Analysis Overview
SHA256
e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a
Threat Level: Known bad
The file 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-03-02 16:25 |
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-03-02 16:25 |
| Reported | 2024-03-02 16:27 |
| Platform | win7-20240221-en |
| Max time kernel | 144s |
| Max time network | 125s |
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308} | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}\stubpath = "C:\\Windows\\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe" | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B} | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1} | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFB2356A-26CC-4208-8714-61B9D164F7E1}\stubpath = "C:\\Windows\\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe" | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72} | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED} | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}\stubpath = "C:\\Windows\\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe" | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}\stubpath = "C:\\Windows\\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe" | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382} | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96605775-AC2A-4368-BB05-B38F1B6E9308}\stubpath = "C:\\Windows\\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe" | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF} | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E80E0958-075A-499c-89F5-6315C24AE0AF}\stubpath = "C:\\Windows\\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe" | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029} | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331}\stubpath = "C:\\Windows\\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe" | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20C4325-2996-4700-AEC3-821F53CEE382}\stubpath = "C:\\Windows\\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe" | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D783760-B970-436c-83E5-2508D1D9E36B}\stubpath = "C:\\Windows\\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5968B87B-5080-44c2-888C-687D0CAA5029}\stubpath = "C:\\Windows\\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe" | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058} | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACE45D8-5F84-4db7-AD74-E32551C13331} | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}\stubpath = "C:\\Windows\\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe" | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | N/A |
| N/A | N/A | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | N/A |
| N/A | N/A | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | N/A |
| N/A | N/A | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | N/A |
| N/A | N/A | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | N/A |
| N/A | N/A | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | N/A |
| N/A | N/A | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | N/A |
| N/A | N/A | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | N/A |
| N/A | N/A | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | N/A |
| N/A | N/A | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | N/A |
| N/A | N/A | C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| File created | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | N/A |
| File created | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | N/A |
| File created | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | N/A |
| File created | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | N/A |
| File created | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | N/A |
| File created | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | N/A |
| File created | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | N/A |
| File created | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | N/A |
| File created | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | N/A |
| File created | C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe" |
| C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe | C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe | C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul |
| C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe | C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E80E0~1.EXE > nul |
| C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe | C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0D~1.EXE > nul |
| C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe | C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B1A~1.EXE > nul |
| C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe | C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB23~1.EXE > nul |
| C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe | C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5968B~1.EXE > nul |
| C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe | C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA3E~1.EXE > nul |
| C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe | C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FACE4~1.EXE > nul |
| C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe | C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B781B~1.EXE > nul |
| C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe | C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C20C4~1.EXE > nul |
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-03-02 16:25 |
| Reported | 2024-03-02 16:27 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 150s |
| Max time network | 155s |
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}\stubpath = "C:\\Windows\\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe" | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05A410A2-9AC7-424c-8545-254B84A6828F}\stubpath = "C:\\Windows\\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367} | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}\stubpath = "C:\\Windows\\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe" | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}\stubpath = "C:\\Windows\\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe" | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}\stubpath = "C:\\Windows\\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe" | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B698C8B8-DA09-49bd-9878-78397DEFAD00} | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC} | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC170EC3-DEDC-4d96-A8B5-174C62E27069} | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E114561B-0C00-415a-BAAC-206BA40D6295}\stubpath = "C:\\Windows\\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe" | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280C34ED-193D-4e05-AD77-77DA8B2F88E7} | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1334345-3122-4ddc-AAFD-8DC5782574CC} | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1334345-3122-4ddc-AAFD-8DC5782574CC}\stubpath = "C:\\Windows\\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe" | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B698C8B8-DA09-49bd-9878-78397DEFAD00}\stubpath = "C:\\Windows\\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe" | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}\stubpath = "C:\\Windows\\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe" | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}\stubpath = "C:\\Windows\\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe" | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741286AF-A3C1-4e68-9963-B3A4D9D3B652} | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FCA375-C1D1-4a49-AA44-0123F3596CA5} | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE} | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05A410A2-9AC7-424c-8545-254B84A6828F} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E114561B-0C00-415a-BAAC-206BA40D6295} | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC} | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}\stubpath = "C:\\Windows\\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe" | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}\stubpath = "C:\\Windows\\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe" | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | N/A |
| N/A | N/A | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | N/A |
| N/A | N/A | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | N/A |
| N/A | N/A | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | N/A |
| N/A | N/A | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | N/A |
| N/A | N/A | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | N/A |
| N/A | N/A | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | N/A |
| N/A | N/A | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | N/A |
| N/A | N/A | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | N/A |
| N/A | N/A | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | N/A |
| N/A | N/A | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | N/A |
| N/A | N/A | C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | N/A |
| File created | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | N/A |
| File created | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | N/A |
| File created | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | N/A |
| File created | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | N/A |
| File created | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | N/A |
| File created | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | N/A |
| File created | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | N/A |
| File created | C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | N/A |
| File created | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | N/A |
| File created | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | N/A |
| File created | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe" |
| C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{05A41~1.EXE > nul |
| C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EF590~1.EXE > nul |
| C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E1145~1.EXE > nul |
| C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D773D~1.EXE > nul |
| C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{74128~1.EXE > nul |
| C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{280C3~1.EXE > nul |
| C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F1334~1.EXE > nul |
| C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B698C~1.EXE > nul |
| C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCB0~1.EXE > nul |
| C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{53FCA~1.EXE > nul |
| C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe | C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2A44F~1.EXE > nul |
Network
Files