Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-ddnhvssanh
Target 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye
SHA256 7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d

Threat Level: Known bad

The file 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:53

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:53

Reported

2024-06-13 02:56

Platform

win7-20231129-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3940AD8B-3871-46da-821E-AED7E3387F31} C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C} C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{612EAB1D-7162-464e-93FE-F47211FEE417} C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}\stubpath = "C:\\Windows\\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C9D47B-F7D8-4c79-B310-54F1BA127229}\stubpath = "C:\\Windows\\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe" C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F532EFC3-E249-4d19-A088-F3BDADE22970} C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C370617C-4D18-485d-B498-B871BF4196A9}\stubpath = "C:\\Windows\\{C370617C-4D18-485d-B498-B871BF4196A9}.exe" C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}\stubpath = "C:\\Windows\\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe" C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C9D47B-F7D8-4c79-B310-54F1BA127229} C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3940AD8B-3871-46da-821E-AED7E3387F31}\stubpath = "C:\\Windows\\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe" C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74} C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C370617C-4D18-485d-B498-B871BF4196A9} C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36} C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{612EAB1D-7162-464e-93FE-F47211FEE417}\stubpath = "C:\\Windows\\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe" C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}\stubpath = "C:\\Windows\\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe" C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737} C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A4CC82D-991C-4824-95FD-CB042EE6401C} C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A4CC82D-991C-4824-95FD-CB042EE6401C}\stubpath = "C:\\Windows\\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe" C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}\stubpath = "C:\\Windows\\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe" C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F532EFC3-E249-4d19-A088-F3BDADE22970}\stubpath = "C:\\Windows\\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe" C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}\stubpath = "C:\\Windows\\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe" C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB} C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe N/A
File created C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe N/A
File created C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
File created C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe N/A
File created C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe N/A
File created C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe N/A
File created C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe N/A
File created C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe N/A
File created C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe N/A
File created C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe N/A
File created C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2952 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
PID 2360 wrote to memory of 3064 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2624 (4 events) N/A C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
PID 2952 wrote to memory of 2720 (4 events) N/A C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2604 (4 events) N/A C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
PID 2624 wrote to memory of 2784 (4 events) N/A C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2872 (4 events) N/A C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
PID 2604 wrote to memory of 2992 (4 events) N/A C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2968 (4 events) N/A C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
PID 2872 wrote to memory of 892 (4 events) N/A C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2712 (4 events) N/A C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
PID 2968 wrote to memory of 1876 (4 events) N/A C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2532 (4 events) N/A C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
PID 2712 wrote to memory of 2684 (4 events) N/A C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2972 (4 events) N/A C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
PID 2532 wrote to memory of 1644 (4 events) N/A C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"

