Malware Analysis Report

2025-01-18 14:25

Sample ID: 240613-dh2ahssbra
Target: 2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye
SHA256: f35621aab2fc20118dba8044a6df93130dbb06f5c0591795ba38b924c53c09df
Tags: persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f35621aab2fc20118dba8044a6df93130dbb06f5c0591795ba38b924c53c09df

Threat Level: Known bad

The file 2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:01

Signatures

Auto-generated rule

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:01

Reported

2024-06-13 03:03

Platform

win7-20231129-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00BAE471-F6AF-426a-8828-7471583F7076}\stubpath = "C:\\Windows\\{00BAE471-F6AF-426a-8828-7471583F7076}.exe" | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261451B0-2F63-4148-A56E-9689F90D836C}\stubpath = "C:\\Windows\\{261451B0-2F63-4148-A56E-9689F90D836C}.exe" | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD} | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}\stubpath = "C:\\Windows\\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe" | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0595E5D-B1B3-498c-B437-7D53AC51D169}\stubpath = "C:\\Windows\\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe" | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}\stubpath = "C:\\Windows\\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe" | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3} | C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D789ECF2-37B0-4d65-996C-D4BE903A494C}\stubpath = "C:\\Windows\\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3E5EAEF-93EB-45ad-A804-234B7E289129}\stubpath = "C:\\Windows\\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe" | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0595E5D-B1B3-498c-B437-7D53AC51D169} | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76854266-3DA0-4ad3-B186-E5DF1A068574}\stubpath = "C:\\Windows\\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe" | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7} | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB} | C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}\stubpath = "C:\\Windows\\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe" | C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D789ECF2-37B0-4d65-996C-D4BE903A494C} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95EA840D-B222-46c0-BE01-6A92442C5FB1}\stubpath = "C:\\Windows\\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe" | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76854266-3DA0-4ad3-B186-E5DF1A068574} | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00BAE471-F6AF-426a-8828-7471583F7076} | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}\stubpath = "C:\\Windows\\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}.exe" | C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3E5EAEF-93EB-45ad-A804-234B7E289129} | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261451B0-2F63-4148-A56E-9689F90D836C} | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95EA840D-B222-46c0-BE01-6A92442C5FB1} | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | N/A
File created | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | N/A
File created | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | N/A
File created | C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe | C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe | N/A
File created | C:\Windows\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}.exe | C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe | N/A
File created | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
File created | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | N/A
File created | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | N/A
File created | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | N/A
File created | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | N/A
File created | C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe
PID 1848 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2572 | N/A | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe
PID 2268 wrote to memory of 2632 | N/A | C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2660 | N/A | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe
PID 2572 wrote to memory of 2672 | N/A | C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2504 | N/A | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe
PID 2660 wrote to memory of 2696 | N/A | C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 948 | N/A | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe
PID 2504 wrote to memory of 1596 | N/A | C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 1724 | N/A | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe
PID 948 wrote to memory of 1824 | N/A | C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1880 | N/A | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe
PID 1724 wrote to memory of 2308 | N/A | C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2500 | N/A | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe
PID 1880 wrote to memory of 1520 | N/A | C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe"

C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe

C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe

C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D789E~1.EXE > nul

C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe

C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E5E~1.EXE > nul

C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe

C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26145~1.EXE > nul

C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe

C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95EA8~1.EXE > nul

C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe

C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0595~1.EXE > nul

C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe

C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76854~1.EXE > nul

C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe

C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED5CC~1.EXE > nul

C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe

C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDE5~1.EXE > nul

C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe

C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00BAE~1.EXE > nul

C:\Windows\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}.exe

C:\Windows\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6C209~1.EXE > nul

