Malware Analysis Report

2025-01-18 13:32

Sample ID 240613-dgnysswamn
Target 2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye
SHA256 f9738adc7c4192099c2b6f71d1e418f0454a91e495b4e191a429d0b6e33db30b
Tags persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f9738adc7c4192099c2b6f71d1e418f0454a91e495b4e191a429d0b6e33db30b

Threat Level: Known bad

The file 2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:58

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:58

Reported

2024-06-13 03:01

Platform

win7-20240221-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5091EA96-9C29-4ab7-A07E-788B362C5C74} C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69} C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5EFFFB-479B-442c-8C85-374463A60BB6} C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}\stubpath = "C:\\Windows\\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe" C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E9F8066-FB6F-48b2-BE38-C9107BF57126} C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}\stubpath = "C:\\Windows\\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe" C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1547E39-D772-47e4-9DE8-9E06C2ADD787} C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}\stubpath = "C:\\Windows\\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe" C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD} C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F158C67F-D1D1-492b-A124-8E92C7574E33} C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F158C67F-D1D1-492b-A124-8E92C7574E33}\stubpath = "C:\\Windows\\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD3CE87D-1845-4d52-878D-643AF679DE28} C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}\stubpath = "C:\\Windows\\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe" C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60} C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}\stubpath = "C:\\Windows\\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}.exe" C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF434AC5-0A8E-45fd-95DB-1428121D2480}\stubpath = "C:\\Windows\\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe" C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5091EA96-9C29-4ab7-A07E-788B362C5C74}\stubpath = "C:\\Windows\\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe" C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DB900F-D0B3-485b-8FAA-57F53E615043} C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DB900F-D0B3-485b-8FAA-57F53E615043}\stubpath = "C:\\Windows\\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe" C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5EFFFB-479B-442c-8C85-374463A60BB6}\stubpath = "C:\\Windows\\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe" C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD3CE87D-1845-4d52-878D-643AF679DE28}\stubpath = "C:\\Windows\\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe" C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF434AC5-0A8E-45fd-95DB-1428121D2480} C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe N/A
File created C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe N/A
File created C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe N/A
File created C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe N/A
File created C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe N/A
File created C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe N/A
File created C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe N/A
File created C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe N/A
File created C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe N/A
File created C:\Windows\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}.exe C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe N/A
File created C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe
PID 2664 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe
PID 2664 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe
PID 2664 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2496 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe
PID 2832 wrote to memory of 2496 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe
PID 2832 wrote to memory of 2496 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe
PID 2832 wrote to memory of 2496 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe
PID 2832 wrote to memory of 2604 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2604 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2604 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2604 N/A C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2388 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe
PID 2496 wrote to memory of 2388 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe
PID 2496 wrote to memory of 2388 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe
PID 2496 wrote to memory of 2388 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe
PID 2496 wrote to memory of 2328 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2328 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2328 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2328 N/A C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 804 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe
PID 2388 wrote to memory of 804 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe
PID 2388 wrote to memory of 804 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe
PID 2388 wrote to memory of 804 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe
PID 2388 wrote to memory of 1524 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1524 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1524 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1524 N/A C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1560 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe
PID 804 wrote to memory of 1560 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe
PID 804 wrote to memory of 1560 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe
PID 804 wrote to memory of 1560 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe
PID 804 wrote to memory of 2060 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2060 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2060 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2060 N/A C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe
PID 1560 wrote to memory of 276 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 276 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 276 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 276 N/A C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 680 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe
PID 1612 wrote to memory of 680 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe
PID 1612 wrote to memory of 680 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe
PID 1612 wrote to memory of 680 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe
PID 1612 wrote to memory of 532 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 532 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 532 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 532 N/A C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1400 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe
PID 680 wrote to memory of 1400 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe
PID 680 wrote to memory of 1400 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe
PID 680 wrote to memory of 1400 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe
PID 680 wrote to memory of 1780 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1780 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1780 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1780 N/A C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe"

C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe

C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe

C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F158C~1.EXE > nul

C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe

C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5601C~1.EXE > nul

C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe

C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5EF~1.EXE > nul

C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe

C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BD3CE~1.EXE > nul

C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe

C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8E9F8~1.EXE > nul

C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe

C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27C4B~1.EXE > nul

C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe

C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FF434~1.EXE > nul

C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe

C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5091E~1.EXE > nul

C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe

C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35DB9~1.EXE > nul

C:\Windows\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}.exe

C:\Windows\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C1547~1.EXE > nul

Network

N/A

Files

C:\Windows\{F158C67F-D1D1-492b-A124-8E92C7574E33}.exe

MD5 fe716d60c2a8510159fbc495a028cbc1
SHA1 e49afb01c760f188537bf12df5316acac7388867
SHA256 a193a19a12a46444810603f02685277dd37ed0b920850723b2ef2d9083bc70d8
SHA512 6d2448bf004154958db0ea07ddeac1153e6ff0130a09f0a427abb6a2eaac1c952e4043b6dc183c4ca444cb9cdf4e7d213f386612500e82f837eeb96fdd755dc5

C:\Windows\{5601C328-91DB-43d9-A6FB-9ABB01B2EA69}.exe

MD5 2f6971789c3ed18309912068dae80fc6
SHA1 44e2615e342fee5a166c363645fc177f217ea259
SHA256 d8d28326f07c04fec4df3f9deca2931fbe1d2f06e4449b236a20059de3e3a490
SHA512 6851fe2da543e8f9b18f14480a38ce95c08dc071c7dda50e903136641e1a144e8d1ef18b4621468968ce4892c6eb04d01abc1c12b9a1a8457e82f47a30410855

C:\Windows\{2F5EFFFB-479B-442c-8C85-374463A60BB6}.exe

MD5 dbce29277c7a60e45c1f149ac9d084d4
SHA1 b8d992d368d2cf992138fdc82173ebdefc9fb49c
SHA256 7c97fca961bc7e20cef35fbeaa5ee371ff31ed8afc4f460d8b9891bde920fa7b
SHA512 1bc0b208dee7c78c5453d119351dac6e30bcfcd3d5b3db56447a5326c438b75f9476c1aed0fff1168f40687f5654dbf9e18c05d2fe935232ec54ff40fcff46e3

C:\Windows\{BD3CE87D-1845-4d52-878D-643AF679DE28}.exe

MD5 d1bff12f16b6cceba731036c59ada6d6
SHA1 bc6e39e1b936d6fa6abe9d3e94b54f2c203cd454
SHA256 b0e3c4f7ec7d4992a8eb4fc0b2be6ad20055ec2bc6b49146b626be519e6ffc05
SHA512 0a765f91ceb3b6ec2016c2de41ee3134a2e0049e6f60cb0b8a1a5e07d663925ece8001f3d29f296a82816b2b056e449d9e31f214d1390baf1c27b5eea5fc45ca

C:\Windows\{8E9F8066-FB6F-48b2-BE38-C9107BF57126}.exe

MD5 0abb693df35d7b640b6e357c1b6eba1a
SHA1 871482ef68fa618b592856d538473d0112832690
SHA256 6dbdb922c863d84d7090c52931c5b158cdde51d55ad8497b8cc85e15640767ee
SHA512 6f6f2c040b5a7d0106956d3ca3ef603a0e54de3ce922bf567f2f02b3167ccd9e961e202e3bb0d6fe69de70397d7d20e92e65d37c0f092730a8eb0a7c16265dbd

C:\Windows\{27C4BFA1-4FF8-4b9b-8B1C-B21D87A07D60}.exe

MD5 8a389ae803c8476915ff5ff0f80b24c6
SHA1 b5539e4d8b5ccb10ef0c7ebebee9df7fe4f5854e
SHA256 35c185a6d8b368d844bc3f8a7e979c2da7448f6b5f7474d56200ec2d6b975797
SHA512 371ee0612acf8fe9ac9f3d3159633c53915e47cd6182f802ce189ed6bf95a9ea27ffe715ea16e925a26958aaeb798f76e3dd1b57485436342f0ff1e4eca16a41

C:\Windows\{FF434AC5-0A8E-45fd-95DB-1428121D2480}.exe

MD5 f4d858234fcf0bd800aa58177e5ca277
SHA1 407bdbfcf5a6ef7c8016901357032891e25fa390
SHA256 c424eb2db923a1e478a89c336c7804613aa72b14074343838659bc5d32b62787
SHA512 1de1da714c462708a70a3681db44ce64740af4198993436481dbb01b9d593622de95a38cdb329b59f741ac1276eb8998c984802c4629fe619ddb0bb38e563e26

C:\Windows\{5091EA96-9C29-4ab7-A07E-788B362C5C74}.exe

MD5 2eb3e4cef2a65f6c90252fe26277ab1b
SHA1 5c0e5c210e28a859f4005f6e2ba9f13a1da83bf5
SHA256 2d93e459e60d4f68c685525600d67ed39429653ced28363d3089574c232f81fa
SHA512 067e6c20898afdb86c86476bf297cde6224fd6897f1b9aeaa1d891e6e93769234d402d17066bf24fbbcbee6ecbd92f4497d0db308d9e02f41806fe829fb51100

C:\Windows\{35DB900F-D0B3-485b-8FAA-57F53E615043}.exe

MD5 3b9376c0c2fb11f63ca7041f1296cf52
SHA1 872e758cc4aa18943c531cfe6f48b8e885e7b10d
SHA256 8f70f8db49f461a160f3967e87e736d62c8d8f391eabb6a2ade2ebc88c268eaf
SHA512 289e73d11ef4a2d670a824a1d2403203d6072e4550fb352c33f49606fa85f4862ff6e8e0d3145054943dc93dbb18004b44ab21823f5f557239725645fdbce3f5

C:\Windows\{C1547E39-D772-47e4-9DE8-9E06C2ADD787}.exe

MD5 30a5663821118c9eac2e684648b7502c
SHA1 976054537a701f55eebbdfd25e54fa88e0f101b5
SHA256 5bbfe1fb8512d2c1054b93c30683e1278bb02aa214e9959ff19eee73a191b4f0
SHA512 e4b01341d146eb73f9235b1870e213254a8426554fd4fe701dc95f62639443f69f4f78c7021968657d62a22b51ff9a320341aacf0216a7983fa733739fc99ce1

C:\Windows\{EDEC2EED-C2B2-40fa-BA63-C06FABB358CD}.exe

MD5 5381f894dde7aeab47caf8e42b0478ad
SHA1 49d2d2ee20b5759d8702241cdc8ff73ee07cb5e1
SHA256 23dccae6c627212372d63983e16af7d80804c46bf6d0ce9b9d7caa8ddce89ad7
SHA512 7b6549e6016190ad3bfdd9903134bcd89b8d307fc3bc685559c04b3ce5ec519e5da0f939fc3e7afaf3beb478bad39438e017d9d2792d5716ea55fb6eb32fd0ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:58

Reported

2024-06-13 03:01

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}\stubpath = "C:\\Windows\\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe" C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74C260AE-9474-4ab5-84BD-3D63AD17CC20} C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}\stubpath = "C:\\Windows\\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe" C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A} C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}\stubpath = "C:\\Windows\\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe" C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}\stubpath = "C:\\Windows\\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe" C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{006E2F90-B989-4291-A49C-E1EBF58CEFCC} C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}\stubpath = "C:\\Windows\\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe" C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F87608F-8F99-4189-B750-F6F4444D77CC} C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{198CDCAF-F434-4575-B716-B7AB834BD0A1} C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}\stubpath = "C:\\Windows\\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}\stubpath = "C:\\Windows\\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe" C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D10975F-6623-4288-81BA-BD3BC45D50D3} C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D10975F-6623-4288-81BA-BD3BC45D50D3}\stubpath = "C:\\Windows\\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe" C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3} C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C53D9-5EE9-4506-B17C-11AEEEF41477} C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C45481-53BE-435e-A8AC-32E437CDA743} C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C45481-53BE-435e-A8AC-32E437CDA743}\stubpath = "C:\\Windows\\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe" C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{198CDCAF-F434-4575-B716-B7AB834BD0A1}\stubpath = "C:\\Windows\\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe" C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070} C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2} C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559} C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}\stubpath = "C:\\Windows\\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe" C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F87608F-8F99-4189-B750-F6F4444D77CC}\stubpath = "C:\\Windows\\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe" C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A
File created C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe N/A
File created C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
File created C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe N/A
File created C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe N/A
File created C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
File created C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
File created C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
File created C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
File created C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe N/A
File created C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe N/A
File created C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe
PID 3952 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe
PID 3952 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe
PID 3952 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 848 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe
PID 3540 wrote to memory of 848 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe
PID 3540 wrote to memory of 848 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe
PID 3540 wrote to memory of 4248 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 4248 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 4248 N/A C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 1276 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe
PID 848 wrote to memory of 1276 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe
PID 848 wrote to memory of 1276 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe
PID 848 wrote to memory of 2828 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2828 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2828 N/A C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 3232 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe
PID 1276 wrote to memory of 3232 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe
PID 1276 wrote to memory of 3232 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe
PID 1276 wrote to memory of 4352 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 4352 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 4352 N/A C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1416 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe
PID 3232 wrote to memory of 1416 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe
PID 3232 wrote to memory of 1416 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe
PID 3232 wrote to memory of 1524 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1524 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1524 N/A C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3652 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe
PID 1416 wrote to memory of 3652 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe
PID 1416 wrote to memory of 3652 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe
PID 1416 wrote to memory of 2484 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2484 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2484 N/A C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 3108 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe
PID 3652 wrote to memory of 3108 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe
PID 3652 wrote to memory of 3108 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe
PID 3652 wrote to memory of 4240 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4240 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4240 N/A C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 4396 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe
PID 3108 wrote to memory of 4396 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe
PID 3108 wrote to memory of 4396 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe
PID 3108 wrote to memory of 3752 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 3752 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 3752 N/A C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2476 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe
PID 4396 wrote to memory of 2476 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe
PID 4396 wrote to memory of 2476 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe
PID 4396 wrote to memory of 2448 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2448 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2448 N/A C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 4124 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe
PID 2476 wrote to memory of 4124 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe
PID 2476 wrote to memory of 4124 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe
PID 2476 wrote to memory of 4724 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 4724 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 4724 N/A C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2116 N/A C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe
PID 4124 wrote to memory of 2116 N/A C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe
PID 4124 wrote to memory of 2116 N/A C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe
PID 4124 wrote to memory of 2784 N/A C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe"

C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe

C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe

C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00FA6~1.EXE > nul

C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe

C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B12C3~1.EXE > nul

C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe

C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C5~1.EXE > nul

C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe

C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D109~1.EXE > nul

C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe

C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93F7A~1.EXE > nul

C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe

C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{006E2~1.EXE > nul

C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe

C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58C45~1.EXE > nul

C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe

C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DC8F3~1.EXE > nul

C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe

C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74C26~1.EXE > nul

C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe

C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC4E7~1.EXE > nul

C:\Windows\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe

C:\Windows\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{198CD~1.EXE > nul
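
Read together, the drop, registry and process rows above describe a serial dropper: each stage writes the next {GUID}.exe into C:\Windows, registers it under Active Setup\Installed Components (five such key/stubpath rows are visible in this section), launches it, and then removes its own binary with cmd /c del using the 8.3 short name. The "Drops file in Windows directory" table is printed out of chain order, so the following added Python example (not part of the sandbox report and not the sample's own code) rebuilds the 13-stage chain from the rows shown here and cross-references each stage with its Active Setup entry and its self-delete command. The row text is copied from this page as constructed input; the function names, the six-character 8.3 prefix heuristic and the output format are the example's own choices.

```python
"""Rebuild a serial dropper's stage chain from sandbox signature rows.
Added example for this report; not the sandbox's or the sample's own code.
Names, output format and the 8.3 prefix heuristic are this example's choices."""
import re

# Constructed input: rows copied verbatim from this report's "Drops file in
# Windows directory" and Active Setup tables and from the cmd.exe command lines.
ROWS = r"""
File created C:\Windows\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A
File created C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe N/A
File created C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
File created C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe N/A
File created C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe N/A
File created C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
File created C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
File created C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_a931f967e8db0c3bd0a224afcf3aab42_goldeneye.exe N/A
File created C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
File created C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe N/A
File created C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe N/A
File created C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070} C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2} C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559} C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}\stubpath = "C:\\Windows\\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe" C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F87608F-8F99-4189-B750-F6F4444D77CC}\stubpath = "C:\\Windows\\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe" C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe N/A
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{00FA6~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B12C3~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C5~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{8D109~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{93F7A~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{006E2~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{58C45~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC8F3~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{74C26~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AC4E7~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{198CD~1.EXE > nul
"""

def base(path):
    return path.rsplit("\\", 1)[-1]

def parse_rows(text):
    """Split report rows into drop edges (child -> parent), Active Setup
    entries (GUID -> stubpath or None) and cmd /c del targets."""
    edges, active, deletes = {}, {}, []
    for row in text.strip().splitlines():
        if row.startswith("File created "):
            child, parent, _ = row.split()[2:]
            edges[child] = parent
        elif " /c del " in row:
            deletes.append(re.search(r"/c del (\S+)", row).group(1))
        elif (m := re.search(r"Installed Components\\\{([0-9A-Fa-f-]{36})\}", row)):
            guid = m.group(1).upper()
            v = re.search(r'stubpath = "(.*)" \S+ N/A$', row)
            # "Key created" proves the key exists; "Set value" gives the binary Active Setup runs
            active[guid] = v.group(1).replace("\\\\", "\\") if v else active.get(guid)
    return edges, active, deletes

def build_chain(edges):
    """Order drop edges root-first; a serial dropper has one child per parent."""
    kids = {}
    for child, parent in edges.items():
        kids.setdefault(parent, []).append(child)
    roots = [p for p in kids if p not in edges]
    if len(roots) != 1:
        raise ValueError(f"expected one root, got {roots}")
    chain = roots
    while chain[-1] in kids:
        (child,) = kids[chain[-1]]  # ValueError if a stage drops more than one file
        chain.append(child)
    return chain

def match_short_name(short, chain):
    """Resolve an 8.3 name such as {00FA6~1.EXE to the single chain stage whose
    long name starts with the same six characters; refuse ambiguous matches."""
    prefix = base(short).split("~")[0].upper()
    hits = [p for p in chain if base(p).upper().startswith(prefix)]
    if len(hits) != 1:
        raise ValueError(f"{short} matches {hits}")
    return hits[0]

def build_report(text=ROWS):
    edges, active, deletes = parse_rows(text)
    chain = build_chain(edges)
    deleted = {match_short_name(s, chain) for s in deletes}
    report = []
    for i, path in enumerate(chain):
        m = re.search(r"\{([0-9A-Fa-f-]{36})\}", base(path))
        guid = m.group(1).upper() if m else None
        report.append({"stage": i, "path": path, "dropped_by": edges.get(path),
                       "active_setup": guid in active, "stubpath": active.get(guid),
                       "self_delete_seen": path in deleted})
    return report

if __name__ == "__main__":
    for r in build_report():  # A = Active Setup entry seen, D = self-delete seen
        print(f"{r['stage']:2d} {'A' if r['active_setup'] else '-'}"
              f"{'D' if r['self_delete_seen'] else '-'} {base(r['path'])}")
```

Two things the cross-reference makes visible that the raw tables do not: the original sample and the first eleven dropped stages each spawn a cmd.exe that deletes their own binary, while the last stage ({7F87608F-...}.exe) has no such command in this run; and the Active Setup stubpath registered for {74C260AE-...}.exe points at a file that stage 9 then deleted, so it is a dangling entry here. Active Setup runs each HKLM StubPath once per user at the next interactive logon, so on a live host the practical check is to enumerate Installed Components (including the Wow6432Node view) for stubpath values under C:\Windows named as a bare {GUID}.exe and confirm whether the referenced file still exists and is signed.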

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

C:\Windows\{00FA62CC-2E3D-4d50-8E6A-CF1D890AD93A}.exe

MD5 190690cac14a45c9e847d114af8a517d
SHA1 663088586b000b25c50d3d74b2a5bac8bb2fae49
SHA256 1f843a32b35eb0011cf017088bb3b52112725282bf98f58c92debfded7469425
SHA512 2b6636b4b15906ab87e04b814e97dfea84fc383f6f24f66af81b81118ee454ff1fcb4a7717f4e80ac49f30487b41d56fe13db3c69c2b4c3e8616ee58c78091f2

C:\Windows\{B12C335B-DFD3-4043-9E7A-74C1AB1C6070}.exe

MD5 3191d81882b0ee7038307ab0f0eb8db4
SHA1 f762880be2d61afeaf08f5bf951279dea3a3b52b
SHA256 7cd48e7e5b27b0102851d607da4d53bede4b21aa38d02742534db5b4652bfaff
SHA512 8fb18ee01f16a520080f94490830d4fc9c6ad7bff0d596c5669ca730b9b906f6a309f237889fd9d7e892fb4f3a5ab6fa355dc1535e51e8433b4bb256945902de

C:\Windows\{C73C53D9-5EE9-4506-B17C-11AEEEF41477}.exe

MD5 e66e2ff1ab5df66c33dd1cefd54b3b6c
SHA1 f077d1301caa24b5dce5a96d528be37504d53453
SHA256 42feaa2743e0259b8706781fe0834e7c63fc0daa2b15be348a74eee83e4a100a
SHA512 960d2d95dcaaf15bab395a2073caffbc95e5fafcff13a3b02623799e4d3b69337368521449c0cdc1c6446ceb1080f78420f2309ed2927b7be09a29d548a17613

C:\Windows\{8D10975F-6623-4288-81BA-BD3BC45D50D3}.exe

MD5 c77ac7f4feb5be4482f7a809e36e10b3
SHA1 0bae0e6f0735705b657a9aafa96e9f5fe8df6052
SHA256 43b98fb47f5646c4ccefa76e6cad2ba83d07c2e446e1dbd92f7ba21299082499
SHA512 c311520ef09f5123263dc744ebaa64e389c44738fc7dbe533a496678c7752d2f2dac6d183fddeb75d4d7ccd317e3e94ebca9908f904f48288e56de5404ff540f

C:\Windows\{93F7ABA6-D49D-446b-8BAD-2E24BF50CCD2}.exe

MD5 59dacbb4a3f84281387fd78f702b495c
SHA1 5599acba349bc5945fbe6a6fa15b88be85895858
SHA256 251db9317b9f314f452e07ceeee03a9a622adb0644d524ebe54222bff3dabd5b
SHA512 450a5b05e92f82c13aed8a4ea1f55ab16d46ba7d3b03e85f00360c4fe868bbd25b2e32da7e4a1a513a0d767931a68bbeba629e6724abdfb268cefb3cb6a69381

C:\Windows\{006E2F90-B989-4291-A49C-E1EBF58CEFCC}.exe

MD5 d50b7852f79d5fb43e57224d0e785e25
SHA1 d903eb1a6b7a8627cdda67b0b5b54c34ab901a6b
SHA256 16ab46d9d56cc981aa8061880610e6f602234886a4bcd8b598a7c19f3021f022
SHA512 4e4103ee40b5d5209bcadd5bb5628522a11ee0a96e6271d8757330f95230ecf251c0762f62bf2ee24e6711e8c92709bf4652bd243b05b3091eb79fb8109515f0

C:\Windows\{58C45481-53BE-435e-A8AC-32E437CDA743}.exe

MD5 3c563723d97c9389c873f51c833a6a0d
SHA1 21958907127a2f0afdc221c87ccd9d6889a8ee8b
SHA256 a75e103be75837bcc95689aa973ad23bb3c853812590bb9ef6ec7b9cf2a33130
SHA512 a9af720e606724b0aae43aa050dc9766d236be4276051aabbb9aab55cefc36bf126303a9d46c07286c99b78a82aab59a7387fda8acaca537f32d6eed2110d459

C:\Windows\{DC8F3EF0-A276-4bf6-86DF-1C26A03EB559}.exe

MD5 52e6668c154dbf89b7fb0adc04984a8a
SHA1 a07d84e45673e8c95ee9a9651025a359beae3b90
SHA256 821a8fa0acb44a973728b57a06e74bc1bd2574de5d398bd070292e799d45b847
SHA512 55fb836b44f56c683c4ecf07ea15597e83cc5107cd3a1845553089adf2bff1f780fcf2d3fcdc1f821ab3a2405d785ab5fb5e79d572d810e2af6f532f0b915944

C:\Windows\{74C260AE-9474-4ab5-84BD-3D63AD17CC20}.exe

MD5 deb07259251b7cd2e478afa276d15558
SHA1 9df403463c2282a0b03c5d86fc1cee93ff350d29
SHA256 c355e8d916719b2603dd612636819da8984c942696a1355f16d7115728abb828
SHA512 d56626c6d48c726e55457d193df5089e61b998687d5b17a625f85e79a287c8f4d65f157b931403ccd5775fa2a8f22c99ffb7a155fde24ddb919ba2e2fbf06f58

C:\Windows\{AC4E7948-DFBC-48be-BC90-DEBF5DE2CEE3}.exe

MD5 38dc0bf3933c255d3f6e481524c9f881
SHA1 8388176c6dfd1b8c389e3f3d086af24dbf8efb5f
SHA256 7a6e9bb454d104422b48f2cbd989892767ec4e056e71943bbef63c1cefac4f90
SHA512 952a804c2aaff2123f17d8537951f983ecd538d49e8a59e0f062a827710459fa4fd21d36949e4c85f115f28c2242a0e22100228d20108b444bad397d0a0e70de

C:\Windows\{198CDCAF-F434-4575-B716-B7AB834BD0A1}.exe

MD5 61c179c0acad5362a9e62348b7e510e3
SHA1 c0c32a468b977cd41f1457e334e2adf5f3e85547
SHA256 2f0693927b3eafc10364fe2877ab2a69f89ef925ac1bf9034be88ad9c951cb88
SHA512 0c2a42859ba7bc462895d1247bdd0e34a971c4e7d00797ad98049309c2b4490545b3426741f4cf1c046fef6d6a0ec90f16d807ae12bd78881605646749361515

C:\Windows\{7F87608F-8F99-4189-B750-F6F4444D77CC}.exe

MD5 15676094836b3b8399c262ad3526d64a
SHA1 ce17dce317b63171a7a0d3667728cb6bf4260082
SHA256 ff197c16c13fe8cae6dcd7203ea5e273703467108e35bd544be1ff46edf89e62
SHA512 26f521270b5597959d8e9ce9273f019038302f03d6c9dab56cae17abf5c877e73bf204d5fa3d0668eba20653637a59fb4f09a18abd592ab4bbaefa3a7ff7fe41