C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe

C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe

C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAFA~1.EXE > nul

C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe

C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{57C9D~1.EXE > nul

C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe

C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3940A~1.EXE > nul

C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe

C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3A4CC~1.EXE > nul

C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe

C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F1FA4~1.EXE > nul

C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe

C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F532E~1.EXE > nul

C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe

C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3706~1.EXE > nul

C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe

C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09D8E~1.EXE > nul

C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe

C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AFD63~1.EXE > nul

C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe

C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{612EA~1.EXE > nul

Network

N/A

Files

C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe

C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe

C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe

C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe

C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe

C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe

C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe

C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe

C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe

C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe

C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:53

Reported

2024-06-13 02:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100F4665-7F28-414d-ADDC-60DCB318D02B} C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100F4665-7F28-414d-ADDC-60DCB318D02B}\stubpath = "C:\\Windows\\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E3F101-3DB2-46bc-BB29-42469A568E9A} C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}\stubpath = "C:\\Windows\\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe" C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{420FD274-6BF6-4926-93EF-BE40A10BF37A} C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4497DD96-613F-4683-B791-26AABBD308A3}\stubpath = "C:\\Windows\\{4497DD96-613F-4683-B791-26AABBD308A3}.exe" C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59} C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EC474C-029A-49b7-8DFC-7AC012A953BA} C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EC474C-029A-49b7-8DFC-7AC012A953BA}\stubpath = "C:\\Windows\\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe" C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4497DD96-613F-4683-B791-26AABBD308A3} C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869A875D-2E95-4c32-83B9-65592F397DE2}\stubpath = "C:\\Windows\\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe" C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{215468D6-31AE-45cb-911F-8F8F97A4CF97} C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{420FD274-6BF6-4926-93EF-BE40A10BF37A}\stubpath = "C:\\Windows\\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe" C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}\stubpath = "C:\\Windows\\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe" C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}\stubpath = "C:\\Windows\\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe" C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869A875D-2E95-4c32-83B9-65592F397DE2} C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{493E33C7-AF64-4d04-8B56-BC710E57A240}\stubpath = "C:\\Windows\\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe" C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9} C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}\stubpath = "C:\\Windows\\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe" C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}\stubpath = "C:\\Windows\\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe" C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A} C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3189BD62-AB9B-4e07-B65F-C6961B2227F9} C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{493E33C7-AF64-4d04-8B56-BC710E57A240} C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{215468D6-31AE-45cb-911F-8F8F97A4CF97}\stubpath = "C:\\Windows\\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe" C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe N/A
File created C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe N/A
File created C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
File created C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe N/A
File created C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe N/A
File created C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe N/A
File created C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe N/A
File created C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe N/A
File created C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe N/A
File created C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe N/A
File created C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
PID 2984 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
PID 2984 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
PID 2984 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 1756 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
PID 3552 wrote to memory of 1756 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
PID 3552 wrote to memory of 1756 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
PID 3552 wrote to memory of 2996 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 2996 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 2996 N/A C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 4500 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
PID 1756 wrote to memory of 4500 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
PID 1756 wrote to memory of 4500 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
PID 1756 wrote to memory of 988 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 988 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 988 N/A C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 2620 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
PID 4500 wrote to memory of 2620 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
PID 4500 wrote to memory of 2620 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
PID 4500 wrote to memory of 2344 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 2344 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 2344 N/A C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 544 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
PID 2620 wrote to memory of 544 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
PID 2620 wrote to memory of 544 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
PID 2620 wrote to memory of 1520 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1520 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1520 N/A C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 4940 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
PID 544 wrote to memory of 4940 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
PID 544 wrote to memory of 4940 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
PID 544 wrote to memory of 2080 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 2080 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 2080 N/A C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 512 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
PID 4940 wrote to memory of 512 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
PID 4940 wrote to memory of 512 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
PID 4940 wrote to memory of 4420 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4420 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 4420 N/A C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4908 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe
PID 512 wrote to memory of 4908 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe
PID 512 wrote to memory of 4908 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe
PID 512 wrote to memory of 4520 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4520 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4520 N/A C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1696 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe
PID 4908 wrote to memory of 1696 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe
PID 4908 wrote to memory of 1696 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe
PID 4908 wrote to memory of 4360 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4360 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4360 N/A C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4460 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
PID 2904 wrote to memory of 4460 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
PID 2904 wrote to memory of 4460 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
PID 2904 wrote to memory of 4476 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4476 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4476 N/A C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 2600 N/A C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
PID 4460 wrote to memory of 2600 N/A C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
PID 4460 wrote to memory of 2600 N/A C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
PID 4460 wrote to memory of 3776 N/A C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"

C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe

C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe

C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{100F4~1.EXE > nul

C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe

C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E3F~1.EXE > nul

C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe

C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{48BBF~1.EXE > nul

C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe

C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{420FD~1.EXE > nul

C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe

C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD68~1.EXE > nul

C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe

C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3189B~1.EXE > nul

C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe

C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{78EC4~1.EXE > nul

C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe

C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4497D~1.EXE > nul

C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe

C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{869A8~1.EXE > nul

C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe

C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{493E3~1.EXE > nul

C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe

C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F529~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe

MD5 33778b645d30e4dee875f05d00cafcef
SHA1 7353c094549e041842c8a7a461166b949d739705
SHA256 dea0a3496c37d7f6677e567ed864e5d440abf5a070407ea1a2261169265a3ed1
SHA512 bfe48d6087ae0da11cd64e5383585edd4af713994b665dc849ab29e005e69107af7ad6d74cdcc7363079313d1125d0c63ae855d785ad889eb36797a80822ef9d

C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe

MD5 7b8441a6077d80921c9abeaad9165dab
SHA1 52dd526f0faa57dc13573812fbf9858902019ca0
SHA256 fca3235efc51dd43bfe3e05e5df05309a3ad811291549a47cffeb54f1ad0e6c1
SHA512 320fb067b29e5ab95da1baa42bd719ea8c0dc472da39383595e1adfbf1c991dfdb4ce2280080cffe849756c1f26de754a018fd3d058b11afcd9fee2c3a3e6006

