Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-c73dfavgll
Target 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye
SHA256 08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818

Threat Level: Known bad

The file 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:43

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:43

Reported 2024-06-13 02:46

Platform win7-20240508-en

Max time kernel 144s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9109E-9B90-4003-B786-1E272E72BE91}\stubpath = "C:\\Windows\\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe" C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2997367-45EE-4a6d-800A-06E97D37E978}\stubpath = "C:\\Windows\\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe" C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B} C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93DD83C-028B-4ca1-BB61-2A3507D47695} C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93DD83C-028B-4ca1-BB61-2A3507D47695}\stubpath = "C:\\Windows\\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe" C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32100AD-63B7-4759-A591-0FD33F67C60F} C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89685C1C-617C-4cfa-8A26-9812EBC61243}\stubpath = "C:\\Windows\\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe" C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9109E-9B90-4003-B786-1E272E72BE91} C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}\stubpath = "C:\\Windows\\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2997367-45EE-4a6d-800A-06E97D37E978} C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A369E39A-89B5-455b-B7D6-782D83E63C99} C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A369E39A-89B5-455b-B7D6-782D83E63C99}\stubpath = "C:\\Windows\\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe" C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A} C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85796DE0-F775-40fb-B4A8-48D33281E574} C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85796DE0-F775-40fb-B4A8-48D33281E574}\stubpath = "C:\\Windows\\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe" C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE} C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659} C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}\stubpath = "C:\\Windows\\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe" C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}\stubpath = "C:\\Windows\\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe" C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}\stubpath = "C:\\Windows\\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe" C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32100AD-63B7-4759-A591-0FD33F67C60F}\stubpath = "C:\\Windows\\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe" C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89685C1C-617C-4cfa-8A26-9812EBC61243} C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe N/A
File created C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe N/A
File created C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
File created C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe N/A
File created C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe N/A
File created C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe N/A
File created C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe N/A
File created C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe N/A
File created C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe N/A
File created C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe N/A
File created C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
PID 2224 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
PID 2224 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
PID 2224 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
PID 2224 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2672 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
PID 2700 wrote to memory of 2672 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
PID 2700 wrote to memory of 2672 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
PID 2700 wrote to memory of 2672 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2200 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
PID 2724 wrote to memory of 2200 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
PID 2724 wrote to memory of 2200 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
PID 2724 wrote to memory of 2200 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
PID 2724 wrote to memory of 2588 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2588 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2588 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2588 N/A C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
PID 2200 wrote to memory of 2556 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2556 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2556 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2556 N/A C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1644 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
PID 2864 wrote to memory of 1644 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
PID 2864 wrote to memory of 1644 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
PID 2864 wrote to memory of 1644 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
PID 2864 wrote to memory of 776 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 776 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 776 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 776 N/A C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2404 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
PID 1644 wrote to memory of 2404 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
PID 1644 wrote to memory of 2404 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
PID 1644 wrote to memory of 2404 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
PID 1644 wrote to memory of 2504 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2504 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2504 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2504 N/A C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 700 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
PID 2404 wrote to memory of 700 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
PID 2404 wrote to memory of 700 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
PID 2404 wrote to memory of 700 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
PID 2404 wrote to memory of 1156 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1156 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1156 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1156 N/A C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"

C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe

C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe

C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF603~1.EXE > nul

C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe

C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2997~1.EXE > nul

C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe

C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9776C~1.EXE > nul

C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe

C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A369E~1.EXE > nul

C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe

C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED447~1.EXE > nul

C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe

C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F9F5~1.EXE > nul

C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe

C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F3210~1.EXE > nul

C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe

C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D93DD~1.EXE > nul

C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe

C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85796~1.EXE > nul

C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe

C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{89685~1.EXE > nul

Network

N/A

Files

C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe

MD5 b9ca2756661f6ee51a0ff13b10912f8e
SHA1 b080d8acabbdb86b7546fb63f840b6ccc7fe2374
SHA256 e8643dabb769720ff888aee633972dd8a7cb6a92ce479c642231211d3ce8971d
SHA512 381fb4880b47cacca9b7eef8a0d811b9ed987936e086747421d9b15770507881526600519ff88ff47546c71a89b1a20cd0dd374dc0bb56824ca94b9a622a567a

C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe

MD5 8817d652f8f96852526e324ad6178adf
SHA1 a3b41c32fe867d0b017bb12936672e95ba1256bb
SHA256 bd5270320f98f53058b984a8fa208ae9a4ef4cfb5ca6e05af6f9b48bf0a203a8
SHA512 a468f970c8930fbbde6a2928f38a7b8239505e40510699cd3335ff44f2b1c2e9301603e7959259cde125e69d570b1b0c23b8bddcf0421bf636aec4a6040ae44f

