Malware Analysis Report

2025-04-14 03:26

Sample ID: 240612-sh2zdazbkh
Target: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye
SHA256: d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25
Tags: persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25

Threat Level: Known bad

The file 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 15:08

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 15:08
Reported: 2024-06-12 15:10
Platform: win7-20240220-en
Max time kernel: 144s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D720150-FD29-4b00-B773-6E26D31A25C3}\stubpath = "C:\\Windows\\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe" C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9} C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}\stubpath = "C:\\Windows\\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe" C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9658269-6E39-414c-970C-71E76E12B82E} C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A957A1E-5F98-4be2-B6AE-5FC556041B95} C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2D836C-C713-4b5e-9A38-7DED43D9101B} C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}\stubpath = "C:\\Windows\\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe" C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2473B04F-11E1-48bf-960C-45B02D17463B} C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9658269-6E39-414c-970C-71E76E12B82E}\stubpath = "C:\\Windows\\{E9658269-6E39-414c-970C-71E76E12B82E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E8A389-E4D3-420f-BD5A-875CD7746411} C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D720150-FD29-4b00-B773-6E26D31A25C3} C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}\stubpath = "C:\\Windows\\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe" C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}\stubpath = "C:\\Windows\\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe" C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9594D5AC-CF0F-474f-B59E-3020576EBFE2} C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}\stubpath = "C:\\Windows\\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe" C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D0866C-FABF-4898-95AF-350E7079D445} C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D0866C-FABF-4898-95AF-350E7079D445}\stubpath = "C:\\Windows\\{90D0866C-FABF-4898-95AF-350E7079D445}.exe" C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E8A389-E4D3-420f-BD5A-875CD7746411}\stubpath = "C:\\Windows\\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe" C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7664B354-13C0-44cd-9959-285B55A67C8D} C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7664B354-13C0-44cd-9959-285B55A67C8D}\stubpath = "C:\\Windows\\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe" C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49} C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2473B04F-11E1-48bf-960C-45B02D17463B}\stubpath = "C:\\Windows\\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe" C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe N/A
File created C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe N/A
File created C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe N/A
File created C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe N/A
File created C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe N/A
File created C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe N/A
File created C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe N/A
File created C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
File created C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe N/A
File created C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe N/A
File created C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
PID 2040 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
PID 2040 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
PID 2040 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
PID 2040 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2504 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
PID 2464 wrote to memory of 2504 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
PID 2464 wrote to memory of 2504 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
PID 2464 wrote to memory of 2504 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
PID 2464 wrote to memory of 2676 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2676 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2676 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2676 N/A C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2732 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
PID 2504 wrote to memory of 2732 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
PID 2504 wrote to memory of 2732 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
PID 2504 wrote to memory of 2732 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
PID 2504 wrote to memory of 2484 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2484 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2484 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2484 N/A C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 556 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
PID 2732 wrote to memory of 556 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
PID 2732 wrote to memory of 556 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
PID 2732 wrote to memory of 556 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
PID 2732 wrote to memory of 2636 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2636 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2636 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2636 N/A C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 2780 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
PID 556 wrote to memory of 2780 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
PID 556 wrote to memory of 2780 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
PID 556 wrote to memory of 2780 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
PID 556 wrote to memory of 1940 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1940 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1940 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1940 N/A C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1768 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
PID 2780 wrote to memory of 1768 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
PID 2780 wrote to memory of 1768 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
PID 2780 wrote to memory of 1768 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
PID 2780 wrote to memory of 1960 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1960 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1960 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1960 N/A C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2264 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
PID 1768 wrote to memory of 2264 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
PID 1768 wrote to memory of 2264 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
PID 1768 wrote to memory of 2264 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
PID 1768 wrote to memory of 292 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 292 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 292 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 292 N/A C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2784 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
PID 2264 wrote to memory of 2784 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
PID 2264 wrote to memory of 2784 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
PID 2264 wrote to memory of 2784 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
PID 2264 wrote to memory of 1612 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1612 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1612 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1612 N/A C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"

C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
  C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
  C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{E9658~1.EXE > nul

C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
  C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{90D08~1.EXE > nul

C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
  C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul

C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
  C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{1D720~1.EXE > nul

C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
  C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{0A957~1.EXE > nul

C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
  C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{444CE~1.EXE > nul

C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
  C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{7664B~1.EXE > nul

C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
  C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{2F2D8~1.EXE > nul

C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
  C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB74~1.EXE > nul

C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
  C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{2473B~1.EXE > nul

Network

N/A

Files

C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe

MD5 d61c1b340ca864c5f43da8f67b0938ce
SHA1 6ad44309c8f8ffcbc271c4e29d58a223bfd576b4
SHA256 e688377351db23c5c1134aa1d3bc2b4650ec0f50ed479f00dcc1a106c8cdb3b2
SHA512 202f95ab9e9d3869aab34d62f0b1adcde513afc2b8b63dd54fc36ab22111b46acfccf3e699da3de7063df34344966d2971e365bc8cf3c13f88878c600eaa3b00

