Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-c9eeds1hnb
Target 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye
SHA256 16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175

Threat Level: Known bad

The file 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:46

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:46

Reported

2024-06-13 02:48

Platform

win7-20240419-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040C519-27C1-4361-8F4D-EE788A4999CB} C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860CCA45-D390-4aaa-B743-EEF6A923076A} C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE9C394-35EB-4bc2-9392-22007027FEC6} C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE9C394-35EB-4bc2-9392-22007027FEC6}\stubpath = "C:\\Windows\\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe" C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}\stubpath = "C:\\Windows\\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe" C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7} C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3639F753-306D-4545-A65F-F9EF26B1B393} C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D} C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AC68E8-60B2-4fdb-837B-2FED732128BC} C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04985B9E-B464-4f2b-B4CA-584A8E64E879} C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3639F753-306D-4545-A65F-F9EF26B1B393}\stubpath = "C:\\Windows\\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe" C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}\stubpath = "C:\\Windows\\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe" C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649B4ADB-6932-4d60-8A61-7422D7576C94}\stubpath = "C:\\Windows\\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe" C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040C519-27C1-4361-8F4D-EE788A4999CB}\stubpath = "C:\\Windows\\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe" C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860CCA45-D390-4aaa-B743-EEF6A923076A}\stubpath = "C:\\Windows\\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe" C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26876394-7762-4a75-9B9E-DE6FF40DEAE3} C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}\stubpath = "C:\\Windows\\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe" C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04985B9E-B464-4f2b-B4CA-584A8E64E879}\stubpath = "C:\\Windows\\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8} C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}\stubpath = "C:\\Windows\\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe" C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}\stubpath = "C:\\Windows\\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe" C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649B4ADB-6932-4d60-8A61-7422D7576C94} C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe N/A
File created C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe N/A
File created C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe N/A
File created C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
File created C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe N/A
File created C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe N/A
File created C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe N/A
File created C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe N/A
File created C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe N/A
File created C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe N/A
File created C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2616 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
PID 2812 wrote to memory of 2616 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
PID 2812 wrote to memory of 2616 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
PID 2812 wrote to memory of 2616 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
PID 2812 wrote to memory of 2768 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2768 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2768 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2768 N/A C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2488 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
PID 2616 wrote to memory of 2488 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
PID 2616 wrote to memory of 2488 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
PID 2616 wrote to memory of 2488 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
PID 2616 wrote to memory of 2600 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2600 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2600 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2600 N/A C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2508 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
PID 2488 wrote to memory of 2508 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
PID 2488 wrote to memory of 2508 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
PID 2488 wrote to memory of 2508 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
PID 2488 wrote to memory of 1512 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1512 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1512 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1512 N/A C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1536 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
PID 2508 wrote to memory of 1536 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
PID 2508 wrote to memory of 1536 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
PID 2508 wrote to memory of 1536 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
PID 2508 wrote to memory of 2700 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2700 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2700 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2700 N/A C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2160 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
PID 1536 wrote to memory of 2160 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
PID 1536 wrote to memory of 2160 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
PID 1536 wrote to memory of 2160 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
PID 1536 wrote to memory of 2368 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2368 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2368 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2368 N/A C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 352 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
PID 2160 wrote to memory of 352 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
PID 2160 wrote to memory of 352 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
PID 2160 wrote to memory of 352 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
PID 2160 wrote to memory of 1664 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1664 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1664 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1664 N/A C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 352 wrote to memory of 1844 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
PID 352 wrote to memory of 1844 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
PID 352 wrote to memory of 1844 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
PID 352 wrote to memory of 1844 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
PID 352 wrote to memory of 2788 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 352 wrote to memory of 2788 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 352 wrote to memory of 2788 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 352 wrote to memory of 2788 N/A C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"

C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe

C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe

C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04985~1.EXE > nul

C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe

C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E40BD~1.EXE > nul

C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe

C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2C8D1~1.EXE > nul

C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe

C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{649B4~1.EXE > nul

C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe

C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3639F~1.EXE > nul

C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe

C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9172D~1.EXE > nul

C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe

C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A040C~1.EXE > nul

C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe

C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{860CC~1.EXE > nul

C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe

C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE9C~1.EXE > nul

C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe

C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26876~1.EXE > nul

Network

N/A

Files

C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe

MD5 4bdcaacb417d93a45e0de1c3dd03bb71
SHA1 e29146f85c2fd25beac4d18112faefae3bef6e09
SHA256 820d42182f964907afe576e37c197ad66bb2f50ab24cb735c7f01bbfe04e5861
SHA512 c70de25713ff407f9a794e0c082a2d2023c4dcc3bb226ab4de8b9b8b7e4c7ed215209740a7a6d5dfb676405c930ce62115e77bdf0306439e733877ef552ab3b5

