Malware Analysis Report

2025-01-18 13:20

Sample ID: 240613-dhw1sssbqg
Target: 2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye
SHA256: ec7b4a1ae9f2de1893e9cbaa281bfb9a235c28496eb4736d95ec1511c0f608f5
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: ec7b4a1ae9f2de1893e9cbaa281bfb9a235c28496eb4736d95ec1511c0f608f5
Threat Level: Known bad

The file 2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 03:01

Signatures

Auto-generated rule

1 hit; no description, indicator, process or target recorded.

Unsigned PE

1 hit; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 03:01
Reported: 2024-06-13 03:03
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe"

Signatures

Auto-generated rule

11 hits; no description, indicator, process or target recorded.

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6} | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FBD1418-2156-403b-A878-7AD6DFB656DF}\stubpath = "C:\\Windows\\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe" | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}\stubpath = "C:\\Windows\\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}\stubpath = "C:\\Windows\\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe" | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}\stubpath = "C:\\Windows\\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe" | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FBD1418-2156-403b-A878-7AD6DFB656DF} | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}\stubpath = "C:\\Windows\\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe" | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8} | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}\stubpath = "C:\\Windows\\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe" | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85AF6275-389E-4792-B89F-953D9B0BFC9B}\stubpath = "C:\\Windows\\{85AF6275-389E-4792-B89F-953D9B0BFC9B}.exe" | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6} | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0} | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}\stubpath = "C:\\Windows\\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe" | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90BFC7A-B066-4740-B2F9-2973B32D5690} | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}\stubpath = "C:\\Windows\\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe" | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}\stubpath = "C:\\Windows\\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe" | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA175B0F-906C-477c-AB1D-CF2F6B05310C} | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF} | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4} | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85AF6275-389E-4792-B89F-953D9B0BFC9B} | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90BFC7A-B066-4740-B2F9-2973B32D5690}\stubpath = "C:\\Windows\\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe" | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
File created | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | N/A
File created | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | N/A
File created | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | N/A
File created | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | N/A
File created | C:\Windows\{85AF6275-389E-4792-B89F-953D9B0BFC9B}.exe | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | N/A
File created | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | N/A
File created | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | N/A
File created | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | N/A
File created | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | N/A
File created | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 2124 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe
PID 1924 wrote to memory of 2508 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2568 (4 events) | N/A | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe
PID 2124 wrote to memory of 2684 (4 events) | N/A | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2452 (4 events) | N/A | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe
PID 2568 wrote to memory of 2440 (4 events) | N/A | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2136 (4 events) | N/A | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe
PID 2452 wrote to memory of 1648 (4 events) | N/A | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2724 (4 events) | N/A | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe
PID 2136 wrote to memory of 2760 (4 events) | N/A | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2316 (4 events) | N/A | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe
PID 2724 wrote to memory of 2204 (4 events) | N/A | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1088 (4 events) | N/A | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe
PID 2316 wrote to memory of 1784 (4 events) | N/A | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2348 (4 events) | N/A | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe
PID 1088 wrote to memory of 544 (4 events) | N/A | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe"
C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe | C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe | C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6305D~1.EXE > nul
C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe | C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8D6~1.EXE > nul
C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe | C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B90BF~1.EXE > nul
C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe | C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A5D19~1.EXE > nul
C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe | C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC1C5~1.EXE > nul
C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe | C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BA175~1.EXE > nul
C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe | C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F4B31~1.EXE > nul
C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe | C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBD1~1.EXE > nul
C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe | C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2E58F~1.EXE > nul
C:\Windows\{85AF6275-389E-4792-B89F-953D9B0BFC9B}.exe | C:\Windows\{85AF6275-389E-4792-B89F-953D9B0BFC9B}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{03A5A~1.EXE > nul

Network

N/A

Files

C:\Windows\{6305DFDE-1FAF-46c6-BBAC-EEC7AEAECF7C}.exe
C:\Windows\{0E8D6BFC-4469-41e9-AB37-6499075FF8F0}.exe
C:\Windows\{B90BFC7A-B066-4740-B2F9-2973B32D5690}.exe
C:\Windows\{A5D1997A-BAA7-4646-BE29-418A71E7A8B6}.exe
C:\Windows\{CC1C5D55-22C0-4376-9BC3-F01E11C725D6}.exe
C:\Windows\{BA175B0F-906C-477c-AB1D-CF2F6B05310C}.exe
C:\Windows\{F4B310DB-49A5-4a5d-81E4-CB5A4D890BAF}.exe
C:\Windows\{4FBD1418-2156-403b-A878-7AD6DFB656DF}.exe
C:\Windows\{2E58FAB6-45E2-4edf-978C-47843B0AC6E4}.exe
C:\Windows\{03A5A3EE-6390-4e3a-BCC3-0283AE1846B8}.exe
C:\Windows\{85AF6275-389E-4792-B89F-953D9B0BFC9B}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 03:01
Reported: 2024-06-13 03:03
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe"

Signatures

Auto-generated rule

12 hits; no description, indicator, process or target recorded.

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85460FA-55DC-4007-94C7-9808C0D6EDB8} | C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD1C45A-AF16-4db2-A431-823B91C1449F}\stubpath = "C:\\Windows\\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CE3972-6704-4097-A264-8BDA0ED5B185}\stubpath = "C:\\Windows\\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe" | C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD82C94-7B1B-492f-860B-BD629934DEBC}\stubpath = "C:\\Windows\\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe" | C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A} | C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}\stubpath = "C:\\Windows\\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe" | C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}\stubpath = "C:\\Windows\\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe" | C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD82C94-7B1B-492f-860B-BD629934DEBC} | C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BE32A06-EDFE-4f86-A307-933629691955}\stubpath = "C:\\Windows\\{4BE32A06-EDFE-4f86-A307-933629691955}.exe" | C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11FB74B-D30B-49ff-B358-8F3D75D29E16} | C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}\stubpath = "C:\\Windows\\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe" | C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD} | C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}\stubpath = "C:\\Windows\\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe" | C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD1C45A-AF16-4db2-A431-823B91C1449F} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CE3972-6704-4097-A264-8BDA0ED5B185} | C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867} | C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E686DDA-DE15-405d-8753-B43A95286220}\stubpath = "C:\\Windows\\{2E686DDA-DE15-405d-8753-B43A95286220}.exe" | C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}\stubpath = "C:\\Windows\\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe" | C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA5624B4-F9F8-482d-8C29-184DD4184A5F} | C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BE32A06-EDFE-4f86-A307-933629691955} | C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}\stubpath = "C:\\Windows\\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe" | C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC} | C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}\stubpath = "C:\\Windows\\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe" | C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E686DDA-DE15-405d-8753-B43A95286220} | C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe | N/A
File created | C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe | C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe | N/A
File created | C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe | C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe | N/A
File created | C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe | C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe | N/A
File created | C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe | C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe | N/A
File created | C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe | C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe | N/A
File created | C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe | C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe | N/A
File created | C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe | C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe | N/A
File created | C:\Windows\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe | C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe | N/A
File created | C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe | C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe | N/A
File created | C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe | C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe | N/A
File created | C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe | C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe
PID 3032 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe
PID 3032 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe
PID 3032 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2324 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe
PID 968 wrote to memory of 2324 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe
PID 968 wrote to memory of 2324 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe
PID 968 wrote to memory of 2020 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2020 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2020 N/A C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 4488 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe
PID 2324 wrote to memory of 4488 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe
PID 2324 wrote to memory of 4488 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe
PID 2324 wrote to memory of 4636 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 4636 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 4636 N/A C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4128 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe
PID 4488 wrote to memory of 4128 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe
PID 4488 wrote to memory of 4128 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe
PID 4488 wrote to memory of 4744 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4744 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4744 N/A C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 4832 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe
PID 4128 wrote to memory of 4832 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe
PID 4128 wrote to memory of 4832 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe
PID 4128 wrote to memory of 1012 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 1012 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 1012 N/A C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1800 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe
PID 4832 wrote to memory of 1800 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe
PID 4832 wrote to memory of 1800 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe
PID 4832 wrote to memory of 932 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 932 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 932 N/A C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 368 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe
PID 1800 wrote to memory of 368 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe
PID 1800 wrote to memory of 368 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe
PID 1800 wrote to memory of 2476 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2476 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2476 N/A C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1604 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe
PID 368 wrote to memory of 1604 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe
PID 368 wrote to memory of 1604 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe
PID 368 wrote to memory of 1380 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1380 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1380 N/A C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 5104 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe
PID 1604 wrote to memory of 5104 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe
PID 1604 wrote to memory of 5104 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe
PID 1604 wrote to memory of 884 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 884 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 884 N/A C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 2788 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe
PID 5104 wrote to memory of 2788 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe
PID 5104 wrote to memory of 2788 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe
PID 5104 wrote to memory of 3660 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3660 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 3660 N/A C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 700 N/A C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe
PID 2788 wrote to memory of 700 N/A C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe
PID 2788 wrote to memory of 700 N/A C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe
PID 2788 wrote to memory of 4064 N/A C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe"

C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe

C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe

C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD1C~1.EXE > nul

C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe

C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53CE3~1.EXE > nul

C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe

C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD82~1.EXE > nul

C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe

C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE32~1.EXE > nul

C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe

C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B11FB~1.EXE > nul

C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe

C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15BE4~1.EXE > nul

C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe

C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B6F4~1.EXE > nul

C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe

C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BA9E5~1.EXE > nul

C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe

C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FBB~1.EXE > nul

C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe

C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E686~1.EXE > nul

C:\Windows\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe

C:\Windows\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8546~1.EXE > nul
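
The process list and the file-drop table together describe one loop: each stage writes the next GUID-named executable into C:\Windows, starts it, and then spawns cmd.exe to delete its own image. The deletion names the file by its 8.3 alias ({DBD1C~1.EXE, 2024-0~1.EXE), so command-line telemetry searched for the full GUID file name will not match the delete. The script below is an added example, not part of the report or of the sample: it rebuilds the drop chain from the "File created" rows, resolves each del target back to a full path by computing the alias, and checks that every dropper removed itself, which leaves only the last stage on disk. All rows are copied from the tables above; nothing else is assumed about the sample.

```python
"""Rebuild the dropper chain and check the self-deletion step from report rows.

Added example; it is not part of the report or of the sample. The rows
below are copied from the "Drops file in Windows directory" table and from
the cmd.exe command lines in the Processes list above.
"""
import re

FILE_CREATED_ROWS = r"""
File created C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_ee45b7191d0d62b1370d393e842ca361_goldeneye.exe N/A
File created C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe N/A
File created C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe N/A
File created C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe N/A
File created C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe N/A
File created C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe N/A
File created C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe N/A
File created C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe N/A
File created C:\Windows\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe N/A
File created C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe N/A
File created C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe N/A
File created C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe N/A
"""

CMD_LINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD1C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{53CE3~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD82~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE32~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B11FB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{15BE4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{2B6F4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{BA9E5~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FBB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E686~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{C8546~1.EXE > nul
"""


def short_name_83(path: str) -> str:
    """Approximate the 8.3 alias Windows gives a long file name: the first six
    characters of the stem, "~1", and the extension, all upper-cased. Real
    aliases can end in ~2, ~3 ... or switch to a hash form after collisions,
    so on a live host read them with `dir /x` rather than computing them."""
    base = path.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    stem = stem.replace(" ", "").replace(".", "")
    return f"{stem[:6]}~1{'.' + ext if ext else ''}".upper()


def build_chain(rows: str) -> list[str]:
    """Order the drops parent -> child, starting from the one creator that was
    never itself created (the submitted sample)."""
    drops, created = {}, set()
    for child, parent in re.findall(r"^File created (\S+) (\S+)", rows, re.M):
        drops[parent.lower()] = (parent, child)
        created.add(child.lower())
    roots = [p for p in drops if p not in created]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root dropper, got {roots}")
    chain = [drops[roots[0]][0]]
    while chain[-1].lower() in drops and len(chain) <= len(drops):  # cycle guard
        chain.append(drops[chain[-1].lower()][1])
    return chain


def resolve_deletions(chain: list[str], cmd_lines: str) -> list[str]:
    """Map each `cmd.exe /c del <8.3 name>` to the full path in the chain."""
    aliases = {short_name_83(p): p for p in chain}
    deleted = []
    for target in re.findall(r"cmd\.exe /c del (\S+) > nul", cmd_lines):
        folder, _, name = target.rpartition("\\")
        full = aliases.get(name.upper())
        if full is None or full.rpartition("\\")[0].lower() != folder.lower():
            raise ValueError(f"del target {target} does not resolve to a chain member")
        deleted.append(full)
    return deleted


def verify_self_deletion(chain: list[str], deleted: list[str]):
    """Every stage that dropped a successor should have removed its own image;
    returns (droppers that did, droppers that did not, files left on disk)."""
    gone = {p.lower() for p in deleted}
    droppers = chain[:-1]
    cleaned = [p for p in droppers if p.lower() in gone]
    missed = [p for p in droppers if p.lower() not in gone]
    left = [p for p in chain if p.lower() not in gone]
    return cleaned, missed, left


if __name__ == "__main__":
    chain = build_chain(FILE_CREATED_ROWS)
    cleaned, missed, left = verify_self_deletion(chain, resolve_deletions(chain, CMD_LINES))
    for i, p in enumerate(chain):
        print(f"stage {i:2d}: {p}  ({'still on disk' if p in left else 'deleted'})")
    print(f"{len(cleaned)} droppers removed themselves, {len(missed)} did not")
```

Two things to carry into a hunt: the file that survives is the newest GUID-named executable in C:\Windows, not the one the sample dropped first, and a rule for the cleanup step should key on cmd.exe /c del with a ~1.EXE alias under C:\Windows rather than on a full GUID file name. The alias computation is only an approximation of what NTFS assigns; where a del target fails to resolve, check the real alias on the image instead of assuming the rule is wrong.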

Network

Files

C:\Windows\{DBD1C45A-AF16-4db2-A431-823B91C1449F}.exe

MD5 e251a2e188cf4a89a265fd47ca07ef8c
SHA1 9d66de970c235b9bf54f93ea6cc87d6d20ae738c
SHA256 f043bb97d37660fe1e9275fa5225c670309bb755ab3c640e90b762894f3da530
SHA512 e2c4f9ac78c1a40ef323350efaa875b5fe72bd91d41271da664031590dc8270700702a5b0ad434d06fe02e89899bee6ca3c2c239c4a6ba52ecc97e62f8ed7f09

C:\Windows\{53CE3972-6704-4097-A264-8BDA0ED5B185}.exe

MD5 62035f4e045a86fe1d11d33c0339842d
SHA1 3a4dc06a18279a65cfb200e83dc44aac2215e13d
SHA256 37ea1c7c35163e25baddbb67ada45a98cbfaf2a5b17773e2db8d9ee198a58e2d
SHA512 e7a3322a38c24fceb6187eef69a60c4ce1385d183fa02c455689206a4d96ede94043736b88fc6eccb6d52c818b05c773331f487208705bc6234ea76347ccb799

C:\Windows\{1AD82C94-7B1B-492f-860B-BD629934DEBC}.exe

MD5 b51f3bcc389831fe2bda31f9dfddf3c4
SHA1 21684c72703ea969f930dba5a21d01d659811670
SHA256 474d5b0048f32c5e38940299ca1aea62e4781b62bd7b53eacbf06964b3d84b66
SHA512 56c6102756fcdb3ab32297b679afa28d11847e2e2c017ded55ccdb69c77ea78521f123625b5729ba2fdd54fe1fc8f24448dcf384b9f7415234b5c8c55300e058

C:\Windows\{4BE32A06-EDFE-4f86-A307-933629691955}.exe

MD5 889b21b9b44ab798ae9ebb82fb35ff50
SHA1 83e743d94f5eccb797b41d92df0f68cfdc364326
SHA256 bacbe7856a71d7b0c9bca16bb5bb0fc7c78db7584abbbc87097b7d53f4ccc2cc
SHA512 c75c037bdfeab8c2da3b73d4e482a6db503e39159d4a6b360f9092de1c697e22de7172a53d65833e6e01b2fad54ecda60200bc1a7e31144136c3f66e00207b18

C:\Windows\{B11FB74B-D30B-49ff-B358-8F3D75D29E16}.exe

MD5 0ec098b147a6e36e1db8f553c8fc209b
SHA1 2c89241630d592b13522a85d331c021fe924348b
SHA256 0e19af2a689dd8b8e82f34245541fa6bcab244bb52e157a50b52bba03355ea97
SHA512 df4865a399f947066ca0751d127c5dc7053e66b7fcb83a2d61df96264bf3056b1f65622ce4768ee1e7acc205bf8ac1be0f6e87778a83e8c7916a7e575ee6dbb8

C:\Windows\{15BE43EA-7D0B-48a5-A38B-EF804634D7BC}.exe

MD5 087544091ab8388f601b3ed4e057c1da
SHA1 7824c38f3349038461d97b9b101ed342df7c71a0
SHA256 c9241cbea3d8e7f3e04544821bb923ed9de90150bd89897b876fd5f7cf775a71
SHA512 3cd9e59ae4c1fbca16832d0f90e1fdd8c62e93a2375929d8e1b52f7a703569cd29cd3ddb4e8401cb17236150dcb52a7bc512543304b676647a1c1f7789608ff2

C:\Windows\{2B6F4C4C-D6E9-4182-8B1A-71F1617CDF7A}.exe

MD5 15a4d65d891f65bbbfd9de661c066551
SHA1 9363a928cb048d2dbedea384350a5afda6019111
SHA256 fbd7d754c1ebeac1a4d6adcd3d76598b12f435c917ee9ffa677b1f24f7663ca6
SHA512 44855135c38c503356e1b87197bb0ecf6d3a0a7fd8df66b962636a99519c019a49d81e057ea60793dc79c794072142b7fe1da106c1d81dc3b6e87f32a892ebf3

C:\Windows\{BA9E58A7-D2A7-4cce-931C-F713F68A6CFD}.exe

MD5 e0ab4b3679c904fa25250e2b4d6fc770
SHA1 8799a4dd01f32ed25587c63d99270e6860cff0ba
SHA256 313453cc65c77e124a92f7472fe1f41b1fc18ebf962a7190d9179ecd9296af0d
SHA512 eb06cc392b8deb7edc54549489c051023446646ee4e816cb0dc541fb432a8e2b2d429b48829959e0090952f2a9866424afa74803d7fa80a886101fc9d16c30b8

C:\Windows\{D7FBBA46-CF4E-463b-B0E9-0D5CDEC1A867}.exe

MD5 ee3f6d1a6aa0bb205d032d0739d975fc
SHA1 b71e2e12a72a8dfc2aef5d3fbdde5d250f1a88d8
SHA256 6dccd0607d492aaf302e53d20dc8e5249f52e70ee9f6516447c54f4bd438cac8
SHA512 53cbaa3b6a5439549e74faf6e61465ee0c7cff60d44a549b1a24b5fdd1174146e0c41160843e65477d7c3f79c6e1d494732cdc9946dcd42293c08a0904e03d8e

C:\Windows\{2E686DDA-DE15-405d-8753-B43A95286220}.exe

MD5 04754879906c789818b883d76dc3390e
SHA1 dd57936eadd00b9fb944566e2b7b0e6e5fcaef92
SHA256 51beb13b583ce155de7b4726ed5e1f60ee60aeae3b569e084bb71e3bdfccf51a
SHA512 d4072b9e315fce2802fc1435bbcf56cb3ac723cd829af9439c4e0512aef55e3e7094b7ac84bcf453ffc1d4d73635f8c4521169fb1cea9f9fcedd2c3f7e542f8e

C:\Windows\{C85460FA-55DC-4007-94C7-9808C0D6EDB8}.exe

MD5 66a2175774f3a2e847482e5afee8c3af
SHA1 f5df3c83b1f6c7e54a555da911fcd7808108bac0
SHA256 df446c2099f2055942197c4839487b9c944ec1605003d5e50f2d1bf2291d148b
SHA512 f12abe8da36d8cbb03792df7ea6efb417452776e9ed8e5e8c463de6b74f420fa507f25ca21410e3c7c57eb3b47a9cb8dd2e6594c9548b630501ec9aea8fc962c

C:\Windows\{BA5624B4-F9F8-482d-8C29-184DD4184A5F}.exe

MD5 c48a5dc6065a42242960932d4696eec6
SHA1 0498f875f31ba5b435c647097fa7c25f96527f36
SHA256 dfa43687a318091086b53c312d790b21c79d65e03ddae21c4c441d127ca05196
SHA512 eb1da4f16c2b2ea0b2c0b8b7469239f2d9a11293a120b59f2ea70295d72f8b4e7969492a5f1284e2a80d407b8742258e3f62ce9d93c08194de11ec0d707b42a4