Malware Analysis Report

2025-01-18 14:04

Sample ID 240613-dcketasale
Target 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye
SHA256 b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde

Threat Level: Known bad

The file 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:51

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:51

Reported

2024-06-13 02:54

Platform

win7-20231129-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48} C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E} C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377} C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}\stubpath = "C:\\Windows\\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe" C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5247CA5-769E-43de-8DE4-254F44BDDA6A} C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B542881-E784-4a99-8D39-81CDE9CEC4DB} C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}\stubpath = "C:\\Windows\\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe" C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}\stubpath = "C:\\Windows\\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe" C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}\stubpath = "C:\\Windows\\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe" C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2131AF11-F503-4ea8-B826-FA8749AB2C04} C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79117DC1-9642-4a00-832B-D1587459CDD1} C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79117DC1-9642-4a00-832B-D1587459CDD1}\stubpath = "C:\\Windows\\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe" C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35} C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3419F1B3-CC30-4e64-B70D-E80C33440473}\stubpath = "C:\\Windows\\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe" C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}\stubpath = "C:\\Windows\\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe" C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}\stubpath = "C:\\Windows\\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe" C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC11523-3EEF-46c0-A70B-8D9519AA4485} C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2131AF11-F503-4ea8-B826-FA8749AB2C04}\stubpath = "C:\\Windows\\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{576A5771-6210-44b6-B079-D768B4AB4CE4} C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{576A5771-6210-44b6-B079-D768B4AB4CE4}\stubpath = "C:\\Windows\\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe" C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}\stubpath = "C:\\Windows\\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe" C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3419F1B3-CC30-4e64-B70D-E80C33440473} C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe N/A
File created C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe N/A
File created C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe N/A
File created C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe N/A
File created C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe N/A
File created C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe N/A
File created C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe N/A
File created C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe N/A
File created C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
File created C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe N/A
File created C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
PID 948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
PID 948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
PID 948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
PID 948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2640 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
PID 2336 wrote to memory of 2640 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
PID 2336 wrote to memory of 2640 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
PID 2336 wrote to memory of 2640 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
PID 2336 wrote to memory of 2676 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2676 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2676 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2676 N/A C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2692 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
PID 2640 wrote to memory of 2692 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
PID 2640 wrote to memory of 2692 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
PID 2640 wrote to memory of 2692 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
PID 2640 wrote to memory of 2568 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2568 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2568 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2568 N/A C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2524 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
PID 2692 wrote to memory of 2524 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
PID 2692 wrote to memory of 2524 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
PID 2692 wrote to memory of 2524 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
PID 2692 wrote to memory of 2824 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2824 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2824 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2824 N/A C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1640 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
PID 2524 wrote to memory of 1640 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
PID 2524 wrote to memory of 1640 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
PID 2524 wrote to memory of 1640 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
PID 2524 wrote to memory of 2980 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2980 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2980 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2980 N/A C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1972 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
PID 1640 wrote to memory of 1972 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
PID 1640 wrote to memory of 1972 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
PID 1640 wrote to memory of 1972 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2776 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
PID 1972 wrote to memory of 2776 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
PID 1972 wrote to memory of 2776 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
PID 1972 wrote to memory of 2776 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
PID 1972 wrote to memory of 2864 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2864 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2864 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2864 N/A C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1456 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
PID 2776 wrote to memory of 1456 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
PID 2776 wrote to memory of 1456 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
PID 2776 wrote to memory of 1456 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
PID 2776 wrote to memory of 1524 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1524 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1524 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1524 N/A C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"

C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe

C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe

C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2131A~1.EXE > nul

C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe

C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{79117~1.EXE > nul

C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe

C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{576A5~1.EXE > nul

C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe

C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{212F9~1.EXE > nul

C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe

C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{325CC~1.EXE > nul

C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe

C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AA2~1.EXE > nul

C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe

C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3419F~1.EXE > nul

C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe

C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC11~1.EXE > nul

C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe

C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5247~1.EXE > nul

C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe

C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B542~1.EXE > nul

Network

N/A

Files

C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe

MD5 3b0f16b7ee98bb39adf4c79593bcdf01
SHA1 d9d8bf1a09ef3867a963ca316c37057352b47fc8
SHA256 b3579700061f2490a81940e33c82e8fc90e7a6bdf4867ff47d0c94a423d1ed83
SHA512 4cf4df2ff971ff382a28565fe53204d8965ebf4f90693a921328f7146d3e03010757bac9429476144532a149304f12d42527d930927c39a21817a1ab209390ae

