Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-ddh85svhpq
Target 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye
SHA256 a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6

Threat Level: Known bad

The file 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 02:53

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 02:53

Reported: 2024-06-13 02:56

Platform: win7-20240611-en

Max time kernel: 144s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4146CD63-A845-48bb-94E8-46F23B4C1B00}\stubpath = "C:\\Windows\\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe" C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007DDBD6-9988-46e1-8AAA-B66F4433442E} C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46322FF-AECA-4833-9C9A-59B270BF2CD9} C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF} C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4} C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E018DAAC-59BA-4949-825E-FDD20F8D3471} C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}\stubpath = "C:\\Windows\\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe" C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}\stubpath = "C:\\Windows\\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe" C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E018DAAC-59BA-4949-825E-FDD20F8D3471}\stubpath = "C:\\Windows\\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe" C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{906F201D-0C39-4d31-A74E-F84956A77A1D} C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A25C888-D129-4792-9A56-53C11A3732C3} C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E} C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}\stubpath = "C:\\Windows\\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe" C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A25C888-D129-4792-9A56-53C11A3732C3}\stubpath = "C:\\Windows\\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe" C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}\stubpath = "C:\\Windows\\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe" C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC} C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4146CD63-A845-48bb-94E8-46F23B4C1B00} C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007DDBD6-9988-46e1-8AAA-B66F4433442E}\stubpath = "C:\\Windows\\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe" C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}\stubpath = "C:\\Windows\\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe" C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46278B0F-4043-47fb-A50E-1FCED2060369} C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46278B0F-4043-47fb-A50E-1FCED2060369}\stubpath = "C:\\Windows\\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{906F201D-0C39-4d31-A74E-F84956A77A1D}\stubpath = "C:\\Windows\\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe" C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
File created C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe N/A
File created C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe N/A
File created C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe N/A
File created C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe N/A
File created C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe N/A
File created C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe N/A
File created C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe N/A
File created C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe N/A
File created C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe N/A
File created C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
PID 1732 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
PID 1732 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
PID 1732 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
PID 1732 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2572 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
PID 2264 wrote to memory of 2572 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
PID 2264 wrote to memory of 2572 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
PID 2264 wrote to memory of 2572 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
PID 2264 wrote to memory of 2632 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2632 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2632 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2632 N/A C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
PID 2572 wrote to memory of 1152 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1152 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1152 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1152 N/A C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2140 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
PID 2520 wrote to memory of 2140 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
PID 2520 wrote to memory of 2140 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
PID 2520 wrote to memory of 2140 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
PID 2520 wrote to memory of 1236 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1236 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1236 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1236 N/A C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 1212 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
PID 2140 wrote to memory of 1212 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
PID 2140 wrote to memory of 1212 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
PID 2140 wrote to memory of 1212 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
PID 2140 wrote to memory of 2740 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2740 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2740 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2740 N/A C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1952 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
PID 1212 wrote to memory of 1952 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
PID 1212 wrote to memory of 1952 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
PID 1212 wrote to memory of 1952 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
PID 1212 wrote to memory of 2008 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 2008 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 2008 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 2008 N/A C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 1664 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
PID 1952 wrote to memory of 1664 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
PID 1952 wrote to memory of 1664 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
PID 1952 wrote to memory of 1664 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
PID 1952 wrote to memory of 692 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 692 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 692 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 692 N/A C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 804 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
PID 1664 wrote to memory of 804 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
PID 1664 wrote to memory of 804 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
PID 1664 wrote to memory of 804 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
PID 1664 wrote to memory of 316 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 316 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 316 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 316 N/A C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"

C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe

C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe

C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46278~1.EXE > nul

C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe

C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{906F2~1.EXE > nul

C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe

C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0A25C~1.EXE > nul

C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe

C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FB7C5~1.EXE > nul

C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe

C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F90C7~1.EXE > nul

C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe

C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7961B~1.EXE > nul

C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe

C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E018D~1.EXE > nul

C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe

C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4146C~1.EXE > nul

C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe

C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{007DD~1.EXE > nul

C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe

C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABFB~1.EXE > nul

Network

N/A

Files

C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe

MD5 55aaaba87a62f2f3f6459960d8e1d1d4
SHA1 e1907a9168fe31641f7291edbd38fc777c4ca95b
SHA256 2e32f27df0e0c74a759f9784752d0a3d084ab1805d9dd6353ef697af90d7af19
SHA512 5ad8bfe2894338cc884fc00457bfa02c34dea98a1c934f1b1097827cdd5d3fb25294aac3108622937c824c318cacf3f464e20748a5325d59f8ae20325eac1124

