Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-dekhlasara
Target 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye
SHA256 572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce

Threat Level: Known bad

The file 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:55

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:55

Reported

2024-06-13 02:57

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C9E3E-3466-43f5-A766-21779C09E6BB}\stubpath = "C:\\Windows\\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}\stubpath = "C:\\Windows\\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe" C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D626C78A-83E7-4151-A7F7-F46927379BAA} C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA} C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4DC051-A22E-4d62-9599-D6B570F049ED} C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2673D7-CF52-43e4-9206-A0E4816020D2}\stubpath = "C:\\Windows\\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe" C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A859487E-8325-454c-8E3D-93E4909EE838}\stubpath = "C:\\Windows\\{A859487E-8325-454c-8E3D-93E4909EE838}.exe" C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE55C28-3045-4ce9-88CF-3E56AD957577} C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE55C28-3045-4ce9-88CF-3E56AD957577}\stubpath = "C:\\Windows\\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe" C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96FBDB4A-BB6F-4376-8958-F3A0A8309044} C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C9E3E-3466-43f5-A766-21779C09E6BB} C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}\stubpath = "C:\\Windows\\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe" C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FABF7C-1C11-4d8a-930B-088E024C05C7} C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}\stubpath = "C:\\Windows\\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe" C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}\stubpath = "C:\\Windows\\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe" C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4DC051-A22E-4d62-9599-D6B570F049ED}\stubpath = "C:\\Windows\\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe" C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A859487E-8325-454c-8E3D-93E4909EE838} C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}\stubpath = "C:\\Windows\\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe" C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0} C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203} C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D626C78A-83E7-4151-A7F7-F46927379BAA}\stubpath = "C:\\Windows\\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe" C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2673D7-CF52-43e4-9206-A0E4816020D2} C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe N/A
File created C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe N/A
File created C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe N/A
File created C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe N/A
File created C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe N/A
File created C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe N/A
File created C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
File created C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe N/A
File created C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe N/A
File created C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe N/A
File created C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
PID 1676 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2644 N/A C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
PID 1060 wrote to memory of 2580 N/A C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
PID 2644 wrote to memory of 2524 N/A C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2476 N/A C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
PID 2700 wrote to memory of 3000 N/A C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2792 N/A C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
PID 2476 wrote to memory of 2832 N/A C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2412 N/A C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
PID 2792 wrote to memory of 1812 N/A C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 628 N/A C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
PID 2412 wrote to memory of 2400 N/A C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 2764 N/A C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
PID 628 wrote to memory of 1620 N/A C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"

