Malware Analysis Report

2025-08-10 21:45

Sample ID 240610-erg4nsbh6s
Target 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye
SHA256 71d546866b6bd57bd3addee83e4738fb057c44eeb1781cf5ca1a55dbc6c1715c
Tags: persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 71d546866b6bd57bd3addee83e4738fb057c44eeb1781cf5ca1a55dbc6c1715c

Threat Level: Known bad

The file 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-10 04:17

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 04:10
Reported: 2024-06-10 04:41
Platform: win10v2004-20240508-en
Max time kernel: 69s
Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB} C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}\stubpath = "C:\\Windows\\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}\stubpath = "C:\\Windows\\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe" C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878} C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E} C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}\stubpath = "C:\\Windows\\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe" C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718} C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E} C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E}\stubpath = "C:\\Windows\\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe" C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878}\stubpath = "C:\\Windows\\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe" C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
File created C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe N/A
File created C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe N/A
File created C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe N/A
File created C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe
PID 5028 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe
PID 5028 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe
PID 5028 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 640 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe
PID 2220 wrote to memory of 640 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe
PID 2220 wrote to memory of 640 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe
PID 2220 wrote to memory of 3016 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3016 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3016 N/A C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 2200 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe
PID 640 wrote to memory of 2200 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe
PID 640 wrote to memory of 2200 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe
PID 640 wrote to memory of 3876 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 3876 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 3876 N/A C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4856 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
PID 2200 wrote to memory of 4856 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
PID 2200 wrote to memory of 4856 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
PID 2200 wrote to memory of 880 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 880 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 880 N/A C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 428 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe
PID 4856 wrote to memory of 428 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe
PID 4856 wrote to memory of 428 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe
PID 4856 wrote to memory of 2216 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 2216 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 2216 N/A C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"

C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe

C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe

C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D80~1.EXE > nul

C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe

C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7A775~1.EXE > nul

C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe

C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{29CC7~1.EXE > nul

C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe

C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{05E49~1.EXE > nul

C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe

C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{18BAD~1.EXE > nul

C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe

C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D128C~1.EXE > nul

C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe

C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4C04D~1.EXE > nul

C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe

C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC2D~1.EXE > nul

C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe

C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F48E~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe

MD5 f13ff9cbc42ec6948b2754e12e837750
SHA1 5d3573d95bb6daa4e4faa0a928630595de32d199
SHA256 d95d03996afb65f646a960829a201b669f945813b248264690d1b513a293a9a3
SHA512 1c953f2a9d2eea7b1e121ced10472144accab0c4834578e588ed5ef3f3534c7c43f778c74cc255684e45d18fe4d33cfbfb833a458248d93d597b90d6f887ba3b

C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe

MD5 61f9b1e29fece0443e1335c460452b6d
SHA1 6506dbc105ab55058af02e98e2eb986bc2fa8efc
SHA256 be18a1b86e3f655f9d9c020757c17f233df30de18c31477a8749ee645832dd45
SHA512 27f7c1cb8c88a7ec91ada202160fbc2100b3fd8143cb244977bccca2e5206dcd7151f1e17bb8e86f1682ee692a24df080a37a8efb67611bf2a5ccf691995131c

C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe

MD5 24aff4051286f5ee94d1952af0c0c36b
SHA1 2f065b149b81a22c303090ed069b5ae4b9c429a4
SHA256 4860ee272eea2bbaf86d03f4d36954ff7191afb07f685346cf4b98b7b8e097f5
SHA512 de36f09521740d6677f6cb0b74d75883355720dd12349fc3d40ef95fdeba5f85f709eb2ef7cde863d62a93d1e1e2a411cd4c67b3f91ba082c220b2ab0ba8ae41

C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe

MD5 74e14ce6556272bebb22b9b2a3a01775
SHA1 ff0b46744aa9f6e5f2819334637b9a41a9d1b28a
SHA256 7a4cd9f7ca3f97787ad9410467a4f0f193789112d6aaec599d5c17232b0f3291
SHA512 3704a36354e356f217d235a52b17120b99945340e8298c203e9231cfbfd3e316be5159c73637da1d210b46a68d2b69a5bd7264f673afcc6b5f3811d27324ab62