C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe

MD5 def3018e209126e15b1c740077b487b9
SHA1 d811aa7e484115f0b2babff355b11b52e58a2ad7
SHA256 533b506cec1b392724d8fc09dad4e3fb19b58022185c38b54f48123ee9c69b26
SHA512 e13c5e75f47ae9d4220482a373b204457ca5b69b8d8891d3562f48beb179fd0c01fb3f2daf975548ea967d7ea207bcefce34a1191ffd1cda09eeae572aae9046

C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe

MD5 297f6583a5fced8be664100c42bc2d67
SHA1 bcc789cfc9b56fbf00056aa094afa8e21d7d5aeb
SHA256 3fbd275283109adad4941e19828b71b256e80c0c92a1993d91a21470f92cde44
SHA512 88912286bf5b64f792bb36399c57ba57bdea12a60c5322dc63c7e02a9249404a0bfa2289100fabdc7c68c0dde85f1e575fc30e9c85d25c6b646444deb6415bbe

C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe

MD5 a9550d59ed1abe686f4462fb89ac90c8
SHA1 b5121504b2508612e16960c61d581fd6619b666b
SHA256 91736213f7d7b6fe7be8a9a0441ee881e2d1618e7786ef755aed589012474d3d
SHA512 98224248879f78c264fc07601969a8c63cd337e475098436929451ec9de2e2a347c03fed160ce779072892e88b44a49e6428badb7061c34560a9f23e421e94c0

C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe

MD5 94cc08fa8199f447355a32121a4dcbff
SHA1 95c7b2c2192ab2dab8ac86b651aa9d2219edc42b
SHA256 65f7ce1a48d3f44bc9c931c02c7d0dfccf7ff044b8baf4c6d98e4f62e416baaf
SHA512 c27286938ec5b54946b82976d6ffc07343ceaa2c88339e48c6e29bfb22ab2a98112ae1b7b17b5a5b6db5f63b8d3d82648d018ba636012040f95d4858471bf6d7

C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe

MD5 ea8d4bf158e86f0fb50513540219db52
SHA1 55dadf6838ec51bd0589d20d703a3603843594df
SHA256 a2c5aa845591326ec1d2faa677d0343c54c97afc8544eeca4a85c26b4e164007
SHA512 c26da445bfaacc58e5783f36268910df6ce86d591395a6a06e7da94cb07b0539d9ab717236c4a4737a6e2e3b568387483e8dbf93a2175388f30d4674a47d56b5

C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe

MD5 bd5cabe38e079f5a82d333c0d9b7c4ba
SHA1 1bfb607e0c97fafdd8584481d7d8e1ceb51db9b5
SHA256 adc4c05e5efd574d2880e636c612bc332b987a7aeb7091e16f408bcfeb46ed7c
SHA512 05640df943f7966153e74819d9c07bb479e3246d34b7685a956ef39bb8d8c26a9b737758d9f92e165626b1dc8c8c232819f740e0af7e7c8ab579d742c08fc112

C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe

MD5 982764a00e3260a199ccbe8cd32b58eb
SHA1 b7784096af12f8cc9e7dfaa1ca5ab52fbea39533
SHA256 2a8035ec7a7f048da96ed2d3c88f2be9f6d9e4d206b7c107b9f88e7a76c46442
SHA512 71d736bc7e6e9b9bac3dcf854db59673540aeeda4d2090bc8b92dd10ebc1bea9bd6baddbb8eeda291d2078ad0d8a5e13c6db1689af0ca060937066a4a904677c

C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe

MD5 a92d37bb2767f36006d3805b07d641fd
SHA1 687712868c531210174efc24e4f403f8c122132d
SHA256 3fa619535f34c28837e40db0fa653872974f8659c45c5e02654b104f6944a86c
SHA512 be94cdde076b27f66441a4d08558cb4e010e46537c31427b0784e228c6b6a4eb03507e10ea92ed7f3134e9b5248db39be7efb6f9b4b407cb4eb9fe599d23faa3

C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe

MD5 0169cf074fd10b5ac0fcad1dab8905f8
SHA1 d24a0370986a4a09cd6be372dcf95f33db5814a6
SHA256 02ec44738f286c2c33e9a997f1c2beda95b1ab03ab7150d0abd59ffd43d86173
SHA512 b778a67b170acaf3f8d03c990c28a921433421c5a7d90d89d1e9a2bfa08a561121ce8e086699bdfef315da457dcf5dae166a8c9bb05ea741da58c788cfa26264