C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe

MD5 953032cc38b0cf9b81dbd6b0108a6c18
SHA1 f59dc7b23875cbe3a51541db6bee15f85ae654ef
SHA256 1259b158f20ecbadcc679c9f704e6bdbc3473bb9f2dcc2e855d639bb3ea5ffed
SHA512 a5185bff1b255003e251d9e98a2ed996f07f553620b6d461650a43faae46535771d14a57372ced738fd4237e8d5ceda325b8ddd9bbbcfa47ce482b119e03a72e

C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe

MD5 31f6b71a54474b0b001324b6feaa05dc
SHA1 89e0b1e4e4af58f612c33e5bd84fca3e958893a4
SHA256 f10812bad56747d7b250a208d199fb1a0e3a97f8e7ff19dc462133e21757e7ac
SHA512 bf8dd1d2b9ad016ba5f0a76928e09304da82469b819c8b3754013ad4b493af4cd78a126b8441f038879de9bf16c2893d9391a2ae27f9b76f44ec9840448ac10f

C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe

MD5 04147b8cd39d9c0c324945be70731686
SHA1 aa8f2231edec70ccd243046d6902f09ebacd6eec
SHA256 26352eeb72bd38338a702ad5d59635d4e65da143a87b101b7ee9cf5e97065cd6
SHA512 b588b4acfd100a42cfd2acb126435c4fb5bdf101a7fdfd26caa56c6d63554dad31e35a6daaf5a3ac55e05cadbbd2d38a39d03beb9e87d8a3d280924a54b15a78

C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe

MD5 717f90b1c55d77cc6ed52e7191dab2e2
SHA1 fd60a5eab5df9cb179232844aaeed70001ec49c7
SHA256 6bb64aac0c70451f9ad361a4db3fa300ff361cd53c5f26d2dd36efbaea0cc1f2
SHA512 81685fbf1993f5e68d595f7694c22f0ed0d1ddd1bd7e1d3004f5d5443a4f5dc5f09b9bc44606baf0c59cb74dbe78cd5b2c5bf6b18466d483ce3b1460e8c7c8f1

C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe

MD5 eec71ed4802f7ea028b9e2d9fca07efa
SHA1 4ea8e74e3183491d53385736030af78aad1c3f8d
SHA256 aa1a246ef18f08ffaf26080e15d9dc3cd365292bcc8cffdb03b6fe66ac5ddd01
SHA512 fabc907d9ffe5802189c5ee28441f0dcf778e6ae7d2e7af0a0ea05a46460961f2aa79b8b56e0e7969ef96a9b27c55fc660f9b31dee3266dceb6b4c22dd3dbe4b

C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe

MD5 8426f9694edc965508d0903084ef30be
SHA1 bff4fe4b49462c5cef709f5ca19a0394273abed4
SHA256 4e33820d5fb1e8990b070502003a80cfef3bab1c2d514a943ae219385c9cd95f
SHA512 9f99604b8c18c521e5329ffd9fd343fe2c0fc4181d107c64d134b9ec65f25dcd954ea0e476c5da23064eb195925cf77e963c4707c8831af92d6e333fbb40f704

C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe

MD5 587238fb405c2ac2a2f18b0deb7e05f5
SHA1 0a68bfa1c3d63974aed39ef5734ebd7b285efac0
SHA256 00a7bb2ca45abf40bebbeaf1159c93dc5e773db5c3882792eca17ff49f206672
SHA512 2c37ff03b21f9f7ec7f1e90e8fe20bb87e03776d2f3656d5d7c36c61a615248205b1d1b5490febec1fc03299270a096d47a8a718229d583008b0c7b052d55a18

C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe

MD5 125e7043c78e9e94ab727a8ccef3623c
SHA1 20448975b13a62338c4b80755afbfd0f2fb80d78
SHA256 7659099761a479d038005bc983e2f4a22f61f6442718276bf06948763206e139
SHA512 a68a53078b91ef1fec273f6908261e819cd7bde9415fed3c955696c08baef0320c6f2d1d2b5e574ae269b420e5495096753bfc612f6ec4cf42b763b9bc4850fe

C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe

MD5 afc36a5a4da48b39e2d66f60cdfb6797
SHA1 c3370e29fc613aafe44097bd480472e6ea10b24e
SHA256 c9c047863b6cb8f501c4e9f89adeda1e4cd4f6b6d7872613019540d9aa196c29
SHA512 67d9d6c85eee826bbf05e2e07a9604224998c59decebe6426db02e59691427b3480bc39326159560f195fce285e83762561ab2c616b9731b55d9f7da8d974b1a