Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-1v7dmach58
Target 2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye
SHA256 e51233abbf9a61c6d16640bf659111a42fee16b8d03bab2b2f95040219fdbec5
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e51233abbf9a61c6d16640bf659111a42fee16b8d03bab2b2f95040219fdbec5

Threat Level: Known bad

The file 2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:59

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:59
Reported: 2024-04-06 22:03
Platform: win7-20240221-en
Max time kernel: 206s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872} C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}\stubpath = "C:\\Windows\\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe" C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802DFB4B-A23C-40ef-A21A-930376204765} C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F} C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}\stubpath = "C:\\Windows\\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe" C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9} C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}\stubpath = "C:\\Windows\\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe" C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}\stubpath = "C:\\Windows\\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe" C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01} C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}\stubpath = "C:\\Windows\\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe" C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}\stubpath = "C:\\Windows\\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe" C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66} C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}\stubpath = "C:\\Windows\\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA} C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CCF282-2223-49c1-87F9-46B541955D87}\stubpath = "C:\\Windows\\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe" C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CCF282-2223-49c1-87F9-46B541955D87} C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF} C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802DFB4B-A23C-40ef-A21A-930376204765}\stubpath = "C:\\Windows\\{802DFB4B-A23C-40ef-A21A-930376204765}.exe" C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe N/A
File created C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe N/A
File created C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe N/A
File created C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe N/A
File created C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe N/A
File created C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe N/A
File created C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe N/A
File created C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe N/A
File created C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe
PID 2444 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe
PID 2444 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe
PID 2444 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe
PID 2444 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2756 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe
PID 2988 wrote to memory of 2756 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe
PID 2988 wrote to memory of 2756 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe
PID 2988 wrote to memory of 2756 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe
PID 2988 wrote to memory of 1516 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1516 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1516 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1516 N/A C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2804 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe
PID 2756 wrote to memory of 2804 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe
PID 2756 wrote to memory of 2804 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe
PID 2756 wrote to memory of 2804 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe
PID 2756 wrote to memory of 2744 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2744 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2744 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2744 N/A C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2852 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe
PID 2804 wrote to memory of 2852 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe
PID 2804 wrote to memory of 2852 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe
PID 2804 wrote to memory of 2852 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe
PID 2804 wrote to memory of 2828 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2828 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2828 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2828 N/A C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1680 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe
PID 2852 wrote to memory of 1680 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe
PID 2852 wrote to memory of 1680 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe
PID 2852 wrote to memory of 1680 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2068 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe
PID 1680 wrote to memory of 2068 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe
PID 1680 wrote to memory of 2068 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe
PID 1680 wrote to memory of 2068 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe
PID 1680 wrote to memory of 2936 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2936 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2936 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2936 N/A C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2388 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe
PID 2068 wrote to memory of 2388 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe
PID 2068 wrote to memory of 2388 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe
PID 2068 wrote to memory of 2388 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe
PID 2068 wrote to memory of 552 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 552 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 552 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 552 N/A C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe
PID 2388 wrote to memory of 1964 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1964 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1964 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1964 N/A C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe"

C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe

C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe

C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1A3B7~1.EXE > nul

C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe

C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDD9~1.EXE > nul

C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe

C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8433~1.EXE > nul

C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe

C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BB99D~1.EXE > nul

C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe

C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F7CCF~1.EXE > nul

C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe

C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FBAB8~1.EXE > nul

C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe

C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F361C~1.EXE > nul

C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe

C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{802DF~1.EXE > nul

Network

N/A

Files

C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe

MD5 f77db84c6affc8cde84882facb85b2d7
SHA1 a6dd5f2dbe5b8388bde536c19393c1db0d189136
SHA256 0594bd5aea7e963650cff512f3b2f47f030f7fe42a29a67c3a58f1edfddff511
SHA512 6372a520fb085db417b6b84179af14a29bec7642aafc7a56adbc1d9bf8263bf7be75e1ea9e572d494f18760bf54f6ef9ad58057467882823e313c105a3518f33

C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe

MD5 9dde26783347866923ebda2c61d0986a
SHA1 6031c324227d36188739be112a25f4f1dfefa21d
SHA256 f6ea4b3667388b2328a94a1753c234e8fe47973f3e85ea2f1f88e9d8dbdb61f2
SHA512 2e4fbb9e8d1c91f7c1bcaf4acf8080c993b64631284f2f936f98ba85955f3cda2be59ea0f1ed60362e23ca501aba4f810c78965555a956f1701d3791a45a6f7c

C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe

MD5 d6cd2ce1767082f5bea9e9d1e6f3906e
SHA1 965fbe3692d030715d3d9cd2ee03d4129381ed97
SHA256 e38ee3d2156c0431bef8fe65e253fec57b6b35cf9ba25ac1b00b779f4f3c1400
SHA512 36cc61ec8739935a2b84b35aefce2df067b2ba0b1a02db159353371fc519d0f7ea12ed83f98233faad1c82ace11dd631d9cf9f180a5bb2f5e3664e7706dd17d5

C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe

MD5 5621d6e259bfa23aeb21df3de2252830
SHA1 2bd438e4eed63702e79f799eb3a8bc7f935e0df7
SHA256 e867e199fd18936b9fa5196f316c3c9c185d996df7b733294914446ccf2bbd63
SHA512 68cc64f6fe86ff7a0c7ddf2da49218899649f71e5a44984cfef76d3c74a6f42b31d1cdf1fa5f05a3229524e98d70ee7a5771b7e7b7fa66f605d5a5d94fadd04c

C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe

MD5 97d5be818199cade03d6551bca609257
SHA1 d80ac3cb2481401502857e79042fdb0e15773c8d
SHA256 b025c49c7ecef0009fb10c68f803263d212deb0bd247f97320cb0caccb302ff9
SHA512 ac755bc707782a07130eb838643dc7f37e13dd5c9e06d0b9fdca821d8db9e4c995fcc8d68410c6ff16177ff81beed14fbb563e5e94e7d26fe10318842f9869f3

C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe

MD5 1e7d0661decbd2e6a04171c955361169
SHA1 5b4c063510c0c611a9f1ff1fa5771c838cd6046c
SHA256 336af3d5c40511c52d6049864f960b2cece4d7ac9197c3afba2026e7aed602fb
SHA512 e6715464f8a6e3e68368ee37430f907e8e58e709aa6a2e20ccb1fee9cad1de5417fffaf53ef25ad39767cdf6e021a3034985c1ec0f2f097ffcb9697308e189c7

C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe

MD5 5143117233961fa211e6ddc9f86195df
SHA1 1aacf6a968eaae6921c00c2b4ebcb803b8af1233
SHA256 d24d0b46b1a1f2bd831ca985e92cd5c433a978f08e3a93398a0dc8f695d36149
SHA512 72dc80c5bbadc33fcb2944abf27438d6781146d9bc85b24cfcde3b773e80e83a3eb1b4f62154ed8e1c3c5980d37be90d760433d04cec910fc2bd18373b0c38fc

C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe

MD5 6c60e977be50a03faa51007a41bedec7
SHA1 8ebe6bdc11990ae5f912d6c34eae78435283c0f1
SHA256 4937d6bcff49d83695d6448062c4671b5f2f84ed59e10859568e0e90541fb19a
SHA512 1aa5b651e3456adae59653b30fdf09e8dfffc480cc849a78de24e958f6abbf9501751efca1a397cdf068a748e54490d51f121bced92c82fa3cee6e8b347b693c

C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe

MD5 ed5d6790ef143428896d710f9f9cd344
SHA1 2cbda1e315723d6ea663e8cb1a159036af6b051f
SHA256 28df8cdf27329ceb9dd144f09004ef52852c301d5d0a61ca49db2db8a6a63ec5
SHA512 36add895c967441e6d65ca5fcffdf679841ab7799c5444cb187e157abbf466793a12bf1dd05aae09b13253c610eeefa4b739a1521bd29ca770a0ce1667c1fe2d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:59
Reported: 2024-04-06 22:01
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA92C02-2129-4ea3-86D3-931400F1CFC7} C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58BD934-EC29-4359-A99D-B25FAB580E97} C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58BD934-EC29-4359-A99D-B25FAB580E97}\stubpath = "C:\\Windows\\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EB06D6-3041-43ae-9C53-D9E9B1193260} C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}\stubpath = "C:\\Windows\\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe" C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A407B36-B070-4a75-B97D-AC4399E1AC39}\stubpath = "C:\\Windows\\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe" C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}\stubpath = "C:\\Windows\\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe" C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}\stubpath = "C:\\Windows\\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe" C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216262-B433-4700-A827-537F374632BD} C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216262-B433-4700-A827-537F374632BD}\stubpath = "C:\\Windows\\{0B216262-B433-4700-A827-537F374632BD}.exe" C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AABBC2-20CA-4f21-BCF2-53B060E5B017} C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271DD18-F0EF-4ff6-A941-D085FAFEA726} C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}\stubpath = "C:\\Windows\\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe" C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}\stubpath = "C:\\Windows\\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe" C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CE1281-6831-4243-987A-AD7FDB420AB6} C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477642EA-6674-44d4-8922-CF42977E1062}\stubpath = "C:\\Windows\\{477642EA-6674-44d4-8922-CF42977E1062}.exe" C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}\stubpath = "C:\\Windows\\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe" C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F} C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299} C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CE1281-6831-4243-987A-AD7FDB420AB6}\stubpath = "C:\\Windows\\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe" C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A407B36-B070-4a75-B97D-AC4399E1AC39} C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48} C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}\stubpath = "C:\\Windows\\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe" C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477642EA-6674-44d4-8922-CF42977E1062} C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe N/A
File created C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe N/A
File created C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
File created C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe N/A
File created C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe N/A
File created C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe N/A
File created C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe N/A
File created C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe N/A
File created C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe N/A
File created C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe N/A
File created C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe N/A
File created C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
PID 4236 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 3780 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe
PID 5056 wrote to memory of 3780 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe
PID 5056 wrote to memory of 3780 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe
PID 5056 wrote to memory of 2560 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 2560 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 2560 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4240 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe
PID 3780 wrote to memory of 4240 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe
PID 3780 wrote to memory of 4240 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe
PID 3780 wrote to memory of 3228 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 3228 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 3228 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 4272 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe
PID 4240 wrote to memory of 4272 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe
PID 4240 wrote to memory of 4272 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe
PID 4240 wrote to memory of 2912 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 2912 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 2912 N/A C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 1248 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe
PID 4272 wrote to memory of 1248 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe
PID 4272 wrote to memory of 1248 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe
PID 4272 wrote to memory of 368 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 368 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 368 N/A C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4680 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe
PID 1248 wrote to memory of 4680 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe
PID 1248 wrote to memory of 4680 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe
PID 1248 wrote to memory of 5048 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 5048 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 5048 N/A C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3392 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe
PID 4680 wrote to memory of 3392 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe
PID 4680 wrote to memory of 3392 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe
PID 4680 wrote to memory of 208 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 208 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 208 N/A C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 1648 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe
PID 3392 wrote to memory of 1648 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe
PID 3392 wrote to memory of 1648 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe
PID 3392 wrote to memory of 4588 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4588 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4588 N/A C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1924 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe
PID 1648 wrote to memory of 1924 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe
PID 1648 wrote to memory of 1924 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe
PID 1648 wrote to memory of 2184 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2184 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2184 N/A C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 3432 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe
PID 1924 wrote to memory of 3432 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe
PID 1924 wrote to memory of 3432 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe
PID 1924 wrote to memory of 2276 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2276 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2276 N/A C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 3708 N/A C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe
PID 3432 wrote to memory of 3708 N/A C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe
PID 3432 wrote to memory of 3708 N/A C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe
PID 3432 wrote to memory of 2960 N/A C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Each process is listed as its image path followed by the command line it was started with. The sample runs as a 32-bit process, so its calls to C:\Windows\system32\cmd.exe are redirected by WoW64 file-system redirection to C:\Windows\SysWOW64\cmd.exe, which is why the image path and the command line of every cmd.exe differ. Each stage starts the next C:\Windows\{GUID}.exe together with a cmd.exe whose command line deletes that stage's own image by its 8.3 short name (for example {F58BD~1.EXE), which is the behaviour behind the "Deletes itself" signature.

C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe"

C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe

C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe

C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F58BD~1.EXE > nul

C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe

C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EB0~1.EXE > nul

C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe

C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7271D~1.EXE > nul

C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe

C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A407~1.EXE > nul

C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe

C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0995A~1.EXE > nul

C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe

C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BA8~1.EXE > nul

C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe

C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA5C~1.EXE > nul

C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe

C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA92~1.EXE > nul

C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe

C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B216~1.EXE > nul

C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe

C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F5CE1~1.EXE > nul

C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe

C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11AAB~1.EXE > nul
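
The following script is an added example, not code from the report or from the sandbox: it rebuilds the stage chain from the WriteProcessMemory rows above and checks, for each stage, that the cmd.exe it started deletes that stage's own image. The rows and command lines are copied from this report (first three stages only); the 8.3 short-name routine assumes the ~1 suffix seen in the report (no colliding names in the directory), and the pairing of each cmd.exe command line with the image listed just before it is an assumption about the list order.

```python
"""Rebuild this sample's stage chain from the WriteProcessMemory rows and the
cmd.exe command lines in the report, and check that every stage deletes its own
image through an 8.3 short name."""
import re

# Rows copied from the WriteProcessMemory table above (first three stages).
# The report prints several identical rows per child; they are de-duplicated.
WPM_ROWS = r"""
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
PID 4236 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 3780 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe
PID 5056 wrote to memory of 2560 N/A C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4240 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe
PID 3780 wrote to memory of 3228 N/A C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe C:\Windows\SysWOW64\cmd.exe
"""

# (image path, command line of the cmd.exe it started), copied from the
# Processes list above. Assumption: each cmd.exe line belongs to the image
# listed just before it.
STAGES = [
    (r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (r"C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F58BD~1.EXE > nul"),
    (r"C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EB0~1.EXE > nul"),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+)$")
DEL_RE = re.compile(r"\bdel\s+(\S+)", re.IGNORECASE)


def parse_wpm_rows(text):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) tuples in order."""
    seen, rows = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if row not in seen:
                seen.add(row)
                rows.append(row)
    return rows


def short_name_83(path):
    """Approximate the 8.3 alias Windows generates for a long file name.
    Assumption: no other name in the directory shares the first six characters,
    so the numeric tail is ~1, as in the report's {F58BD~1.EXE."""
    name = path.rsplit("\\", 1)[-1]
    base, sep, ext = name.rpartition(".")
    if not sep:
        base, ext = name, ""
    needs_alias = len(base) > 8 or len(ext) > 3 or re.search(r"[ +,;=\[\].]", base)
    if not needs_alias:
        return name.upper()                  # already a valid 8.3 name
    base = re.sub(r"[ .]", "", base)         # spaces and extra dots are dropped
    base = re.sub(r"[+,;=\[\]]", "_", base)  # characters illegal in 8.3 become _
    alias = f"{base[:6].upper()}~1"
    return alias + (f".{ext[:3].upper()}" if ext else "")


def is_self_delete(parent_image, cmd_line):
    """True when cmd_line deletes parent_image, by its long or its 8.3 path."""
    m = DEL_RE.search(cmd_line)
    if not m:
        return False
    target = m.group(1).upper()
    directory = parent_image.rsplit("\\", 1)[0]
    short = directory + "\\" + short_name_83(parent_image)
    return target in {parent_image.upper(), short.upper()}


def build_chain(rows):
    """Follow parent->child edges between dropped stages (cmd.exe children are
    skipped), starting from the one image that is never a child."""
    edges = {}
    for _, _, src, dst in rows:
        if dst.lower().endswith("\\cmd.exe"):
            continue
        edges[src] = dst
    roots = [src for src in edges if src not in edges.values()]
    if len(roots) != 1:
        raise ValueError(f"expected one root stage, found {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]])
    return chain


def audit(rows, stages):
    """Map each stage image to whether it is in the chain and its cmd.exe deletes it."""
    chain = build_chain(rows)
    return {image: image in chain and is_self_delete(image, cmd_line)
            for image, cmd_line in stages}


if __name__ == "__main__":
    rows = parse_wpm_rows(WPM_ROWS)
    for i, image in enumerate(build_chain(rows)):
        print(f"stage {i}: {image}")
    for image, ok in audit(rows, STAGES).items():
        print(f"{'self-delete' if ok else 'no self-delete':>15}  {short_name_83(image)}")
```

Run against the full table and the full Processes list, the same check flags any stage whose cmd.exe deletes something other than its own image; the last stage listed ({477642EA-...}.exe) has no deleter recorded in this report, so it would show as not deleted.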

Network

The only traffic recorded is reverse-DNS (PTR) queries to 8.8.8.8:53; the Domain column holds the in-addr.arpa query name, not a hostname the sample resolved. No connection is attributed to the sample or to any dropped stage, so this table does not by itself establish command-and-control traffic.

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
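
As an added example (not part of the report), the script below decodes the PTR names in the table back to the addresses that were looked up, so an analyst can check them against known address ranges, and reports whether any row is something other than a reverse lookup. The first four rows are copied from the table above; the ip6.arpa row is constructed to exercise the IPv6 branch and does not appear in the report.

```python
"""Decode the reverse-lookup (PTR) query names in the Network table back to the
addresses that were looked up, and summarise what the table does and does not
show."""
import ipaddress
import re

# First four rows copied from the Network table above, plus one constructed
# ip6.arpa row (2001:db8::1) so the IPv6 branch is exercised.
NETWORK_ROWS = "\n".join([
    "US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp",
    "US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp",
    "US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp",
    "US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 " + "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa udp",  # constructed
])

ROW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def ptr_to_ip(name):
    """Return the address a PTR name asks about, or None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # in-addr.arpa lists the four octets in reverse order
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # ip6.arpa lists all 32 hex nibbles in reverse order
            nibbles = "".join(reversed(labels[:32]))
            hextets = [nibbles[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.IPv6Address(":".join(hextets)))
    except ValueError:
        pass
    return None


def parse_network_rows(text):
    """Return one dict per row, with the decoded address (None for non-PTR names)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, dest, domain, proto = m.groups()
            rows.append({"country": country, "destination": dest, "domain": domain,
                         "proto": proto, "ip": ptr_to_ip(domain)})
    return rows


def summarize(rows):
    """Resolvers contacted, addresses looked up, and any names that are not PTR."""
    return {
        "destinations": sorted({r["destination"] for r in rows}),
        "looked_up": sorted(r["ip"] for r in rows if r["ip"]),
        "forward_lookups": sorted(r["domain"] for r in rows if r["ip"] is None),
    }


if __name__ == "__main__":
    summary = summarize(parse_network_rows(NETWORK_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

An empty forward_lookups list with a single resolver destination is the shape of this report's table: reverse lookups only, which should be weighed accordingly before any address here is treated as an indicator.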

Files

Hashes of the dropped stages. Every stage has a different MD5, SHA1 and SHA256, so a single file hash is a weak indicator for this sample; the C:\Windows\{GUID}.exe naming and the cmd.exe /c del ... > nul chain recorded under Processes are more durable.

C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe

MD5 eee03050c1ee8ccc6caa203059c46de8
SHA1 2e0ff1c860fe7f2b55d399839ab30b74f80ab850
SHA256 b7d51756d416d8f15fc5f381f063cb18dd8dfdd71890344be74a3f5c81c21a53
SHA512 78c3b54758c0feeebebda754134bae95ef9c574f6351099cdb45f7cae4b998bdfb76acae1a1eeac52746a82a64e1c1e9962034db2f32bcc9ad49460187f3e942

C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe

MD5 2ae792f35e894f0ce228a2388a42f498
SHA1 5aab681d3351d2f001a7c3d7fea1a5cb85a66c90
SHA256 f284a96bbd3628ffcbd4407c2632e1418d2378fc48419223c0fb5f393efef769
SHA512 8a63d8b029417a1da55c9d7d6341fd8cbd5a1f32ac04683387db5f96fcd8c28d490463b8fde52d211d3e38aa08a58cf2560ed191ed6a61d7e42e3902f1f4edb4

C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe

MD5 7ca4283f86237bead2075d387ac86284
SHA1 fd4c17dce1b8fbc4cc517e30beaa22fac5403d22
SHA256 ed7daa93599fdf22d187769c84400ca3517aa180c8f29d1fef5b98892d8ed353
SHA512 f33767d525280c365abc413b4d9a36270579d9a8ea616a3ae6c5183bee568b352bbd060c36c8001b446546e332f892a27848255814172702595e575d6829b804

C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe

MD5 5db9bd5d1388ae1f2fcdab06c3b530c8
SHA1 8359590dea2ef476685f7dabd5406f0d7e1db3ab
SHA256 d15f800b2ea9037d32d6883155aff18596a988ae6f647e22230cd4d57f5fc6fd
SHA512 696c259d161a45c7fb979dd75168f6845ec436c27048220703252bd0c9a636bc57015ca14dc616b80e9533e1861c9bb29937f33d782a9599faf02e01fea82b0c

C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe

MD5 5e81c8f54b58a8ea899069f45f0e5a51
SHA1 acb33d1c1e342aa4794c316ae8e1adf96840a568
SHA256 97497a180805aefd2cc9f720f05390b1dbdf9e94808ce032cac7a1191e0a00d1
SHA512 c305effcb270cfadb2bb2b1dd73767a93f8bbc2e181c6530a191c4ac8cbc95c5af75bd23e56d555769ec8430f17a6830ac4da7fe3539f4b348fcfb1991c3d3df

C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe

MD5 a7429aa9e6ae02c75a937caadc4909d4
SHA1 9942b87b88035e32501f0d75f338a1e4c15bac48
SHA256 80808c854aa46760277a39aa636288c9af55a31f5ae931f090cf0664abba3f4c
SHA512 4b35f482de69b166f375e7197829837346b8ff5d64aa89c39d667b5c3b8d87e0ac6e14e4fd2fac92b7035dd6c385eff32e89688d79f8f18ab4dd4ccf43e54bd8

C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe

MD5 fe63c857831fecce80894d06d5090eb5
SHA1 1e91934f3d09dab11aff84b244cc8902f31efb64
SHA256 a7e70dc3faa9130e0078a46ad6912a3b26d360fddb2c5f03a0033683d03b658c
SHA512 b3bf5b96df5576644977aceb2bc082a7fb3a08dc993a923170f6a8dccd8285ca622780d90f3011ba9375608514054c8f94167ecc2430eed00b4cb9a75c05719d

C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe

MD5 3ad9b1a42f971966600025d5026ec6a8
SHA1 53835a0d4ba011b8e178899ef953bd19440af040
SHA256 de9c3840075e0acf7c536e57d2407c07e27244372b5300286df11b080ac48951
SHA512 4489d137ac459b8386ba31cec6862343a71d9ce79477370de40192cdcc92f186ae6352bd93a2622e9b14e8074a917aa8bf942142f0cd2b8442b5e32329e676fa

C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe

MD5 d661c580495a79f2fdaf48c91abe4983
SHA1 db4cd8b4aefb9782c112380a1941544e57e1f3c3
SHA256 37cdd937010e7299ace7391dcd53b2dc56a769c946328e13560dd60e5fd3de56
SHA512 8377ad22b1323d5ab4e5ad0b236d345cc8cdd79335459cbeba041287b0197e4a42aed1534d9b354dbc765690b15e598e1b5f48a0a48e8d4cb59f22af03d46268

C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe

MD5 9be53b44bfbb300598fc7aff0849fa4d
SHA1 888b2c1178eecd9273227f4a68cf436144dc3e20
SHA256 290db80bc1d07c65b329c3e8639c7ee400b4ed4846a61ed4be21a98fe017067a
SHA512 ee1952431b828e69be8e67712abd10ae527fbc3535117988d6b921d4a53fc9b0b658eeab02bba242222637b29ad2e3df7372fd46a1afbbd32554adb8174a614c

C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe

MD5 86d05b550d93229a4af5995eb19569bf
SHA1 b34ff43a0628a3178154e5fcf99aa00d5bad107a
SHA256 cab7ca5a9aa73a6ae837096973ef610d2d61e8019484af87c66b2a3f896984f6
SHA512 bcd02fcda9aeecea69008fbf5fc5c444f1e18997369529278d235364f3881b21cf5e8cd4dab5a765f7457f80ac3bd304528b4535331520e1b34da67831a58196

C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe

MD5 a229ebdf1476170002447f76f1410d40
SHA1 3162472904b8b29ac32fec19698010dfe4efcacb
SHA256 73ff511eca2969e012f8a5fbc5d53e5ce6da0a2240ae815d10a38328f973e30d
SHA512 b48f7f243ccd7a76b60d532480df3544dd8d3011355f56e5ea586cd156bf77c6292dc5a9c67e5723657886ab8e9964a84ea35e7347f1e87e4af8c115494f4f87