C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe

C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe

C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E17C9~1.EXE > nul

C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe

C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE55~1.EXE > nul

C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe

C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{96FBD~1.EXE > nul

C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe

C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7E16E~1.EXE > nul

C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe

C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFB3~1.EXE > nul

C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe

C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D626C~1.EXE > nul

C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe

C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FAB~1.EXE > nul

C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe

C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCA0~1.EXE > nul

C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe

C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4DC~1.EXE > nul

C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe

C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A267~1.EXE > nul

Network

N/A

Files

C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe

C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe

C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe

C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe

C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe

C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe

C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe

C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe

C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe

C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe

C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:55

Reported

2024-06-13 02:57

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE} C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5837A597-461B-4a8f-A9D8-49D44A9311B2}\stubpath = "C:\\Windows\\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe" C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EAD84-7173-4299-AB65-6C900D8DCB73}\stubpath = "C:\\Windows\\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe" C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B851E686-75BC-4092-BC1A-2433BB1F0176} C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B} C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}\stubpath = "C:\\Windows\\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AE891E-3A43-4164-811A-D03F47D183E5}\stubpath = "C:\\Windows\\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe" C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D11098-9169-482f-BF38-52CEF81E2947} C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D11098-9169-482f-BF38-52CEF81E2947}\stubpath = "C:\\Windows\\{81D11098-9169-482f-BF38-52CEF81E2947}.exe" C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}\stubpath = "C:\\Windows\\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe" C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD5C137-36C1-41ac-B9FE-18A316C3608B} C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AE891E-3A43-4164-811A-D03F47D183E5} C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EAD84-7173-4299-AB65-6C900D8DCB73} C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B476960-3C08-450b-B0C3-5552F3692FE5} C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B851E686-75BC-4092-BC1A-2433BB1F0176}\stubpath = "C:\\Windows\\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe" C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52} C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}\stubpath = "C:\\Windows\\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe" C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}\stubpath = "C:\\Windows\\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe" C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6} C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}\stubpath = "C:\\Windows\\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe" C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}\stubpath = "C:\\Windows\\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe" C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12} C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5837A597-461B-4a8f-A9D8-49D44A9311B2} C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B476960-3C08-450b-B0C3-5552F3692FE5}\stubpath = "C:\\Windows\\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe" C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe N/A
File created C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
File created C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe N/A
File created C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe N/A
File created C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe N/A
File created C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe N/A
File created C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe N/A
File created C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe N/A
File created C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe N/A
File created C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe N/A
File created C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe N/A
File created C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
PID 4036 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
PID 4036 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
PID 4036 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 968 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
PID 3900 wrote to memory of 968 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
PID 3900 wrote to memory of 968 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
PID 3900 wrote to memory of 1484 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 1484 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 1484 N/A C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3420 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
PID 968 wrote to memory of 3420 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
PID 968 wrote to memory of 3420 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
PID 968 wrote to memory of 2612 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2612 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 2612 N/A C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 4904 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
PID 3420 wrote to memory of 4904 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
PID 3420 wrote to memory of 4904 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
PID 3420 wrote to memory of 3156 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 3156 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 3156 N/A C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 4128 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
PID 4904 wrote to memory of 4128 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
PID 4904 wrote to memory of 4128 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
PID 4904 wrote to memory of 2796 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2796 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2796 N/A C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 2436 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
PID 4128 wrote to memory of 2436 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
PID 4128 wrote to memory of 2436 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
PID 4128 wrote to memory of 4552 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 4552 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 4552 N/A C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3336 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
PID 2436 wrote to memory of 3336 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
PID 2436 wrote to memory of 3336 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
PID 2436 wrote to memory of 952 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 952 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 952 N/A C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 4020 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
PID 3336 wrote to memory of 4020 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
PID 3336 wrote to memory of 4020 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
PID 3336 wrote to memory of 1476 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1476 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1476 N/A C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4336 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
PID 4020 wrote to memory of 4336 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
PID 4020 wrote to memory of 4336 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
PID 4020 wrote to memory of 4512 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4512 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4512 N/A C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 4788 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
PID 4336 wrote to memory of 4788 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
PID 4336 wrote to memory of 4788 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
PID 4336 wrote to memory of 1688 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1688 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1688 N/A C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 3848 N/A C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
PID 4788 wrote to memory of 3848 N/A C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
PID 4788 wrote to memory of 3848 N/A C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
PID 4788 wrote to memory of 1912 N/A C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4272,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8

C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe

C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe

C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B27C5~1.EXE > nul

C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe

C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{45CC5~1.EXE > nul

C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe

C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD5C~1.EXE > nul

C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe

C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60436~1.EXE > nul

C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe

C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AE8~1.EXE > nul

C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe

C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D1FC~1.EXE > nul

C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe

C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{81D11~1.EXE > nul

C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe

C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBAF~1.EXE > nul

C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe

C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5837A~1.EXE > nul

C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe

C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EA~1.EXE > nul

C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe

C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B476~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe

MD5 8d2f52f913abeab6c755be40f125a396
SHA1 e27e83c5f427fd226aa6d93f7173ac533e2f7852
SHA256 0ff46febdccf66e8da26a47ee734835512b144227b776214f06c49f3da06b2de
SHA512 3270394c6722fcab40674c5090556d97108fe26bac915e13bb891c1a72b4426318970e3380d3dd9a7cd1e70dc0f50f108fea5b2871cd51c1e719bbb59a1e8f20

C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe

MD5 59ef2810097875e233b0ead9b40d23cb
SHA1 166503cec8a4e77cdf7ac0729389243f6eae4afb
SHA256 7c47687f0f97147f63905518c78d6708fcb4463e95c44fe0566f5a42bb0a1992
SHA512 4ad9a95e53282df49885263f57ae8dff21ba07e4e888fbb7f95368fbb3579d344f8a19b0e67779ff515afd91079ab5be82f20af0cfabc522ae287ab814c09e86

C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe

MD5 166b5eaae9d5b3756cd28ed9d9b3161e
SHA1 13e502dab36c34ac18a20374aee82cb205db7aa7
SHA256 300734407bc65bb23b8c6adfebf2006661fc462b0b3af2e748e3911b7a35c313
SHA512 43d78a4e7a97b5d3029de4b2d02241edbafb391761273b87bfb1b8fb0527be8908adf50e0548808081f2191c18d6bab376a9ecbf5aa777147c6e8c8c21144ecf

