Analysis Overview
SHA256
361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f
Threat Level: Known bad
The file 2024-04-04_1116de28e782e197373277782dff7273_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 13:27
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 13:27
Reported
2024-04-04 13:30
Platform
win7-20240221-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Auto-generated rule
11 hits; the report records no description, indicator, process or target for any of them.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862EBF15-8D0E-4761-B328-C9B1F4645300} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9} | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}\stubpath = "C:\\Windows\\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe" | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}\stubpath = "C:\\Windows\\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe" | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}\stubpath = "C:\\Windows\\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe" | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA} | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862EBF15-8D0E-4761-B328-C9B1F4645300}\stubpath = "C:\\Windows\\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA902CC-6D5E-468c-82F9-2DDC746CC602} | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}\stubpath = "C:\\Windows\\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe" | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A} | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FB547E-8C37-48a7-957B-2AE6E1FE0117} | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771} | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}\stubpath = "C:\\Windows\\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe" | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501F3A6D-3066-4d6e-81A7-0E14241EA057} | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6} | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80421C56-0D9E-4d14-932F-88989A4ED863} | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80421C56-0D9E-4d14-932F-88989A4ED863}\stubpath = "C:\\Windows\\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe" | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}\stubpath = "C:\\Windows\\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe" | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}\stubpath = "C:\\Windows\\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe" | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501F3A6D-3066-4d6e-81A7-0E14241EA057}\stubpath = "C:\\Windows\\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe" | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}\stubpath = "C:\\Windows\\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe" | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850} | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
| N/A | N/A | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | N/A |
| N/A | N/A | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | N/A |
| N/A | N/A | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | N/A |
| N/A | N/A | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | N/A |
| N/A | N/A | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | N/A |
| N/A | N/A | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | N/A |
| N/A | N/A | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | N/A |
| N/A | N/A | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | N/A |
| N/A | N/A | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | N/A |
| N/A | N/A | C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | N/A |
| File created | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | N/A |
| File created | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | N/A |
| File created | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| File created | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | N/A |
| File created | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | N/A |
| File created | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | N/A |
| File created | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | N/A |
| File created | C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | N/A |
| File created | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
| File created | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe" |
| C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{862EB~1.EXE > nul |
| C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA90~1.EXE > nul |
| C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D7310~1.EXE > nul |
| C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe | C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{501F3~1.EXE > nul |
| C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe | C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D8410~1.EXE > nul |
| C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe | C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{20FB5~1.EXE > nul |
| C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe | C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC16B~1.EXE > nul |
| C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe | C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9A99B~1.EXE > nul |
| C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe | C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE0E~1.EXE > nul |
| C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe | C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{80421~1.EXE > nul |
Network
Files
C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
| MD5 | 889e9ad93b2d919b168683e582829bc5 |
| SHA1 | 93758ae5196bb57d01687c405b0b3607fedd3c58 |
| SHA256 | 8332e7f3b109e8aae4e5c47d58f4fa17124e71539e8474b9831d3d4ea75957fe |
| SHA512 | 0cb1e2df143f186b9e9c75de4af2fe5e5ca432e136898bc09cbd5efa08ce1b8346851e9a1337f8fa98f00297809219029d9df3909d5f901e950ee6b2c3c18f39 |
C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
| MD5 | 4da78d24447d78737bd01da22ade50db |
| SHA1 | d4b66d26fa84427288b1501187284dfe49d3f515 |
| SHA256 | 922a641c5d9f28a614bc28d58b0ebc966236d915c48c98d0a2458c48e132dedb |
| SHA512 | 2c1aa901b51476e88b2cb5659dafa328da4a55468509b51a1542066dee80676448dd2519e9d4cf55a33cb4b9f13eda33c64ff888bda74901432b1427c1288109 |
C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
| MD5 | 4273603e448c7b2028e9f101be08eab0 |
| SHA1 | 4d094e903c9519bd530fb1b6a40c5166514751d5 |
| SHA256 | cd770e2929a25314938efd1eb79dff867efd46c84025d85352160e55105770fd |
| SHA512 | dde4620c1a1b0ba7c2c1b7262678531cbf551ddfb3025b1949ed46bea171e10e429abb26ee10569091599ec3ca4d9e02cc59ad46896b5ebde1518e42d81cceb2 |
C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
| MD5 | df7aa31266fed34925ef2cc175cf6ff5 |
| SHA1 | 69a2700ce3b49adec1cbd399f3cc973fac7663b8 |
| SHA256 | 7ed3e15ea573840680f44dc82790ed08b916fd25db3531bd2024d32b836f681e |
| SHA512 | 45a2f2dadcf0f1270f9e310300847b1b7bc8c369822ab5f2e5c30e3debd20fb0258bfae034032eb92d1bb542d4c00a8ebd6cceec0d7105c5a2a2596b214da675 |
C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
| MD5 | c0a5cc39d316c7294f41abd03011f5f0 |
| SHA1 | 4abfa7261e402984464a52f0baffce06f0e001d1 |
| SHA256 | d02fad6f622cb5f67c8ed3ad28d3b47fb538c7956d0514bd1957369809d7970f |
| SHA512 | ed00a9108a05578112e0a140d198cc3a9d7f4f5705ca191b12b9c7e09ade1788f55d2103ec885dd996fb4698a06282ba3e81db4bd8bfe3982ab1b0e928718a68 |
C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
| MD5 | 1d7119d991dbb7b23da22d4a5246f1fb |
| SHA1 | f43296ce17ffd1f0633e1292719bbfefecb988c2 |
| SHA256 | ce992bc1baf4767bb163614d1d5a257582b0d7cff4146436fdf101f9ced91536 |
| SHA512 | 7cd3b31759e15254e11ed6234fa800ea648232502cb1718f9ae90928109fec2da03dd7c697aa9171fbbf311913c976fa382aa371b694e9edc3ebca5d25e3a007 |
C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
| MD5 | 4cb5cb4c122368ab986902efee33130b |
| SHA1 | 726a76f6398e300f6afd5725ec00d74584249e00 |
| SHA256 | 925674927431b5a27f46b8d931a17d13049a017d5ed92a09bcb5408989940fd6 |
| SHA512 | 682cd878ed92a9a9b5ab451c7d3d3ceb3b693e453028e5af022394c2a2e5ee7ac7d9c8f614fd8aa0d0cd2411fcae374f1b2bd076ebb6400f8618ac04dc412198 |
C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
| MD5 | 73568b4ef73379e82fb7dee5c19c6fd8 |
| SHA1 | 457f6b3886c9a29a47589e7ae4744b8ea7ca4271 |
| SHA256 | 331799bfcab39fba94442e6d7f28b649c1d4aad6efa0e607ffe29ff69cf54cda |
| SHA512 | b2d091c06713bb445e6ab3ea5d74b514a4c3ece3a50b85ca1a7d3c7ed8fee7bd3636409806f6fa7e59658334bebeea90935aee13fb73a36643b2cec72193c4a1 |
C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
| MD5 | 811b7c05a9979a820e391a5842b0c1db |
| SHA1 | 7c0536b415317a5d972fe49baabce1fb8402d46d |
| SHA256 | 99042bdcefb2b5148ac0c52cd5db8ddf5d8502d8ce5182230745cb276b7c28ab |
| SHA512 | 9a393cbf4ca807fdf2b95d83e176f4495c1fd7571ec696aeec06ec754efb94ae1073ec6edfc3c0dddc6d9bf104300e3b1383f5355f3e2dad5dd86c1660a73773 |
C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe
| MD5 | b28f934e806da810484d9744c2ed4b6b |
| SHA1 | dee68429624cad3061c78aa93afb78ee14369d41 |
| SHA256 | fa2328837d705b03535e24107266fff500000d42c8d801d26bb5567f61a9e051 |
| SHA512 | 364cc7cfda304701ca6a681c20cfda3af3d6eb832968fdedf13e0f1e86295115113f18130b0b0f2098101390c8ef76f473fa0c1e4d6348443574443307448d81 |
C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe
| MD5 | 27a729d2a6ee85b190fa46d20eed2a10 |
| SHA1 | 5c71ae69a8d461d51427bd710acefc507b9da15e |
| SHA256 | 13d278116ec744b7570bdfc0cf1738361d72858107d66e8ab703556649278dfa |
| SHA512 | 1bac7c0f6768aa45b3cf9aa568fb8fbf96373155252e4da0ba26dbfda99a01b1f3e9c6e181b677901efd1d3634c4d4258ef3c977cc6f76649f7a67ce75235695 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 13:27
Reported
2024-04-04 13:30
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Auto-generated rule
12 hits; the report records no description, indicator, process or target for any of them.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}\stubpath = "C:\\Windows\\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe" | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A2F3DE-42A3-4911-84A3-A54634326D81}\stubpath = "C:\\Windows\\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe" | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}\stubpath = "C:\\Windows\\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe" | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A2F3DE-42A3-4911-84A3-A54634326D81} | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE} | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE} | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}\stubpath = "C:\\Windows\\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe" | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A848BC-2053-492b-998A-52E0BB9042C5} | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}\stubpath = "C:\\Windows\\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98564B2F-D937-4fcc-AD6C-E6034689A485}\stubpath = "C:\\Windows\\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe" | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}\stubpath = "C:\\Windows\\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe" | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98564B2F-D937-4fcc-AD6C-E6034689A485} | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A384EB-6FF3-45a9-BBD5-72302FD8018D} | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}\stubpath = "C:\\Windows\\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe" | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E86B7C-CC15-40dc-8CE4-2571D7897254}\stubpath = "C:\\Windows\\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe" | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49} | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44} | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718814DB-6EF3-468b-A50B-C828095FA8BF} | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{718814DB-6EF3-468b-A50B-C828095FA8BF}\stubpath = "C:\\Windows\\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe" | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E86B7C-CC15-40dc-8CE4-2571D7897254} | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A848BC-2053-492b-998A-52E0BB9042C5}\stubpath = "C:\\Windows\\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe" | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}\stubpath = "C:\\Windows\\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe" | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6} | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | N/A |
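Both runs persist through the same Active Setup mechanism: each stage creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its StubPath to a GUID-named executable dropped directly in C:\Windows. Windows runs a component's StubPath at the next interactive logon of every user whose HKCU\Software\Microsoft\Active Setup\Installed Components has no entry for that GUID (or has a lower Version), which is ATT&CK T1547.014. The WOW6432Node view appears because the sample is a 32-bit process; a hunt on a 64-bit host must read both the native key and the WOW6432Node view. The Python below is an added example, not code from this report or from the sample: it parses rows in the report's own table layout (three rows copied from the behavioral1 and behavioral2 tables above plus one constructed, benign-looking entry with a hypothetical GUID and executable) and flags StubPath writes that point at a GUID-named executable directly under the Windows directory, reuse the component GUID as the file name, or come from a process running in a user Temp directory. The regexes, the Finding class and the benign row are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Registry events in the report's own table layout. The first three rows are
# copied from the behavioral1 and behavioral2 tables above; the fourth is a
# constructed, benign-looking entry (hypothetical GUID and executable) added
# so the rule can be seen not firing.
REGISTRY_EVENTS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862EBF15-8D0E-4761-B328-C9B1F4645300}\stubpath = "C:\\Windows\\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFA902CC-6D5E-468c-82F9-2DDC746CC602} | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}\stubpath = "C:\\Windows\\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath = "C:\\Windows\\System32\\example_firstlogon.exe" /UserConfig | C:\Windows\System32\msiexec.exe | N/A |
"""

# {GUID}\stubpath = "<quoted path>"; arguments after the closing quote are ignored.
STUBPATH_RE = re.compile(
    r'Installed Components\\(\{[0-9A-Fa-f-]{36}\})\\stubpath\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)
# A GUID-named executable sitting directly in the Windows directory.
GUID_EXE_IN_WINDIR_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    guid: str
    stubpath: str
    writer: str
    reasons: tuple


def table_rows(text):
    """Yield the four cells of each '| a | b | c | d |' row."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells


def stubpath_writes(text):
    """Yield (guid, stubpath, writing process) for each Active Setup StubPath write."""
    for desc, indicator, proc, _target in table_rows(text):
        if not desc.lower().startswith("set value"):
            continue
        m = STUBPATH_RE.search(indicator)
        if m:
            # The sandbox escapes backslashes inside the quoted value.
            yield m.group(1).upper(), m.group(2).replace("\\\\", "\\"), proc


def find_suspicious_active_setup(text):
    """Return a Finding for every StubPath write that trips at least one rule."""
    findings = []
    for guid, stub, writer in stubpath_writes(text):
        reasons = []
        if GUID_EXE_IN_WINDIR_RE.match(stub):
            reasons.append("stubpath is a GUID-named exe directly under the Windows directory")
        if guid in stub.upper():
            reasons.append("executable name reuses the component GUID")
        if "\\appdata\\local\\temp\\" in writer.lower():
            reasons.append("written by a process running from a user Temp directory")
        if reasons:
            findings.append(Finding(guid, stub, writer, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_active_setup(REGISTRY_EVENTS):
        print(f.guid, "->", f.stubpath)
        for r in f.reasons:
            print("   ", r)
```

On a live host the same three rules apply to the values read from both Installed Components keys; the constructed msiexec row shows that an installer writing a StubPath under System32 with a GUID that does not appear in the file name is left alone.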
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | N/A |
| N/A | N/A | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | N/A |
| N/A | N/A | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | N/A |
| N/A | N/A | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | N/A |
| N/A | N/A | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | N/A |
| N/A | N/A | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | N/A |
| N/A | N/A | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | N/A |
| N/A | N/A | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | N/A |
| N/A | N/A | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | N/A |
| N/A | N/A | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | N/A |
| N/A | N/A | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | N/A |
| N/A | N/A | C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| File created | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | N/A |
| File created | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | N/A |
| File created | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | N/A |
| File created | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | N/A |
| File created | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | N/A |
| File created | C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | N/A |
| File created | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | N/A |
| File created | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | N/A |
| File created | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | N/A |
| File created | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | N/A |
| File created | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe" |
| C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{81D0F~1.EXE > nul |
| C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{36A73~1.EXE > nul |
| C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{98564~1.EXE > nul |
| C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{99A38~1.EXE > nul |
| C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{43A2F~1.EXE > nul |
| C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B8F~1.EXE > nul |
| C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1F495~1.EXE > nul |
| C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE20~1.EXE > nul |
| C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{71881~1.EXE > nul |
| C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{52E86~1.EXE > nul |
| C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe | C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADBE~1.EXE > nul |
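Every process in both runs repeats one routine: drop the next GUID-named executable in C:\Windows, register it under Installed Components, execute it, and remove the previous stage with cmd.exe /c del <path> > nul (ATT&CK T1070.004). The del targets are 8.3 short names ({862EB~1.EXE for {862EBF15-8D0E-4761-B328-C9B1F4645300}.exe, 2024-0~1.EXE for the original sample), so a hunt keyed only on the long file name misses them. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, because the 32-bit parent is subject to WOW64 file system redirection. The registry entries outlive the files, and the last dropped file ({7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe in behavioral1, {21A848BC-2053-492b-998A-52E0BB9042C5}.exe in behavioral2) is not deleted within the run. The Python below is an added example, not code from this report or from the sample: it rebuilds the drop chain from "File created" rows (copied from the first four stages of behavioral1 above, in the report's shuffled order), derives each stage's 8.3 alias, and checks which stages a captured del command targeted. The 8.3 generation is an approximation of the Windows algorithm and assumes the ~1 suffix the report shows, i.e. no name collision in the directory.

```python
import re

# Events in the report's own layout, copied from the first four stages of
# behavioral1 above. The 'File created' rows are deliberately left in the
# report's shuffled order; the command lines are the cmd.exe entries from
# the Processes table.
FILE_EVENTS = r"""
| File created | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | N/A |
| File created | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | N/A |
| File created | C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe | C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe | N/A |
| File created | C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe | C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe | N/A |
"""
COMMAND_LINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{862EB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA90~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D7310~1.EXE > nul
"""
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"


def parse_drops(text):
    """Map each writing process (lower-cased) to the file it created."""
    drops = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] == "File created":
            dropped, writer = cells[1], cells[2]
            drops[writer.lower()] = dropped
    return drops


def build_chain(drops, root):
    """Follow writer -> dropped file starting at root; stop at a gap or a cycle."""
    chain, seen = [root], {root.lower()}
    while True:
        nxt = drops.get(chain[-1].lower())
        if nxt is None or nxt.lower() in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt.lower())


# Characters that never survive into an 8.3 alias (approximation of the
# Windows rules; enough for the names in this report).
SHORT_ILLEGAL = re.compile(r'[ .+,;=\[\]"*?<>/\\:|]')


def short_name(path):
    """Approximate the 8.3 alias Windows generates for a long file name.
    Assumes the ~1 suffix, i.e. no earlier file in the same directory shares
    the first six characters of the cleaned name."""
    directory, _, name = path.rpartition("\\")
    raw_base, _dot, raw_ext = name.rpartition(".") if "." in name else (name, "", "")
    base = SHORT_ILLEGAL.sub("", raw_base).upper()
    ext = SHORT_ILLEGAL.sub("", raw_ext).upper()[:3]
    needs_alias = (len(base) > 8 or len(raw_ext) > 3 or name.count(".") > 1
                   or base != raw_base.upper() or ext != raw_ext.upper())
    if needs_alias:
        base = base[:6] + "~1"
    alias = f"{base}.{ext}" if ext else base
    return f"{directory}\\{alias}" if directory else alias


DEL_RE = re.compile(r"\bdel\s+(\S+)", re.IGNORECASE)


def deleted_targets(text):
    """Paths named by every 'del <path>' in the captured command lines."""
    return {m.group(1).lower() for m in DEL_RE.finditer(text)}


def deletion_status(chain, command_lines):
    """(path, deleted?) for each stage, matched on the stage's 8.3 alias."""
    targets = deleted_targets(command_lines)
    return [(p, short_name(p).lower() in targets) for p in chain]


if __name__ == "__main__":
    chain = build_chain(parse_drops(FILE_EVENTS), ROOT)
    for path, deleted in deletion_status(chain, COMMAND_LINES):
        print("deleted" if deleted else "on disk", path)
```

Run against the four embedded stages, the chain comes out in drop order regardless of row order, the first four stages resolve to a del command, and the fifth (whose deleting cmd.exe belongs to the stage after it) is reported as still on disk.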
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
All ten entries are reverse (PTR) lookups of the listed addresses sent to 8.8.8.8; the report attributes them to no process and records no other network activity in either run.
Files
C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
| MD5 | 37cffa0494c1acfdaab59db8bf2abdf6 |
| SHA1 | ceb79398fe061e75b147df206d0c8931b87b2f0e |
| SHA256 | d28e5a7dac2c92f01be36cd81226ef3da23cfc1b381256f9d23d3b7a75761a90 |
| SHA512 | 969bbc0283170e3be1fb13c172e1af39e59204b15b6440129fc1d9ba8da8ec31b6eec78fc650dea4959c22fbc9ac1924999bf660119b438921fb23a8d95fe305 |
C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
| MD5 | 177bcf7b542648f46334093f02604971 |
| SHA1 | 4ddb1f863ac94a00e6b86fb2ae75c1aa2560a1ac |
| SHA256 | 247b7f4bd0828cb272330cfbdc7aad6fe220aeb062308104039107ebaadcdbf4 |
| SHA512 | 12e211a187659c70be78fd7bcb267d57933c049ee39f3a3b03180a446373dcf501c9a38a2e72ef12e0c6fdca85b21868377687f72762e052d30853ce65fde0a7 |
C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
| MD5 | 6176220e2dab4612004bc65e96766a9d |
| SHA1 | d4c619cc039bfe99c504aeb093d939109d56b699 |
| SHA256 | c4cd918cf112dd65ecb51ad39b2372a934232f225cbc77f8f0d83182cd107642 |
| SHA512 | ce81154903611f996ca598fb90701a3a3a97307f5d1fb73b6c8699c9f28acb51a44c3f236e25f19937b35b2fa058a5342a1e73bc66aadf4ebdc4dd493051278c |
C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
| MD5 | d098339f19c86500aeae7ea4af4fc413 |
| SHA1 | 2ff38fe36fa9b011ea3f17dcef08e23ae0c9e254 |
| SHA256 | 74ac4b21e59f3fdf6b7607f66b73d7a99dafe784449849ee1de4d6a614a17122 |
| SHA512 | de1e1925f5d05ee14f23e5148fb1d18999bc43d061ad7a3c6bda041077c7f0d137711662985be782e9da68a0fa3167198df2665bf205d2b01ea83b6f2ce93ffa |
C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
| MD5 | 3e49f3cc3e16882b51b4ed7e29d0f692 |
| SHA1 | e04bde84ab7f23984e28e0a08ba82c0c22733961 |
| SHA256 | 2578029062fa38711f27fc2422a382a7ccf789b91d13b09d7181987ec3a0b860 |
| SHA512 | eeac99fc5e6b200ca4db54c48b2462246d6d435c72feaf969d74638ba45ba498ba5d04a0ae5a126da1f359be1aa033e85fa62008b13ddb52bd019e0bee013fe8 |
C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
| MD5 | 5f348da000176e032dfbfd0b310821aa |
| SHA1 | 1c463992f6606494aded81f4bd122fb703cb963f |
| SHA256 | d40bbcfc67a2f293651098b3519920a60fd844631bc9d7288cfc2f846ee2a6f5 |
| SHA512 | 5164611f29d55548aceaae2dfcd8d3d1bf2e63665479500694c47972b86d84d4ec726f7a357ae6fa288b95aebc2d2be40470351780597ec6dd5527b1fcd5e182 |
C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
| MD5 | c9c4229ea6e87758e93432969278f9de |
| SHA1 | e8e671545a90d5ca4f467d76085a55a7c6d1bd8a |
| SHA256 | 1a65373e9e7a6355753e681bf16d328bbd62c2cef5fcbd313d175a429c7a037f |
| SHA512 | 971f9bcbd52ea59809e9a0a0b2824862fe345a0f536298d9690c824a0820180eb9a92ed2aca4972e18f087a096fbd44f5d4f985f730677239609b1744d43e137 |
C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
| MD5 | 2e2bba62b4451cc670e9919c952de48d |
| SHA1 | edff1b0919a4641324bc8f7d1abfa6b393815124 |
| SHA256 | 7c6b96e73fc0474c89deb9500c826ee7f7dfbb179af15c174a7b505968032cad |
| SHA512 | 5a0cdde408cd4242f291285ece3932115715b4e7972c66a42371c1b02feafd997a74fa68086e41d4aa6215445be00bb14fa514c8bd17e75b204034e5a83bff5a |
C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
| MD5 | 3911e221ab26f894d39e85e4c3dc7071 |
| SHA1 | aa5262371674129aea86f735f011504d04474fb1 |
| SHA256 | c689166d01078a3d486d8c5192cc4d6e5476f4d09f9ff6596bf84ceb8dde6524 |
| SHA512 | ec7e0f079b952fbce8750427caf79d6b5cde053c04f4eef130b44f1543aa4b134e52f034a137156f58a9f9bd5d313cfd916339f029c8604da631fbab1a9de210 |
C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
| MD5 | 2fed1986f077cce2c60ecfba09947895 |
| SHA1 | 734f9664b779bde6169e74907027fc4105ec8f94 |
| SHA256 | 2603ea77f63d120cb4aa9fda850b1d5dea2bb0b639b29aafcde626e34b163a34 |
| SHA512 | 54a3f21a8ec13534312a922c48ea3e52472f21c80f1ba0397348ea61ea1ee3c4bbe2001b045adb1d72922a6bd55d2909e989a779ed34df8d87d3cc9b3afaa42e |
C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
| MD5 | a89acaaa4612e88c4e886713342399d3 |
| SHA1 | f1581092fed960e1590226b924e518b6b7d9b653 |
| SHA256 | 124fb829a4ae16eb3b74d3af6c6bdb0deb5210f8b223cff41fb2064a4de86602 |
| SHA512 | 247f09729ee83561ef9adff76094828a118f35f2c00923305ef0212e3bd16794528c307e24e89964af83b848756b989032ae5a45e5edc3faec2b4755c5dc1d85 |
C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
| MD5 | da427f7382a7793f80af76bdca4cd642 |
| SHA1 | 1ad7ecd90e2401c795910d9273f21df929d44d7f |
| SHA256 | 83d10ba3a26650dd02e6ef5c96faf2fdcc6086845b32bdf7184b69c4c5731344 |
| SHA512 | cdee2f2d99d5b50ca0f5645473889979a4af2e7436f7e7067f7e8f815be1a10cc5feae2b25d4b7b2cafdc133b25634ab48493d9388a09c937438a66a879e9913 |