Malware Analysis Report

2025-01-18 13:58

Sample ID 240613-dhrfbasbqf
Target 2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye
SHA256 221c12292934484313a0e4c0616c12ccbc14024efa56c16040e09ac6afd691bd
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 221c12292934484313a0e4c0616c12ccbc14024efa56c16040e09ac6afd691bd

Threat Level: Known bad

The file 2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:00

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:00

Reported

2024-06-13 03:03

Platform

win7-20240611-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59} C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CE29DE-D3A7-433d-B09B-085C158C1DBE} C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{732A6029-861B-475e-BBD0-82DC6FCEDFA6} C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}\stubpath = "C:\\Windows\\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe" C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A46D2C-671D-45bf-AF42-071A412DD4CE} C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1424957B-5154-42e0-BD48-7A29B1757BED} C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12} C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}\stubpath = "C:\\Windows\\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe" C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B569AFBB-1637-4c97-AE30-0C25D98720C6}\stubpath = "C:\\Windows\\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe" C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A46D2C-671D-45bf-AF42-071A412DD4CE}\stubpath = "C:\\Windows\\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe" C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A80877-979A-44be-A9C4-20E7D07E84F7}\stubpath = "C:\\Windows\\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe" C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}\stubpath = "C:\\Windows\\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe" C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B569AFBB-1637-4c97-AE30-0C25D98720C6} C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021B75BE-B5DE-4288-827B-8E857E7E62CB} C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021B75BE-B5DE-4288-827B-8E857E7E62CB}\stubpath = "C:\\Windows\\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe" C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D} C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A80877-979A-44be-A9C4-20E7D07E84F7} C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}\stubpath = "C:\\Windows\\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0577196D-E7D3-4c4b-868D-9EABF380F2C4} C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}\stubpath = "C:\\Windows\\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe" C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}\stubpath = "C:\\Windows\\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe" C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1424957B-5154-42e0-BD48-7A29B1757BED}\stubpath = "C:\\Windows\\{1424957B-5154-42e0-BD48-7A29B1757BED}.exe" C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe N/A
File created C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe N/A
File created C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe N/A
File created C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe N/A
File created C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe N/A
File created C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe N/A
File created C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
File created C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe N/A
File created C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe N/A
File created C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe N/A
File created C:\Windows\{1424957B-5154-42e0-BD48-7A29B1757BED}.exe C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe
PID 2460 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe
PID 2460 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe
PID 2460 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe
PID 2460 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2736 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe
PID 1624 wrote to memory of 2736 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe
PID 1624 wrote to memory of 2736 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe
PID 1624 wrote to memory of 2736 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe
PID 1624 wrote to memory of 2764 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2764 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2764 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2764 N/A C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2680 N/A C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe
PID 2528 wrote to memory of 2640 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2796 N/A C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe
PID 2640 wrote to memory of 336 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2776 N/A C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2216 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe
PID 336 wrote to memory of 2216 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe
PID 336 wrote to memory of 2216 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe
PID 336 wrote to memory of 2216 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe
PID 336 wrote to memory of 1440 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 1440 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 1440 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 1440 N/A C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 1816 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe
PID 2216 wrote to memory of 1816 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe
PID 2216 wrote to memory of 1816 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe
PID 2216 wrote to memory of 1816 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe
PID 2216 wrote to memory of 832 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 832 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 832 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 832 N/A C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1436 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe
PID 1816 wrote to memory of 1436 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe
PID 1816 wrote to memory of 1436 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe
PID 1816 wrote to memory of 1436 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe
PID 1816 wrote to memory of 1052 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1052 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1052 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1052 N/A C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe"

C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe

C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe

C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E84BE~1.EXE > nul

C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe

C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC034~1.EXE > nul

C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe

C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05771~1.EXE > nul

C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe

C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18CE2~1.EXE > nul

C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe

C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{732A6~1.EXE > nul

C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe

C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B569A~1.EXE > nul

C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe

C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{021B7~1.EXE > nul

C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe

C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4C605~1.EXE > nul

C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe

C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{10A80~1.EXE > nul

C:\Windows\{1424957B-5154-42e0-BD48-7A29B1757BED}.exe

C:\Windows\{1424957B-5154-42e0-BD48-7A29B1757BED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54A46~1.EXE > nul

