C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3029469-3CF9-48ae-AF7A-85929468A5BD} C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042651AD-36D6-4fd5-8F1F-B34B992131E0} C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7C1863-535E-4e86-AA06-A3EAF27B7562} C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900951C4-A370-4c61-A8C8-75CD5528D398} C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}\stubpath = "C:\\Windows\\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe" C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}\stubpath = "C:\\Windows\\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe" C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F41826-941E-47c7-A1D2-705271882C58} C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1} C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}\stubpath = "C:\\Windows\\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe" C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3029469-3CF9-48ae-AF7A-85929468A5BD}\stubpath = "C:\\Windows\\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe" C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe N/A
File created C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe N/A
File created C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe N/A
File created C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe N/A
File created C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe N/A
File created C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe N/A
File created C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe N/A
File created C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
File created C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe N/A
File created C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe N/A
File created C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe N/A
File created C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
PID 4900 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
PID 4900 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
PID 4900 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2168 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
PID 4816 wrote to memory of 2168 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
PID 4816 wrote to memory of 2168 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
PID 4816 wrote to memory of 1912 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1912 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1912 N/A C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4396 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
PID 2168 wrote to memory of 4396 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
PID 2168 wrote to memory of 4396 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
PID 2168 wrote to memory of 1528 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1528 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1528 N/A C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1808 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
PID 4396 wrote to memory of 1808 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
PID 4396 wrote to memory of 1808 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
PID 4396 wrote to memory of 3124 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 3124 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 3124 N/A C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3664 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
PID 1808 wrote to memory of 3664 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
PID 1808 wrote to memory of 3664 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
PID 1808 wrote to memory of 3476 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3476 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3476 N/A C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 4696 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
PID 3664 wrote to memory of 4696 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
PID 3664 wrote to memory of 4696 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
PID 3664 wrote to memory of 5032 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 5032 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 5032 N/A C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe C:\Windows\SysWOW64\cmd.exe
PID 4696 wrote to memory of 4616 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
PID 4696 wrote to memory of 4616 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
PID 4696 wrote to memory of 4616 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
PID 4696 wrote to memory of 4048 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\SysWOW64\cmd.exe
PID 4696 wrote to memory of 4048 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\SysWOW64\cmd.exe
PID 4696 wrote to memory of 4048 N/A C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 3732 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
PID 4616 wrote to memory of 3732 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
PID 4616 wrote to memory of 3732 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
PID 4616 wrote to memory of 3616 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 3616 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 3616 N/A C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4952 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
PID 3732 wrote to memory of 4952 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
PID 3732 wrote to memory of 4952 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
PID 3732 wrote to memory of 4464 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4464 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4464 N/A C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 2844 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
PID 4952 wrote to memory of 2844 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
PID 4952 wrote to memory of 2844 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
PID 4952 wrote to memory of 4316 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4316 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4316 N/A C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2436 N/A C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
PID 2844 wrote to memory of 2436 N/A C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
PID 2844 wrote to memory of 2436 N/A C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
PID 2844 wrote to memory of 2128 N/A C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"

C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe

C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe

C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF216~1.EXE > nul

C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe

C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4244F~1.EXE > nul

C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe

C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4B168~1.EXE > nul

C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe

C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A3029~1.EXE > nul

C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe

C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EE8~1.EXE > nul

C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe

C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7C1~1.EXE > nul

C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe

C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04265~1.EXE > nul

C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe

C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{90095~1.EXE > nul

C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe

C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B660D~1.EXE > nul

C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe

C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE3A~1.EXE > nul

C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe

C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F41~1.EXE > nul

Network

Files