C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe

MD5 9c33edd401335e3ab9d16dac6c3b9d7e
SHA1 7b70f2f8d7ecc5eec27999194d45648bed3e6f6f
SHA256 27c2e0df35d2417014b3be06346355ccbc552587403a15aabb991855cacf93b9
SHA512 079bbcb650905a5d13bbad7c188e1551973f37f0467e4d296147bf5b7a887d788eb4c5c12a48fe7f97173212dd3f1c9cc7991a1039f3f53f6ce2de264c6f37e8

C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe

MD5 fbffa3044661c44d31b5d74798d17182
SHA1 1d9efdff54790ebca3922b4729bd29151e2db020
SHA256 11b8851bb2057bf929f5a7ca346f1312675ab22ba1f1c2f8c938563696f3f67a
SHA512 fc2cc56b787b12375b60887788c1a896178265789892eecca02a0086ee00c76cabcdc32cd8619a02ba6ecb1082f74f2d63caa1f026679f7e89db7a48d45cc93a

C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe

MD5 6f5b2f4c1eca91fbfcad1b4556aef8eb
SHA1 0c3f5255b5d2d31142f0e85b94b4d97846738e94
SHA256 a6f1603b5ddf36160e22e0d9dad4de3b85f89fa176bf12f893c94327cb39f558
SHA512 a4ca19316686367583071a0180fe6c4d964083f0bec84e024adeb2ed66da279cf867cf431143355b805c20c35d368277e60bf51b1c5439d753d6df409ed06bb4

C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe

MD5 c8cead85543fb65a5e18c8eeb124a663
SHA1 fec1a01d034eb1243e3054ff23b7bf6f807cb1a9
SHA256 9a966489ebdfc325959e34017306fa1e2a60d4a6471a1e1c0c9f5446eba4c7ae
SHA512 ced171321be9fdf8acd24b261d9045493208233ae3704d84e86bc2ce8bc5f2284f8959e62c1c8774ad555ebcca15c3c6fc958b32f9a22a425d4f4a9d2d0879b3

C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe

MD5 3ba855d88392589b5241af5f5b047380
SHA1 e66d77f100ca2c4813b08f785cd6626b6e677ee4
SHA256 74659944398ae1a7fa8c2fb7d715cf39921aed394d9cb3077258bdc708956010
SHA512 beaa3809c490b1dec77fdd4e0ca33d7af1c26a309aee758c13559c57c0cac076ef41b98dcf3ae2bbb8d919689d19fa5b083bf8d786b434a30de0e0838d20e2ce

C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe

MD5 7ae555bbcbf4489efe2d99dd10ba8031
SHA1 4107c575054325bbc4aca2af36d950e42a82b938
SHA256 ca8673d607d62b3a74e873da6e9e7505fc92859c0f92ef7d7d9a382280d0be4c
SHA512 78d205502cd223af3090edc9d8fde3cedc12aaf9c9427129a95442030f159e0ad961814c51ac2cf66a25355ff696ae93965601dd96dde286970c9ec7500067e1

C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe

MD5 1630bc9119a8eeb6a4eec7fed9576d5f
SHA1 9b9019cfd7826084f472dddb44cdcadc7ed8ffe3
SHA256 81da80a991eec81f83852ad5fc7d4b14bfa076b9f78d25ba5106caba42f72ada
SHA512 4b10a455dcd2754e2a2e301f199bd41bdd6f2b59f4fbad99129f9807cb5fbb87b4bb25020d106c014c991077b99bb0e38b1c304061f6d7a4d6efbe3ce2f8a7ac

C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe

MD5 35f19861845f4ed7c053d6ee8ce7999b
SHA1 5b7226766176ee5fbb182508da286e425109902f
SHA256 409835f4cf8ed7f9c1084c1c694331dcc2c51c856900fcc22023817a7f660260
SHA512 90c93fa4bce4807ad0cc7122590d8780f24337d764545733a86b0de1620090a85b725950a64dd9ec3d88a0ec42dee40bfe6b358e5dc83dbba30205351ed5c7b2

C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe

MD5 1a4cbecc2d8ae7b61610b90989f73515
SHA1 87e95d4ae5ba255d81bdfd28e3f7291f6fc5f8ca
SHA256 04933d288a942a7f8ce7c98c0931d9d936a54154121b2c97cdf87c40bf609074
SHA512 43a7d2c7cd922681f93c109efd23bce04ffada1447817138cf68b70baf6b8abc8b22d157a2b8c1ddbd145c11570777015488710a7270ff452153a92fdfdca528