Network

N/A

Files

C:\Windows\{D789ECF2-37B0-4d65-996C-D4BE903A494C}.exe
C:\Windows\{C3E5EAEF-93EB-45ad-A804-234B7E289129}.exe
C:\Windows\{261451B0-2F63-4148-A56E-9689F90D836C}.exe
C:\Windows\{95EA840D-B222-46c0-BE01-6A92442C5FB1}.exe
C:\Windows\{F0595E5D-B1B3-498c-B437-7D53AC51D169}.exe
C:\Windows\{76854266-3DA0-4ad3-B186-E5DF1A068574}.exe
C:\Windows\{ED5CC736-ABB0-4e32-8B39-145E6F3300F7}.exe
C:\Windows\{2BDE5D93-2118-4c6d-B025-87E0F06CDDCD}.exe
C:\Windows\{00BAE471-F6AF-426a-8828-7471583F7076}.exe
C:\Windows\{6C20941D-DA46-449f-BC27-2B1B7A3E1FFB}.exe
C:\Windows\{BFB420ED-BAF6-4cf0-802C-DB114CC000A3}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:01

Reported

2024-06-13 03:03

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}\stubpath = "C:\\Windows\\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67FBACF6-8C4F-4938-B618-021E61E03591} | C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}\stubpath = "C:\\Windows\\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe" | C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3903947-4E68-42a6-B475-344F664C2B2F}\stubpath = "C:\\Windows\\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe" | C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969E6608-122D-42ac-B075-52CE382D302D} | C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31957973-B232-4c81-8A52-3961BB0B51ED}\stubpath = "C:\\Windows\\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe" | C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152} | C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}\stubpath = "C:\\Windows\\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe" | C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D} | C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC04F8F-1524-4160-915C-2BABEFFFBD09} | C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}\stubpath = "C:\\Windows\\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}.exe" | C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31957973-B232-4c81-8A52-3961BB0B51ED} | C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930} | C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}\stubpath = "C:\\Windows\\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe" | C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}\stubpath = "C:\\Windows\\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe" | C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7} | C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67FBACF6-8C4F-4938-B618-021E61E03591}\stubpath = "C:\\Windows\\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe" | C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5597E-6E2C-4695-86C3-091AFCC328B4} | C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5597E-6E2C-4695-86C3-091AFCC328B4}\stubpath = "C:\\Windows\\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe" | C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3903947-4E68-42a6-B475-344F664C2B2F} | C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969E6608-122D-42ac-B075-52CE382D302D}\stubpath = "C:\\Windows\\{969E6608-122D-42ac-B075-52CE382D302D}.exe" | C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E} | C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}\stubpath = "C:\\Windows\\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe" | C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe | C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe | N/A
File created | C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe | C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe | N/A
File created | C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe | C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe | N/A
File created | C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe | C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe | N/A
File created | C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe | C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe | N/A
File created | C:\Windows\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}.exe | C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe | N/A
File created | C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe | N/A
File created | C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe | C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe | N/A
File created | C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe | C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe | N/A
File created | C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe | C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe | N/A
File created | C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe | C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe | N/A
File created | C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe | C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe
PID 4520 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe
PID 4520 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe
PID 4520 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 188 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe
PID 4224 wrote to memory of 188 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe
PID 4224 wrote to memory of 188 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe
PID 4224 wrote to memory of 4856 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4856 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4856 N/A C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 188 wrote to memory of 1268 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe
PID 188 wrote to memory of 1268 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe
PID 188 wrote to memory of 1268 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe
PID 188 wrote to memory of 4184 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\SysWOW64\cmd.exe
PID 188 wrote to memory of 4184 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\SysWOW64\cmd.exe
PID 188 wrote to memory of 4184 N/A C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2796 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe
PID 1268 wrote to memory of 2796 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe
PID 1268 wrote to memory of 2796 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe
PID 1268 wrote to memory of 2740 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2740 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2740 N/A C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1884 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe
PID 2796 wrote to memory of 1884 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe
PID 2796 wrote to memory of 1884 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe
PID 2796 wrote to memory of 2596 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2596 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2596 N/A C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1016 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe
PID 1884 wrote to memory of 1016 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe
PID 1884 wrote to memory of 1016 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe
PID 1884 wrote to memory of 1800 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1800 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1800 N/A C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 4980 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe
PID 1016 wrote to memory of 4980 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe
PID 1016 wrote to memory of 4980 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe
PID 1016 wrote to memory of 3092 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 3092 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 3092 N/A C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2968 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe
PID 4980 wrote to memory of 2968 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe
PID 4980 wrote to memory of 2968 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe
PID 4980 wrote to memory of 4944 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 4944 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 4944 N/A C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1412 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe
PID 2968 wrote to memory of 1412 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe
PID 2968 wrote to memory of 1412 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe
PID 2968 wrote to memory of 2456 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2456 N/A C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 1508 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe
PID 1412 wrote to memory of 1508 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe
PID 1412 wrote to memory of 1508 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe
PID 1412 wrote to memory of 2444 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2444 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2444 N/A C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 1528 N/A C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe
PID 1508 wrote to memory of 1528 N/A C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe
PID 1508 wrote to memory of 1528 N/A C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe
PID 1508 wrote to memory of 2084 N/A C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_fbeea84d00bb9479e71007bdc5820210_goldeneye.exe"

