Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-dcevbsvhmm
Target 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye
SHA256 a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee

Threat Level: Known bad

The file 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:51

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:51

Reported

2024-06-13 02:54

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{817878BB-966C-4369-ABB2-4CCEC114C9C6}\stubpath = "C:\\Windows\\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe" C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}\stubpath = "C:\\Windows\\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe" C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E45B0C3-8C3E-4423-8D79-3669119EC76E} C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62F2553-5BF4-4b31-9444-DDF82792DD7E} C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6} C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}\stubpath = "C:\\Windows\\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe" C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F569C1-F86A-4333-8D4A-2F40C686676F}\stubpath = "C:\\Windows\\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe" C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}\stubpath = "C:\\Windows\\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe" C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{817878BB-966C-4369-ABB2-4CCEC114C9C6} C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}\stubpath = "C:\\Windows\\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB1530-EA53-482e-B63E-594765E3390A}\stubpath = "C:\\Windows\\{40BB1530-EA53-482e-B63E-594765E3390A}.exe" C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06} C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}\stubpath = "C:\\Windows\\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe" C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F569C1-F86A-4333-8D4A-2F40C686676F} C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}\stubpath = "C:\\Windows\\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe" C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB1530-EA53-482e-B63E-594765E3390A} C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}\stubpath = "C:\\Windows\\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe" C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}\stubpath = "C:\\Windows\\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe" C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937} C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0} C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91} C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5} C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe N/A
File created C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe N/A
File created C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe N/A
File created C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe N/A
File created C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe N/A
File created C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
File created C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe N/A
File created C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe N/A
File created C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe N/A
File created C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe N/A
File created C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
PID 2188 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2260 N/A C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
PID 2744 wrote to memory of 2276 N/A C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2448 N/A C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe
PID 2260 wrote to memory of 2720 N/A C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2992 N/A C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
PID 2448 wrote to memory of 2800 N/A C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2964 N/A C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
PID 2992 wrote to memory of 2968 N/A C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 1716 N/A C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
PID 2964 wrote to memory of 1760 N/A C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2168 N/A C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
PID 1716 wrote to memory of 2672 N/A C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2772 N/A C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
PID 2168 wrote to memory of 2708 N/A C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"