C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe

MD5 5d3c182cbed4bc96523469d9a6d5b59d
SHA1 c32457f68bc6a257fa81de3fb6573c9ae07790a0
SHA256 1a47a527e4fa9361cb95174f5d13c0ea4b63301579912c45a907882474dfc2d9
SHA512 98eec11bb00ccf89bcc2271d7c30f5a4115632a21273dc6bbaa049f2fbe81d5a475e1b27ab7dbb07bf22ea0355d620bd8442e25c01785c599a76f35feddf41e8

C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe

MD5 6fe938b77a80e830b1ad1e08e640da74
SHA1 115dd4ce07a6ca0cfb2b7b8be0f037392880fecb
SHA256 43cf001817325a071a449ec74508fa4381ac1367b820bf8f4d21a0b4220ed401
SHA512 adddbb20dfa7d78e2f2d34542a555058c7e8a0b1d6f273e0435be15ba95a1d84aeaf1ffa8513dca2deb4158c7173470add010c4238dea33361f7cb17821dd0f5

C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe

MD5 59cb914f2c06052837070acf5ff38c23
SHA1 ee549b72a00eb9ce1934c111955153a118723666
SHA256 736a763175cc62fc014a4eb1b2b0d00da9458d09a1f414ad0f2204c171b0b502
SHA512 2b5fa1993a276af757698e8e7ff0e08c29e46045e1dfac46f53ecc8d5a7e21a55e0a6a8d9b64a4212c196edbc22142ae353d693b9810b000811bf5f200e66d24

C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe

MD5 e56ecf9f0f61dc3ba9e14144aede4296
SHA1 afe40211ea764cc945db026b6fadaaa702d6c8ca
SHA256 251c4e18fe00a9fcb2c88d3f65e2a58b68ae818419a666d9b661b75089ff170e
SHA512 e2049e25f1ce2e3686e17012f6e4107bf55ad8843218784a95deada507086dc663792ac012434c1bf51d55ea79d54a90e594eba24d5776fcd797ddf0e8dbe442

C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe

MD5 2e2f87d2cf2cdcfc67419428ca5de118
SHA1 880a164227821dc42316abad1f87abb25c9e859a
SHA256 01d66ee5a9f8249eea0e25f464e03daa0a7d90ada22febf464c7c5d5629c2da8
SHA512 2284adf003b0ca87fcf9114f5952f64acb0d92f57ba7ffd9865080e0db01eb43312cbdf1c874e3903bf26bc84ac1d8452998eadf28f068f207aa56113c3a7f16

C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe

MD5 026c6b7fd173bd872809a3b0f369b82e
SHA1 62a7f030f14dfc4eea2f3f10b1e4f0d29fd3cf8c
SHA256 368398404a7c94fbf48140322392181480a403ac1f9822501f4453ec4208be1a
SHA512 3ec6927ccb0d3d39e0f074834a901f18aed881c1b65f57d732a7fd0d64eecf4a94a196615d5c6223a30cc7a092ac6961a51967fcf72bf5507c18fb62040c10c7

C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe

MD5 de4e612c33f5cc7ce173afb1e9f42d3e
SHA1 b53bbd2700890d73e1357e8fa4d662108efab76a
SHA256 e2ce5ac8de893b8a6c1502a1dc1da43ddd3567ee66b957d0e982a5267a57dcfb
SHA512 f203e9499b73c8d4baf1a3ae07f045d51d7161607785df40f4b9eb2dc42f21785975a39e758f91b0f486000ee75bafae95963b01390fc720cbe8cb6328f66215

C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe

MD5 b2e66b0a0262df27c28f69839ed87f12
SHA1 0e747af242a7d087b83fcaca292c65ce88f0343e
SHA256 c8cb54409ef10a73243370293d9329b97dd67c7daf03c63c6386ffe50c741136
SHA512 48100724717dde4ad672919581b0f49a225616b704cbb7233e04f5e4deb46651c0a31159c6fe48f9b14d9f790c853bf595e4be5e6c436a2bcd37ab9ee47d6ea2