C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe

MD5 ae4ba5c8ce27e086ca6a7a8f65776171
SHA1 cb6d8a28fbca3a0c3b8d2502a2edbaf501f3506a
SHA256 946c0bb531d095be4bf7f30fb98c1fb8ca7611e0cc5aec011f4055a5e53db76a
SHA512 10c9f81fe0c388430063b840b9024240e30fe08c2871382bd9ed86cad6ce893b2ab73695851151cd985fc592dcdad8a4f4908262ba625f79f9c136d155e797ad

C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe

MD5 ccde5ac447ac759ec753fc9edb3ca7a8
SHA1 89e06dcd329dc797b82defc2086073915f66f624
SHA256 dddefa08c82b94f2b5fef36183fff270cac12e6648e6b25f48f1416fa07a3649
SHA512 b8458f4462d8c7e2e28c18b9823c43b58a311c59222c5d2c286eee9141932ce47e60a792a0ca4dbef6070deb2bcaad4eb1d3fdef8ea8eb76fab080f864708808

C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe

MD5 de046aed84640e0dc35ff53bb273665f
SHA1 e7fc0e5f270db3461040bc7b46c1f3763ea25e6f
SHA256 56a82456cc39f240b3dda2173328190e289b464325483d5d7c9f44188a430ea3
SHA512 eeb310dffb88037e92793bd9dd5314e4d09e4c29c90c9d0f9fefae960d1b42a971d13fc9ca116491719034aeec4a001953975e11d9e3336f26e2de3a5b14e2e5

C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe

MD5 a81a71b2f0d83401f9e8b7e590d077fd
SHA1 e0d72060eb651e02901e5d428bd8f8644961a510
SHA256 2a46a6e2c4b3032f7baf56c665a08dbb73de0834f5eedc3b2240d352c09165cc
SHA512 2242d365e9262fe2c3a4324db39b1dddad95c3b62d35e3957e0a61d25589bfb561fe3d947e968d77ae659daef54d4148c3438333848b7a2d21e02b9c9c9a62e9

C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe

MD5 cf16d470f24707bdb25b7015564dced8
SHA1 aabbb4333d2c2a05a1b90ef272511be90b41e807
SHA256 a4923e55e323ed771a26136404378d85e823b42004d9d66b53d611b5b4803f36
SHA512 aa6b1ae44ad64620719674beda4418fd4fd9dbfd5a3759888aaf0cbb631aa4d476763a572a07275a802506b2c026976341fd890d01d6fe601e0c18a7f6bb2011

C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe

MD5 3924b39d3adc7612033ffcd312c3d1e2
SHA1 045551653c42c327cfd03f0c26979e13e2bf6cdf
SHA256 ef17338a4ab70d428f5fe17be422b123490833f7742f1d1a1ec12fea6a4456d1
SHA512 5da9a8807197660678590d8ccb9ffcaf51646c4ae416117e69694e80d5e12d15a67542f9e8aa1812c1a9b7e5b479a3402c5e6c111f80025e8dd37b3a1c539fe6

C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe

MD5 7c4be8786c00c05681b0925e7b208d77
SHA1 b365df9469965472abd06ae6e04fa6e3316e9d4a
SHA256 31b1f829e8c982d9cd79f4422c925807967a8d9c93602aeffd381b06e0603b15
SHA512 872a2e3f5c147925391a8baabc508c5bce81bf413e2143f6471441420c959f9c2008f5ff7c1eadd80b484099f7c07981893603258ddd70bdd45717dd52249c83

C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe

MD5 dbf7461fd5839cedb9405c47c9f30e46
SHA1 32b5da2f00b239e1e386e18918bfea787a7286af
SHA256 4c2ead10aa02b2be3cce00f2de29558c761fb3148bfac2d0728ce49d681e343d
SHA512 5c6b55d2e035aa1d22e677374ca608f509c83bfe2063a3500ea412c1f48d47ecc767c64b3256e61fa5d3d3b404dba3e6b749db10016021d59cff6193733a20d7

C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe

MD5 0a7060902691fd20bee43ad7a3e519c0
SHA1 cb90eb0d935cebfd85380cbba717c4e1a71feb06
SHA256 24c81bfaf6eec2a2dc80a05ab870508b7a193d40ba80a1075d441e1fc3f6876a
SHA512 b211439b1b3ac8c8ed99cbf7ab1e950bc2a58aa91c7a42b047bbc16daed6a270b121d635bcda0f23e1f867c4120d55792420ee8e569464ab6ea1c5a67d775aeb