Malware Analysis Report

2025-01-18 14:13

Sample ID: 240613-dhbpvswapn
Target: 2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye
SHA256: af90a6e62c8f374a92eda58540a7cde284dea37c89a4d3a3d05d0dd9b66c5f75
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: af90a6e62c8f374a92eda58540a7cde284dea37c89a4d3a3d05d0dd9b66c5f75
Threat Level: Known bad

The file 2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 03:00

Signatures

Auto-generated rule

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 03:00
Reported: 2024-06-13 03:02
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}\stubpath = "C:\\Windows\\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe" | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}\stubpath = "C:\\Windows\\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe" | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}\stubpath = "C:\\Windows\\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765} | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36200092-754A-401c-9F1C-012E6941BCF9} | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36200092-754A-401c-9F1C-012E6941BCF9}\stubpath = "C:\\Windows\\{36200092-754A-401c-9F1C-012E6941BCF9}.exe" | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4} | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88031E4-0646-4607-A942-E1D28FEF68FE}\stubpath = "C:\\Windows\\{B88031E4-0646-4607-A942-E1D28FEF68FE}.exe" | C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88031E4-0646-4607-A942-E1D28FEF68FE} | C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}\stubpath = "C:\\Windows\\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe" | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DF00830-D06A-416c-9731-FB600BA526F3} | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DF00830-D06A-416c-9731-FB600BA526F3}\stubpath = "C:\\Windows\\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe" | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}\stubpath = "C:\\Windows\\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe" | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8DC79B9-2A06-48df-BFF1-B0CB69949875} | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}\stubpath = "C:\\Windows\\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe" | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}\stubpath = "C:\\Windows\\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe" | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343} | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9} | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE} | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9} | C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}\stubpath = "C:\\Windows\\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe" | C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | N/A
File created | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | N/A
File created | C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe | N/A
File created | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | N/A
File created | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | N/A
File created | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | N/A
File created | C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe | C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe | N/A
File created | C:\Windows\{B88031E4-0646-4607-A942-E1D28FEF68FE}.exe | C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe | N/A
File created | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
File created | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | N/A
File created | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 848 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
PID 848 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
PID 848 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
PID 848 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
PID 848 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
PID 2264 wrote to memory of 2704 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
PID 2264 wrote to memory of 2704 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
PID 2264 wrote to memory of 2704 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
PID 2264 wrote to memory of 2724 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2724 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2724 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2724 | N/A | C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2660 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
PID 2704 wrote to memory of 2660 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
PID 2704 wrote to memory of 2660 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
PID 2704 wrote to memory of 2660 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
PID 2704 wrote to memory of 2716 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2716 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2716 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2716 | N/A | C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 3008 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
PID 2660 wrote to memory of 3008 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
PID 2660 wrote to memory of 3008 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
PID 2660 wrote to memory of 3008 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
PID 2660 wrote to memory of 2316 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2316 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2316 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2316 | N/A | C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1516 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
PID 3008 wrote to memory of 1516 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
PID 3008 wrote to memory of 1516 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
PID 3008 wrote to memory of 1516 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
PID 3008 wrote to memory of 1448 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1448 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1448 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1448 | N/A | C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1916 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
PID 1516 wrote to memory of 1916 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
PID 1516 wrote to memory of 1916 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
PID 1516 wrote to memory of 1916 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
PID 1516 wrote to memory of 1672 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1672 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1672 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 1672 | N/A | C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 328 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
PID 1916 wrote to memory of 328 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
PID 1916 wrote to memory of 328 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
PID 1916 wrote to memory of 328 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
PID 1916 wrote to memory of 1420 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1420 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1420 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1420 | N/A | C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 1572 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
PID 328 wrote to memory of 1572 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
PID 328 wrote to memory of 1572 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
PID 328 wrote to memory of 1572 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
PID 328 wrote to memory of 2404 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 2404 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 2404 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 2404 | N/A | C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe"

C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
    C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
    C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E6D~1.EXE > nul

C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
    C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6D1~1.EXE > nul

C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
    C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{36200~1.EXE > nul

C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
    C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA11~1.EXE > nul

C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
    C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF00~1.EXE > nul

C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
    C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3354D~1.EXE > nul

C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
    C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8DC7~1.EXE > nul

C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe
    C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3F6~1.EXE > nul

C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe
    C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B49FF~1.EXE > nul