C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe

MD5 7976da946ff1f539e73b7957b3c6b41f
SHA1 a283d5a43bd277e37d1cd9e686115b00529bb5a5
SHA256 ef914edc10f11258cc44c29c658461cd67d98888c09a2f9e5b8ccb6277fa5b90
SHA512 ecb3ab658126e38200697c23b7acf0491f85aa14b53b2467b6e68bcd86e859a24904298bc6968076ee9ee896d5897c342f36b20c60294b5a5fea2a3d8cc1198e

C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe

MD5 b36c72743b9a151376da8694be4f061a
SHA1 77ba3b5b625034cc00ea6f64579336007d381c3a
SHA256 7ce5156531d1afa2f30df1e5c85072b981ff4a97127caff1c0c2ede437514e38
SHA512 7811b539502af77e302ea8f59e240fd021b54a4b13c9a23f7ababc850bc03d1ae77b5663a134ee1d82e718fcf15a609a57724a1f961f80be8c83984f12e3b5ed

C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe

MD5 8c7cfa29a508d0bb026d676231bad248
SHA1 c397c32b5b623af89df6985b75ffefdb4bd6f8ff
SHA256 4d36a874237eacd91c1b168c1afe029f03cebb54a29bcb4358f3caec83b8fa79
SHA512 ba8b8bf1b0d72e4176b25350060bfca18d3588f8042aa69fc10c4525e107a7e7a529c0e7fc972cd48608e4c5924078930466cfc37a5f346c9decb941bcb35b09

C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe

MD5 4bdc70ad8185003ad786ffdce909cae6
SHA1 38bcc654f794f4991623f3f78eedd838dadbe658
SHA256 135ae1d3872b936039938536ed1df404529e4720eef2ca26f627db444c1c22aa
SHA512 e48e36cb930d68722053c4ee1827b72c5621d870f00cf03f8ab16729fcd8d090767a19a8179bfd8717bb806df7d5828671ced4bc1d0c5677ea5110fda22d554f

C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe

MD5 d947157fc1656fccd3599184302b2076
SHA1 3c6853394f9c206241a232b752b956ff62338527
SHA256 fc8b25969dc26a682c56b793e57a1615fe6db333a144333e6a978ad159c12197
SHA512 86ab712a19fd4c07ae016549572d3c1a38c225a200a01a31ac750edffea649676f67752746ef91e47f957af0775e7cc9a34c473e5025e3538d9ee63878b35987

C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe

MD5 a0ae086f0fcaea46dc0e772802d2f36e
SHA1 ff0ce6c09a818f6a4b5ebf06c10b9b8739de7092
SHA256 3d3c8acc253c7ce7dfb74a237124c61eb8686d7c0de9ad2557acf4c873cd7a72
SHA512 442579a8e4870b873f0f4b3ff9d8d2a018b26c8b07a56828355401f42515c04d878f7ddb887a27346699bc2357932b72a5a0d99d48212ec026a48c561e20b048

C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe

MD5 2a214477a7cbeaabd959ad4e4126b17f
SHA1 627c9bb0d0182cb9bd85967adad7db982cf94323
SHA256 b3a124e61a262af3ad4a104abe0ea0fbcca8813dad4452c137aaf85c353a5708
SHA512 70eb77772750e477affa956794596d14c49a9b58e4309cfc0e8562fbe1566a27754b8257f4efa5cd3e9db5abb72676951df864aa627d1f14d878addfe8cdcf68

C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe

MD5 49049346af258627d01ae70b91a16541
SHA1 5bbe7e9f7c6c4dec34c211dcb76bc7a19cb64d67
SHA256 976d634c7aa3948acda98ebc7d466e904108d2ae5019f58164edcc85014e172f
SHA512 b1b7c24cb5f3a734ff8235b50683beb8d16f040be72eabaa10f613b98df08632c81cbd9a1d7b499229be92eb622fa0298da0ff1662aa2801edbabd93c921e264

C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe

MD5 c05bc2524c7bc91ce26959fa288bd798
SHA1 45c1fc45d6307bed9ce13d12ceab8133fda0cda0
SHA256 6563db7ad3c3a4f037038951396999dcc2d0071f382c141c0d6d159ba3b5ef17
SHA512 2a65945b356d22d05d19773d002f7c30cac9ca7c75de8f102bb4a8ef09dcb022c4cb2f5e6fb4329c715d36b68e19764b9d09b93390959058fe194380842e716e

