Analysis Overview
SHA256
818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8
Threat Level: Known bad
The file 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-03-02 16:45 |
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-03-02 16:45 |
| Reported | 2024-03-02 16:48 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 146s |
| Max time network | 154s |
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}\stubpath = "C:\\Windows\\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C}\stubpath = "C:\\Windows\\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe" | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C} | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803} | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3} | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}\stubpath = "C:\\Windows\\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe" | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}\stubpath = "C:\\Windows\\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe" | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8} | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}\stubpath = "C:\\Windows\\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe" | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C} | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}\stubpath = "C:\\Windows\\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe" | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6} | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}\stubpath = "C:\\Windows\\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe" | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA} | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8} | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}\stubpath = "C:\\Windows\\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe" | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}\stubpath = "C:\\Windows\\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe" | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8}\stubpath = "C:\\Windows\\{8550E314-E587-465b-8CA1-259E76846DE8}.exe" | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8}\stubpath = "C:\\Windows\\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe" | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3} | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24} | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A |
| N/A | N/A | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A |
| N/A | N/A | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A |
| N/A | N/A | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A |
| N/A | N/A | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A |
| N/A | N/A | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A |
| N/A | N/A | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A |
| N/A | N/A | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A |
| N/A | N/A | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A |
| N/A | N/A | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A |
| N/A | N/A | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | N/A |
| File created | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | N/A |
| File created | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | N/A |
| File created | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | N/A |
| File created | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | N/A |
| File created | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| File created | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | N/A |
| File created | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | N/A |
| File created | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | N/A |
| File created | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | N/A |
| File created | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"
C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2519E~1.EXE > nul
C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5C226~1.EXE > nul
C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B619F~1.EXE > nul
C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2B97A~1.EXE > nul
C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8550E~1.EXE > nul
C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D630C~1.EXE > nul
C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{080C1~1.EXE > nul
C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E1789~1.EXE > nul
C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E33~1.EXE > nul
C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A2771~1.EXE > nul
Network
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-03-02 16:45 |
| Reported | 2024-03-02 16:48 |
| Platform | win7-20240221-en |
| Max time kernel | 144s |
| Max time network | 124s |
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F} | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E} | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E}\stubpath = "C:\\Windows\\{597C775A-3953-4c21-B557-DAD3D246475E}.exe" | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809} | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97} | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE} | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}\stubpath = "C:\\Windows\\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe" | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4} | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C} | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}\stubpath = "C:\\Windows\\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe" | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA26966D-DE35-45da-B031-0C11CABC4C5F}\stubpath = "C:\\Windows\\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe" | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9621C1B-3D96-49a8-B130-2D6397F503EE}\stubpath = "C:\\Windows\\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe" | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA99551C-A1C3-41f2-971B-F825FA05A78E}\stubpath = "C:\\Windows\\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe" | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14} | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E9F424-F572-41d6-A41B-302837EABF97}\stubpath = "C:\\Windows\\{56E9F424-F572-41d6-A41B-302837EABF97}.exe" | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E641844-7EC2-42a5-80C9-475335E5E7C4}\stubpath = "C:\\Windows\\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe" | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D6739-C881-4b15-B6B0-E31883FD204A}\stubpath = "C:\\Windows\\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC} | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}\stubpath = "C:\\Windows\\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe" | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597C775A-3953-4c21-B557-DAD3D246475E} | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC6E6B0-F2FC-4592-8563-97854B726809}\stubpath = "C:\\Windows\\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe" | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A |
| N/A | N/A | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A |
| N/A | N/A | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A |
| N/A | N/A | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A |
| N/A | N/A | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A |
| N/A | N/A | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A |
| N/A | N/A | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A |
| N/A | N/A | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A |
| N/A | N/A | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A |
| N/A | N/A | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A |
| N/A | N/A | C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | N/A |
| File created | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe | N/A |
| File created | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | N/A |
| File created | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe | N/A |
| File created | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | N/A |
| File created | C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe | N/A |
| File created | C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | N/A |
| File created | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe | N/A |
| File created | C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe | C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe | N/A |
| File created | C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe | C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe | N/A |
| File created | C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe | C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"
C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E78D6~1.EXE > nul
C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA269~1.EXE > nul
C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B9621~1.EXE > nul
C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EA995~1.EXE > nul
C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E9ACF~1.EXE > nul
C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C120~1.EXE > nul
C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{597C7~1.EXE > nul
C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe
C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC6E~1.EXE > nul
C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56E9F~1.EXE > nul
C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe
C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E641~1.EXE > nul
Network
Files