Malware Analysis Report

2025-01-18 13:51

Sample ID 240613-djgbqswarl
Target 2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye
SHA256 be4668006df8565ffaca0357c893aa37abb3944a05dc9e0a78a8fc2a92f6bb65
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

be4668006df8565ffaca0357c893aa37abb3944a05dc9e0a78a8fc2a92f6bb65

Threat Level: Known bad

The file 2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:02

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:02

Reported

2024-06-13 03:04

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{628CA689-CC90-448f-83D3-B7414AABAD0B}\stubpath = "C:\\Windows\\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe" C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1573C7FA-F78C-4f1e-8768-B3F1722561B7} C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7899518-DCCB-4c85-AD87-EE6E8278FB81} C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}\stubpath = "C:\\Windows\\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe" C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}\stubpath = "C:\\Windows\\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe" C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA844BE-E404-40c8-ACA4-471761615BBE} C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{628CA689-CC90-448f-83D3-B7414AABAD0B} C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}\stubpath = "C:\\Windows\\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe" C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31015644-E030-45e4-BE8E-BE772204E538} C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31015644-E030-45e4-BE8E-BE772204E538}\stubpath = "C:\\Windows\\{31015644-E030-45e4-BE8E-BE772204E538}.exe" C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A} C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA844BE-E404-40c8-ACA4-471761615BBE}\stubpath = "C:\\Windows\\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe" C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{568B1055-CF89-4c07-AACE-23D348D5E479} C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77} C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211} C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63173DD3-A043-4979-9D78-E028F52FA2E5}\stubpath = "C:\\Windows\\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe" C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}\stubpath = "C:\\Windows\\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe" C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3} C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}\stubpath = "C:\\Windows\\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{568B1055-CF89-4c07-AACE-23D348D5E479}\stubpath = "C:\\Windows\\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe" C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFA1471-9856-4ed4-BB02-81D88383EE8D} C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}\stubpath = "C:\\Windows\\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe" C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63173DD3-A043-4979-9D78-E028F52FA2E5} C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}\stubpath = "C:\\Windows\\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}.exe" C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe N/A
File created C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe N/A
File created C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe N/A
File created C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe N/A
File created C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe N/A
File created C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe N/A
File created C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe N/A
File created C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe N/A
File created C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe N/A
File created C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe N/A
File created C:\Windows\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}.exe C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe N/A
File created C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe
PID 208 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe
PID 208 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe
PID 208 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 380 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe
PID 4572 wrote to memory of 380 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe
PID 4572 wrote to memory of 380 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe
PID 4572 wrote to memory of 5008 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 5008 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 5008 N/A C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3556 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe
PID 380 wrote to memory of 3556 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe
PID 380 wrote to memory of 3556 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe
PID 380 wrote to memory of 3652 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3652 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3652 N/A C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 3024 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe
PID 3556 wrote to memory of 3024 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe
PID 3556 wrote to memory of 3024 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe
PID 3556 wrote to memory of 3916 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 3916 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 3916 N/A C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 4792 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe
PID 3024 wrote to memory of 4792 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe
PID 3024 wrote to memory of 4792 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4288 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe
PID 4792 wrote to memory of 4288 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe
PID 4792 wrote to memory of 4288 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 1860 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe
PID 4288 wrote to memory of 1860 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe
PID 4288 wrote to memory of 1860 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe
PID 4288 wrote to memory of 964 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 964 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 964 N/A C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1856 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe
PID 1860 wrote to memory of 1856 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe
PID 1860 wrote to memory of 1856 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe
PID 1860 wrote to memory of 392 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 392 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 392 N/A C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2064 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe
PID 1856 wrote to memory of 2064 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe
PID 1856 wrote to memory of 2064 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe
PID 1856 wrote to memory of 1208 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1208 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1208 N/A C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4352 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe
PID 2064 wrote to memory of 4352 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe
PID 2064 wrote to memory of 4352 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe
PID 2064 wrote to memory of 2628 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2628 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2628 N/A C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 2852 N/A C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe
PID 4352 wrote to memory of 2852 N/A C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe
PID 4352 wrote to memory of 2852 N/A C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe
PID 4352 wrote to memory of 1808 N/A C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe"