C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe

MD5 d7b16169956ee57994ffbf793d32ca91
SHA1 2569af9facb0cd606aca13d649ab33d4bd8be7db
SHA256 bd3189154e86c37f126f961d87bf6eed1d9523c3a41be9cd3f7fa1671975a00f
SHA512 a097b2516e2845f0b772fbc36ac36474e5b39f9efc4c22aeab881b3467d1b2bf062deca3c4fc3e6b46a7e5f54d25ba4fed218ddd820cdd4e43f8fb69a568b4ce

C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe

MD5 32b7df794f0fe3cdf5dcdd9de14e1c6a
SHA1 e498c2892a3969072ca598bc945bbc48cf105ac5
SHA256 d245c83887f56522c72f3249c64f411c37019c8a9902956e350e7196cd2ed7cd
SHA512 2588f3484a4ac885cbb0b9e05e55e46e3079a66e6549e73c5f22c757e6470fd47ff27cfca30645f18c4e4dbb99c487bb7416415e9370b6e896ba4105918359e6

C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe

MD5 efc762434d5b3ac247388d623ed5ba9b
SHA1 bfffea59aa30090bbedb73d8394e2a493ab84289
SHA256 f0bf41cc6fd2f45358d9ffcec7693b0abeca36474e31ba1e3118bdc19c9929ad
SHA512 16ffd095cafd3a0b84042589c2a7328b2de85d6ade79d392b98d6893e350079ee4f3493716b2efef48e9004b55f0c04227cc5d52a18b3c0ade406186a8c4cd41

C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe

MD5 8e034af0a745e8cdc638fb0ddb74c4bb
SHA1 7d567dc3bfb5440d574bcce83792e49c25dcbe4d
SHA256 492cec2a3e50d990ee5d12cd74cd3d0d639802f8a9654df9a691ec7b916cac56
SHA512 cecf6c2fc91174abce6e13905803feafa5d5cedd279c3f652c19d4393a8a736fd3ef58a3ab7d44901f332572ed08f1e6034ffa6c05360151a731cf3963d38b1c

C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe

MD5 eac995c40d5ab3580b820e74a4973e1d
SHA1 e6639b314b31ef907e682afa9e086e20be3bed8d
SHA256 1a4e5ee6f88b5e6d673c10042e2cec32005a120c4c2d7703aa0a817decc26664
SHA512 f00d815894a26ca68353810b99bc81112428f0eea6ec090765dc343fd429d73ac672a9eb903244fbdf737e524b398d0e36305094e94571f22222317bfb5a84a3

C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe

MD5 135bbb2a4f2d2ab744a638c8180f4893
SHA1 49f5be33fc2fb2f5775a8e7dca8d7ddebffd590c
SHA256 641cd230089fc7cf178a16c2f4cdbdcaa8fce3ce108a6e98e24b7ba1f6330019
SHA512 3f377f49bab00dafda4c9f3574c5120e1741735c57bbaab0492373a57eb400b422725852456eedac02cd7d2dc4c0a425902d405d9c67588c66186d401ce590f4

C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe

MD5 025aa65efc04ebe37fec855cf756e6ea
SHA1 5042789341e747242db862e83d4f3bbedda536c7
SHA256 01c057eb3019b575d3e5eb7e48840c1d34db77844fa8db13a8d0e9c76b96a680
SHA512 2571e92126c040e266f0829ea2c65b013f3df6421503ae4d3f33b05f6d2c90cb8083a20ed1c1889dff199f5b3ed0e76ff01f25256db6ad45edb51ddf6e542850

C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe

MD5 eda735b0f6eb1678fc12249e6ad5d801
SHA1 e074d8d1e7e2d05a9d3dab1693cddee780157e09
SHA256 f8583f18197a65b7500841d452ac60bdd86d86b8bb3bd26b16051fd533fac95f
SHA512 dacc68909226826196ce6836a46a4d3d8831ba13924f393a3abe64abadbc29e49ec63c5641bb8c8458a3d59a5c151c7c48f85f17625327e63c6c9d2cb2bfa90d

C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe

MD5 18162b7e22a31f7c8a000390a2567fb8
SHA1 0f8fb50b57dece84a5ed8d77c1f0d275a5137666
SHA256 f7ced574ac1014f7eedd1a319a5f4c1f7d1bc29b1977a56905cf76bc9218757a
SHA512 eaec5756b66ed3d8222a87e78339ddb87ff01ac2b7613748088e7cbb9cfad77d75b0d233316e41efda291816196c931dde603d8ecfdd99e18da3f720ee69da8c