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 04:10
Reported: 2024-06-10 04:41
Platform: win7-20240220-en
Max time kernel: 75s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7959034-881C-42e8-8249-89AD8819C1DC}\stubpath = "C:\\Windows\\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe" C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160} C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9813416-B0D7-40e2-A823-1ED3622119CF} C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859B9250-2726-4e1e-8340-CFBD3D779E2C}\stubpath = "C:\\Windows\\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe" C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3891D4-74EC-468b-A927-C66142374897} C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701B1477-0536-4ce8-A0AC-4272467DFDCA}\stubpath = "C:\\Windows\\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7959034-881C-42e8-8249-89AD8819C1DC} C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9813416-B0D7-40e2-A823-1ED3622119CF}\stubpath = "C:\\Windows\\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe" C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859B9250-2726-4e1e-8340-CFBD3D779E2C} C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3891D4-74EC-468b-A927-C66142374897}\stubpath = "C:\\Windows\\{2F3891D4-74EC-468b-A927-C66142374897}.exe" C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701B1477-0536-4ce8-A0AC-4272467DFDCA} C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}\stubpath = "C:\\Windows\\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe" C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe N/A
File created C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe N/A
File created C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe N/A
File created C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe N/A
File created C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
File created C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe
PID 2064 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe
PID 2064 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe
PID 2064 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe
PID 2064 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2696 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe
PID 2148 wrote to memory of 2696 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe
PID 2148 wrote to memory of 2696 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe
PID 2148 wrote to memory of 2696 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe
PID 2148 wrote to memory of 2564 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2564 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2564 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2564 N/A C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2744 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe
PID 2696 wrote to memory of 2744 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe
PID 2696 wrote to memory of 2744 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe
PID 2696 wrote to memory of 2744 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe
PID 2696 wrote to memory of 2688 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2688 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2688 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2688 N/A C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2868 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe
PID 2744 wrote to memory of 2868 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe
PID 2744 wrote to memory of 2868 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe
PID 2744 wrote to memory of 2868 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe
PID 2744 wrote to memory of 2236 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2236 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2236 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2236 N/A C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 768 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
PID 2868 wrote to memory of 768 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
PID 2868 wrote to memory of 768 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
PID 2868 wrote to memory of 768 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
PID 2868 wrote to memory of 312 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 312 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 312 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 312 N/A C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1980 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
PID 768 wrote to memory of 1980 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
PID 768 wrote to memory of 1980 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
PID 768 wrote to memory of 1980 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
PID 768 wrote to memory of 2412 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2412 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2412 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2412 N/A C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"

C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe

C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe

C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{701B1~1.EXE > nul

C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe

C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7959~1.EXE > nul

C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe

C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B1F~1.EXE > nul

C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe

C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A9813~1.EXE > nul

C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe

C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{859B9~1.EXE > nul

C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe

C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F389~1.EXE > nul

C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe

C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7390~1.EXE > nul

Network

N/A

Files

C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe

MD5 bf9398b7fedc16b39b773397812a5603
SHA1 f15b6e10211cfef1ff9944b627b2c53758eab839
SHA256 e03807bc203bae44159274cc5a09317b33fb87bfa4f0500dc7b50f32ac8a5149
SHA512 d60f64b8cf4197c109a86b990f38866c6b4028de9db5b96a329981bbf948694ca93871d939629e5241d8d36cd88a44343c3129257b3283926e87c270f64c4a58

C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe

MD5 6b1347e4e69bf6877df30eb1d5678fca
SHA1 4773265902984216aa242fb9f68658edf609cc69
SHA256 510fdb82b323a1eefba450d16794df314e32dcbbc84e24a7c3c55ee3d2720aa6
SHA512 0d4203fd768b2713e62153c863cb49d34455c28bbfb0c87a7f4288d68e856f38f3bd57267c1c53896581205ba491f9b851b716230b7c1ffd0bb12a1746d5e9f2