C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe

C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe

C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD4F~1.EXE > nul

C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe

C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA84~1.EXE > nul

C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe

C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{628CA~1.EXE > nul

C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe

C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1573C~1.EXE > nul

C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe

C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31015~1.EXE > nul

C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe

C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{568B1~1.EXE > nul

C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe

C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4EFA1~1.EXE > nul

C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe

C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{63173~1.EXE > nul

C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe

C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E4EF~1.EXE > nul

C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe

C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A7899~1.EXE > nul

C:\Windows\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}.exe

C:\Windows\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C9EF~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\{9BD4FF55-399B-40b9-922E-F1A6A34B0D0A}.exe

MD5 c3e4cd3a98fedbce4b137d8c61a340e9
SHA1 49b0dfd78387f69d819915c03393a50967b0451a
SHA256 befaa21709cb8178114e01f177f5603c91790771c04a400de4a0552053e8277f
SHA512 3a86716ab780446162f428fc1dd14cf5cd67c3e5b064d5dbf4c5944ec5b828052586b2d8bb10c3ba923ef0463b30a3499b6d915477af737facf1079b41f7e915

C:\Windows\{DFA844BE-E404-40c8-ACA4-471761615BBE}.exe

MD5 d7c37531e6d354102a6c02b0b3cc426b
SHA1 d305b6ae208ded5a8b3021515f648b4d9caf2b80
SHA256 956bfb2d95d884f45f79d15f5892b3236acf71d0b7ec50183721e194a6f55346
SHA512 056197117223e6d260faa476e4f701509523affa769e31b442c539876c15eddfd5ed0e9deaaaee6b0de809d64502dd5d2a9956d67cc99d0a2683260b98b8c08a

C:\Windows\{628CA689-CC90-448f-83D3-B7414AABAD0B}.exe

MD5 eea3e89d2b6afa41a4d7f71a9e00d99c
SHA1 51ccf437e4bb08230ddc21e467ae6476fa321585
SHA256 40041684112ed3dda81196d08fd6c8f3d910c0ac08be366e37ff7bfe450f3351
SHA512 5c0fb69cac2a294d1637b4871cccd0af3bbdfcef37ed230a6e23cb58191d2cd907ba9c35c9e3606bebd163ef538e6e29c3a22e6cd9f660f3f1570f2d2cabad1d

C:\Windows\{1573C7FA-F78C-4f1e-8768-B3F1722561B7}.exe

MD5 e84873160be697875f352a82a4d8b275
SHA1 24f2e83470406eeeb2acfc920687443690e9a1af
SHA256 c13a7b6526f90f814fc4e67d8aa79e30ae480ffc603352377316dd3e48cb2023
SHA512 5ba4feb8affacab3abd67d95b9fd09bc32ae423a3d153fd71e42418ae03917f6c2a6a8fa30e953a7a3f5a8f1061c2328dbea06752c82c3d98da116de189c8fd6

C:\Windows\{31015644-E030-45e4-BE8E-BE772204E538}.exe

MD5 c6b24235cb41e5bb32db197b9c2f7c99
SHA1 8da9eb0081f1de4a8331aa114788cb1878b00712
SHA256 f9fb9137561271d55a951337faf079b60776c20dd569b2c8aa87b1501ad0765d
SHA512 445fcb3168067f478e9c9d03778c139961a920ddfff1154853cfceb78bd06d1842f652011d836da457ca01c27eb57f4faee8c44e2a3342fa185b1b540130fcc2

C:\Windows\{568B1055-CF89-4c07-AACE-23D348D5E479}.exe

MD5 cee35a362ffee8933ccd39f77a63c4c2
SHA1 4440ca21946d6587d3061dac645064b1fbe7cba2
SHA256 756ffa87119c70627001ed2d1bd1b16f79113bcc24676b7c44c3c018cf854565
SHA512 d838a10a3843d95ee58011e1091316c366fcbd570e99117df008c8e01e84f4be1eed0a839e806a6623315edb83c900926071468cf39b90bd126c9d13b39876e9

