Malware Analysis Report

2025-08-10 21:44

Sample ID 240610-exhmdsca6t
Target 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye
SHA256 0dbdaab9f4a49f1a69493c62a58be2a079d3bc8a080344581f96aa2c13692f10
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

0dbdaab9f4a49f1a69493c62a58be2a079d3bc8a080344581f96aa2c13692f10

Threat Level: Known bad

The file 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:25

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:19

Reported

2024-06-10 04:41

Platform

win7-20240220-en

Max time kernel

76s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A8C64-E312-4490-A1F5-73A411131640} C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834} C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{629AD80D-08B7-43b3-B21E-F2700B80A670} C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5} C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}\stubpath = "C:\\Windows\\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe" C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A8C64-E312-4490-A1F5-73A411131640}\stubpath = "C:\\Windows\\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe" C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}\stubpath = "C:\\Windows\\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe" C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09E36FB-B648-4a2d-90BD-33A0E55A1985} C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}\stubpath = "C:\\Windows\\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe" C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{629AD80D-08B7-43b3-B21E-F2700B80A670}\stubpath = "C:\\Windows\\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe" C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}\stubpath = "C:\\Windows\\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C} C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe N/A
File created C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe N/A
File created C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe N/A
File created C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe N/A
File created C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
File created C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe
PID 2268 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2772 N/A C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe
PID 2924 wrote to memory of 2716 N/A C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2468 N/A C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe
PID 2772 wrote to memory of 2712 N/A C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 1748 N/A C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe
PID 2468 wrote to memory of 1200 N/A C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2692 N/A C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe
PID 1748 wrote to memory of 1564 N/A C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1852 N/A C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe
PID 2692 wrote to memory of 1936 N/A C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"

C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe

C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe

C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7C31E~1.EXE > nul

C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe

C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA09~1.EXE > nul

C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe

C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6A8~1.EXE > nul

C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe

C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0DE~1.EXE > nul

C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe

C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A09E3~1.EXE > nul

C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe

C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{629AD~1.EXE > nul

C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe

C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9315A~1.EXE > nul

C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe

C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9A6~1.EXE > nul

C:\Windows\{98075325-87F4-413e-994E-9E604F590B30}.exe

C:\Windows\{98075325-87F4-413e-994E-9E604F590B30}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{933E4~1.EXE > nul

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:19

Reported

2024-06-10 04:41

Platform

win10v2004-20240508-en

Max time kernel

38s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C} C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}\stubpath = "C:\\Windows\\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15} C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}\stubpath = "C:\\Windows\\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe" C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569} C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}\stubpath = "C:\\Windows\\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe" C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
File created C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe N/A
File created C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
PID 3508 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3496 N/A C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
PID 4468 wrote to memory of 2140 N/A C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 1224 N/A C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
PID 3496 wrote to memory of 3956 N/A C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"

C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe

C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe

C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4EE~1.EXE > nul

C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe

C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{29CE3~1.EXE > nul

C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe

C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04D2A~1.EXE > nul

C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe

C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4F0~1.EXE > nul

C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe

C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B95AD~1.EXE > nul

C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe

C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C30~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files