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 02:43

Reported 2024-06-13 02:46

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DDA32-A32C-48f1-B396-F10578B85F88} C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53} C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}\stubpath = "C:\\Windows\\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe" C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EE1678-47DB-4127-B95E-B3C0C59ED000} C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A} C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}\stubpath = "C:\\Windows\\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe" C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A} C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7} C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}\stubpath = "C:\\Windows\\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe" C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5727686-89AE-41a2-994D-5C5DE0A6DF51} C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}\stubpath = "C:\\Windows\\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe" C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}\stubpath = "C:\\Windows\\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe" C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59} C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA} C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}\stubpath = "C:\\Windows\\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{563096DA-A26F-43c1-8D39-1A21628BD1CC} C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{563096DA-A26F-43c1-8D39-1A21628BD1CC}\stubpath = "C:\\Windows\\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe" C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}\stubpath = "C:\\Windows\\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe" C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}\stubpath = "C:\\Windows\\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe" C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}\stubpath = "C:\\Windows\\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe" C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1968C11-8F5D-4b34-9BDF-9296CE594F97} C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}\stubpath = "C:\\Windows\\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe" C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD} C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DDA32-A32C-48f1-B396-F10578B85F88}\stubpath = "C:\\Windows\\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe" C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe N/A
File created C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe N/A
File created C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
File created C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe N/A
File created C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe N/A
File created C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe N/A
File created C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe N/A
File created C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe N/A
File created C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe N/A
File created C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe N/A
File created C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
PID 3700 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
PID 3700 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
PID 3700 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4152 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
PID 1504 wrote to memory of 4152 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
PID 1504 wrote to memory of 4152 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
PID 1504 wrote to memory of 1384 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1384 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1384 N/A C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 1124 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
PID 4152 wrote to memory of 1124 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
PID 4152 wrote to memory of 1124 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
PID 4152 wrote to memory of 2964 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2964 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2964 N/A C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 4680 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
PID 1124 wrote to memory of 4680 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
PID 1124 wrote to memory of 4680 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
PID 1124 wrote to memory of 2744 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 2744 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 2744 N/A C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4520 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
PID 4680 wrote to memory of 4520 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
PID 4680 wrote to memory of 4520 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
PID 4680 wrote to memory of 4620 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4620 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4620 N/A C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 228 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
PID 4520 wrote to memory of 228 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
PID 4520 wrote to memory of 228 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
PID 4520 wrote to memory of 3116 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3116 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3116 N/A C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3424 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
PID 228 wrote to memory of 3424 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
PID 228 wrote to memory of 3424 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
PID 228 wrote to memory of 3444 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3444 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3444 N/A C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 3680 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
PID 3424 wrote to memory of 3680 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
PID 3424 wrote to memory of 3680 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
PID 3424 wrote to memory of 396 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 396 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 396 N/A C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 4412 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
PID 3680 wrote to memory of 4412 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
PID 3680 wrote to memory of 4412 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
PID 3680 wrote to memory of 1912 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 1912 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 1912 N/A C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 3380 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
PID 4412 wrote to memory of 3380 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
PID 4412 wrote to memory of 3380 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
PID 4412 wrote to memory of 4424 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 4424 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 4424 N/A C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 5008 N/A C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
PID 4744 wrote to memory of 5008 N/A C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
PID 4744 wrote to memory of 5008 N/A C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
PID 4744 wrote to memory of 2616 N/A C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"

C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe

C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe

C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2860B~1.EXE > nul

C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe

C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{43AA1~1.EXE > nul

C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe

C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56309~1.EXE > nul

C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe

C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{934F6~1.EXE > nul

C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe

C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4AC6~1.EXE > nul

C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe

C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31C8E~1.EXE > nul

C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe

C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DD~1.EXE > nul

C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe

C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D42~1.EXE > nul

C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe

C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1968~1.EXE > nul

C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe

C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB76~1.EXE > nul

C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe

C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EE1~1.EXE > nul

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe

MD5 fb3df0518d8a18c1af948f8f89649ca0
SHA1 8c60a1fcc96eb0d8fdee6fb91f8c804a8b76ded0
SHA256 96da6fa87153eb42d7d69c2e9efd738ebe530b383590a616cfb152c0fde59fa4
SHA512 6e4d6a5789aa2422a7c0faceaef7a4dcb9434615defb82a6a44a2a8e795f7b6748bd040dc51a7d76608caf9e14324bd350a8c6767cca105baf77b6f0072def29

C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe

MD5 7ae5641a859503f68e53b8214d59e167
SHA1 662035c52b43214a48b18c87ce333086d290ac0b
SHA256 8efa056dd48560133ee96e0eba15ad3f3d6e203fce7803eecd3de6e7b83268f2
SHA512 368212d6d6b3b680457becce7ee8f6922141192121d99bbb2e7c72dad14f142e164468e1940c1fdfb8840222acfddabf8c418f1fe1dca3b665ddc5c0d6ad876f