C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe

MD5 f9a76c0d53e94f95efd3536b2f13fb87
SHA1 b65c9ab2e3b9723dbd7f1b312dc31e4b3f78b965
SHA256 ceecd74d6328ddbfe3eb27b63f913b88c6cbc2ae491a73b5c438f2ce9cc93f5d
SHA512 e1676ebb910daf9e9bac90a47ae3cd1b462a2da6ce5a96e4f9086d6ead863f06edbfb383632dbceee8e876bb2b983f6ee4bb637b124e1fad05d03abd40d50869

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 15:08
Reported: 2024-06-12 15:11
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764A7453-7E3D-4118-9362-B820E09F31D0}\stubpath = "C:\\Windows\\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe" C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7} C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3A01C3-35FB-4895-B380-BE75925C9A81} C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6062F3B3-C015-43be-992C-64699251F174}\stubpath = "C:\\Windows\\{6062F3B3-C015-43be-992C-64699251F174}.exe" C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B} C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0} C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764A7453-7E3D-4118-9362-B820E09F31D0} C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}\stubpath = "C:\\Windows\\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe" C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3A01C3-35FB-4895-B380-BE75925C9A81}\stubpath = "C:\\Windows\\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe" C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC210350-E339-49bd-B050-A142E5950595}\stubpath = "C:\\Windows\\{AC210350-E339-49bd-B050-A142E5950595}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}\stubpath = "C:\\Windows\\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe" C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3496395F-CA8B-435a-9524-70995A6FE94C} C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC210350-E339-49bd-B050-A142E5950595} C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6062F3B3-C015-43be-992C-64699251F174} C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1} C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A167D6F-3850-4c96-9765-BBD0608B61B6}\stubpath = "C:\\Windows\\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe" C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}\stubpath = "C:\\Windows\\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe" C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3496395F-CA8B-435a-9524-70995A6FE94C}\stubpath = "C:\\Windows\\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe" C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}\stubpath = "C:\\Windows\\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe" C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F63595F-6305-4aba-83DC-2A2F219295D6} C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59} C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}\stubpath = "C:\\Windows\\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe" C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A167D6F-3850-4c96-9765-BBD0608B61B6} C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F63595F-6305-4aba-83DC-2A2F219295D6}\stubpath = "C:\\Windows\\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe" C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe N/A
File created C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe N/A
File created C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe N/A
File created C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe N/A
File created C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe N/A
File created C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe N/A
File created C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe N/A
File created C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
File created C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe N/A
File created C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe N/A
File created C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe N/A
File created C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
PID 4180 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
PID 4180 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
PID 4180 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 2160 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
PID 400 wrote to memory of 2160 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
PID 400 wrote to memory of 2160 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
PID 400 wrote to memory of 4884 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4884 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4884 N/A C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 316 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
PID 2160 wrote to memory of 316 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
PID 2160 wrote to memory of 316 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
PID 2160 wrote to memory of 2404 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2404 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2404 N/A C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 3872 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
PID 316 wrote to memory of 3872 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
PID 316 wrote to memory of 3872 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
PID 316 wrote to memory of 4372 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 4372 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 4372 N/A C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 1852 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
PID 3872 wrote to memory of 1852 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
PID 3872 wrote to memory of 1852 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
PID 3872 wrote to memory of 5004 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5004 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5004 N/A C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 936 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
PID 1852 wrote to memory of 936 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
PID 1852 wrote to memory of 936 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
PID 1852 wrote to memory of 2668 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2668 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2668 N/A C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4912 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
PID 936 wrote to memory of 4912 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
PID 936 wrote to memory of 4912 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
PID 936 wrote to memory of 4008 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4008 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4008 N/A C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 1992 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
PID 4912 wrote to memory of 1992 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
PID 4912 wrote to memory of 1992 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
PID 4912 wrote to memory of 852 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 852 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 852 N/A C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 632 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
PID 1992 wrote to memory of 632 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
PID 1992 wrote to memory of 632 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
PID 1992 wrote to memory of 3876 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 3876 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 3876 N/A C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 1948 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
PID 632 wrote to memory of 1948 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
PID 632 wrote to memory of 1948 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
PID 632 wrote to memory of 4128 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 4128 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 4128 N/A C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 1480 N/A C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
PID 1948 wrote to memory of 1480 N/A C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
PID 1948 wrote to memory of 1480 N/A C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
PID 1948 wrote to memory of 3496 N/A C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"

C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe

C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe

C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC210~1.EXE > nul

C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe

C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6062F~1.EXE > nul

C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe

C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2818~1.EXE > nul

C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe

C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A167~1.EXE > nul

C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe

C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FEC~1.EXE > nul

C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe

C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB61~1.EXE > nul

C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe

C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34963~1.EXE > nul

C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe

C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{764A7~1.EXE > nul

C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe

C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9627D~1.EXE > nul

C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe

C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3A0~1.EXE > nul

C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe

C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8B4~1.EXE > nul

Network

Files