C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe

C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe

C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59E6C~1.EXE > nul

C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe

C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A0F9~1.EXE > nul

C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe

C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40BB1~1.EXE > nul

C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe

C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6E4~1.EXE > nul

C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe

C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09ACA~1.EXE > nul

C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe

C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1E45B~1.EXE > nul

C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe

C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C62F2~1.EXE > nul

C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe

C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53F56~1.EXE > nul

C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe

C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB3B~1.EXE > nul

C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe

C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DCE~1.EXE > nul

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:51

Reported

2024-06-13 02:54

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F843788-F64B-44ad-B95B-6C670784A565} C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}\stubpath = "C:\\Windows\\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe" C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5} C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C} C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A53E0-C418-49bb-B824-D572D968ABDB} C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A718273E-E3E6-40e0-8A61-8B0BA487DABE} C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}\stubpath = "C:\\Windows\\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe" C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}\stubpath = "C:\\Windows\\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe" C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}\stubpath = "C:\\Windows\\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe" C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA82FB4-8392-4848-A949-93357B0D7EB7} C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA82FB4-8392-4848-A949-93357B0D7EB7}\stubpath = "C:\\Windows\\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe" C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA861259-F217-40a7-A2B8-0157213E5EAB}\stubpath = "C:\\Windows\\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe" C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8} C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F843788-F64B-44ad-B95B-6C670784A565}\stubpath = "C:\\Windows\\{4F843788-F64B-44ad-B95B-6C670784A565}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AF340E-DC64-481a-8A99-1BEB784648D1} C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AF340E-DC64-481a-8A99-1BEB784648D1}\stubpath = "C:\\Windows\\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe" C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5078ECA-D536-43c5-80B0-7E0DD231F52C} C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A53E0-C418-49bb-B824-D572D968ABDB}\stubpath = "C:\\Windows\\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe" C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA861259-F217-40a7-A2B8-0157213E5EAB} C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}\stubpath = "C:\\Windows\\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe" C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}\stubpath = "C:\\Windows\\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe" C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8} C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}\stubpath = "C:\\Windows\\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe" C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C} C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe N/A
File created C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
File created C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe N/A
File created C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe N/A
File created C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe N/A
File created C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe N/A
File created C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe N/A
File created C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe N/A
File created C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe N/A
File created C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe N/A
File created C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe N/A
File created C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
PID 3908 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
PID 3908 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
PID 3908 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 1900 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
PID 5012 wrote to memory of 1900 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
PID 5012 wrote to memory of 1900 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
PID 5012 wrote to memory of 4840 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4840 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4840 N/A C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1436 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
PID 1900 wrote to memory of 1436 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
PID 1900 wrote to memory of 1436 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
PID 1900 wrote to memory of 1980 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1980 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1980 N/A C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1856 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
PID 1436 wrote to memory of 1856 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
PID 1436 wrote to memory of 1856 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
PID 1436 wrote to memory of 3564 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3564 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3564 N/A C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 4724 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
PID 1856 wrote to memory of 4724 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
PID 1856 wrote to memory of 4724 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
PID 1856 wrote to memory of 2664 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2664 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2664 N/A C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4008 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
PID 4724 wrote to memory of 4008 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
PID 4724 wrote to memory of 4008 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
PID 4724 wrote to memory of 4852 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4852 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4852 N/A C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4964 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
PID 4008 wrote to memory of 4964 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
PID 4008 wrote to memory of 4964 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
PID 4008 wrote to memory of 2424 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 2424 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 2424 N/A C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4252 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
PID 4964 wrote to memory of 4252 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
PID 4964 wrote to memory of 4252 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
PID 4964 wrote to memory of 2408 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 2408 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 2408 N/A C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 2264 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
PID 4252 wrote to memory of 2264 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
PID 4252 wrote to memory of 2264 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
PID 4252 wrote to memory of 3136 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 3136 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 3136 N/A C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
PID 2264 wrote to memory of 664 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
PID 2264 wrote to memory of 4276 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 4276 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 4276 N/A C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 3552 N/A C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
PID 664 wrote to memory of 3552 N/A C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
PID 664 wrote to memory of 3552 N/A C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
PID 664 wrote to memory of 2432 N/A C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"

C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe

C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe

C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F843~1.EXE > nul

C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe

C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AF3~1.EXE > nul

C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe

C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C5078~1.EXE > nul

C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe

C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FD3~1.EXE > nul

C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe

C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34B0E~1.EXE > nul

C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe

C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC4B~1.EXE > nul

C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe

C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{771A5~1.EXE > nul

C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe

C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA82~1.EXE > nul

C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe

C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CA861~1.EXE > nul

C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe

C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{779DB~1.EXE > nul

C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe

C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A7182~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe

MD5 b89657c7e702ef4d7a6cea1bec1169e8
SHA1 c23a69964dce154d4042635ebd08e446fa97dc99
SHA256 e69775230e12152805a9bcff09e72dd9d4954931791ad3f8455d5f6c72c73eb3
SHA512 c70a839cc31e26615c3569348eaa12b25d40800514c1726b27a6f7f98f77c2f57f7bd04879e20ca296c7b4885972f945886a03e937c9547582a4d241d9279573

C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe

MD5 6db088a1e022df4c408a08db8f23ff64
SHA1 156ff8abe6a8f7b0b7518cb08641fd7daf81b670
SHA256 3f7d2df4413f5df0cbd97eb2b84059a524e1d9f67bd6c66963d7d43fee6a4547
SHA512 28191ef13b47c1507525155f0e0b734b9ac85529ca94c81b6865b72447486ce1a9aeb5de730fa3d1870e1d5844a0b5c727b0a2004bcaea045eabe2dcebbdb9d6

C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe

MD5 44a90b37638cb4171d3b0a74a77162c3
SHA1 310cc9eccfebda6570c2b03256914dcd9b9d6b6a
SHA256 5c5fc3feeda89b0e975e940128a571369b5d5f12d3a37343e9aee1e9fc2d5093
SHA512 a99f00afedcfa7921faf81ad96d398347e41a1325697576d249ec166bf6b80457aebfe2a7344226ea28aef6683ea9e262cd31e0655087294b09ecb33f213bdfc