C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe

MD5 56644f319786488189b73b544fa7805d
SHA1 2bbb567d41ee7463c32f6d333c59e1bd2889171d
SHA256 2da8de27ed7823035c5945d6598a24548867238ed355421478013c44abd7869a
SHA512 dd0c0c5ade8446736000d8500f39a4be9c2598d9a712612076ce46a8861cd521dd7ad489b70a64f8b2631abc44be7549f90289b1498bb8e98b157e8dee557999

C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe

MD5 4c4a8e9a89d98a8897b1e8abd1cc02e8
SHA1 6f918b4c22ee28922b9148e2b61847f42df67224
SHA256 c95e8f32677b035b4ae9b9ab0f82f9ca73f0b2b79a72b4109eced764b5997a77
SHA512 5be71d6bbea799cf73cea5eed11fc6b37059e007efdeb60b8e6ed653ca6e0379040876f74f333b29d3e1e6f4b3ebbf3c4460e508c055ba6db4c65458dd90de85

C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe

MD5 cdcf4a9899de7f419883a4fa3d87555a
SHA1 6f82748980e6156b8d5f81baf987e8e0e8e7d00d
SHA256 4131bcac41f0abb4e7ead8f7c7fc6815cf80ac1e67bef9ca5d0e9d91ed18b039
SHA512 75f303cb114b8bf8995b25d6ba39c1e5b9abce6857fc169c3c2f62894215c844743284c700132beaba93236916af729a95312c3239eb5d47973ecb957db98aa2

C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe

MD5 0ba0fea44e9564ecbb32913168d27cd1
SHA1 b50edf77f66086a1be835387de1243807109cd43
SHA256 7306856e579436eb1f99d9c8d5d45fab3fb72af6a5d51c194627f3c2a76ee1ce
SHA512 9b1405f3e475bae7223834698890aa38b4e240947573f5d2a5aba3b9e6f4e93d074b8889b3345ee3ac9bdc8ec1bde0dfce18c55beb89f9d3bd1090e22a862ad3

C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe

MD5 5867335e22dad6dabd8e261a3baaff01
SHA1 9bbaff3ef22e4a8b4095a7c19b48d09fa997ed03
SHA256 79fcfc173b8c67e84107698263a767ef8fe4256c56526277f2afd83b9c1c2cbb
SHA512 554b1a8d49189a69d9de53e756292a77525560120cf6b21f7a274a3ae5124465300bf9e1eebb25192663d9db246e95bdc6c2874eca85ab5c901755d5d9128524

C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe

MD5 eb64eeb8b6a8fa6d9d841f35abc20ab5
SHA1 58d8ac7e0daca663f0e246f1243e97f4a0e79ed2
SHA256 c5ee4ca50c524bc7bc210ec8171b5dca6e9a57661fc974b81f1a4a7410cb090b
SHA512 edddd6dbd1c9cd1eb21cb26dd0dea5b6a2d21365ce48467f3c362a7216b427aef40366f4c0815157f3a8ef27fe4a563fdd67e397b4f4867de0cfb4d0ecc071f6

C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe

MD5 6834b97291a2a692cedadb1601fd061d
SHA1 bc2944f43d314dd53fe9f5a5a98c06893ee9c5dd
SHA256 b1edf6109e48c695fc14f2bdddd554ba80245f55c7021b1e99c53d2d5d3f35a3
SHA512 9efeba34cd98f3b9668db92f9a3f3bc1ed345072885433d3e242c724957519819dde6f8467beaff37f5a74437b6c9b13842ed1dd5839d57303d1383f95931714

C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe

MD5 ff4d00d457c97f974dfba93749f164ee
SHA1 abd4f9bba1e88bafd3cd2e5ba92af6a94a96861c
SHA256 1e142d75f96d4940ca34621f2eddee5f90d27663a9eabf31bf28aee11cce213d
SHA512 0725fbdab7c3d90b872d05195cefacf542c3fd0d405e3d8cf127c71d9ad4270d3458002c28d9c091bddb24af528bcea8d341f4e3641eaf42c9d0faf4718535f7

C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe

MD5 1e00a5858a522c9c61528ff2a20a14dc
SHA1 cb4ce876a4b2e77e85402fc5bae58011d59db1bc
SHA256 e70b28a4622b5d2539be1d5bbc47818541d132fd7c22ef8bc8b044263b018ed1
SHA512 258ea6d354ec5ce04bbad8481d348df0bd8181af3292d72ff8b8405ac7258ea9622701ca626648a6806868a8caafd21525b9057b5175e11f405cf884f0a7e43d