C:\Windows\{B88031E4-0646-4607-A942-E1D28FEF68FE}.exe
    C:\Windows\{B88031E4-0646-4607-A942-E1D28FEF68FE}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDAD4~1.EXE > nul

Network

N/A

Files

C:\Windows\{C6E6D61F-81F8-4f56-8E59-CE0EDB548C36}.exe
C:\Windows\{DA6D16AC-A92C-4df4-AAB2-E5FD6F159765}.exe
C:\Windows\{36200092-754A-401c-9F1C-012E6941BCF9}.exe
C:\Windows\{2BA11765-D1D0-4b47-A1BE-CD8BB6158343}.exe
C:\Windows\{4DF00830-D06A-416c-9731-FB600BA526F3}.exe
C:\Windows\{3354D93F-19CD-4e69-BBA2-3FA0AF21B9A9}.exe
C:\Windows\{A8DC79B9-2A06-48df-BFF1-B0CB69949875}.exe
C:\Windows\{8D3F6C84-C7A0-4fc5-8A4A-8E43BE820FD4}.exe
C:\Windows\{B49FFD8F-59D1-4bf4-A61F-D086809E92BE}.exe
C:\Windows\{BDAD45E4-1E94-48e4-B1FE-4F275A46AEF9}.exe
C:\Windows\{B88031E4-0646-4607-A942-E1D28FEF68FE}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 03:00
Reported: 2024-06-13 03:02
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe"

Signatures

Auto-generated rule

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42} | C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}\stubpath = "C:\\Windows\\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe" | C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0581C50A-A6A9-4928-9971-CCF774512A5E}\stubpath = "C:\\Windows\\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe" | C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495D664F-2B4F-406b-906E-DDF4F49B51EB} | C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}\stubpath = "C:\\Windows\\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe" | C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}\stubpath = "C:\\Windows\\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe" | C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0581C50A-A6A9-4928-9971-CCF774512A5E} | C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C1D707-203F-4b0a-9B8F-15DB6521272E} | C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}\stubpath = "C:\\Windows\\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe" | C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495D664F-2B4F-406b-906E-DDF4F49B51EB}\stubpath = "C:\\Windows\\{495D664F-2B4F-406b-906E-DDF4F49B51EB}.exe" | C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}\stubpath = "C:\\Windows\\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD} | C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC098DA-315A-461f-85E4-75F3FB1F7407} | C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC098DA-315A-461f-85E4-75F3FB1F7407}\stubpath = "C:\\Windows\\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe" | C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED4441A2-CE60-4884-8168-009BE5BC635F}\stubpath = "C:\\Windows\\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe" | C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCC6001-F701-4db1-9271-4E7A91D566C0} | C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478} | C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}\stubpath = "C:\\Windows\\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe" | C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9} | C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}\stubpath = "C:\\Windows\\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe" | C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED4441A2-CE60-4884-8168-009BE5BC635F} | C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCC6001-F701-4db1-9271-4E7A91D566C0}\stubpath = "C:\\Windows\\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe" | C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0} | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90FCA86F-A1A7-48ce-8F28-D65355F0F406} | C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe | C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe | N/A
File created | C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe | C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe | N/A
File created | C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe | C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe | N/A
File created | C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe | C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe | N/A
File created | C:\Windows\{495D664F-2B4F-406b-906E-DDF4F49B51EB}.exe | C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe | N/A
File created | C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe | N/A
File created | C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe | C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe | N/A
File created | C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe | C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe | N/A
File created | C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe | C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe | N/A
File created | C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe | C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe | N/A
File created | C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe | C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe | N/A
File created | C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe | C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe
PID 4436 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe
PID 4436 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe
PID 4436 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 4452 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe
PID 528 wrote to memory of 4452 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe
PID 528 wrote to memory of 4452 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe
PID 528 wrote to memory of 1852 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1852 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1852 N/A C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 928 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe
PID 4452 wrote to memory of 928 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe
PID 4452 wrote to memory of 928 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe
PID 4452 wrote to memory of 640 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 640 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 640 N/A C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 4520 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe
PID 928 wrote to memory of 4520 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe
PID 928 wrote to memory of 4520 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe
PID 928 wrote to memory of 2728 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2728 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2728 N/A C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1136 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe
PID 4520 wrote to memory of 1136 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe
PID 4520 wrote to memory of 1136 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe
PID 4520 wrote to memory of 4868 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4868 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4868 N/A C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2552 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe
PID 1136 wrote to memory of 2552 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe
PID 1136 wrote to memory of 2552 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe
PID 1136 wrote to memory of 2820 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2820 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2820 N/A C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 852 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe
PID 2552 wrote to memory of 852 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe
PID 2552 wrote to memory of 852 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe
PID 2552 wrote to memory of 208 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 208 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 208 N/A C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 3008 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe
PID 852 wrote to memory of 3008 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe
PID 852 wrote to memory of 3008 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe
PID 852 wrote to memory of 1256 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 1256 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 1256 N/A C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3412 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe
PID 3008 wrote to memory of 3412 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe
PID 3008 wrote to memory of 3412 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe
PID 3008 wrote to memory of 2116 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2116 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2116 N/A C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3140 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe
PID 3412 wrote to memory of 3140 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe
PID 3412 wrote to memory of 3140 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe
PID 3412 wrote to memory of 3048 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3048 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3048 N/A C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 5116 N/A C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe
PID 3140 wrote to memory of 5116 N/A C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe
PID 3140 wrote to memory of 5116 N/A C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe
PID 3140 wrote to memory of 2888 N/A C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_cccf755b68a82444975a1e21d5969aae_goldeneye.exe"

