Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-dc836ssame
Target 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye
SHA256 2d9369dc9317b9d668139c100f78be2db8979ad4c67a3c62b91185ece6601adf
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 2d9369dc9317b9d668139c100f78be2db8979ad4c67a3c62b91185ece6601adf

Threat Level: Known bad

The file 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:52

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:52
Reported 2024-06-13 02:55
Platform win7-20240611-en
Max time kernel 144s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
11 hits; no description, indicator, process or target recorded (N/A in every column)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}\stubpath = "C:\\Windows\\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}\stubpath = "C:\\Windows\\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe" C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0244D1D-6623-436a-B4EA-792A36025D0A} C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6} C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0761930F-1464-4463-BFF1-492FF1D93677}\stubpath = "C:\\Windows\\{0761930F-1464-4463-BFF1-492FF1D93677}.exe" C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746FB130-6065-4883-AB49-C07C9FCD2278} C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0244D1D-6623-436a-B4EA-792A36025D0A}\stubpath = "C:\\Windows\\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe" C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31969637-6768-4d49-8F05-AFA506ACC880} C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31969637-6768-4d49-8F05-AFA506ACC880}\stubpath = "C:\\Windows\\{31969637-6768-4d49-8F05-AFA506ACC880}.exe" C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8602491F-B75D-4a3f-984C-F0807537098F} C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8602491F-B75D-4a3f-984C-F0807537098F}\stubpath = "C:\\Windows\\{8602491F-B75D-4a3f-984C-F0807537098F}.exe" C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45BD9FAF-2A2D-494a-A602-529AD7F68D69} C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CD81D8-6261-452f-A5ED-DAD95599FAE0} C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0761930F-1464-4463-BFF1-492FF1D93677} C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746FB130-6065-4883-AB49-C07C9FCD2278}\stubpath = "C:\\Windows\\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe" C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BEB2A8-5244-4f3a-BD5A-93258638948C} C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}\stubpath = "C:\\Windows\\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe" C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59EE138-D7BF-4353-A41F-122628B33833} C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59EE138-D7BF-4353-A41F-122628B33833}\stubpath = "C:\\Windows\\{D59EE138-D7BF-4353-A41F-122628B33833}.exe" C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}\stubpath = "C:\\Windows\\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe" C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505FE572-2CB7-4809-B9A4-238336B1189A} C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505FE572-2CB7-4809-B9A4-238336B1189A}\stubpath = "C:\\Windows\\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe" C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
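What the rows above record is Active Setup persistence: a StubPath under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} is run for each user at that user's next logon whenever HKCU has no matching component key (or a lower Version), so a bare StubPath key of the kind written here executes once per user account without touching Run keys, services or scheduled tasks. Two details worth reading off the rows: the writes land under Wow6432Node, so this is a 32-bit process redirected on 64-bit Windows, and writing HKLM plus dropping into C:\Windows means the sample ran with administrative rights. The hunting script below is an added example and not part of this report. enumerate_active_setup() reads the live keys through winreg on a Windows host; the SAMPLE list is constructed so the heuristics also run offline. The heuristics encode only what this page shows: a StubPath naming a {GUID}.exe directly in the Windows directory, a file name equal to the component GUID, and a key with no Version or IsInstalled value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Both registry views; the sample on this page wrote to the Wow6432Node one.
ACTIVE_SETUP_KEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
)
# "{GUID}.exe" sitting directly in the Windows directory, as in this report.
GUID_EXE_IN_WINDIR = re.compile(r"^[a-z]:\\windows\\(\{[0-9a-f-]{36}\})\.exe$", re.IGNORECASE)
TRAILING_GUID = re.compile(r"(\{[0-9a-f-]{36}\})\.exe$", re.IGNORECASE)


@dataclass
class ActiveSetupEntry:
    key_path: str              # one of ACTIVE_SETUP_KEYS, relative to HKLM
    component: str             # subkey name, normally a GUID
    stub_path: Optional[str]
    is_installed: Optional[int]
    version: Optional[str]


def findings(entry: ActiveSetupEntry) -> List[str]:
    """Reasons an entry resembles the pattern in this report; empty if none."""
    reasons: List[str] = []
    stub = (entry.stub_path or "").strip().strip('"')
    if not stub:
        return reasons          # nothing runs without a StubPath
    if GUID_EXE_IN_WINDIR.match(stub):
        reasons.append("StubPath is a {GUID}.exe directly under the Windows directory")
    m = TRAILING_GUID.search(stub)
    if m and m.group(1).lower() == entry.component.lower():
        reasons.append("StubPath file name equals the component GUID")
    if entry.version is None and entry.is_installed is None:
        reasons.append("bare StubPath key: no Version or IsInstalled value")
    return reasons


def triage(entries: List[ActiveSetupEntry]) -> Dict[str, List[str]]:
    """Map component -> reasons, for every entry that raised at least one."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = findings(entry)
        if reasons:
            result[entry.component] = reasons
    return result


def enumerate_active_setup() -> List[ActiveSetupEntry]:
    """Read the live keys; Windows only (winreg does not exist elsewhere)."""
    import winreg
    entries: List[ActiveSetupEntry] = []
    # KEY_WOW64_64KEY reads the native view even from a 32-bit interpreter,
    # so the two key paths really are the 64-bit and 32-bit registrations.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    for key_path in ACTIVE_SETUP_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path, 0, access)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break           # no more subkeys
                index += 1
                with winreg.OpenKey(root, name, 0, access) as sub:
                    def value(v):
                        try:
                            return winreg.QueryValueEx(sub, v)[0]
                        except OSError:
                            return None
                    entries.append(ActiveSetupEntry(key_path, name, value("StubPath"),
                                                    value("IsInstalled"), value("Version")))
    return entries


# Constructed sample for the offline run: the first entry reproduces the key the
# sample wrote on Windows 7; the second is a benign-looking placeholder.
SAMPLE = [
    ActiveSetupEntry(ACTIVE_SETUP_KEYS[1], "{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}",
                     r"C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe", None, None),
    ActiveSetupEntry(ACTIVE_SETUP_KEYS[0], "{00000000-0000-0000-0000-000000000001}",
                     r"C:\Windows\System32\example.exe /install", 1, "1,0,0,1"),
]

if __name__ == "__main__":
    try:
        live = enumerate_active_setup()
    except ImportError:
        live = SAMPLE               # not on Windows: run on the constructed data
    for component, reasons in triage(live).items():
        print(component, "->", "; ".join(reasons))
```

A hit on any one heuristic is worth a look, not a verdict: legitimate Active Setup components do exist under Wow6432Node and some ship without a Version value. What the combination in this report gives you is a binary whose name is the GUID it registers, dropped straight into C:\Windows, which is unusual enough to pull the file hash and check it against the Files section of a report like this one.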

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
File created C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
File created C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
File created C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe N/A
File created C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe N/A
File created C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe N/A
File created C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe N/A
File created C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
File created C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe N/A
File created C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe N/A
File created C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2640 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
PID 2000 wrote to memory of 2300 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2612 (4 writes) N/A C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
PID 2640 wrote to memory of 2096 (4 writes) N/A C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2488 (4 writes) N/A C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe
PID 2612 wrote to memory of 1836 (4 writes) N/A C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1596 (4 writes) N/A C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
PID 2488 wrote to memory of 524 (4 writes) N/A C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1596 wrote to memory of 1120 (4 writes) N/A C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe
PID 1596 wrote to memory of 2872 (4 writes) N/A C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 3036 (4 writes) N/A C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe
PID 1120 wrote to memory of 2824 (4 writes) N/A C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2748 (4 writes) N/A C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
PID 3036 wrote to memory of 2780 (4 writes) N/A C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2700 (4 writes) N/A C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe
PID 2748 wrote to memory of 2844 (4 writes) N/A C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"

C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe

C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe

C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4B71D~1.EXE > nul

C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe

C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{45BD9~1.EXE > nul

C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe

C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{505FE~1.EXE > nul

C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe

C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{75CD8~1.EXE > nul

C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe

C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07619~1.EXE > nul

C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe

C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{746FB~1.EXE > nul

C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe

C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0244~1.EXE > nul

C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe

C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31969~1.EXE > nul

C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe

C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BEB~1.EXE > nul

C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe

C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86024~1.EXE > nul
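The registry, file-drop and process tables above are emitted in the sandbox's own order, which hides the one structure that matters: every generation drops the next {GUID}.exe into C:\Windows, registers it as an Active Setup StubPath, spawns it, and spawns a cmd.exe that deletes the generation itself. The WriteProcessMemory rows pair each process with exactly those two children, and the del commands refer to the files by 8.3 short names ({4B71D~1.EXE, 2024-0~1.EXE), so they do not match the long paths in the other tables by plain string comparison. The script below is an added example, not sandbox output. It parses rows copied from the behavioral1 tables (the first four generations), rebuilds the chain from the "File created" rows, and checks per generation that the dropper registered a StubPath equal to the file it dropped and that the dropper is itself the target of one of the del commands. The short-name rule it uses (first six characters of the base name plus ~1, directory untouched) is an assumption that holds for every del target on this page; on a real volume a second file sharing the same six characters gets ~2, ~3 and so on.

```python
import re

# Rows copied from the behavioral1 tables on this page (first four generations;
# the remaining generations repeat the pattern). The sandbox doubles the
# backslashes inside registry string values, hence "C:\\Windows\\..." below.
DROP_ROWS = r"""
File created C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
File created C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
File created C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
File created C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
"""
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}\stubpath = "C:\\Windows\\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}\stubpath = "C:\\Windows\\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe" C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505FE572-2CB7-4809-B9A4-238336B1189A}\stubpath = "C:\\Windows\\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe" C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}\stubpath = "C:\\Windows\\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe" C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe N/A
"""
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B71D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{45BD9~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{505FE~1.EXE > nul
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
STUB_RE = re.compile(r'Installed Components\\(\{[^}]+\})\\stubpath = "(.+?)" (\S+) N/A$')
DEL_RE = re.compile(r"/c del (\S+) > nul")


def parse_drops(text):
    """Map dropper process -> dropped file from 'File created <file> <process>' rows."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m.group(2)] = m.group(1)
    return drops


def parse_stubpaths(text):
    """Map (writing process, component GUID) -> StubPath, backslashes un-doubled."""
    stubs = {}
    for line in text.strip().splitlines():
        m = STUB_RE.search(line)
        if m:
            guid, value, proc = m.groups()
            stubs[(proc, guid.upper())] = value.replace("\\\\", "\\")
    return stubs


def short_name(path):
    """8.3 form of the file name. Assumption: first six characters plus '~1',
    uppercased, directory left as-is; matches every del target on this page."""
    directory, _, name = path.rpartition("\\")
    base, _, ext = name.rpartition(".")
    return f"{directory}\\{base[:6].upper()}~1.{ext[:3].upper()}"


def resolve_del_targets(text, candidates):
    """Resolve each 'del <8.3 path>' to the long path among candidates, or None."""
    by_short = {short_name(p).lower(): p for p in candidates}
    targets = []
    for line in text.strip().splitlines():
        m = DEL_RE.search(line)
        if m:
            targets.append(by_short.get(m.group(1).lower()))
    return targets


def build_chain(drops):
    """Order processes from the submitted sample down through each generation."""
    roots = set(drops) - set(drops.values())
    assert len(roots) == 1, roots       # exactly one process was never dropped
    chain = [roots.pop()]
    while chain[-1] in drops:
        chain.append(drops[chain[-1]])
    return chain


def guid_of(path):
    m = re.search(r"(\{[^}]+\})\.exe$", path, re.IGNORECASE)
    return m.group(1).upper() if m else None


def audit(drop_rows=DROP_ROWS, stub_rows=STUBPATH_ROWS, del_cmds=DEL_COMMANDS):
    """Per generation: did the dropper register Active Setup for the file it
    dropped, and is the dropper among the files the cmd.exe children delete?"""
    drops = parse_drops(drop_rows)
    stubs = parse_stubpaths(stub_rows)
    chain = build_chain(drops)
    deleted = set(resolve_del_targets(del_cmds, chain))
    report = []
    for parent, child in zip(chain, chain[1:]):
        registered = stubs.get((parent, guid_of(child)))
        report.append({
            "dropper": parent,
            "dropped": child,
            "stubpath_matches_drop": registered is not None and registered.lower() == child.lower(),
            "dropper_deleted": parent in deleted,
        })
    return chain, report


if __name__ == "__main__":
    chain, report = audit()
    for generation, row in enumerate(report):
        print(generation, row["dropped"], row["stubpath_matches_drop"], row["dropper_deleted"])
```

On the rows from this page every generation passes both checks, which is the point of the exercise: the "Deletes itself" signature is literally true per generation (each process is removed by the cmd.exe it spawned), while the Active Setup registration of the predecessor is left behind pointing at a file that no longer exists. On a host you would therefore expect a trail of orphaned Installed Components keys plus one live {GUID}.exe, the last generation that had not yet been replaced when execution stopped.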

Network

N/A

Files

C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe

MD5 0ff4bd1c7cb141a68c1c7b4b40cea049
SHA1 d9d6e98303b67424f643abd79ba2d064452dbbb9
SHA256 0baf1d448347bc10870ac60be3beb9250910c5a9a49dbd62c3673cf4274c36c1
SHA512 42cc17983d46f722bd2640fe7f1cff18658e823be6a29023fade2b47b88af70da2bcc2d73345cba97dcf839d986d0800093f4349af147aa36aee8b667abfaa31

C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe

MD5 d3004ee00d113c4d432c58c5e24314ef
SHA1 94756de3788561656e293591a49ec4d7ea3dd70f
SHA256 aec09f500d5ed435f6a707269c74b0615cd9f1a7b4ef82c4cfbc878736c79a3c
SHA512 020d5e7ae78a0c87ba381a8d096a15d781a933f61766392dd63161e6136d0f1566e3e540dd09828020e7f50e194d5a7f72ae1ca95f722e41304defbbcef094d3

C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe

MD5 6c0773e996a713d66ba846d6857dc2dd
SHA1 d224584a99f601e1e8a24233a98fd812e8a9af80
SHA256 08775c760c63d40521addffe9021a001b206448d28c795e35afb993fa394ee00
SHA512 11c8a4056ce699ad2507ff0000c2dc0ee2b0fd945313efbdf8472eb54cd8b5e232d90d8bc94f0df6d14ff41a6f367a5fe38fd5a5162da0e695160f0df1209783

C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe

MD5 f8f3376f9feccb9cdbd01ad9cf815fb5
SHA1 c15b6e3c77df388a49d1073a13b8cbecbab68a57
SHA256 94d0e999434d2a15a5e78964920c95acd5116074b009e23ef4160b50b96ce772
SHA512 abd770f00aa87fec23a48a0df2e5e9d68cc586c60e4f80f41d12e296f0db6e2572c52f283497b5384ff620b3dd205fc418bf099de8b436affc2a1533aae4a6e3

C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe

MD5 c9c0aee36bafb5470c56b10534e084d5
SHA1 187d299536cb9bf7ebaa44e2685bfb184f5a8d65
SHA256 6f84f384f7abcb1047288e030fccf09fef72f3421095d1c9157e6f163d91bcfb
SHA512 a98ed5549dab500fc918b5ec9607682a1b2898493084f73e21250e64aa445047e5a075d88c93309e41af24d5a114849014d0b57b238f8c5008eba568278700f3

C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe

MD5 e14de76e34ca00544ef7ed266cfa4de7
SHA1 4bcd0cede9b77934f72d942943f2f2944806b7f8
SHA256 0cab79ae07ba27ec5617ace7470f6e22a6d763a9d5d464df32cdae92b4bb33a9
SHA512 e1037db50589c9c729c189b97b9063008341ef4e88105b0703350961092a6bdedee65274a82552421e1f7014e15f54e632479886f5daa50009446e5316dc0188

C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe

MD5 781fc567b14f3ff68f883d1cc1d3229b
SHA1 d7dc0efab11731cf9bdf5277df3e718fa59ac505
SHA256 1f01c1cf3a0c448ffec524be1ae99cde98090fb1ec7d5384945145da643196c9
SHA512 d00828504385b214ad269786cfd12d80a9fe02f7476870839ea73afafe08889b67aa09d66b652390ad7d755a541ebb3c4890f932b79d301c2f001082eac8ac47

C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe

MD5 5424f1594f81897d89c2f6c44baed10d
SHA1 d87635add6aa9fafe1d34df2aac3a83f845b0343
SHA256 8f477dede05b732c49195e4893bdb32f5579eb0b64295df9579a33531cb54acb
SHA512 d41e61e8cbd75c8b99ed6db888bcadae8525cd270c3f48fca071bba7fb3ce1bb757aa98ab0f4c86139cf87410b70d7a359142d0abf2c010a9b8119495773dbc8

C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe

MD5 2de85eb6793a2f34ffcbdc7e228405db
SHA1 27283c276817e81fc95eb3101137af3331b2392b
SHA256 4f2b35d9350d7cb23e7c791e95b1eaf3eaac5fbdd58fa55386315e43b9afd540
SHA512 302f6822e94f2026a4fe07e8583c1d78e602d3cb3ecc91f4774a739f72baae23c1311bfea551a2b53ce1d0de8415b2c45e922ddb3d87793fe64ed6de54dff6f7

C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe

MD5 ca6bf83cd647c63402760cc75911c2e1
SHA1 03c846e74e3dda02d0680c57207825e8fbbb91d5
SHA256 df6f9fb4f90dd184cb71d2fda956eb00fcf7ef172ff83ada7ea3b3f1c0c6e66c
SHA512 1a32c9fbca89beca7bed1cf57ec78d2f1476ca1bb2f9b78f171c66e45526da8952e2db6cd37490b869ba21735716c245ec24de9b4e77df1355f9253cd3909522

C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe

MD5 9b566c164fbb41f9510053c41a0e594b
SHA1 3ea6f3aeac3483b468886feb581ed444e6fe9798
SHA256 cfc160e74be263f34bca3a7262f06fd62329186b280eecab08e7d3ec7de825c6
SHA512 a8e70849cc0455484e60e71d055da71fe13422654e8d59311d05396882898d27d9ebb1eb332bf8ce4c76f46346e7c2fef11448ba743fea6c8aa7d32d00a52c23

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 02:52
Reported 2024-06-13 02:55
Platform win10v2004-20240226-en
Max time kernel 138s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
13 hits; no description, indicator, process or target recorded (N/A in every column)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE} C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}\stubpath = "C:\\Windows\\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFCB991-94C6-484b-932C-FCE0F483953C} C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115D24B6-F88F-4b65-9606-2C0A80530B5D}\stubpath = "C:\\Windows\\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe" C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49} C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6915B993-2171-4c6f-9E24-D53711C2C3B1} C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28} C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}\stubpath = "C:\\Windows\\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe" C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6} C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}\stubpath = "C:\\Windows\\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe" C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F48177-1F32-48cb-863A-3602EF773218} C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC} C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333} C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115D24B6-F88F-4b65-9606-2C0A80530B5D} C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6915B993-2171-4c6f-9E24-D53711C2C3B1}\stubpath = "C:\\Windows\\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe" C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFCB991-94C6-484b-932C-FCE0F483953C}\stubpath = "C:\\Windows\\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe" C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F48177-1F32-48cb-863A-3602EF773218}\stubpath = "C:\\Windows\\{C5F48177-1F32-48cb-863A-3602EF773218}.exe" C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAF9596-C2CA-4548-98A9-C7B73C45D504} C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}\stubpath = "C:\\Windows\\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe" C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}\stubpath = "C:\\Windows\\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe" C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}\stubpath = "C:\\Windows\\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe" C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}\stubpath = "C:\\Windows\\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe" C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
File created C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe N/A
File created C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe N/A
File created C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe N/A
File created C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe N/A
File created C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe N/A
File created C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe N/A
File created C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe N/A
File created C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe N/A
File created C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe N/A
File created C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
PID 4296 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
PID 4296 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
PID 4296 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4516 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
PID 4524 wrote to memory of 4516 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
PID 4524 wrote to memory of 4516 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
PID 4524 wrote to memory of 4624 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4624 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4624 N/A C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4144 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
PID 4516 wrote to memory of 4144 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
PID 4516 wrote to memory of 4144 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
PID 4516 wrote to memory of 4796 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4796 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4796 N/A C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3036 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
PID 4144 wrote to memory of 3036 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
PID 4144 wrote to memory of 3036 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
PID 4144 wrote to memory of 4876 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4876 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4876 N/A C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 3476 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe
PID 3036 wrote to memory of 3476 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe
PID 3036 wrote to memory of 3476 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe
PID 3036 wrote to memory of 1516 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 1516 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 1516 N/A C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2052 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
PID 3476 wrote to memory of 2052 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
PID 3476 wrote to memory of 2052 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
PID 3476 wrote to memory of 4916 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4916 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4916 N/A C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 452 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
PID 2052 wrote to memory of 452 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
PID 2052 wrote to memory of 452 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
PID 2052 wrote to memory of 1064 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1064 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1064 N/A C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 4724 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
PID 452 wrote to memory of 4724 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
PID 452 wrote to memory of 4724 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
PID 452 wrote to memory of 4720 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 4720 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 4720 N/A C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 776 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
PID 4724 wrote to memory of 776 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
PID 4724 wrote to memory of 776 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
PID 4724 wrote to memory of 5064 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 5064 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 5064 N/A C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 3104 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
PID 776 wrote to memory of 3104 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
PID 776 wrote to memory of 3104 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
PID 776 wrote to memory of 1656 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 1656 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 1656 N/A C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 4576 N/A C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
PID 3104 wrote to memory of 4576 N/A C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
PID 3104 wrote to memory of 4576 N/A C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
PID 3104 wrote to memory of 4200 N/A C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"

C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe

C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe

C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF4F~1.EXE > nul

C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe

C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C79~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe

C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFCB~1.EXE > nul

C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe

C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FEEA6~1.EXE > nul

C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe

C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F48~1.EXE > nul

C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe

C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DAF9~1.EXE > nul

C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe

C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F30D2~1.EXE > nul

C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe

C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AEA~1.EXE > nul

C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe

C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6915B~1.EXE > nul

C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe

C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{115D2~1.EXE > nul

C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe

C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D55~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
GB 172.217.169.74:443 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe

MD5 509194960e32e1e3677fb350549cedbd
SHA1 a1f00449b69ef2eca8d6ba5ab602abcfe358703b
SHA256 1f0df1208bc996e1a7165f887e5d4b5e1fe7db36e9f700b1ee171f8b3e5704f3
SHA512 95efb27cabf1f0a08778a37ab78f082c5ad88fabcf9b67d368f8c8c2eac53ce47462b71a6a736102b18eb080826ee5927d27c7ab8d457e1be734239acfc0247c

C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe

MD5 49d55df98811ccc5a2915e12e6a34b4a
SHA1 65202f2906513dad966a221a7657b02c2b1d6023
SHA256 ccf4e40e6aba68d5a45e4681c675579eb8ea7bcd4bfbd6f4983d31fa08d17d90
SHA512 58c587637505fc6b8ccb1e563ccd5f236f8457cbb279eace366554f7f3d91b2fafbb638028551ed75013dd6eb165d9667703c486318fab4b552887394fec9c94

C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe

MD5 dfeb09425ab5cccd2df5c17685153f5d
SHA1 e23ae3638077fc928876ad694bf25b5c656c877d
SHA256 2946231b0127c898ab37137ae93021a951ec27dba782c94498d32caf8c798166
SHA512 50754669896fef7e3dade01b5740172188ce3d8c390a6e16d8b12fa95df58d6f94f6d0a22e84a72be9ce778a5e173154a65d2cfd3f963917a478694777319ab8

C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe

MD5 59ed078ef9d21ebb25137b719604537a
SHA1 bb87dfd5eb264897919cd35fe1436ed0f461f75d
SHA256 4e2781986606404edd811182cc6d7b782109840367a8e33b5d3c929e9e54e37f
SHA512 c14752950136e60d11e6e508529a2312f8c03e68c10d1327db8dd91bec9ca46bacd048b990ec72199b1131bd06d76480e6b9ae5810ec5d262e4d66440430c4e9

C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe

MD5 4c5a14ad9a398128d9672b99f49ebe6c
SHA1 3958f472803bd5be896d6e6d0e5b3b9c4fe5a980
SHA256 440e58d04b9e62604c6a651951500e809156d483e45c34a9c0525d217d6923e3
SHA512 4db013bc72d5605b142c86161bc73458c8b4d0eb2d016a0b02aab4536e3762fe8d4e94f1139bcdad8bd96ddbbbdc5d2c42f929b05d6c39d1585aa227d151b4d4

C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe

MD5 b133a395152a574aef68ebda3df3f7c1
SHA1 e3b921dbf44897c925ba8c130e34eaa982f0e39c
SHA256 41277493cb685edb1ebe777067ba642730ebc63cb96f5459892f612ca9639e5c
SHA512 0f0073b248228ad42ec23ca892df74ddf76e44a59e86e8e0d9bc4b15c9588009c7add83fdff86dce81ecdc5d8e5b1741c805c6bb546217460f5b95eb7bda9859

C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe

MD5 7207e0984edb624194323b4ce56f3ee2
SHA1 1719c25058024013fd0fba7bec0409fb9d0bdd99
SHA256 fa6d0855592936c49dc8fe84cb8e3f9c8c116c30a559b7bc886296daccfa5c7a
SHA512 6f81c19c37660c35b4b9a27711cc937a0296d3add3dfa60b400cba9c3e2b627a147c6b5366198609f965897f5774f9ad9fb54b512588b91d26c6700ac829eff3

C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe

MD5 30e9d7e86c9d27d336a925727be48279
SHA1 570623c239e1846c4801cd8b723cee69cb519319
SHA256 aaea71ae11f46132128650aa8fef0fe28e333ba6d9866aae5c3ab3525237640b
SHA512 cccda9a10f522c31a94d342999bdb927c04dffb5e25113684828c859b1773a16026f2f0bb603431d178e50a274e6fd72c22b350ff9de8b0900ef0995c56537d5

C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe

MD5 94a700766612c95b9e917a3872e2cd1e
SHA1 b4155c868206d4489535fd6d2dd89671b0462275
SHA256 295cc22064c817b331476f10065928099ed408818d1e8e36b3bea7dff32d33c9
SHA512 86d578548abe92ff164eb3d5bee38f4c57249f679d7b90a1ba86939f5849494aa43c5994fb2aaea2a67ddfcebe7cc4a095d2a6373c5e0a8a369dcec10845e7d0

C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe

MD5 a105376e4cffd62ae4370502068f9b64
SHA1 6c29f5e16170572fa51a0cb3eaed2726eeefd68a
SHA256 d27febe4422f8b52ec8e9db8d8e6df8233938914061501fe6ac09dc0b0158a01
SHA512 f5bfe0ec52663a46296928f1e7da3a4087048f37ae385029438f4d97aa6d4a8892579755b4dd905f63eca18c8912b02680c8e4484e13d727cef95578103c2d06

C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe

MD5 49867ae2470c9bd8dc19dad00c6173e2
SHA1 16648246a887d00fb8ae785df9590817644074ba
SHA256 3c8e16e4099b931e79eb26a275b748157ac6c3d1dce550473e6fad8138690e42
SHA512 4eb1b033565ff266173ec957c60167c30edc72e4680936941fd80e72baeacf439733aff439ae91c91091a0f8e050d0fb853a0f81c7a61c1e50c49b42fc4e4396

C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe

MD5 086d2c94804af2753fa079f39b641ca2
SHA1 73c9e10472fb8f3d1802b5773ba6e3248ce411a0
SHA256 501279ace150fc257919fb584ee1b657b3f3e8a705e03a590be2ea14577506c0
SHA512 1ebb59934fc4fbf7062b850d96d5f6a02937907596940b51f36d96473778e464c7c272c6e3fffae1e4266775677db0db1c5b1f09a43ae85738de2012837a1416

C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe

MD5 d6af5a96dc90688c7abfc1aa58c26a32
SHA1 425d8898babe3bfe52003ffeb293949ed2f3e0ab
SHA256 80329085660f9b348e81559dff2e597ba341b4a434054a3166f47bab6725acec
SHA512 0d2d9272e53f5a04d45f885dd2fe2c97ed3f238577481c9fc2e156c22dc640e82062d8f2ddbb92e6f77049b56c7553ca882c2aeb29a99e157e6bcd9732a69269