Network

N/A

Files

C:\Windows\{E84BE07C-9251-44e6-98A0-08D6FEAFAF59}.exe

MD5 2af67cf8dcc286e674b6633c225145f6
SHA1 6c922ee184c886a6af3a9135cc23d25ac6921d20
SHA256 19b05217bbd952a3c1216c7f04ba1de0fefb76c8e51626bc4f55f282a2101b9a
SHA512 c5a534243a2860564d710d8b5408cf6f62a85b8fb698485f0cdfba30a4d1f3ef8e313e2c6a1b2264fc345bed29c213e9821c3121666919001f3b594963431618

C:\Windows\{FC0348BE-AC5F-40cb-9F5F-074D74B9EB12}.exe

MD5 5168f3dfac6591e5ac5104954f0ead33
SHA1 8ebd8c329b418d0e662dee801e8c9dda8e9fec61
SHA256 f2ee66a842a5bda712bef4fa19be4d2b87a4981102e20adb62db17a831a0c7a3
SHA512 47f80426ea144548b969a4cafc9d94156105a6c00f16011efb320351d3cf9431243ef6f70aac07095adc5b6ca50349d0777d37c04a4ac7178a6269368d6182a2

C:\Windows\{0577196D-E7D3-4c4b-868D-9EABF380F2C4}.exe

MD5 d1b16a49d383ecdb38794b55f1f04ec6
SHA1 ba9542ec857e8f4e90727e6002314981b04c2008
SHA256 4cd3b2389d43ebe0b9478cd99d2a121f4ca0c793c8a6d6ec0aff7a5683f1e4c9
SHA512 616dbe3c9187a97574af7a6ab90ceeaa7a75a82487a2cdd9e759288ae5432472bec9f14ad164bb6b8f9a070589dfcd0d67810e8a6d603175ac93a9cea9535757

C:\Windows\{18CE29DE-D3A7-433d-B09B-085C158C1DBE}.exe

MD5 95d1f160e0ebc996740ec113cda9780f
SHA1 8e194a6f7c3da8ba0ec0c636e37574c193ad59af
SHA256 44b55d938fa1d9e20d4a1e1f685f050d8ffa50f7e1292bafe8d5796e13389689
SHA512 f120006ec836f9ba73e1705cb64117a3fba02c7e0039f5a0440159cffc16e57b60f98c8050f1b890cd3ae22ff61a9db42c7ff01eb787da2e63d124422b590cfe

C:\Windows\{732A6029-861B-475e-BBD0-82DC6FCEDFA6}.exe

MD5 1f75849d4d0ea6cc41641ed20f26f1b5
SHA1 418b6fe1a799944f3d3bd462948cf3cc827ca50d
SHA256 1f37e1a12a6f6f38d45cb5c427ef79c7d1a404f61e644b77c00541c2c88c79c5
SHA512 dae11913e7fe681b9b541b2de34bb29b12617e763e1ac0130eb94f1c1ff68c5212079d43ecab00d7f5e6f0ebdf279fcfdc3c20ba0119f198589592cff0498b37

C:\Windows\{B569AFBB-1637-4c97-AE30-0C25D98720C6}.exe

MD5 8b53d737785e1cfaad08805d7791bb57
SHA1 24ddb7cbf0bbbbefd62d2db71e2bebd62191150f
SHA256 b26aed4d8c8f23793947712c72fda4d95db3ae886b6faca21bb817f296acfcac
SHA512 add484c2a5587e4b1baa8a7fe024dff4e925fbc5d99373f8b8370c052df0900615d3d06aa63571a9ff198fca61f72b57fb687c6ad81e123c1059e7c9cab39b2e