C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe

C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe

C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CBB~1.EXE > nul

C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe

C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{90FCA~1.EXE > nul

C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe

C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0734~1.EXE > nul

C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe

C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A45DD~1.EXE > nul

C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe

C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D14F2~1.EXE > nul

C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe

C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68C67~1.EXE > nul

C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe

C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0581C~1.EXE > nul

C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe

C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C1D~1.EXE > nul

C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe

C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED444~1.EXE > nul

C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe

C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCC6~1.EXE > nul

C:\Windows\{495D664F-2B4F-406b-906E-DDF4F49B51EB}.exe

C:\Windows\{495D664F-2B4F-406b-906E-DDF4F49B51EB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFC09~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

C:\Windows\{B9CBB80F-0116-44fb-8A1B-6E1B169856B0}.exe

MD5 81a3957724280e597bf5210cd96a52bc
SHA1 e85163f7ffdd109af71121578275d10c067899b4
SHA256 95630aaf95d5f62b5cad0992bbdc1474a8fa7dd60bc4bbf628a9746e8a7dce01
SHA512 84276520aecfb8cd0534896c8c253f013063238c6488926000c2145fb538636dedf26b710d7740df20460c09c2d3e62bdf676af078fd296c7265e3f5fce8b6e5

C:\Windows\{90FCA86F-A1A7-48ce-8F28-D65355F0F406}.exe

MD5 14638cf82c24c69d95e70230fc0631d6
SHA1 6583fe649d97dc2d8846a937be8eb0ef5c6155f6
SHA256 775a5d743ee9a351cdb4af6c5de4d57127f09133c52259a835859d05ce3ddc22
SHA512 9725d46095b3b3c0e5cb251996e600133b4f5077147fbac24d8d218651287a8f19687cef07bcd44fac1106938e3efa5b48f225fd498a0a4a8f497caa9c778c9e

C:\Windows\{E0734B71-DBDE-47c0-8E99-FFDE2D57B478}.exe

MD5 022c84c2d548d3ca3d7fbcd5b22e6ee1
SHA1 16e794ef13ad8a2e52284d5e0df5c5671c737ba5
SHA256 57f85ad6ec7a7c251d731e5087161723b007ceba24759b22cd708dd470f39219
SHA512 3645dedd267f975bee017c43104a77aeba114efb123ae1532288f43f400ba3afb4b72755588356fdfa3e3ca907ff6d90e6da1ff16b4f7de97555617451a2a195

C:\Windows\{A45DD487-223A-40e7-ABD5-624FFC5D7CA9}.exe

MD5 368fd3e9748720794b2240597b8b06e4
SHA1 5eec33223e536bf82c9eaded7213bf78c891a23f
SHA256 7edb33534312853952f195a52cf60d445817098103d7212898745bb9226ea450
SHA512 db121df5a6f04ed726416fda974939d8cefcdb81d5454dba7273977beab09f7488cbafd8d8cd0d363d09f2bd0fdd8da13ec17a4b0bac0dca4340f97221335d4d

C:\Windows\{D14F289C-7932-4a5f-ACB1-AA202AACA9BD}.exe

MD5 b86f58e960768ee14f04587315032129
SHA1 799adfedf591516d2aefc155c04a542aa4ca361d
SHA256 f6f697dc3efc0afd4706a55272dc511844f490939f7494e738db968349501ec7
SHA512 93b3feb38741e1c1a90e7f0d9c08f005f3096e515df0f7be6a6fd2652b95b552baaba38466a252fae03aa6ddd0aa0756c9b842d70e3dceec82a022d252f52747