C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe

MD5 afabff026ddc63bc812d505dc58ed98e
SHA1 b52d6c0ac7645740536c7e4c958adfcbbe7d55d4
SHA256 3d6f3296fb632f6a44990e6fc98579ba039d93daa541cb3e72b43bb2642ee658
SHA512 83ef68c6b1a5c4f0a19a6a75c77194940a8dd6fb6e936a5a5baeb8dda3888aec315ed8d1861303179dc1e940af0198f81ee3255cd238fa49a9b52e3209304711

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 02:53

Reported: 2024-06-13 02:56

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AB625-E491-462d-8270-736D06A74AED} C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE} C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}\stubpath = "C:\\Windows\\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe" C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA} C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{203CB95E-55E7-403e-86DE-B31D77DA65B9}\stubpath = "C:\\Windows\\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe" C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40816058-FC3B-4b2b-9998-C3C35FF02714} C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AB625-E491-462d-8270-736D06A74AED}\stubpath = "C:\\Windows\\{C85AB625-E491-462d-8270-736D06A74AED}.exe" C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}\stubpath = "C:\\Windows\\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe" C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207} C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}\stubpath = "C:\\Windows\\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe" C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82807A2-D1FA-4700-B5A6-8137FD08D78D} C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7151-D33A-42d6-8100-84C40E16808C}\stubpath = "C:\\Windows\\{745A7151-D33A-42d6-8100-84C40E16808C}.exe" C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC37446-A826-46d9-A9D5-7BED0927E3A8} C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}\stubpath = "C:\\Windows\\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe" C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9} C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}\stubpath = "C:\\Windows\\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe" C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}\stubpath = "C:\\Windows\\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe" C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{203CB95E-55E7-403e-86DE-B31D77DA65B9} C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40816058-FC3B-4b2b-9998-C3C35FF02714}\stubpath = "C:\\Windows\\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7151-D33A-42d6-8100-84C40E16808C} C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B} C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}\stubpath = "C:\\Windows\\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe" C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}\stubpath = "C:\\Windows\\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe" C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA} C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe N/A
File created C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
File created C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe N/A
File created C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe N/A
File created C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe N/A
File created C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe N/A
File created C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe N/A
File created C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe N/A
File created C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe N/A
File created C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe N/A
File created C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe N/A
File created C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
PID 4604 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
PID 4604 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
PID 4604 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 4172 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
PID 444 wrote to memory of 4172 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
PID 444 wrote to memory of 4172 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
PID 444 wrote to memory of 1132 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 1132 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 1132 N/A C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 3220 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
PID 4172 wrote to memory of 3220 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
PID 4172 wrote to memory of 3220 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
PID 4172 wrote to memory of 400 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 400 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 400 N/A C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 1384 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
PID 3220 wrote to memory of 1384 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
PID 3220 wrote to memory of 1384 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
PID 3220 wrote to memory of 780 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 780 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 780 N/A C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2448 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
PID 1384 wrote to memory of 2448 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
PID 1384 wrote to memory of 2448 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
PID 1384 wrote to memory of 2952 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2952 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2952 N/A C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 3608 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
PID 2448 wrote to memory of 3608 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
PID 2448 wrote to memory of 3608 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
PID 2448 wrote to memory of 3932 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 3932 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 3932 N/A C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3484 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
PID 3608 wrote to memory of 3484 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
PID 3608 wrote to memory of 3484 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
PID 3608 wrote to memory of 1716 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 1716 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 1716 N/A C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2228 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
PID 3484 wrote to memory of 2228 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
PID 3484 wrote to memory of 2228 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
PID 3484 wrote to memory of 3540 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 3540 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 3540 N/A C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
PID 2228 wrote to memory of 1992 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1992 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1992 N/A C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 5004 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
PID 2800 wrote to memory of 5004 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
PID 2800 wrote to memory of 5004 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
PID 2800 wrote to memory of 1116 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1116 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1116 N/A C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3132 N/A C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
PID 5004 wrote to memory of 3132 N/A C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
PID 5004 wrote to memory of 3132 N/A C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
PID 5004 wrote to memory of 1884 N/A C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8

C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe

C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe

C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40816~1.EXE > nul

C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe

C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{745A7~1.EXE > nul

C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe

C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C85AB~1.EXE > nul

C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe

C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B54D7~1.EXE > nul

C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe

C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6A4~1.EXE > nul

C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe

C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC37~1.EXE > nul

C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe

C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2C47E~1.EXE > nul

C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe

C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B5A6~1.EXE > nul

C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe

C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BAC~1.EXE > nul

C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe

C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8280~1.EXE > nul

C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe

C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6AACC~1.EXE > nul

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files