C:\Windows\{4EFA1471-9856-4ed4-BB02-81D88383EE8D}.exe

MD5 5fe3091c52aec97f0b5b63576ede7fd2
SHA1 f0a50a78a449efc17f80d7df5129c49f4b1c4428
SHA256 0d168d60fd6a4817bf93442bda74531cd40fac4d627c56369d40f05afaaeb94f
SHA512 48cb8462c5f8a89876595c3d852f758d0193c77e8632b2af93696730e6f8673b9c8e6ca8a905bc5ad7f9a9bc234d54df6043d4fa8126d4c477613077687ec4c3

C:\Windows\{63173DD3-A043-4979-9D78-E028F52FA2E5}.exe

MD5 c53965db35f14292fd0d6c4754c843ab
SHA1 cc6623136da41f91152fdd8839e18bd6935b1d78
SHA256 c171790a57ba714f917a1691a2751ba2e4938ab1d7c0950af7adfef1581ee147
SHA512 e59524214fe46a92a345c67a129bb59bdcd1a5131dfe7b00679824354b11bb3311a5540b2f2b070a99b786606685f5239b25e8c896a062158e2aad0c9d242ebf

C:\Windows\{4E4EF8AB-A394-4d4e-9AF4-ED0A460F2E77}.exe

MD5 13db847aa1d7e91e191cf2647a16d6d1
SHA1 ca07b79d9a52979273d0965ab3a57997aaef6c9a
SHA256 c83893160f759f68cd2aedee155a9f48caad915df06322c01cb41d64116da325
SHA512 62e6275de20583d9a4fdb1afb190f8c8547423c6a369422ec19d45f0289f32a99d061385c24994ae1b3a614a487d48886d665c860e842b31de99e7000e2f1002

C:\Windows\{A7899518-DCCB-4c85-AD87-EE6E8278FB81}.exe

MD5 088cd0f5392af6db48f8de12c28c6eb2
SHA1 4aa15906842ae3809bcab4819f81844436eb36a0
SHA256 55fa12f7a6777995e18f940aa3df69a88ff6a66ab9ebd5d7ee72674f9179953a
SHA512 6413540821b37d68201e15bb53c178d865099b1485cd115c8643350fb23dfdcd408847729cb08ba0ecf6d32af6abc4083ad66fc45949a0119fe3b48f781976d9

C:\Windows\{5C9EFF1F-CC57-4d0e-9D9F-250A4A8F11C3}.exe

MD5 6f86b77ef26d267b0c9224edcdba5654
SHA1 63941b3562747992f02ffe7c74ed330076712704
SHA256 e62c207dea502abe39fcbbee3c6fb7718f6fbc153fd8995a548b86f4eed4ad0a
SHA512 f0ed37f484ace6a3898f073930c27399ef3f8e862046d038ac92141d134db449884f0848f053250864f4ef46c483e92040ed429a581612401297e66543659f17

C:\Windows\{2A3B892D-CD44-4b65-BF3B-8F7BA5497211}.exe

MD5 008ff386c292783e6c9dc7bdb4c19ec2
SHA1 8e9d6e2b1d80f3d7f7c5ea7c9af9ee65ea997969
SHA256 938c212a27a18f33bf10abdcd8a2f94a92abf9074cd81b79585863f71ab7fbc0
SHA512 3e55b63fcf501b77a0759e38c822036896ed693c9b4afff4201a2e9ab6460362f3ee9eb99d12df10e0160a17b32954fa1a36c2eb78f5b51bd6969d46aa33ec9c