C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe

C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe

C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E466B~1.EXE > nul

C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe

C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31957~1.EXE > nul

C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe

C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF257~1.EXE > nul

C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe

C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67FBA~1.EXE > nul

C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe

C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02A55~1.EXE > nul

C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe

C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A4E0C~1.EXE > nul

C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe

C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F3903~1.EXE > nul

C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe

C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{969E6~1.EXE > nul

C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe

C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C5A~1.EXE > nul

C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe

C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16D97~1.EXE > nul

C:\Windows\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}.exe

C:\Windows\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB7D~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Windows\{E466BD88-E85A-4f34-A2CB-3AF48F00D6BF}.exe

MD5 907957e7ccd94dc18368da9f308e1e7e
SHA1 4f928cb02a8ee78b72eb5374895e92e56f68f9c4
SHA256 7f69442d25e4118e59512d03e2fd14932b530f0f7711fed1a083d4b5e05cbf23
SHA512 e7fda5184564f4955e5ae1aed6215127f61c82051fe3af68aca795b68da92d5f8cd5f8e72e028b42e3478623a41e16eaaf8672ad421c548601d325fd5d327e7a

C:\Windows\{31957973-B232-4c81-8A52-3961BB0B51ED}.exe

MD5 a820191a322f2efff417675038d74229
SHA1 604c6be4fd5a9ddd51f3af22b221187b7e703479
SHA256 ef8d8ddc70c8828b46eb4d10cae337e86cbb77ec3a8d65669299914eac609e2a
SHA512 8abd7cc82b06f09c459e3e5c7465df1bb954f0faebcab15983c407834104732961386a2c6406859b7989e005b4fdbc369106d994080eee083ab756e403dda14c

C:\Windows\{BF257F86-31C6-4b4e-BB35-AAA17C1BC152}.exe

MD5 f9a0c2f67c02621c94f0f0599f093410
SHA1 27bb1deb2cac51e2fb37c66f96c5c341596a9d5a
SHA256 96b07e9c4a3f839bbbb560ef4d36f22b1d94173aed6391a61b5b656a1532ec82
SHA512 40a56d732314d849d1448d8e481c8fc0f1f750a837dd8fdb8b91e7c858e45284b1a8d44c59be9198af3c4ee68980ec4051b9e1699380b92107402ed1a0a8d991

C:\Windows\{67FBACF6-8C4F-4938-B618-021E61E03591}.exe

MD5 72e3097c6cf384e3c521bef171746a71
SHA1 e2b88d161a3e96dedcc320a5b9b82b2f3cd130f1
SHA256 8114e024f32c07982fc08320054eb8cfdc87eb8d00f8be32a98f1882c45b15d3
SHA512 3d9479dad9f7dd5ae577821ba7ad4ed8536f31f570767d3e188e015c6398e34991742c21eaddf392d30b26e6ca691ac884114aaf8807f22034b14ae11dcfdce2

C:\Windows\{02A5597E-6E2C-4695-86C3-091AFCC328B4}.exe

MD5 469572f52ee4cc3dd7f23a61f1e623d6
SHA1 cade0937547403c553b342e4837c55b54c28b0a8
SHA256 501e9be14237cc6c59e88511344b093a2d8f95f9bbbff0d68ba539ebd1b0660f
SHA512 157b096161bfba16d9945db62848936a33e8a698b31db15e32a7fe3d9d44aa76094f6330e1d64ba26f6fdcb3e7f1967739fcaf84922846eed4d6204847bd08e2