C:\Windows\{021B75BE-B5DE-4288-827B-8E857E7E62CB}.exe

MD5 7abd8b89c175d51f8622c89b0d4e06a7
SHA1 18650d7d82b7b0d421baae7b0f55dc1dcfaae1f7
SHA256 6173f1e94c1fafa26ca09edeee5a5a17d9f6415164809c09afb04664894d6461
SHA512 bcae5da6052da05d762b498e91bed1e2d1af4ebdf08b8c5559d7adc7282f4902e42be6ef1aba8890d54f68097be46e7714ffcff5eb8ad86deb1728ddf32edc96

C:\Windows\{4C6055DF-DDF3-43c2-9F18-6A504A7E7D6D}.exe

MD5 c47cece0fa1bd4fd1ab888b260f98e23
SHA1 703955ca0e5e2fa4ea64bd2fe0dfdb8ef6f1eb5c
SHA256 053811e3446190cc0b26a0a1a3d7e49f508e1196c468d211aa7c177d59c5eed2
SHA512 ddd2777f5ef7d9ef5e590656f4d4711e17666f7ed5d371c257cb37c5fe9bf602c9daa3f4c3a0fdd0ca7bd24fcc994eaa0d801c04b89b33c17006f956b33d5515

C:\Windows\{10A80877-979A-44be-A9C4-20E7D07E84F7}.exe

MD5 b67c0d16b567e394cdcd80287ca2be88
SHA1 9573e6c8424c51a2c66d4fb9fc56ff3f141c9de4
SHA256 8b96c27cc7755da53094196d4e222abe15f6ff99ffe5fff673a95f3bf69bb99b
SHA512 fdf6bc2fdb79c2fe85644a45d47e408718cc591a93126d9caeab2290b7265432ef80f1bf8a478cc8c92d88339aff05ccc06cd4bf7d313f9f910ae04da3e8dde0

C:\Windows\{54A46D2C-671D-45bf-AF42-071A412DD4CE}.exe

MD5 551d50abce04d20efa3682e8ff63873a
SHA1 0a1d666c6172a05ccdecb3e4b25875976db6b8da
SHA256 33624346847f76aaba1691c12dbfeb963a59f302e09581e121fda094f1aa3628
SHA512 fa796f316b65cb7e176bcc34ffe5497245297d138597482f8fd40580df01333184c6aea3f88f19cddb922b3d5f0f3ec233aedbcf756565a0b48bb49b65c1aeaa

C:\Windows\{1424957B-5154-42e0-BD48-7A29B1757BED}.exe

MD5 d0459b4a24f56fc3a61150414ae20a4e
SHA1 dd04bc0655e5eaed3bf0f90cdfbf5b1d572a82f6
SHA256 d9539e5ab5f53905532ef289246b755e31dd356f338fe42fe4b656c441ee9fe3
SHA512 dfac11b9c44da6cfe6137df0b2c3ab9daa60568d68820746118910974be22553121f001e92ddc92a1ac40489838700a3f0a6879bd2a6d77ad4b75aea622d3921