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:02

Reported

2024-06-13 03:04

Platform

win7-20240419-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1128C0BB-8342-470e-BBBC-AFB033ED5229} C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}\stubpath = "C:\\Windows\\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe" C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4470A3E8-65D9-455f-879D-31F4196DB91E}\stubpath = "C:\\Windows\\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D} C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7} C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26} C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4470A3E8-65D9-455f-879D-31F4196DB91E} C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C5B1313-83EF-484b-83BA-14348167C68B} C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}\stubpath = "C:\\Windows\\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe" C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1128C0BB-8342-470e-BBBC-AFB033ED5229}\stubpath = "C:\\Windows\\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe" C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}\stubpath = "C:\\Windows\\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe" C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AE66F0-0BF4-4022-9F66-94B7070DE00E} C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E714727A-2982-4ae4-86BC-FC053852EF8A} C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C5B1313-83EF-484b-83BA-14348167C68B}\stubpath = "C:\\Windows\\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe" C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0193B062-FD41-4fa9-A774-E5AFF0D41A80} C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}\stubpath = "C:\\Windows\\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe" C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E714727A-2982-4ae4-86BC-FC053852EF8A}\stubpath = "C:\\Windows\\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe" C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE} C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79BED50E-D700-48cb-86FA-B074367F767D} C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79BED50E-D700-48cb-86FA-B074367F767D}\stubpath = "C:\\Windows\\{79BED50E-D700-48cb-86FA-B074367F767D}.exe" C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}\stubpath = "C:\\Windows\\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe" C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}\stubpath = "C:\\Windows\\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe" C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe N/A
File created C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe N/A
File created C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
File created C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe N/A
File created C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe N/A
File created C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe N/A
File created C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe N/A
File created C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe N/A
File created C:\Windows\{79BED50E-D700-48cb-86FA-B074367F767D}.exe C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe N/A
File created C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe N/A
File created C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe
PID 2428 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2656 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe
PID 1728 wrote to memory of 2656 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe
PID 1728 wrote to memory of 2656 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe
PID 1728 wrote to memory of 2656 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe
PID 1728 wrote to memory of 2740 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2740 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2740 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2740 N/A C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2760 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe
PID 2656 wrote to memory of 2760 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe
PID 2656 wrote to memory of 2760 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe
PID 2656 wrote to memory of 2760 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe
PID 2656 wrote to memory of 2736 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2736 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2736 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2736 N/A C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2580 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe
PID 2760 wrote to memory of 2580 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe
PID 2760 wrote to memory of 2580 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe
PID 2760 wrote to memory of 2580 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe
PID 2760 wrote to memory of 1704 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1704 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1704 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1704 N/A C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2484 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe
PID 2580 wrote to memory of 2484 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe
PID 2580 wrote to memory of 2484 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe
PID 2580 wrote to memory of 2484 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe
PID 2580 wrote to memory of 2496 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2496 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2496 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2496 N/A C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2220 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe
PID 2484 wrote to memory of 2220 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe
PID 2484 wrote to memory of 2220 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe
PID 2484 wrote to memory of 2220 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe
PID 2484 wrote to memory of 1864 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1864 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1864 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1864 N/A C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2400 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe
PID 2220 wrote to memory of 2400 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe
PID 2220 wrote to memory of 2400 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe
PID 2220 wrote to memory of 2400 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe
PID 2220 wrote to memory of 1968 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1968 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1968 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1968 N/A C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1052 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe
PID 2400 wrote to memory of 1052 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe
PID 2400 wrote to memory of 1052 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe
PID 2400 wrote to memory of 1052 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe
PID 2400 wrote to memory of 2204 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2204 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2204 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2204 N/A C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fd59f458ffdbd6fd780cf66d4043aebb_goldeneye.exe"

C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe

C:\Windows\{4470A3E8-65D9-455f-879D-31F4196DB91E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe

C:\Windows\{0C5B1313-83EF-484b-83BA-14348167C68B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4470A~1.EXE > nul

C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe

C:\Windows\{0193B062-FD41-4fa9-A774-E5AFF0D41A80}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5B1~1.EXE > nul

C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe

C:\Windows\{63A108BA-3DAB-4d62-AE26-66B7D73A0EE7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0193B~1.EXE > nul

C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe

C:\Windows\{6B79612B-1DB9-4070-8D1B-C85FCA73B53D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{63A10~1.EXE > nul

C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe

C:\Windows\{1128C0BB-8342-470e-BBBC-AFB033ED5229}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6B796~1.EXE > nul

C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe

C:\Windows\{F56BD96D-3B56-4d2b-B0D6-A542B9A00F26}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1128C~1.EXE > nul

C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe

C:\Windows\{55AE66F0-0BF4-4022-9F66-94B7070DE00E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F56BD~1.EXE > nul

C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe

C:\Windows\{E714727A-2982-4ae4-86BC-FC053852EF8A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55AE6~1.EXE > nul

C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe

C:\Windows\{B7DDC141-0E8E-4c93-8B68-7CB6DB0BBBAE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7147~1.EXE > nul

C:\Windows\{79BED50E-D700-48cb-86FA-B074367F767D}.exe

C:\Windows\{79BED50E-D700-48cb-86FA-B074367F767D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B7DDC~1.EXE > nul

Network

N/A

Files