C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe

MD5 3c967a3462f3fc21f06b0dce61a8266d
SHA1 f10fdddedaca7322f84e012c566a0e019e06338e
SHA256 5a1adb6c46dd7bf69164fffba9f79bb0be1fef3bfce60381e67cea9a601dd974
SHA512 f0e787217da56675dddef871e7b806972c3419e64b77beaefbd10db7c3e271a6813ecd512c4b9857e6ba121fffb26fd7ec8c868e208949b4a5f27887049c2173

C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe

MD5 eae671b30987b1f2acb959844e4b021d
SHA1 c357992d44bdf7f7f0631d113656fc38c5f88c14
SHA256 f017fc9186ff847797eba4e4abbd276a548476805162c08302584f4ce175513a
SHA512 62bf5c4d9ae13e993aef9f86245f041b63c2078c9a3a362c63e701da0830e02452c468c6a689707a601c6fb367c6d1e8c25957f8cd905960d271da110afa1c61

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:46

Reported

2024-06-13 02:48

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46848500-0E00-4449-BDF7-A66C703A28F0} C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46848500-0E00-4449-BDF7-A66C703A28F0}\stubpath = "C:\\Windows\\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BAE1876-E743-415f-8237-B09D7EDACB1F} C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BAE1876-E743-415f-8237-B09D7EDACB1F}\stubpath = "C:\\Windows\\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe" C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56808A0A-68F6-47b8-9246-2767CF8C15F7}\stubpath = "C:\\Windows\\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe" C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E1456F-6660-496f-9657-416278A0ABCB} C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06BD1F7-41BB-492e-9606-6C40580821F6}\stubpath = "C:\\Windows\\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe" C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F22BC1-8921-4322-A9BD-D9731D705996} C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F22BC1-8921-4322-A9BD-D9731D705996}\stubpath = "C:\\Windows\\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe" C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}\stubpath = "C:\\Windows\\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe" C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE2271D-99BA-41a5-8CA8-522714A8D969} C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE2271D-99BA-41a5-8CA8-522714A8D969}\stubpath = "C:\\Windows\\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe" C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9} C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}\stubpath = "C:\\Windows\\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe" C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06BD1F7-41BB-492e-9606-6C40580821F6} C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476} C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}\stubpath = "C:\\Windows\\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe" C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}\stubpath = "C:\\Windows\\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe" C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5} C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E1456F-6660-496f-9657-416278A0ABCB}\stubpath = "C:\\Windows\\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe" C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCCAD1C-7D6E-482d-802A-F4376215EF34} C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}\stubpath = "C:\\Windows\\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe" C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481C70F3-8DBC-4a4d-B218-8944C058DEBA} C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56808A0A-68F6-47b8-9246-2767CF8C15F7} C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
File created C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe N/A
File created C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe N/A
File created C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe N/A
File created C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe N/A
File created C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe N/A
File created C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe N/A
File created C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe N/A
File created C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe N/A
File created C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe N/A
File created C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe N/A
File created C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe
PID 2960 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2316 N/A C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
PID 2832 wrote to memory of 5088 N/A C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1568 N/A C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe
PID 2316 wrote to memory of 4404 N/A C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 3476 N/A C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
PID 1568 wrote to memory of 456 N/A C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3368 N/A C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
PID 3476 wrote to memory of 1680 N/A C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 2352 N/A C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
PID 3368 wrote to memory of 2772 N/A C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4320 N/A C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
PID 2352 wrote to memory of 3408 N/A C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 2468 N/A C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
PID 4320 wrote to memory of 432 N/A C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 4464 N/A C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
PID 2468 wrote to memory of 4212 N/A C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 3420 N/A C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
PID 4464 wrote to memory of 4412 N/A C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 2320 N/A C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
PID 3420 wrote to memory of 4644 N/A C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"

C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe

C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe

C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46848~1.EXE > nul

C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe

C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53C0F~1.EXE > nul

C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe

C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E14~1.EXE > nul

C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe

C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAE1~1.EXE > nul

C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe

C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B06BD~1.EXE > nul

C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe

C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF9E~1.EXE > nul

C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe

C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4F22~1.EXE > nul

C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe

C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCCA~1.EXE > nul

C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe

C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{481C7~1.EXE > nul

C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe

C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3AB~1.EXE > nul

C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe

C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56808~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe

C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe

C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe

C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe

C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe

C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe

C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe

C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe

C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe

C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe

C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe

C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe