Analysis Overview
SHA256
c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4
Threat Level: Known bad
The file 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule (two rules matched)
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 13:32
Signatures
Auto-generated rule
(one match; no indicator details recorded)
Unsigned PE
(one match; no indicator details recorded)
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 13:32
Reported
2024-04-04 13:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Auto-generated rule
(12 matches; no indicator details recorded)
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B} | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B}\stubpath = "C:\\Windows\\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe" | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C} | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}\stubpath = "C:\\Windows\\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe" | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD}\stubpath = "C:\\Windows\\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe" | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}\stubpath = "C:\\Windows\\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe" | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6} | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}\stubpath = "C:\\Windows\\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe" | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE} | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}\stubpath = "C:\\Windows\\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe" | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513} | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23} | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD} | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6}\stubpath = "C:\\Windows\\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe" | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44} | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}\stubpath = "C:\\Windows\\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe" | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769} | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}\stubpath = "C:\\Windows\\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe" | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513}\stubpath = "C:\\Windows\\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe" | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24} | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5}\stubpath = "C:\\Windows\\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB} | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}\stubpath = "C:\\Windows\\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe" | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | N/A |
| N/A | N/A | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | N/A |
| N/A | N/A | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | N/A |
| N/A | N/A | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | N/A |
| N/A | N/A | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | N/A |
| N/A | N/A | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | N/A |
| N/A | N/A | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | N/A |
| N/A | N/A | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | N/A |
| N/A | N/A | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | N/A |
| N/A | N/A | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | N/A |
| N/A | N/A | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | N/A |
| N/A | N/A | C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| File created | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | N/A |
| File created | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | N/A |
| File created | C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | N/A |
| File created | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | N/A |
| File created | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | N/A |
| File created | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | N/A |
| File created | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | N/A |
| File created | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | N/A |
| File created | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | N/A |
| File created | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | N/A |
| File created | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe" |
| C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul |
| C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul |
| C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{97DFC~1.EXE > nul |
| C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD47~1.EXE > nul |
| C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC00~1.EXE > nul |
| C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{731A3~1.EXE > nul |
| C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1D39D~1.EXE > nul |
| C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{74D5B~1.EXE > nul |
| C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D66CE~1.EXE > nul |
| C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C39~1.EXE > nul |
| C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe | C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D24E5~1.EXE > nul |

Each stage drops the next GUID-named executable into C:\Windows, registers it as an Active Setup StubPath (see the registry and file tables above), and spawns cmd.exe to delete the stage before it, addressing the file by its 8.3 short name (`{6E611~1.EXE` is `{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe`, `2024-0~1.EXE` is the original sample). The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the sample is a 32-bit process on a 64-bit Windows, so WOW64 file-system redirection resolves the path, and the same redirection is why its HKLM\SOFTWARE writes land under WOW6432Node.
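The registry and process entries above describe one mechanism: each stage writes the path of the stage it drops into an Active Setup "Installed Components" StubPath value (ATT&CK T1547.014; Active Setup runs StubPath once per user at the next interactive logon, so the persistence is not exercised inside the sandbox window), then has cmd.exe delete its own parent by 8.3 short name. The following Python is an added example, not part of the sandbox report. It takes a handful of rows copied from the behavioral2 tables (constructed here as plain dicts; the `{process, indicator}` row shape is an assumption about how such a report is exported), reconstructs the stage order from the StubPath writes, pairs each `del` command with the stage it removes, and flags StubPath values that point at GUID-named executables dropped directly into C:\Windows. The 8.3 alias computation assumes no name collision, i.e. a `~1` suffix.

```python
"""Reconstruct the stage chain of an Active Setup dropper from sandbox rows; added example, not report content."""
import re

ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
AS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"

# Constructed from the report's behavioral2 registry table: the first four stages, kept in the
# report's own unordered sequence. The {process, indicator} dict shape is an assumed export format.
REG_EVENTS = [
    {"process": r"C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe",
     "indicator": AS_KEY + r"\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}\stubpath = "
                           r'"C:\\Windows\\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe"'},
    {"process": ROOT,  # "Key created" row: no value, so it is not a StubPath write
     "indicator": AS_KEY + r"\{6E6117CA-4E93-4463-821A-17DBCE4325C5}"},
    {"process": ROOT,
     "indicator": AS_KEY + r"\{6E6117CA-4E93-4463-821A-17DBCE4325C5}\stubpath = "
                           r'"C:\\Windows\\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe"'},
    {"process": r"C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe",
     "indicator": AS_KEY + r"\{9AD4718F-DFD8-4e8d-A430-A5910225632B}\stubpath = "
                           r'"C:\\Windows\\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe"'},
    {"process": r"C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe",
     "indicator": AS_KEY + r"\{BE5418BA-A135-45eb-A083-2712413D9EB6}\stubpath = "
                           r'"C:\\Windows\\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe"'},
]
# cmd.exe command lines from the report's process list (8.3 short names exactly as logged).
CMD_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{97DFC~1.EXE > nul",
]

STUBPATH_KEY = re.compile(r"\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]{36}\})\\stubpath$", re.I)
GUID_EXE_IN_WINDOWS = re.compile(r"^C:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)

def parse_stubpath(indicator):
    """Return (component GUID, StubPath executable) for a StubPath write, else None."""
    key, sep, raw_value = indicator.partition(" = ")
    m = STUBPATH_KEY.search(key) if sep else None
    if not m:
        return None
    # Registry string values appear quoted and backslash-escaped in the report.
    return m.group(1), raw_value.strip().strip('"').replace("\\\\", "\\")

def build_chain(reg_events):
    """Order the stages: each writer registers the stage it drops next; the root is the only
    writer that is never itself a StubPath target. Stops on a repeated stage (cycle guard)."""
    next_stage, original = {}, {}
    for ev in reg_events:
        parsed = parse_stubpath(ev["indicator"])
        if parsed:
            next_stage[ev["process"].lower()] = parsed[1]
            original.setdefault(ev["process"].lower(), ev["process"])
    targets = {stub.lower() for stub in next_stage.values()}
    roots = [p for p in next_stage if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root stage, found {len(roots)}")
    chain, seen = [original[roots[0]]], {roots[0]}
    while chain[-1].lower() in next_stage:
        nxt = next_stage[chain[-1].lower()]
        if nxt.lower() in seen:
            break
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain

def short_name_for(path, tilde=1):
    """Approximate the 8.3 alias NTFS generates: first six base-name characters (spaces and extra
    dots dropped), '~N', first three extension characters, upper-cased. Assumes no collision (~1)."""
    base, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    base = base.replace(" ", "").replace(".", "")
    return f"{base[:6]}~{tilde}.{ext[:3]}".upper()

def pair_deletions(chain, cmd_lines):
    """Match each 'cmd.exe /c del <8.3 path>' to the stage it removes: [(target, stage or None)]."""
    lookup = {(s.rpartition("\\")[0].lower(), short_name_for(s).lower()): s for s in chain}
    pairs = []
    for line in cmd_lines:
        m = DEL_CMD.search(line)
        if m:
            folder, _, short = m.group(1).rpartition("\\")
            pairs.append((m.group(1), lookup.get((folder.lower(), short.lower()))))
    return pairs

def flag_persistence(reg_events):
    """StubPath values pointing at GUID-named executables directly in the Windows directory.
    Legitimate components populate this key too, so the path shape, not the key, is the filter."""
    parsed = (parse_stubpath(ev["indicator"]) for ev in reg_events)
    return [p for p in parsed if p and GUID_EXE_IN_WINDOWS.match(p[1])]

if __name__ == "__main__":
    chain = build_chain(REG_EVENTS)
    for i, stage in enumerate(chain):
        print(f"stage {i}: {stage}")
    for target, stage in pair_deletions(chain, CMD_LINES):
        print(f"del {target} -> " + (f"stage {chain.index(stage)}" if stage else "UNMATCHED"))
    for guid, stub in flag_persistence(REG_EVENTS):
        print(f"T1547.014 StubPath {guid} -> {stub}")
```

On the subset embedded above the chain resolves to five stages (the original sample plus four dropped executables) and every `del` pairs with the stage immediately before the cmd.exe that issued it; feeding it all rows of the behavioral2 tables yields the twelve stages listed there. The path-shape filter in `flag_persistence` matters on a live host: the Installed Components key is populated by legitimate Windows components, so a StubPath entry by itself is not an indicator, whereas a GUID-named .exe dropped straight into C:\Windows, unsigned, is.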
Network
The only traffic recorded is reverse-DNS (PTR) queries to 8.8.8.8:53; no other destination appears in this run.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
Files
C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
| MD5 | aec8cf401e00a93dbac3ddccf835711b |
| SHA1 | 4befd17b1a0d5a0127d30764a1b951b3959bc4ee |
| SHA256 | 41c969952982ad9f5f319fdd5f53ac027a3d9c6bb16fa4982e01188201ce4dbe |
| SHA512 | 5d5af8424654e2b71b5e697cb4d7168301c0fcba036975fd9177b450ad5ba289c368d486ac4197133083137f5a3d28317daea74809dc20585425a0a0cf3b8d0d |
C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
| MD5 | 13259300e9740eadc52ed287d433ca5f |
| SHA1 | d97c6382212103401528929d37ab21873dc7f785 |
| SHA256 | fc24549fafb70d1d56496b2c3b6ab9274e86e7421a62cfe96f3025ac9e5da8dd |
| SHA512 | d8ec5147f5da1b16f64b49535628ad47c1e262b1b08acb08cd3cefc4d73146dc45ab0a700a6e93bb5a65dc65bab3edeb5f99ee89168cba328dce3ed563e699e0 |
C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
| MD5 | e58f237c1885f63ca1ae73b28c25c4d9 |
| SHA1 | 5c04a39b10544be8e8aa3ff793af9ddfeda7c931 |
| SHA256 | 56b07c07a6ae7ef36a023bc1b0f6ece216ed0980746b0f24876cd430509431b3 |
| SHA512 | 88818aac94ac07f69f7186705c800f42ce912876b46d4b81575afed84195b85ebba8bffa6e6a9d02c554a733317c38270fcb8fa172a89ce1b1a11e27c6c39548 |
C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
| MD5 | e2907e946b074e715ffc35ada0113ee3 |
| SHA1 | 2683ff522689464cc5951ebeb33994855582a906 |
| SHA256 | e4732e855cebd3856d0155e36531fef5afbbbbd50b25dd2dd17298710ef45704 |
| SHA512 | 776a3ba089f7cd6d7ae1f5dded8080c54b6c6d3234d6bc7c17af18711238687460958daacb741aaaf60bf85f7f5c7ea5d451f58add373e874c9316a3ba63797d |
C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
| MD5 | 5dd7407d6fae8ee099e912cf5740f447 |
| SHA1 | 6f25130954f4e1ee37150f0916757b60cfdfcef1 |
| SHA256 | 8c7e7d5928d73f09453f10f980293ba7eb100dc46824ad03e51270c27ed1ce22 |
| SHA512 | b723d0459cbdecc303e6c3f2e8e9978126ea6460776ba323074aaefcf2870c0cfa142472685170e2a04b05c0aee857ad7ab606e02296b85ed6e73a4953ee7534 |
C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
| MD5 | 9dcec0b191d36bb6cd02f520357b2424 |
| SHA1 | fea7cb6f4bca9b889155dc019963e08d2c6ddd4a |
| SHA256 | 2177d5eb4a66271ad3c97e9ea70ae4dda82a743c3aabf4a01a0922e3abaac584 |
| SHA512 | a1cf968dadee6b7a510a4439207f7a97ec3dab5b028dc3309d0b62d1d67274e4b3da5099e352f4b5bb76789d52b7b7b5e4a579f81304bf5327560bc7341343cd |
C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
| MD5 | e1ec5576b20a13658443e14c6c6adb56 |
| SHA1 | d94cd4c7f55dbecb2d8688778187296a0ffc5c44 |
| SHA256 | 63096ba7627d00121ea67aa626f702c73cf5b93d327cabad82cba475b2c0919d |
| SHA512 | f3f2e1e3fe0542eab8ae0f024563d1214d850fdac49488ddb0185cc92d6bbefb7bcd89a84ae9968f00b79667701ddc452bda520f8765fe4d7c5ea8ac391164af |
C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
| MD5 | b8563aee3afd588b58e3c7c4f326e0f9 |
| SHA1 | 312845128d5790331358fdd828f409ea6f6aeaa6 |
| SHA256 | 512b02fa0373f5b97ffc5bb70566b27815e6d605ae398d14c7c86c2b8dac8ea6 |
| SHA512 | 0e04e599cfdafa8a890d5bcaf81e271eea2fe4532a0fde5ad5feea02ec96284e950cb2b1935c0737d4fb8ca28a18d3d458ceb2f350df920b294c9a79de382c04 |
C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
| MD5 | f06e5fab6f63c8e7298173696f1f8477 |
| SHA1 | ae16f5021180860c1834bd17166990e6c3c648ad |
| SHA256 | 8913917cb2386c305c148a16f154d55dfe77af19a14e94e56c618256594f4c75 |
| SHA512 | 516121830a46ddd8eb490f1f1057145f76ae7e1fa2116898704f2d72556125b4864c92891ed2a05b050b3382512fdcb639b89f901152ff4520602d31675d35b3 |
C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
| MD5 | 28e8a46d7ef3af17b2e3653ee6904f58 |
| SHA1 | 790a670d48ec99bb00a9118a9b7ad0944292a86b |
| SHA256 | ef89305cd943a920bb7a739102ed0f1e609f86a19faca905aee7a22cabd97cab |
| SHA512 | e1304a7ed071d97eee2256a08b85f196c6418f25d9caccd8cb8c9c85aecdd54f13e71831fbc39cd08918fe369620aea50d9eb2c96a3f9178038d566830c10337 |
C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
| MD5 | 4c8a1541c140c78ec03c3babef52cb14 |
| SHA1 | aeb65bc977a08a1ac6b57ab0034b942e472eec28 |
| SHA256 | e1d49183187c66b37ce0b6398387dffa75d6b9db26f303d8acd5499e9d6ddda2 |
| SHA512 | 931bd1d3aa9a85d19facb8da04d14e5406c2cf118465ef70e534ebafaa3dac2aa7b45b39de37004aaa2eec8284a7be4211a421ded4f4773683d781ef322e370d |
C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
| MD5 | 4fe93c9ff5ee0b3669367d86679eff00 |
| SHA1 | 6eb824aa7671268b2ace0f77eedb2ae2215d8e48 |
| SHA256 | c90b92a3b8c4d4bebd166a0e9c56cd175116fdc66cddec7093ec7b1f058d3b99 |
| SHA512 | 543aea64aa985b64d20351619f937f3af196a3b0cc3a3e671b0d00bea28ddad77d7e14974de3fa6dcbbdd4ab760f2d498acf9e4445b54527fb59f50421f555eb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 13:32
Reported
2024-04-04 13:35
Platform
win7-20240221-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Auto-generated rule
(11 matches; no indicator details recorded)
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98513519-C272-42e7-B62C-90F87F3C5FE8}\stubpath = "C:\\Windows\\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe" | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0} | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A799C4C5-4489-4df5-93E1-39190D179CF6}\stubpath = "C:\\Windows\\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe" | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714} | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}\stubpath = "C:\\Windows\\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe" | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C0D496-1469-4659-B710-674F9255570E} | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188038A5-8A7E-4505-B9AF-0CCCE258D05B} | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}\stubpath = "C:\\Windows\\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe" | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162DBF6A-5FD1-451a-9F81-A271776D4B81}\stubpath = "C:\\Windows\\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98513519-C272-42e7-B62C-90F87F3C5FE8} | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95024C6-9E6B-4d77-82F0-DD8612330837} | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08886010-0683-4569-B5CA-86122B334181}\stubpath = "C:\\Windows\\{08886010-0683-4569-B5CA-86122B334181}.exe" | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C0D496-1469-4659-B710-674F9255570E}\stubpath = "C:\\Windows\\{79C0D496-1469-4659-B710-674F9255570E}.exe" | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}\stubpath = "C:\\Windows\\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe" | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B26B4F89-0F00-4cd8-9A6A-2225105FC474} | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162DBF6A-5FD1-451a-9F81-A271776D4B81} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}\stubpath = "C:\\Windows\\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe" | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95024C6-9E6B-4d77-82F0-DD8612330837}\stubpath = "C:\\Windows\\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe" | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}\stubpath = "C:\\Windows\\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe" | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08886010-0683-4569-B5CA-86122B334181} | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011} | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A799C4C5-4489-4df5-93E1-39190D179CF6} | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | N/A |
| N/A | N/A | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | N/A |
| N/A | N/A | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | N/A |
| N/A | N/A | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | N/A |
| N/A | N/A | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | N/A |
| N/A | N/A | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | N/A |
| N/A | N/A | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | N/A |
| N/A | N/A | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | N/A |
| N/A | N/A | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | N/A |
| N/A | N/A | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | N/A |
| N/A | N/A | C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | N/A |
| File created | C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | N/A |
| File created | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | N/A |
| File created | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | N/A |
| File created | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | N/A |
| File created | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | N/A |
| File created | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | N/A |
| File created | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | N/A |
| File created | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | N/A |
| File created | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | N/A |
| File created | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe" |
| C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe | C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe | C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{162DB~1.EXE > nul |
| C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe | C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A799C~1.EXE > nul |
| C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe | C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{98513~1.EXE > nul |
| C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe | C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EECFA~1.EXE > nul |
| C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe | C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F9502~1.EXE > nul |
| C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe | C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{66BA1~1.EXE > nul |
| C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe | C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{08886~1.EXE > nul |
| C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe | C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{32EF9~1.EXE > nul |
| C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe | C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{79C0D~1.EXE > nul |
| C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe | C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{18803~1.EXE > nul |

Same chain structure as in the behavioral2 run, with eleven GUID-named stages in C:\Windows within the analysis window (the GUIDs differ per run, so they are not usable as static indicators); each stage's cmd.exe deletes its parent by 8.3 short name, which is what the "Deletes itself" signature above records.
Network
No network traffic was recorded in this run.
Files
C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
| MD5 | 0379cc575c9d18df25411fd0bbdb53af |
| SHA1 | 35ef3986100d2a29eb6fb9a9a92dc7ad89457eb5 |
| SHA256 | f0e9c96b07a7c88faa80a8a2fd4352b70e048b378326ec01a66d9fe0f3aca09e |
| SHA512 | 885bf86a7a634e706c6d39911d64f285d4afa2a075ad900eb22a50f1303bbb5b693d8f32af31f0770024f7d072e8c58493fa941f3dbd5e79a837b047c4f5a991 |
C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
| MD5 | 1a7b9435ae338bf44dd3934059041120 |
| SHA1 | d32b0fd91db062c98c99e8f7429dd67c0bbba15b |
| SHA256 | ec2d846e8cf9519f79b085b09745566fed17f14e74238d957b7f728e403e7752 |
| SHA512 | 7e20d66810d45630b61de340eec94c5837acbf0383eb29acbbf6d12f8e07acb67b71d73452e53d0623d99dad1c4701c09b4690ef4fe5a1d96205b46f6f59cb2f |
C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
| MD5 | 33ca14285601737b87f56358389ff2ea |
| SHA1 | 96ccebad416d04c473f79325b621d120e7f8bdab |
| SHA256 | 9fc823ec4aa3f0fe74b4f2f866d25e4a3e1529f0f43b6ce19ff956ac028b9c66 |
| SHA512 | 2f01063fb315abcef304d233836568e31ea0613ec9f18578ce5eac45af7985586b3b9a40c2e81d948dffc43e521fa0af0c968ac029004e9d82358c0b3660144c |
C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
| MD5 | 5514bbed30469ec70dda59bb309c1ca9 |
| SHA1 | 50f1fea57c6df6e5094a9e3cfd1a0c297c60a560 |
| SHA256 | 15829ca22af7d3551932b1f14c2dfa22aeba8c4ff42712219df7625a310025e8 |
| SHA512 | 85d1ee11dc3d626b5d6effc7076ea10041788d8943ce6a25708ee6ca4908ea34b517f97ce916750940b24ec71645a9e22a35bc7c6831e9e2fb085551edc24653 |
C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
| MD5 | 64c6aafeed2506adfac0132131b556e3 |
| SHA1 | cc5ce62fbb530d52d68b9d76fa76feaf6bd7e093 |
| SHA256 | a5221aa31ced443f6794329dafcd95cfd945ef091c791f06fae667cb5f558ac0 |
| SHA512 | 18286d0b517ab4b88a2671dfa26e58ca2a00aefb0e05152b492d5c697fdea49f3425117e247fa1fe3cd8dcd1c9775d9151f5a5b1e713962d5e88b0105f8ffe1a |
C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
| MD5 | 9b4b2f6661878e2990dbd378665ab7cd |
| SHA1 | 07d30ccb1db48165464167f3f1672e43de136792 |
| SHA256 | e3b48ae13c794dfa4b601b567c0dc98ef3861d82b976d98ece98308b96aa0de6 |
| SHA512 | c40afb6c6c7e774d761eb40d858549f053a3fa0a98f7cbaf4cdbd0aa443587bbb44104e5e80cd8d94ff50a10b6a746a812ea558373bd7dcf9c09783014271f3a |
C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe
| MD5 | 7164d3bfd369680ce71fcfa2667494af |
| SHA1 | 3c44900a5fbfcca5754676ffe6efcbc1f7588473 |
| SHA256 | d6f80b67d3bad7fcbdcba2752960e2dc7c47bf503bbbbf9c1541c7079d704d35 |
| SHA512 | f89f97a858fc09c8a9f7ee2214823d37ad4333520646fb1df5eb191c5d949866a0dc4325acb1003bf5d76df75d19a2605c4f361e6b729d0330624b86212f1f97 |
C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
| MD5 | 9d47b527d37f302d29871556c95085a0 |
| SHA1 | 9449a065d790e5b225bd428b28c52c435eb0bd1b |
| SHA256 | d2b40a9c0bd658699b350a42b9697e3769f4d2a856444b979afe930ee109932f |
| SHA512 | 5c2d32bebac3c2c2c8245d979cb50f4d1938b19461c6013d9f77a139efc397652c5eb053529b9b7c816329026f3aace4d6f9b756d0ea606280e9f822ff19cdec |
C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe
| MD5 | 8032e7bd7e0921788b84667ef4282eba |
| SHA1 | df913b95132e5c93057aa3d7ad6321589abd41e5 |
| SHA256 | e7d504c6d109e564b7b494cb03682cbff0b37382acf15bab669ee8579227ee4f |
| SHA512 | dca6ad023296f9578e9683dbbee707b47c242deb6e14d3e46d33ec3147239c26cc3423e2babda7b43631586852849ac63be7a845049dbfba595e7456a23f3778 |
C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
| MD5 | da88213bdf6bfab96c212d0dde0220d4 |
| SHA1 | 494e7fd74e0d79af2670845caece4df32c91c76c |
| SHA256 | 9e8c074fe1f90c08abeb1ebff5cfb13f9635be3a1cd782c16bbbc6b393636240 |
| SHA512 | 2baceb525f10a8a53e385b022373edb575222c8f6f3006c630adde6e31f9e2147f6e92e1ada19c97bc4efad7f14f0c312ad556e72515c6cf383c9616ec46bd6a |
C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe
| MD5 | b3c9f16d623251ae81e53d13a733a782 |
| SHA1 | 84b65487ffed3df894c36db0d747a55b1fbb496d |
| SHA256 | ebc490c2d9573e0727283320949061b455b0b10e350af692bd4710c80e55b6d3 |
| SHA512 | d01e5ba33f36d579d0983e0c51fe36b791e133a7869db998210cbef60423a39296ad503c418a166ba9349300dd9f4d8bde43cb9e9eb8b183c28942fa419d7350 |