C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe

MD5 787dc17bb7f2ef76e4126af6cd8a9d19
SHA1 6deea89cab426c2679c8ca7db2afcf35fb010bc2
SHA256 8d9dbd860fe3f0a71f4da99ea47e99440c7adbbd67e74554ebcd0d6075d88978
SHA512 e8bdb300730d0e28f943a3701ca6b98d66eb520b83110afe3cd7083dc4c31721756f11167289496f186f5c162915b05c3d17c656467e3022f3875cdf594ac56f

C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe

MD5 f1bb9fe2f7feeb62734012e2d07cc994
SHA1 6dc7b96925c88304416c8319823b3869b14e64e6
SHA256 8df266fde65afa0c35c7335d17723b77d58e32e7d70aae4ab40024cb3b97fb26
SHA512 83c0b6b2cf99acef6a4039004121820a57a9f319486935dc11670c5a70c4fd8adb4ffb32ebb604dc4c6a5c2c0428a9e00912fb37c83a5e4f8f0c8cab21822782

C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe

MD5 7f657649944b4c91452521dd0a891839
SHA1 251ebff75dcd3a7a95de7d8326e55cf5ad9c773d
SHA256 bb295233bc59157419b2195027bcfbe8c1a4d6fb59957b5e596e9d4b0e6cf252
SHA512 7790006eae2dd668790c8f59fde23d5975965a689087ddcaa0187007517b9a6f1f1297df995f820d0b4b1b34fdee50d2692ee6e3bfac7f8c14e865a942df2b62

C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe

MD5 8fba8d942fa96dab5244a563a9498d31
SHA1 88f71da3e9377bc8f28991e6219442a0bd2601d7
SHA256 ad78f0e70c87297901f89395e8dbce919112c23be002d68842ef8541fba648b4
SHA512 a73301538bad72df7253d81a5a49dd7fc4aab3c363fa930bd004b80177c7379bc36602502cd1416e346e8ecd4f2a9acf83feb10448e4fb891c15f3f0f2b6a3c0

C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe

MD5 c9e2ac6497509f5815050348e472fbea
SHA1 2f53431b4ea143f14877337012f3e9834e2cce7b
SHA256 d204247c12cecfd2af845ee2087066c34d82993b2cd6fa0eea08162f6e0ecf48
SHA512 0b94ce14e6d1f31c38bc2cc44cddb4092e053b52ac78805ec1a84807afeceec46a0786afa0dc45158bd360435e5428387436685a7aef6477cb98129651b319bc

C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe

MD5 e67dc4636100246c1a8b602647079f72
SHA1 d998a29735e47e980409d93857b6abc704903b05
SHA256 17527124380df17cfa24cdda99dbb9ed3aaf469d93b34f75b1f8dd70058e6717
SHA512 e15fb73e8ff654c82e14c28bed78af820a89c497837961c6ece1e688d2f194afb6972db46ee1b96885d562da2fa816e3322ca2f10772684ee660a160fb45a46f

C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe

MD5 8ab61473e99b58673a5b4331a53d0883
SHA1 d5bdb78e27009f88e3e45e8e746ae8d933c84abd
SHA256 cd552f209b39d6a617d086a7c0a35931c6367321f18e1c60e56ef12f070b468a
SHA512 550da3c88837852e6a85f9daf086fea41cb0914e75f19c97b048863e859ce91e6d5f1c1f047b492d8906300a0b3821caf509159e3221ac9064aaf60d365ad038

C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe

MD5 dc880221f9b5257f6b552a6c79abe53a
SHA1 fbf0e8dc2936539de1861288c9d2e541fd674456
SHA256 d069ade7da504316e15a41f9b25e25dc5f6b44b590014c026643dc7d39a8ffc7
SHA512 8033a339bade456f0ea7abdb471eb780aed76c011a394d9455f6412f34d1985285117eaabe62f4cd14934299b7380244772bcb0f644976ada7cd45b1423259b3

C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe

MD5 e2773bc901ce7abcb741aa0c18417991
SHA1 58bad29624673bf08b68d568955002a4c20df0ad
SHA256 c694123d4df7d665931dc671b872b6c25be851fa5b10b3ee15788515932a00d0
SHA512 f52f1ff6bf0724a3372a88b51d7ae0e1367c95f2c03bd01bc546f5de829ea83f6a1cf2e7a8a45c0f1c118a239979fab0e02c950fa423c797963ae2baec3c4423