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:00

Reported

2024-06-13 03:03

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

Tags persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}\stubpath = "C:\\Windows\\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe" C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CE8E06-1004-46d4-A975-75B0639353C7} C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CE8E06-1004-46d4-A975-75B0639353C7}\stubpath = "C:\\Windows\\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe" C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0857784-0EC5-4851-BFDB-CC58168FE398} C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0857784-0EC5-4851-BFDB-CC58168FE398}\stubpath = "C:\\Windows\\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe" C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137379B4-EB61-49df-AA9E-2D6E40463416}\stubpath = "C:\\Windows\\{137379B4-EB61-49df-AA9E-2D6E40463416}.exe" C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}\stubpath = "C:\\Windows\\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF} C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}\stubpath = "C:\\Windows\\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe" C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B97C427-4A47-4864-BE59-ABF6DC25100D}\stubpath = "C:\\Windows\\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe" C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AE91E9-1A26-45ed-A5B6-735E3354EA83} C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A} C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C66282-699B-4e00-A7F0-CAF7BAA4336B} C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B97C427-4A47-4864-BE59-ABF6DC25100D} C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137379B4-EB61-49df-AA9E-2D6E40463416} C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}\stubpath = "C:\\Windows\\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe" C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}\stubpath = "C:\\Windows\\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe" C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2514FC63-5F77-4156-A084-A1559ACC2FB7} C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2514FC63-5F77-4156-A084-A1559ACC2FB7}\stubpath = "C:\\Windows\\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe" C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70200A9A-97C4-442a-86DC-7D663AC0A7CA} C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}\stubpath = "C:\\Windows\\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe" C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DFF365-0B72-4495-AF96-F93A649BE0A5} C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E66775-5950-4bc2-94E5-C075A6EE27C5} C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}\stubpath = "C:\\Windows\\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe" C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe N/A
File created C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe N/A
File created C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe N/A
File created C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe N/A
File created C:\Windows\{137379B4-EB61-49df-AA9E-2D6E40463416}.exe C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe N/A
File created C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe N/A
File created C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
File created C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe N/A
File created C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe N/A
File created C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe N/A
File created C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe N/A
File created C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe
PID 4708 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 4724 N/A C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe
PID 1312 wrote to memory of 3204 N/A C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1660 N/A C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe
PID 4724 wrote to memory of 3056 N/A C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2192 N/A C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe
PID 1660 wrote to memory of 2996 N/A C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4524 N/A C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe
PID 2192 wrote to memory of 4784 N/A C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4176 N/A C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe
PID 4524 wrote to memory of 1300 N/A C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 2424 N/A C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe
PID 4176 wrote to memory of 3712 N/A C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2236 N/A C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe
PID 2424 wrote to memory of 2968 N/A C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 4328 N/A C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe
PID 2236 wrote to memory of 3944 N/A C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 4140 N/A C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe
PID 4328 wrote to memory of 3216 N/A C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 3460 N/A C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe
PID 4140 wrote to memory of 3440 N/A C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_edeabfd31140c33d942a63a71736a0ba_goldeneye.exe"

C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe

C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe

C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F5E66~1.EXE > nul

C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe

C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A0EE~1.EXE > nul

C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe

C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27AE9~1.EXE > nul

C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe

C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2514F~1.EXE > nul

C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe

C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5CDA~1.EXE > nul

C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe

C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70200~1.EXE > nul

C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe

C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04C66~1.EXE > nul

C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe

C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2DFF~1.EXE > nul

C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe

C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A8CE8~1.EXE > nul

C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe

C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B97C~1.EXE > nul

C:\Windows\{137379B4-EB61-49df-AA9E-2D6E40463416}.exe

C:\Windows\{137379B4-EB61-49df-AA9E-2D6E40463416}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0857~1.EXE > nul

Network

Files

C:\Windows\{F5E66775-5950-4bc2-94E5-C075A6EE27C5}.exe

C:\Windows\{6A0EEEF5-C67D-4b0d-8E5A-C41852BCA2EF}.exe

C:\Windows\{27AE91E9-1A26-45ed-A5B6-735E3354EA83}.exe

C:\Windows\{2514FC63-5F77-4156-A084-A1559ACC2FB7}.exe

C:\Windows\{D5CDAD7E-2314-4b69-92E4-7AA17872A98A}.exe

C:\Windows\{70200A9A-97C4-442a-86DC-7D663AC0A7CA}.exe

C:\Windows\{04C66282-699B-4e00-A7F0-CAF7BAA4336B}.exe

C:\Windows\{C2DFF365-0B72-4495-AF96-F93A649BE0A5}.exe

C:\Windows\{A8CE8E06-1004-46d4-A975-75B0639353C7}.exe

C:\Windows\{3B97C427-4A47-4864-BE59-ABF6DC25100D}.exe

C:\Windows\{D0857784-0EC5-4851-BFDB-CC58168FE398}.exe

C:\Windows\{137379B4-EB61-49df-AA9E-2D6E40463416}.exe