C:\Windows\{A4E0CBCA-B53E-40ae-A9F3-B125EAA19930}.exe

MD5 177710861c60d9e9d131173fef5d1dac
SHA1 9069a36fca21c12cf2b83d5158501ac7db1e84b1
SHA256 e61adf2ff6a4b82b92c27484a3e8bfa51b4c9fad68e6bdbf22a05c93eaab4447
SHA512 482838b2731cf2a69c6e49664ad9a845a8a9133b28ba187f59bdc47211acf09fe6017dbd73a733745b1c33c8fce1aade614024bc9812117c307eefeb648a9f49

C:\Windows\{F3903947-4E68-42a6-B475-344F664C2B2F}.exe

MD5 54f8a4d3073eefed59ca17dc46b4d1c5
SHA1 2073244e4c420bad05bcd830eaecdd8266ff7149
SHA256 aa9460f93e93876d6a1be3088d12bd95467ba74c7ed3c8344dca67b788d2bb73
SHA512 0549d7b22f7745a67549192ca1d685ca52ec97558bb9646ef7cbeaec391908d3abf677a6966286d680fb983bdab2b367fb67eadf7ebe4dd65edba66c4d34a6d1

C:\Windows\{969E6608-122D-42ac-B075-52CE382D302D}.exe

MD5 b5b8cf05e8cb82fffb6575497a420f94
SHA1 9992040b84174e0d51c97962b2bdd307127b31c1
SHA256 ac76f3349b34133f297a88dedc5c10d9970a02ccbf19fff4d97cf97e9480b1c0
SHA512 ac8a518dce74c6e52fd446b7535fd8c08bd3fc80ff3b357f2e0e1936a551e97eeea6db9a8c35e44f871ad6b9b13f41b0d4e7dd33d97e5de6f8a4fdb0c407c94b

C:\Windows\{B2C5A952-E9F5-46d5-9C05-F4530BF8BA4E}.exe

MD5 03e1c487e4f2bd92163cff5a4729c7fc
SHA1 8048a12870f215ded54a564c3108f94a04469122
SHA256 39806988016adf29788416d848542f54eb341226267d09763a627791336108de
SHA512 28b809723533dfd2d9978e29fa7bbe1e1c2bb90d845596881828e51f4a2d38e78ebbe2d9e31c2a14c387a1cacb8626d910e8327268102b6fe7eb3be4a5fe7a48

C:\Windows\{16D97D4C-A3D7-42db-B2A7-5DB34351D04D}.exe

MD5 23d83d914ed7a260a30ea1999363c5aa
SHA1 877c6915d785738aa1564ca6e85cb710f71b5314
SHA256 cdfd4562005a0e0d96c505141a852bf06d8e6c21acaaabfe0eb4319b490ef9bb
SHA512 275749d92c501e75f5680e6a153b275d9f093b513567838787f07fe8985c08e53f8dbc95c45c854be9f8f0ed1cd19c24adcfaac72f1d3653c6dae81a8077fe74

C:\Windows\{3DB7D47A-2957-4da5-B2AD-3B9075172BB7}.exe

MD5 2407ca83178099858573b64c03c7c0e6
SHA1 b1b7ab23d77b14cd702d360b41c9780a61e0bc17
SHA256 3d8eeb354e1590463c198c8ed1bb4ca359b42f95d00ec086ca3cb3865e3ce08c
SHA512 e50667494b4c8269767d09f6d5e75da483bd73647f6ade04fe05169d8626c8d487a1327c9743d4244944d747f3c6144e2cf1cfd954fa3598cf0832983116b047

C:\Windows\{AEC04F8F-1524-4160-915C-2BABEFFFBD09}.exe

MD5 bac3b7b574904faf0d9a008870d58b53
SHA1 74af36e3479c2d81c5197988df25a1fca0e1bb0f
SHA256 1ca81e4c44487e6938725ab948899b7b56a93df6dd63c8d2aca3fd43aab5f128
SHA512 0d329a323d02f966832508217fa26a06f690edc474b1bb1d0892adbbb13fdebc140fa291d56a002c906f3cf3a63ce8fd32105fd9abbbf653f1d4a7fb3759b8b6