C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe

MD5 c9ada1c51fd7eba11c33494abfbac023
SHA1 4788d3da0342b2e356af53ebf1f38e29dd072fb4
SHA256 a84ca2fdb34453453429664f80a1712ff5a606d9dbd4b9937e2c3fa3ca0da339
SHA512 4399c1da324311a17d071f182ceeea994f6e3f0f8ef92cacd25a915a8a38bd1f97942fb60f0d45868fa44ed67c0b2d4466f311c11d12970eacb62083812dc364

C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe

MD5 06d32f774cb84196adbc72eff1f35b3f
SHA1 cd0ab5ebde66b86579772de54b439051355070be
SHA256 82c85e703eee45f47809aa4c075183c7de1669744e9cb86a50dce7b72aa11fdf
SHA512 1faccd294f44e6cd629854cd8145d2c65dcb85bbeb708d9417082605b92dde89fbb66b58f59b98f4fe1d9fd7c0477b927c6ab6acd71cd65ba7a2fb8958ff1ad0

C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe

MD5 44f71f161c4e940ff3260d6198a2ab81
SHA1 3373ca01be9a271887e1b6a487ebfeea64a4cf3c
SHA256 dc848bb1146e07ee7b0785354ed269dab541802d0c53ea6c2bfee6809775ae2d
SHA512 0bc79a3f76aa3eb3ff75b44dc4ccc85aad3998d7b274bfde7ecb5678ce6308bfc444705e87811bc4d1ab8cfcb7c51dc0a9292cbbd46d8c6fb48335784150758f

C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe

MD5 652d19dde2855a10bee674ef1677ac02
SHA1 ea945fab2b6fcfd3358bcd364e27de3bda452d00
SHA256 6ae55cc754cdb46a5a482c01507fd5ac391646e339c49811dd948d9301ec4322
SHA512 e773d84f42ccf2473918d28675b779faa1dbe65da3da1a46129f16531d0774364bca8f13b002f1197f0696f732a04314e6085258605fe96e6aa70efcafd8ee7c

C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe

MD5 21befc1bafdc474d1ccdc5b1954c0d3b
SHA1 b839e4bda4f42963df81e03e81521e9414c79b5a
SHA256 8f2937100e3262a8e0e279db16d054bee2251b2e40aac91df7dbe4edbada6305
SHA512 3a6f61c53798f32e33e54a2b8575930d93821454ced14f965df903e6f344ebc2637e1185f5c8c3495e42cf6d379c8103b24902f3a564fd5f5fd3f00c157d438d

C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe

MD5 8aef2c3b5c4c217a40ec4d7df533622d
SHA1 b832540f2b158c4c13ddd069f345d3b2193a5244
SHA256 d50223332e6450d3707cecade2b9be4af602394c1078f9b449ad2317fde7a367
SHA512 d2ff4f5dd5cb646108f05baa682aaa271f1705b080ccc8e148b07a01e1fb4da3d5a6fc04e8f4df03bdc70b0bd720f3f80039d60b1eee7ee0eaed219a5acd2c6b

C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe

MD5 7a1e886f5340e214e0905a0e15ce7b22
SHA1 3dec64c294ac0506f404a6a81b3a8b50080bad68
SHA256 63679f8e68e6b2a1ce7902dbb7c9f2779f225c424641f0d3f8363254cd0e40c5
SHA512 3c2796aad4b9521c4527484e1b2de199bf5e6ec4285e7b7bfe6e5989760fa0d9bc3c4d855f85b501efe8ae4797d00a5f4b13d65a5e371e25e612c377f399f007

C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe

MD5 3f22fb8492a9e69014feb5ac8bad3aba
SHA1 572b728ddf9ad05a818fe90fd139b2589f39c873
SHA256 5a3e75e0c9df5f67de888065d61005c1b5c3f3cf2c63eb21182c3a7a31fa0a99
SHA512 38fb19239de8af719ed3ad4549f1f07a5d1a3183d977a9b11943aeaf715bbf0277252940c151d5aac7d9bd9a1c71020ee56fadd6052749ae9dec5a848438098a

C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe

MD5 b4de64a21004a3388d1f6b02a2939cf1
SHA1 c1089455c38b20a1bd9aa4e0dddbe11ebffa5818
SHA256 b61e65584be9e2b55b1b68700626c6b7d86f269345009b8fbedac0041a5c1fea
SHA512 48c20e18d38a540fd127de5dee2512b89175f707883222eec7ae13c7050bfd256bacb2b6d173f5f9f75a509c281bd7539f70dafc25eaf83eacb17497a18cf5af