C:\Windows\{68C678D8-3E86-4bdb-B4A4-63C6CB2F6A42}.exe

MD5 dea4be0353d6e7d3f1445409c1456f86
SHA1 0dc1c57dcd7888e0950f704f436dcc0dc4bf12f5
SHA256 f23502322181f4043dc3c721a01cbee58da1d17025daa26cd1c3eccf12e19e7d
SHA512 de926e129d1c6f5306861e57a0fef9564ca9d2999234149d3ff4d8e92e8c84e1e16ed948a621ded6523298f97f57eb1e4ced8a54fbe5c4f148183a4359f08206

C:\Windows\{0581C50A-A6A9-4928-9971-CCF774512A5E}.exe

MD5 c84f13bfa83bf6634c0aca60ffb1e0dc
SHA1 edf4d2258523f73def361e794512b0e70b9a9604
SHA256 ac765f11d56e8ba2c52eb6bf493a4865c2d93116a94849fa9d1a5268db6602f4
SHA512 29a77c91df589848f8e1e873c77213db15fa36dab03972659fd55679037e2a11f8b33bf22e5c0e054bda4329bee2844f9f425d9e97a02101d8585ea59817cdb8

C:\Windows\{D3C1D707-203F-4b0a-9B8F-15DB6521272E}.exe

MD5 149d995226f85a43ccc22dadc18950a5
SHA1 4da98f05afe831185b4622d3dc6e03b4d65f7c7d
SHA256 f34e160e87d68348aa09e428b8f95f231719ea1cc4b70360da32f8d2f460596e
SHA512 674379529a98ef9f25b58741e70cdf10a7aa091ba5611875be083d369c6beb24fdfc2fa27ae2e45ec7936788e5f2d6a5e743d4c0ab4b34b4566a4cd023821419

C:\Windows\{ED4441A2-CE60-4884-8168-009BE5BC635F}.exe

MD5 519e1072513c2f0d6a8d423d9c0fdaa0
SHA1 b8ff378a1bb7ee1fb3d4cdebc0441eb72e6f7308
SHA256 cf03059e4072f8151bdba0a915acf88bb32a91a2a1d23b848034730580c7d721
SHA512 025b8719e3405ca31d221216b79dbd2d1da3a52403bef1318bce06dfb145f19b38c68755c234c9aad24bda7a5d4db73abf0457141ee4fbbcac44ed0369f5834e

C:\Windows\{8FCC6001-F701-4db1-9271-4E7A91D566C0}.exe

MD5 0c6553a2a317b5004e5553a4c0bae147
SHA1 4ac0d697c4c6a5e8b2ee275c221e6ca545f9146f
SHA256 ad1f09b5c70a5177d5a8c5961486765b9caab52ea06094f6c077eb042a4d0dad
SHA512 64e6903ff3b2035aebc2ee051d256775a43653844f18690a138be04578ad9adadeabfbc5f3789baef1f36e4d8fca9169531c959828cc71dc330bf7c44b52de42

C:\Windows\{DFC098DA-315A-461f-85E4-75F3FB1F7407}.exe

MD5 4ef2e38d81e8c40aa1a3f7538a75735b
SHA1 cc18f234200935c3ba91117ad48407b3e35de117
SHA256 8d142b3fe777cce11a89ac5fbdc724260ef405e515b455cd407b2fbb2a1be76d
SHA512 182b9e7d7159de28b9758f75bbd3c308f0c171e4ecd65a7352818e8fdd016252eec2fb8f6ae77bb52457e3a2c1a5cc016ba53d950a2a68c52cf381a9546e12bb

C:\Windows\{495D664F-2B4F-406b-906E-DDF4F49B51EB}.exe

MD5 d8fff0a4594d52f4d0c0bb9e6130c314
SHA1 13a8f6d2b088d0dccee9e169a773d3e072e2d0cd
SHA256 d40419fea387b0396d1dba543922b407d32a1424c235a8ec530fe04939a2e7ef
SHA512 bcd25f9458ce196455cba4c7a6ede2d52c22fc1ce9ced104730bf16a22efe12b39b8521dfd44f228a65d7618c3295ecf8c420932e66c4d434080920be518e0e3