C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe

MD5 9920f034e1716ac3e57b936e26175dfa
SHA1 0d23da044db24e3c457d2f6fb6f3bb3464443f66
SHA256 17b592db16327d4060aef985a6b813da0231c6de8b9411fbea3453b5743e481f
SHA512 e4cd7d34f8789588dab78be95848b99d5cff971bfb4ad963996b15c89c20f2c3076af5d4b7af56fde95f43bc5cb319396c764f762183f8146f5900617fd0a059

C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe

MD5 99f31fa3f09e3e43d31abb147cd76c67
SHA1 a2b8e2b135fae3c2f3ed3146dfac5524c9ffa7c8
SHA256 9af42b747b9557ac1d4080ca540c81357b4620d6d71bebd84c99289ad6526e87
SHA512 95edc5c15c07ee088608d9669b18773dad4280d0364e1161b826ee61b760ef05db51152111b63d4f4c35fa2b61679fe9d5dd359b9ed6cba153a1d508a819dba8

C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe

MD5 d11d9d6c3844442a6e6fe8d483a53503
SHA1 56d99ebeca3968f679daf2ff9a5e96ec6ed1b0d3
SHA256 a43e4c43eb94086c4fb9e1b2d6b0bc87befd1f1f5162fca162b94b9f459ac742
SHA512 6f7b62a7a3c202acb4aed9373de979b57b5a99f6bbd8e1e2e3882d2d9669d4709cdb4cbcb7cfd11f1595661f5704a43bf0c9b09a044b467f8a8f17135fee6259

C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe

MD5 67e34111094de90c4494b766d030be72
SHA1 923d4593162cde0aeb1adec433f8a2f580f430e0
SHA256 6f28c17c97a02d7c56aa42464b462c6a53887d45d5a3ab63a65e34cf4410b812
SHA512 820b42c3453d70b2f548c8d30e1c029d4685a31517af8a827bea24c80d9f777524bcc9949475259b63a605e0906667ab635b840e77ac380caa8be04f8b0906e6

C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe

MD5 13036470e6262b0678a48e5aa22db949
SHA1 467d366b6f81d161baa862e1f614564b08c13388
SHA256 db91de036d9d8282e55d03d658bc34ab92988d8bbc2bfda925be4ebb2f6f83ce
SHA512 b3e2df1c5d8cc3c35cf9e881616b53d380d23f11a68a60c3a947a15b834757fd4c52a5d3ad0c1ca1e9886c7ee0dbeb4f5f85fb18ede818dde2643baf5807a1dd

C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe

MD5 3f8eb29480fde8db52871375b41a16c4
SHA1 b55ed6de288b54127bcc41063cb43e85b8d9ccab
SHA256 099bf060ecef0b60aab531695820cac264295477f16cdd8ce77fb009ecd2ac0c
SHA512 5f1b7a20e63a63ec66cbb344c65015c00702b2a4fd624d65fcb56bdc494bbb0c4ba2b71653a3cba8e691fdb544b0dbeba5808bc74b1bdc33fd500af6ec31f92a

C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe

MD5 da47fd70ddce133256948ad54a162788
SHA1 e211ad6c02b9a89fb3df37624c0c53c68e530288
SHA256 83ca8cbd823cb92492d448a6b4db5344378593fee45a521cc82585203a452872
SHA512 e82257081d50c26236caacd486fa363a8c90a396059db9be9cea7d4af30d1cbb2dcbe1c19f7288ab32de9cd3aff29d5790cde4becfaffaf57d90a93839568bd6

C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe

MD5 0cb814b990523afa7f8dbde2cd3886c1
SHA1 f3efdb7851867dfe2095626769e71570f0a28350
SHA256 7a8a0b9274639c250da0c79a7cf10c5ea3c1bb2528fd01fa1b708f42e8ae91eb
SHA512 6c9964b4c4fb74e3bd525b31b49dd584b23155aa5e8d83c7f5e3f9308d1e88da0dcf230b7818496b44fe426b7388b57f6d70fb4b6479071a847d110128a4e292

memory/3380-39-0x00000000038B0000-0x000000000398B000-memory.dmp

C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe

MD5 4bd3071b52f423e6a01b3ee8803454e2
SHA1 14a2a6ba6fe54c2898dc135f9278757ee1c5acb8
SHA256 a10edd37e0a5d1d7937953f77745ef3cc8a9e168674c3c84851cd73b2619f30a
SHA512 d2824fc47069f289887cac96dfb53b243a3a2ff565b416cb5a4cb9b26b2f91ffcf52a8f69336c78424ce47c005ec15d8d2bbc2d4753f1d4371d3c7986ff02e62