Malware Analysis Report

2025-08-10 21:44

Sample ID 240610-e8q3xacb5z
Target 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye
SHA256 217ad59471ba98885cc8a3b4f0a8bf890d0082026ba6e92db4ee83db29dc3f06
Tags persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 217ad59471ba98885cc8a3b4f0a8bf890d0082026ba6e92db4ee83db29dc3f06

Threat Level: Known bad

The file 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-10 04:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-10 04:36
Reported 2024-06-10 04:44
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}\stubpath = "C:\\Windows\\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe" C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}\stubpath = "C:\\Windows\\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe" C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1} C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}\stubpath = "C:\\Windows\\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe" C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6CA15-E29F-433f-A59E-3255A81E6483} C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6CA15-E29F-433f-A59E-3255A81E6483}\stubpath = "C:\\Windows\\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe" C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}\stubpath = "C:\\Windows\\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17765F30-865E-4280-81CA-1A2B9BFA3BCB} C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877} C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B} C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D082B3A-FBA5-4547-9657-F137337C4BB1} C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD5788E-F672-4914-A220-0F7D214265FB}\stubpath = "C:\\Windows\\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe" C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E} C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71861140-3D32-420f-BCDB-976D9D8786E2}\stubpath = "C:\\Windows\\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe" C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD5788E-F672-4914-A220-0F7D214265FB} C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAED625-28E8-4ed6-86D0-09B21354944B} C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAED625-28E8-4ed6-86D0-09B21354944B}\stubpath = "C:\\Windows\\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe" C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9} C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}\stubpath = "C:\\Windows\\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe" C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}\stubpath = "C:\\Windows\\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe" C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12} C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71861140-3D32-420f-BCDB-976D9D8786E2} C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D082B3A-FBA5-4547-9657-F137337C4BB1}\stubpath = "C:\\Windows\\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe" C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}\stubpath = "C:\\Windows\\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe" C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe N/A
File created C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe N/A
File created C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe N/A
File created C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe N/A
File created C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
File created C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe N/A
File created C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe N/A
File created C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe N/A
File created C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe N/A
File created C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe N/A
File created C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe N/A
File created C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
PID 2904 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
PID 2904 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
PID 2904 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 768 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
PID 2512 wrote to memory of 768 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
PID 2512 wrote to memory of 768 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
PID 2512 wrote to memory of 1548 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 1548 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 1548 N/A C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1020 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
PID 768 wrote to memory of 1020 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
PID 768 wrote to memory of 1020 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
PID 768 wrote to memory of 2324 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2324 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2324 N/A C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 3752 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
PID 1020 wrote to memory of 3752 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
PID 1020 wrote to memory of 3752 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
PID 1020 wrote to memory of 1544 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1544 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1544 N/A C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 4376 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
PID 3752 wrote to memory of 4376 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
PID 3752 wrote to memory of 4376 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
PID 3752 wrote to memory of 1968 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1968 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1968 N/A C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 4600 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
PID 4376 wrote to memory of 4600 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
PID 4376 wrote to memory of 4600 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
PID 4376 wrote to memory of 3784 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3784 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3784 N/A C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4804 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
PID 4600 wrote to memory of 4804 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
PID 4600 wrote to memory of 4804 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
PID 4600 wrote to memory of 3580 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3580 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3580 N/A C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4772 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
PID 4804 wrote to memory of 4772 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
PID 4804 wrote to memory of 4772 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
PID 4804 wrote to memory of 4540 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4540 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 4540 N/A C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 5040 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
PID 4772 wrote to memory of 5040 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
PID 4772 wrote to memory of 5040 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
PID 4772 wrote to memory of 628 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 628 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 628 N/A C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4856 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
PID 5040 wrote to memory of 4856 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
PID 5040 wrote to memory of 4856 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
PID 5040 wrote to memory of 2972 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 2972 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 2972 N/A C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 4944 N/A C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
PID 4856 wrote to memory of 4944 N/A C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
PID 4856 wrote to memory of 4944 N/A C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
PID 4856 wrote to memory of 1112 N/A C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"

C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe

C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe

C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C09~1.EXE > nul

C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe

C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{71861~1.EXE > nul

C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe

C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17765~1.EXE > nul

C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe

C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD57~1.EXE > nul

C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe

C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D082~1.EXE > nul

C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe

C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5FAED~1.EXE > nul

C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe

C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9C7~1.EXE > nul

C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe

C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{870D9~1.EXE > nul

C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe

C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8EFB6~1.EXE > nul

C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe

C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B280F~1.EXE > nul

C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe

C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C6C~1.EXE > nul

Network


Files

C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe


C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe


C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe


C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe


C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe


C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe


C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe


C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe


C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe


C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe


C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe


C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe


Analysis: behavioral1

Detonation Overview

Submitted 2024-06-10 04:36
Reported 2024-06-10 04:44
Platform win7-20231129-en
Max time kernel 144s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD} C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F} C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D} C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94291FE-B657-432c-8159-AAC33DDD501E} C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94291FE-B657-432c-8159-AAC33DDD501E}\stubpath = "C:\\Windows\\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe" C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE8E632-0485-406e-9849-E49210494B1E}\stubpath = "C:\\Windows\\{FAE8E632-0485-406e-9849-E49210494B1E}.exe" C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9} C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}\stubpath = "C:\\Windows\\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe" C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}\stubpath = "C:\\Windows\\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe" C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3} C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11B590A3-BB8F-4ede-8A4D-562822A67EE9} C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912} C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}\stubpath = "C:\\Windows\\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe" C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE8E632-0485-406e-9849-E49210494B1E} C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}\stubpath = "C:\\Windows\\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe" C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}\stubpath = "C:\\Windows\\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe" C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}\stubpath = "C:\\Windows\\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe" C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}\stubpath = "C:\\Windows\\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6338978F-BCAD-4d63-949C-8573ECCE4DA8} C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}\stubpath = "C:\\Windows\\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe" C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237ED862-B60B-46a2-A742-0FFE06B67861} C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237ED862-B60B-46a2-A742-0FFE06B67861}\stubpath = "C:\\Windows\\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe" C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe N/A
File created C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
File created C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe N/A
File created C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe N/A
File created C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe N/A
File created C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe N/A
File created C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe N/A
File created C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe N/A
File created C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe N/A
File created C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe N/A
File created C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe N/A
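
The two tables above together describe one persistence pattern: a process writes an Active Setup Installed Components StubPath pointing at a GUID-named executable placed directly in C:\Windows, and the same GUID shows up as a file-create in that directory. The following Python is an added example, not part of this sandbox report or its tooling: it runs that check over constructed Sysmon-style events (Event ID 13 for registry value set, Event ID 11 for file create; the field names mirror Sysmon's, the events are not from a real log) and correlates the two on the GUID. The first two sample events are built from the report's own indicator rows; the other two are benign controls that must not match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A braced GUID as it appears in the report's key and file names.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# HKLM Active Setup key, native or WOW6432Node view, ending in <GUID>\StubPath.
ACTIVE_SETUP_RE = re.compile(
    r"(?:\\REGISTRY\\MACHINE|HKLM)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Active Setup\\Installed Components\\"
    rf"(?P<guid>{GUID})\\StubPath",
    re.IGNORECASE,
)
# A GUID-named executable sitting directly in C:\Windows (not a subdirectory).
WINDOWS_GUID_EXE_RE = re.compile(rf"C:\\Windows\\(?P<guid>{GUID})\.exe", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int   # 13 = registry value set, 11 = file create (Sysmon numbering)
    image: str      # process that performed the action
    guid: str       # GUID taken from the key name or the file name
    detail: str     # StubPath value or created file path


def _clean(value: str) -> str:
    # The report prints registry strings quoted and with doubled backslashes;
    # Sysmon logs them plain. Accept both forms.
    return value.strip('"').replace("\\\\", "\\")


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if one event matches the Active Setup drop pattern."""
    if ev.get("EventID") == 13:
        key = ACTIVE_SETUP_RE.fullmatch(ev["TargetObject"])
        if not key:
            return None
        stub = _clean(ev["Details"])
        if not WINDOWS_GUID_EXE_RE.fullmatch(stub):
            return None
        return Finding(13, ev["Image"], key.group("guid"), stub)
    if ev.get("EventID") == 11:
        hit = WINDOWS_GUID_EXE_RE.fullmatch(ev["TargetFilename"])
        if hit:
            return Finding(11, ev["Image"], hit.group("guid"), ev["TargetFilename"])
    return None


def correlate(events: List[dict]) -> Tuple[List[Finding], List[str]]:
    """All findings, plus the GUIDs seen both as a StubPath target and as a dropped file."""
    findings = [f for f in map(check_event, events) if f is not None]
    seen = {}
    for f in findings:
        seen.setdefault(f.guid.upper(), set()).add(f.event_id)
    return findings, sorted(g for g, ids in seen.items() if ids == {11, 13})


# Constructed Sysmon-style events (assumed field names). The first two mirror
# rows from this report; the last two are benign controls: a stock-looking
# Active Setup component and an unrelated file write.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}\StubPath",
     "Details": r"C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe",
     "TargetFilename": r"C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
]

if __name__ == "__main__":
    hits, both = correlate(SAMPLE_EVENTS)
    for h in hits:
        print(f"event {h.event_id}: {h.image} -> {h.guid} ({h.detail})")
    print("GUIDs both dropped and registered:", both)
```

The StubPath regex deliberately accepts the WOW6432Node view, because the report shows the 32-bit sample writing under that redirected key; a rule keyed only on the native path would miss every row in the table above. Legitimate Active Setup entries normally point at a signed binary under System32 or Program Files with arguments, so a StubPath whose entire value is a GUID-named executable in the Windows root is a narrow, low-noise match.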

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
PID 1072 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
PID 1072 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
PID 1072 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
PID 1072 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2572 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
PID 1692 wrote to memory of 2572 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
PID 1692 wrote to memory of 2572 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
PID 1692 wrote to memory of 2572 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
PID 1692 wrote to memory of 2700 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2700 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2700 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2700 N/A C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2576 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
PID 2572 wrote to memory of 2576 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
PID 2572 wrote to memory of 2576 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
PID 2572 wrote to memory of 2576 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2520 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
PID 2576 wrote to memory of 2520 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
PID 2576 wrote to memory of 2520 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
PID 2576 wrote to memory of 2520 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
PID 2576 wrote to memory of 2912 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 952 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe
PID 2520 wrote to memory of 952 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe
PID 2520 wrote to memory of 952 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe
PID 2520 wrote to memory of 952 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe
PID 2520 wrote to memory of 1532 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1532 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1532 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1532 N/A C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 320 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
PID 952 wrote to memory of 320 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
PID 952 wrote to memory of 320 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
PID 952 wrote to memory of 320 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
PID 952 wrote to memory of 1928 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1928 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1928 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1928 N/A C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1536 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe
PID 320 wrote to memory of 1536 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe
PID 320 wrote to memory of 1536 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe
PID 320 wrote to memory of 1536 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe
PID 320 wrote to memory of 2680 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2680 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2680 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2680 N/A C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1452 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe
PID 1536 wrote to memory of 1452 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe
PID 1536 wrote to memory of 1452 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe
PID 1536 wrote to memory of 1452 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe
PID 1536 wrote to memory of 1480 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1480 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1480 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1480 N/A C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"

C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe

C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe

C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E75E~1.EXE > nul

C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe

C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F25~1.EXE > nul

C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe

C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{63389~1.EXE > nul

C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe

C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F87BF~1.EXE > nul

C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe

C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F9429~1.EXE > nul

C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe

C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F47~1.EXE > nul

C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe

C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{237ED~1.EXE > nul

C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe

C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE8E~1.EXE > nul

C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe

C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9C36F~1.EXE > nul

C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe

C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46BA0~1.EXE > nul
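
The process list above shows each stage launching the next GUID-named executable and then a cmd.exe that deletes its own predecessor by 8.3 short name, but the "File created" rows are not printed in execution order. The following Python is an added example, not part of the report: it rebuilds the stage order from the creator-to-dropped-file links, checks that every del command targets exactly the previous stage, and reports which file is still on disk at the end of the run. The input lists are copied from the tables above. The short-name mapping it assumes ({4E75E~1.EXE for {4E75E4BE-...}.exe, i.e. the first six characters of the stem plus ~1) is the normal Windows 8.3 convention and holds only when no other file in the same directory shares that prefix.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"

# (dropped file, creating process) pairs, copied from the
# "Drops file in Windows directory" table, in the order listed there.
FILE_CREATED = [
    (r"C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe", r"C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe"),
    (r"C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe", SAMPLE),
    (r"C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe", r"C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe"),
    (r"C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe", r"C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe"),
    (r"C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe", r"C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe"),
    (r"C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe", r"C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe"),
    (r"C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe", r"C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe"),
    (r"C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe", r"C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe"),
    (r"C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe", r"C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe"),
    (r"C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe", r"C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe"),
    (r"C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe", r"C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe"),
]

# The cmd.exe self-delete commands from the process list, in the order the
# stages appear there (stage 1 deletes the original sample, and so on).
DEL_COMMANDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4E75E~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F25~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{63389~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F87BF~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F9429~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F47~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{237ED~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE8E~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9C36F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{46BA0~1.EXE > nul",
]


def _split(path: str) -> Tuple[str, str]:
    """(directory lower-cased, file name upper-cased); Windows paths are case-insensitive."""
    d, _, n = path.rpartition("\\")
    return d.lower(), n.upper()


def short_name(path: str) -> str:
    """Assumed 8.3 form of the file name: first six characters of the stem, '~1', extension."""
    _, name = _split(path)
    stem, _, ext = name.rpartition(".")
    return f"{stem[:6]}~1.{ext}"


def chain(file_created: List[Tuple[str, str]], root: str) -> List[str]:
    """Order the stages by following creator -> dropped-file links from root."""
    next_of: Dict[str, str] = {creator: dropped for dropped, creator in file_created}
    order = [root]
    while order[-1] in next_of:
        order.append(next_of[order[-1]])
    return order


def deletions(del_commands: List[str]) -> List[str]:
    """Extract the path each 'cmd.exe /c del <path>' command removes."""
    return [re.search(r"/c del (\S+)", c).group(1) for c in del_commands]


def verify(order: List[str], deleted: List[str]) -> List[bool]:
    """Stage i+1's del command should target stage i, addressed by its 8.3 short name."""
    return [
        _split(target) == (_split(order[i])[0], short_name(order[i]))
        for i, target in enumerate(deleted)
    ]


def survivors(order: List[str], deleted: List[str]) -> List[str]:
    """Stages no del command removed: what is still on disk when the chain ends."""
    gone = {_split(t) for t in deleted}
    return [p for p in order if (_split(p)[0], short_name(p)) not in gone]


if __name__ == "__main__":
    order = chain(FILE_CREATED, SAMPLE)
    deleted = deletions(DEL_COMMANDS)
    for i, p in enumerate(order):
        print(i, p)
    print("every stage deletes its predecessor:", all(verify(order, deleted)))
    print("left on disk:", survivors(order, deleted))
```

Run against the report's rows this yields twelve stages (the sample plus eleven drops) and a single survivor, {11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe, which is the last process in the list above and the one whose stubpath the registry table shows being written by {46BA0AB5-...}.exe. That file and that Installed Components entry are the artifacts to hunt for on an infected host: Active Setup runs a StubPath at the next interactive logon of any user whose HKCU Installed Components key does not yet contain the same GUID, so the other ten StubPath values, which now point at deleted files, fail at logon but still mark the machine as having run this chain.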

Network

N/A

Files

C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe

MD5 2a08099eafaf0bbe3823a83c1832edf5
SHA1 dab3e972e7fd146afe18b16d4b0d77e634bd01bd
SHA256 7082473916159f7fac92ffbb31d520042ee369d8d06dddad8ff4412b7e1224d2
SHA512 9ae3c513c2970ee3cd147369c10f9afa6f45c96fbc7a81b3ffc5bc33261914ca32299556352187c7aea6d13049846d0c4b50122b9123bebb9327147a7ce60b8a

C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe

MD5 906dcd9f351d59f90e3e0c845ce8b4cc
SHA1 6e903394b6674d5d8abf0eada1b6ad21bbd31f81
SHA256 911a0a0e65b36365090d49fc0f5e2718557a8a382e8cf9788bce2ffc900c46d3
SHA512 af5b9bc3238c447df6101e27ba9429d71e41afbb9565e54c7757c5d0f48f18890bd64026f0db7b7099c948fdf886e588069fbb26c81c3dd2fb987eaea0bcfd20

C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe

MD5 8554308bed12145c16cb3dbc272887d8
SHA1 ff486d4aea1de99d79ab614ad1da3e8d6b094605
SHA256 807309d49a17d872ddccdcf0b117f5720ed4f0b5778982245937d1c04550b8ae
SHA512 e90dbb482836d734b993cca683abb68e3aafe38ec0f57db8225fa3c7d410bf973bcd7d64f47aab25bd6a0ae0898a5848f80e8ee628d73e7c1e97f766cf7ef44b

C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe

MD5 f2d228b795efe4cbb5871d2c81b620ec
SHA1 b6e07f7f4a38e749fa1f2a8fb7f9487095612705
SHA256 8ca3afdf5bf9bf5241f7e110e2f194e1ae7129e906460fde0c7b9a28733051db
SHA512 01c651ab81469cb2ead698ee88eaf5ae47e8d3bb2fbf1ddef92e54d78736cfa451931e7664ba5130063b94963dd85ce14e183bec51f8c33a85e116199212a88b

C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe

MD5 a25120adad0fbf02b217e74f315ff8fe
SHA1 f0ea5ad2888c4b4d5f6d6a121e148b5e6da388b1
SHA256 19bb956bf55904efc20c191ef7914ac7e52f17d69896432532eb0a92d1e9fc3b
SHA512 1dd4b046c2e55d269db88c8195c3de98bd4c8437bba623665ccc3ba40b19229f8c99fbc469f623d60a0f8cc68f24c0da526815b79403580dbf46b9f44de40acc

C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe

MD5 b0b36adedea9cd24c8cc204607b6bd25
SHA1 80ab7514685d107b8d2444010d91af05b8a88eb3
SHA256 b45b36bdc844dab6ac79d38ef1e5173f78dbd9e6c5e81a3ac9958fca530e71a1
SHA512 4d2a5b0bc6e1ce24bf011e3e1d3b784ef3517317574258ed8f2b90d9afa33ce7cac5420955d03e5a1ddae9b40b430301556098bc4794b02c94549a5ce381130b

C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe

MD5 2438c121fad1801bd2971fa4c01ccc3d
SHA1 d22d455b618f5a0130ac1780c260fb0a1c236235
SHA256 9780af70f2538843fba5d6f03b25eb1556f5b07337829c69504a004c4a2184e9
SHA512 bafb443a2b08cc665dd2a3351a934b65e4d4a656f7c5fdee67346032afdbe95946ea911a008a550f23ec9f0fde57a0359ad40fd264ef729c9cd33c6737580630

C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe

MD5 cca3c3f0993e2143a45d30020b85a103
SHA1 914617912e7dc70f67973d435319cd681281866d
SHA256 f131e4ab9f0b288d90c0a761c413728df6e5a3a9bc84f215c9f16ddeca0dbf01
SHA512 75e1b04aba611083706061d3093d5c764d5d02f9e19907acd15d66c337e0f6e59256203279208482df03af56b0f84f233cd4a3e0092ba21d01922bbbbb034f24

C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe

MD5 4ea4f34111352841d7189f82758b7518
SHA1 c7e647f598b9e4089aaa30f9ea4b19fbf74a9a3a
SHA256 5760270864fccb8a833a7ff759e99888e8ac1776698eca23990e94caf97659d5
SHA512 50856173bde070e928872e4676216e12adf44480ce71e99fd0bfc0bc4d0e2533cf608b7bd59ea972d66f93c612b961ef9fa7dd122050b4c4fdaabb1267560c31

C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe

MD5 40cb3e66b6ce3f9527f4644121c3b720
SHA1 aa1f54aeebd7f5073bc9ef58e4ddd1ef802e4f60
SHA256 8d55bad02b17f7aa7ec3cc0614a6f1ff67d97b561da974bc20478a3c425c4974
SHA512 e3a2f4761b62590e3f484efd1e19fb2c7e1991016dd5ee7118c7ae80571529d6d551188b09617c4010ac40e409b8d6c058446ceb0a090af18614ec0514c8f029

C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe

MD5 8594730746e040a31d48ef1afa462cc9
SHA1 2107fd8ddda8b42d7888606a7327109c04a54144
SHA256 97fdf06e38852d02360891e244b039855e9eaa48d69d8856abd661e194e84d0f
SHA512 a8d5e09af37c51efb664ee4fb369315672b3ccc3a97af2b5b35b1e536d021d621974a4ace77bfc30ff03e2deda276dbf4b240927b0f84b927a0cc073624b9e24