C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe

MD5 5293d10255d9ebbe70d024ed5119f056
SHA1 ab326680b318490078d04770f350cb1c48057fb1
SHA256 540171e2fd5ed41f8269f1712cb177134d1503219a85625faf032a1536f98723
SHA512 1119b1d737a9270bad6e0081d85828e5a0670c314a8c0ba75896147313a32ddce23a5785e507993856db1dc9977d5e2f936a888c8ec503c49786da4f7c6372f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:51

Reported

2024-06-13 02:54

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54} C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}\stubpath = "C:\\Windows\\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe" C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}\stubpath = "C:\\Windows\\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe" C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}\stubpath = "C:\\Windows\\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe" C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BD120C-1179-4046-8CFF-8F510F97F13A}\stubpath = "C:\\Windows\\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe" C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}\stubpath = "C:\\Windows\\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1} C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}\stubpath = "C:\\Windows\\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe" C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A} C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412} C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}\stubpath = "C:\\Windows\\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe" C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453} C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0682648-5076-4a18-839D-42E038D33B6F} C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0682648-5076-4a18-839D-42E038D33B6F}\stubpath = "C:\\Windows\\{A0682648-5076-4a18-839D-42E038D33B6F}.exe" C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6} C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}\stubpath = "C:\\Windows\\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe" C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A727C33E-4FDF-4de3-AFC0-3F73366A649D} C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231B97E5-3155-4a33-91FF-67B9D6BD38B2} C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0FD9FF2-EED9-4305-83F9-7551F00DB565} C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}\stubpath = "C:\\Windows\\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe" C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}\stubpath = "C:\\Windows\\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe" C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BD120C-1179-4046-8CFF-8F510F97F13A} C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A1DFFC-1605-476c-A93E-8129AA56AF29} C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A1DFFC-1605-476c-A93E-8129AA56AF29}\stubpath = "C:\\Windows\\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe" C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe N/A
File created C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe N/A
File created C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe N/A
File created C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe N/A
File created C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe N/A
File created C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe N/A
File created C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe N/A
File created C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe N/A
File created C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe N/A
File created C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe N/A
File created C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe N/A
File created C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
PID 4884 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
PID 4884 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
PID 4884 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 2288 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
PID 3244 wrote to memory of 2288 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
PID 3244 wrote to memory of 2288 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
PID 3244 wrote to memory of 3224 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 3224 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 3224 N/A C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1448 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
PID 2288 wrote to memory of 1448 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
PID 2288 wrote to memory of 1448 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
PID 2288 wrote to memory of 1380 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1380 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1380 N/A C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3596 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
PID 1448 wrote to memory of 3596 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
PID 1448 wrote to memory of 3596 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
PID 1448 wrote to memory of 2984 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2984 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2984 N/A C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 1544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
PID 3596 wrote to memory of 1544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
PID 3596 wrote to memory of 1544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
PID 3596 wrote to memory of 3544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3544 N/A C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1880 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
PID 1544 wrote to memory of 1880 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
PID 1544 wrote to memory of 1880 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
PID 1544 wrote to memory of 3672 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3672 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3672 N/A C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 4424 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
PID 1880 wrote to memory of 4424 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
PID 1880 wrote to memory of 4424 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
PID 1880 wrote to memory of 4284 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 4284 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 4284 N/A C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2124 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
PID 4424 wrote to memory of 2124 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
PID 4424 wrote to memory of 2124 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
PID 4424 wrote to memory of 3524 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3524 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3524 N/A C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4332 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
PID 2124 wrote to memory of 4332 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
PID 2124 wrote to memory of 4332 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
PID 2124 wrote to memory of 4440 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4440 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4440 N/A C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 5028 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
PID 4332 wrote to memory of 5028 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
PID 4332 wrote to memory of 5028 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
PID 4332 wrote to memory of 984 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 984 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 984 N/A C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 1212 N/A C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
PID 5028 wrote to memory of 1212 N/A C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
PID 5028 wrote to memory of 1212 N/A C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
PID 5028 wrote to memory of 4820 N/A C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"

C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe

C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe

C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{231B9~1.EXE > nul

C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe

C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBB1~1.EXE > nul

C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe

C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D80~1.EXE > nul

C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe

C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6140~1.EXE > nul

C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe

C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A0682~1.EXE > nul

C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe

C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0FD9~1.EXE > nul

C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe

C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE9F~1.EXE > nul

C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe

C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFE61~1.EXE > nul

C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe

C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9DC~1.EXE > nul

C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe

C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{64BD1~1.EXE > nul

C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe

C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00A1D~1.EXE > nul

Network

Files

C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe


C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe


C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe


C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe


C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe


C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe


C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe


C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe


C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe


C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe


C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe


C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
