Analysis Overview
SHA256
a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168
Threat Level: Known bad
The file 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 13:36
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 13:36
Reported
2024-04-04 13:39
Platform
win7-20240220-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Auto-generated rule
11 hits; no description, indicator, process or target was recorded for any of them.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67}\stubpath = "C:\\Windows\\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}\stubpath = "C:\\Windows\\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe" | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124} | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725} | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86} | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}\stubpath = "C:\\Windows\\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe" | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3} | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4} | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}\stubpath = "C:\\Windows\\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe" | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}\stubpath = "C:\\Windows\\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe" | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E}\stubpath = "C:\\Windows\\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe" | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F} | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86}\stubpath = "C:\\Windows\\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe" | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}\stubpath = "C:\\Windows\\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe" | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}\stubpath = "C:\\Windows\\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe" | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E} | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F}\stubpath = "C:\\Windows\\{9B8E65DD-0180-41df-8903-910F8314783F}.exe" | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871} | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}\stubpath = "C:\\Windows\\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe" | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86} | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD} | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A |
| N/A | N/A | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A |
| N/A | N/A | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A |
| N/A | N/A | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A |
| N/A | N/A | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A |
| N/A | N/A | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A |
| N/A | N/A | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A |
| N/A | N/A | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A |
| N/A | N/A | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A |
| N/A | N/A | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A |
| N/A | N/A | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | N/A |
| File created | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | N/A |
| File created | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | N/A |
| File created | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | N/A |
| File created | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | N/A |
| File created | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | N/A |
| File created | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | N/A |
| File created | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | N/A |
| File created | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| File created | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | N/A |
| File created | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe" |
| C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul |
| C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{604BF~1.EXE > nul |
| C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8E6~1.EXE > nul |
| C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1665~1.EXE > nul |
| C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{35EE9~1.EXE > nul |
| C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF3D~1.EXE > nul |
| C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B8764~1.EXE > nul |
| C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4B66E~1.EXE > nul |
| C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C8~1.EXE > nul |
| C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD60~1.EXE > nul |
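The registry, file-creation and process rows of this run describe one linear drop chain: every GUID-named stage writes the next stage directly into C:\Windows, creates an Active Setup Installed Components key for it with a stubpath pointing at that file (Active Setup stubs are run at user logon when the per-user copy of the key is missing, ATT&CK T1547.014), executes it, and a cmd.exe /c del then removes the previous stage under its 8.3 short name. The script below is an added example, not part of the sandbox report or its tooling. It reconstructs that chain from event records constructed from the behavioral1 rows above, flags stubpath values that launch a GUID-named executable sitting straight under the Windows directory, and maps the 8.3 names in the del commands back to their long paths. The all-zero GUID entry is a constructed benign control, and the 8.3 derivation assumes no short-name collision (always ~1), so it is a heuristic rather than a guarantee.

```python
"""Added example (not from the sandbox report): rebuild the GoldenEye-style drop
chain, flag Active Setup persistence and resolve 8.3 'del' targets from event
records constructed out of the behavioral1 table rows. The all-zero GUID entry is
a constructed benign control, not something the report recorded."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
ACTIVE_SETUP = r"\Microsoft\Active Setup\Installed Components"
AS_HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node" + ACTIVE_SETUP
# A GUID-named EXE located directly under the Windows directory (no subfolder).
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def winexe(guid):
    return "C:\\Windows\\{%s}.exe" % guid


# (description, created file, creating process), in the order the report lists them.
FILE_EVENTS = [
    ("File created", winexe("3BF3D1FB-E973-44e6-BDBA-24970F7435D4"), winexe("35EE9D55-F650-41ff-AD11-A4D29C60F8B3")),
    ("File created", winexe("B87649AC-2E2E-4144-81F5-34E4C0198C86"), winexe("3BF3D1FB-E973-44e6-BDBA-24970F7435D4")),
    ("File created", winexe("F63FEFC2-79FF-4cf5-A4CC-A12052F15D86"), winexe("6AD6013F-E941-4aac-99A6-13E1F5BAC725")),
    ("File created", winexe("604BFE7E-8D72-4868-8415-2BD7EE83987E"), winexe("FCCC416B-2248-4984-8F67-B901D98E8F67")),
    ("File created", winexe("A1665C2C-634C-42d3-AB6C-6F7DD8D8E871"), winexe("9B8E65DD-0180-41df-8903-910F8314783F")),
    ("File created", winexe("35EE9D55-F650-41ff-AD11-A4D29C60F8B3"), winexe("A1665C2C-634C-42d3-AB6C-6F7DD8D8E871")),
    ("File created", winexe("EB3C8E36-E0B0-40e2-89AC-171CFD078124"), winexe("4B66E4F2-50E4-422c-A65B-9C42C70562CD")),
    ("File created", winexe("6AD6013F-E941-4aac-99A6-13E1F5BAC725"), winexe("EB3C8E36-E0B0-40e2-89AC-171CFD078124")),
    ("File created", winexe("FCCC416B-2248-4984-8F67-B901D98E8F67"), SAMPLE),
    ("File created", winexe("9B8E65DD-0180-41df-8903-910F8314783F"), winexe("604BFE7E-8D72-4868-8415-2BD7EE83987E")),
    ("File created", winexe("4B66E4F2-50E4-422c-A65B-9C42C70562CD"), winexe("B87649AC-2E2E-4144-81F5-34E4C0198C86")),
]

# (description, indicator, process) in the report's registry-row format.
REG_EVENTS = [
    ("Key created", AS_HKLM + r"\{FCCC416B-2248-4984-8F67-B901D98E8F67}", SAMPLE),
    ("Set value (str)", AS_HKLM + r'\{FCCC416B-2248-4984-8F67-B901D98E8F67}\stubpath = "C:\\Windows\\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe"', SAMPLE),
    ("Set value (str)", AS_HKLM + r'\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}\stubpath = "C:\\Windows\\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe"', winexe("9B8E65DD-0180-41df-8903-910F8314783F")),
    # Constructed benign control: a vendor-style stub outside the Windows directory.
    ("Set value (str)", AS_HKLM + r'\{00000000-0000-0000-0000-000000000000}\stubpath = "C:\\Program Files\\Example\\setup.exe /user"', "C:\\Program Files\\Example\\setup.exe"),
]

CMD_LINES = [  # three of the cmd.exe command lines from the process table
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD60~1.EXE > nul",
]


def drop_chain(file_events, root):
    """Walk 'File created' events from the root dropper. Each process creates
    exactly one next stage, so the chain is a cycle-guarded walk over that map."""
    next_stage = {proc: path for desc, path, proc in file_events if desc == "File created"}
    chain, seen = [root], {root}
    while chain[-1] in next_stage and next_stage[chain[-1]] not in seen:
        chain.append(next_stage[chain[-1]])
        seen.add(chain[-1])
    return chain


def active_setup_stubpaths(reg_events):
    """Map Active Setup component GUID to its stubpath for every 'Set value'
    event under Installed Components. Ignores key creations and other values."""
    stubs = {}
    for desc, indicator, _proc in reg_events:
        key, sep, value = indicator.partition(" = ")
        if not desc.startswith("Set value") or not sep:
            continue
        if ACTIVE_SETUP.lower() not in key.lower() or not key.lower().endswith("\\stubpath"):
            continue
        guid = key.split("\\")[-2]
        # The sandbox quotes the value and doubles backslashes; undo both.
        stubs[guid] = value.strip('"').replace("\\\\", "\\")
    return stubs


def suspicious_stubpaths(stubs):
    """Stubpaths that launch a GUID-named EXE dropped straight into the Windows
    directory; legitimate stubs normally point into system32 or a product folder."""
    return {g: p for g, p in stubs.items() if GUID_EXE.match(p)}


def short_name(path):
    """Approximate the NTFS 8.3 alias used by the del commands: first six legal
    characters of the stem, upper-cased, plus '~1' and a 3-character extension.
    Assumes no earlier collision (which would give ~2, then a hashed form)."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = re.sub(r"[^A-Za-z0-9$%'_@~`!(){}^#&-]", "", stem).upper()
    return "%s~1.%s" % (stem[:6], ext[:3].upper()) if ext else "%s~1" % stem[:6]


def resolve_deletions(cmd_lines, known_paths):
    """Map each 'cmd.exe /c del <8.3 path>' line to the long path it targets,
    or None when no known file matches. Directory and alias compare case-insensitively."""
    aliases = {}
    for p in known_paths:
        d, _, _ = p.rpartition("\\")
        aliases[(d.upper(), short_name(p))] = p
    resolved = {}
    for line in cmd_lines:
        m = re.search(r"/c\s+del\s+(\S+)", line, re.I)
        if not m:
            continue
        d, _, n = m.group(1).rpartition("\\")
        resolved[line] = aliases.get((d.upper(), n.upper()))
    return resolved


if __name__ == "__main__":
    chain = drop_chain(FILE_EVENTS, SAMPLE)
    print("drop chain (%d stages):" % len(chain))
    for i, p in enumerate(chain):
        print("  %2d  %s" % (i, p))
    for guid, stub in suspicious_stubpaths(active_setup_stubpaths(REG_EVENTS)).items():
        print("Active Setup persistence:", guid, "->", stub)
    for line, target in resolve_deletions(CMD_LINES, chain).items():
        print("del", line.split("del ", 1)[1].split(" >")[0], "->", target)
```

Two practical points follow from the run: the stubpath check is the durable detection, because the GUIDs change between the Win7 and Win10 runs but the pattern (HKLM Installed Components key whose stubpath is a GUID-named EXE directly under the Windows directory) does not; and writing to C:\Windows and HKLM needs administrative rights, which the sandbox's Admin account supplied, so on a standard-user host the same chain would fail or need a separate elevation step.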
Network
Files
C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
| MD5 | 0675366eb2db2b9fb6c571acc3d3cfff |
| SHA1 | 51220fd63562fed5f193cee5e5e15ea9bdb7dc7b |
| SHA256 | c1ac122ee6e70f72d69a735c0807b49eb8a0f7d4ccd75952668cb1918ca54c50 |
| SHA512 | 84163e2025a22fb50bc7583bf522de5f05a8cf3ffd5e007b5f857fc9bb2bea9f0689761814c1690b0bfb6134b6ea1325a7caa2ea52532b2e5081ab313abf5977 |
C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
| MD5 | 56e50e2b967acbb0d24488c0bc2bbaa2 |
| SHA1 | 1e31b5ebd9426aecb4896f1f69ef0ce1a1a71de9 |
| SHA256 | 1e34c4176ab4509f9ebab70461b2b15686042126f10a9ff6eb484afc95c4afb3 |
| SHA512 | 23e85f75881ad209cd167641ffced90a1fb6c8bb916295d13450c4f0cc66efef21ecb5c743fbdc8e62ce5a5f3abaaa2533535cb48a03e81c1c411c5ced91faca |
C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
| MD5 | 34fb909ad609b13ee3daa35a99c873b2 |
| SHA1 | de387611134d7e4725ff103ddf0992d393d95d37 |
| SHA256 | c796f6da61c8579bdd5b6eac472b7a51589304ee9c94bcf801f22fb3601f40c2 |
| SHA512 | bb1106c3a27dee637a2fb38104d83d863fda18984af1fa87e704b9406574b03efe13e2048d90b3babad3295b49309b5c92307f376825c63f56e61ff7d1322840 |
C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
| MD5 | a1fc6ab812dfad7e48b4feac80539371 |
| SHA1 | 32492210dc4ae2c77b4eb9d950f326bd116235a4 |
| SHA256 | d2de389109edd5717ba1df530db1dfc338239a56f5ed7593c58ab4f6102b4ab0 |
| SHA512 | 02451eb93e5bbbbb8de4371da589089370cbf2098529539d80a2ce8da05b4a2eeb167349dfa67c1208d96c166e0bf4ab7bb36ec3e876e4570f77858ac4328167 |
C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
| MD5 | a157d7c774553e1b30311f41f7dd1bbf |
| SHA1 | 41602061ff4327959b777d13d62cf4cd76095512 |
| SHA256 | b572aa5c03475fc2578f78aa153e4b9e4ff8d16aecefc70f97b0170d868e9f13 |
| SHA512 | b26049a12117b54554b915b5ad6d3a6db8b6d6fe0870e667e903752164e20d2416033b3f1feaa790ae36ed1a86951378cc3fd0693aec52a78bb9059b40b69f50 |
C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
| MD5 | b092c683792194635b29a52de32a0f98 |
| SHA1 | b7c3550c33114e3a61c12a898e162dc93c2658d5 |
| SHA256 | 59cb80853b8ebabcb9bff0d701c353e76850d1870b132d90e9183ae330135bd7 |
| SHA512 | 89653b9f4c69149eaadaff8b17d8c53a93e586bff7df7d0e92e416082b204cf8cf98615e0cf8ffd96458dfd36174ad65fa089252f98cb194e4fc73ae0690a2f3 |
C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
| MD5 | a52714442065a2d688dc9f64a039b659 |
| SHA1 | daaf60b3561163bc1593263ac8568ff319422163 |
| SHA256 | 64f1244b34f6666f0e89c6ed7b8d64d28a518590bc4ba577827839ce7738a1e8 |
| SHA512 | 4bec2ac3cb2a774cf057965929dc4ea1186d3140f9f66157006c73210224ff0b2079a54906e6716b7d2f35b42a6717f7b7bd0ac3b01cd3f3f6d660bd44d68d46 |
C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
| MD5 | c27e58a7d6aaadb450283217e9b8b3e7 |
| SHA1 | 3ece90233252ded4b564826b037db395b9c6a225 |
| SHA256 | e7b1a6eb6b529df898adbcd8a90f18447a77b75452d72d418e7ad3e8aec9e879 |
| SHA512 | 0e9f7511057f7b53f7a68c48bbdfaa396b413d9fabce58d5f4ccf4c612d26aaac8fedc147f17066675511e98958ca97859a713fb964ce734d8155a961b910176 |
C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
| MD5 | cba567da7c2781c136d6b41dd3bcfc5a |
| SHA1 | 4db1a940af3aefd68a6f77301480ea2ecdb5f28b |
| SHA256 | b145bb067e58fdb9e16b0b64371b27601722183a31ec738e4d67b89c227fbb0b |
| SHA512 | 83eb9bce1647de624fa8487cb25f392810889373fa7c5c85e9eb169d3fc6270e2caec04b6c1f2371e17e8bf1f03a6fea7fc4e9141965581b46ff108fe7905955 |
C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
| MD5 | a1cd3f99cfb4b417d3c6b7754a1ff522 |
| SHA1 | 4fb281ea818fcd5d1050043b95961a39110c679f |
| SHA256 | 9d5f1f544ff5756603f1f657c1e0602a72add7a469fc41999f4504b9c26a2239 |
| SHA512 | 53412b9fd5810fd38a3c26a739a169fb60ddda251b4247b8af74add0fbe19075f7196f976123672777a764343e24d3a91e0be4576e222e817793cf3e99cb64c9 |
C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
| MD5 | 09641c994c8200aa5437f719f04eb09e |
| SHA1 | 9bde1f6fd87230b7db3674e60f74b4e1da2ae2d3 |
| SHA256 | 39b2c06abb9b0bd18c7e231ef66816940e54e9e87b4330c7af42935dad7eb035 |
| SHA512 | 16f5e937e298558720f46ffcab51b33b54dad8f96c58c6fa593b947c4288c21a9b9870c067c1a8c746dcd008cf0f326ddcbc236b2d0baa37fce9add86a9a58bb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 13:36
Reported
2024-04-04 13:39
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
101s
Command Line
Signatures
Auto-generated rule
12 hits; no description, indicator, process or target was recorded for any of them.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}\stubpath = "C:\\Windows\\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe" | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA}\stubpath = "C:\\Windows\\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe" | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871}\stubpath = "C:\\Windows\\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe" | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5}\stubpath = "C:\\Windows\\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe" | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C} | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D} | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D}\stubpath = "C:\\Windows\\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe" | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}\stubpath = "C:\\Windows\\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe" | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C}\stubpath = "C:\\Windows\\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe" | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}\stubpath = "C:\\Windows\\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63}\stubpath = "C:\\Windows\\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe" | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}\stubpath = "C:\\Windows\\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe" | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D} | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB} | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096}\stubpath = "C:\\Windows\\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe" | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49} | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5} | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA} | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096} | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C} | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C}\stubpath = "C:\\Windows\\{C7130592-EB19-432c-8743-F6518207F74C}.exe" | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871} | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63} | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A |
| N/A | N/A | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A |
| N/A | N/A | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A |
| N/A | N/A | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A |
| N/A | N/A | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A |
| N/A | N/A | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A |
| N/A | N/A | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A |
| N/A | N/A | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A |
| N/A | N/A | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A |
| N/A | N/A | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A |
| N/A | N/A | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A |
| N/A | N/A | C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | N/A |
| File created | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | N/A |
| File created | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | N/A |
| File created | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | N/A |
| File created | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | N/A |
| File created | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | N/A |
| File created | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | N/A |
| File created | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | N/A |
| File created | C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | N/A |
| File created | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | N/A |
| File created | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | N/A |
| File created | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe" |
| C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul |
| C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{390C9~1.EXE > nul |
| C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC3D~1.EXE > nul |
| C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6E889~1.EXE > nul |
| C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{35484~1.EXE > nul |
| C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{77B3B~1.EXE > nul |
| C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6B397~1.EXE > nul |
| C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C7130~1.EXE > nul |
| C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{65EEE~1.EXE > nul |
| C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9967B~1.EXE > nul |
| C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe | C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{55FB7~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
| MD5 | 8265fb2d362699c97111cff330ad8e99 |
| SHA1 | 732b6e88493dfd42c8502a55a7ebd156d63c8d06 |
| SHA256 | d666db23ac50e90cb6c6e1aae3dd6fd901ef87cadcc1b6e9c9c1a26f28c53be0 |
| SHA512 | ee36c12d09b45ac823bb6ca59cd511209b1c0a8d72e28962acc02ba1eeef81d47892011fec4805b1252892692095d571af2c84c714b683617a5e9e2d692610bb |
C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
| MD5 | e526e4a2593f59769311affc3b0b02d2 |
| SHA1 | 6cd30dfb0653a25cc40c42e277f1a88fcab3d281 |
| SHA256 | 0543db4016a12599366efb1db45e8ec74a4c9b7cfa327c0fa21a81492c9ec718 |
| SHA512 | 6d98799e34814e9bb9740511775c99887deebb680db862516b9b6808cd99a0d1a7818f52fd59ff50d28a1de79655f12fb7ee47a8f6d01cbea3338d4ed373d1fd |
C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
| MD5 | 844d50c4c89bede9dd276f51c24af53f |
| SHA1 | 965852716b051501f6eaf7138c1ff81a211e0288 |
| SHA256 | c91720460de24e0a068b17c1268527ee68b94a72baa343a77a8cadb81452d440 |
| SHA512 | d40600664461506fbe5f92c31828a17b33ef6247fc5e3007b7b283d3f9be7ba0803482ce3cff257131802d02e3683d3a5aa8df91eb6cebdcf6e7b9a55c4a075c |
C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
| MD5 | 35344cdd4fec8f2c620c6da727ed50ac |
| SHA1 | 1ac019fbb4242bd5881049b6333704eeb9dfcc49 |
| SHA256 | fab9206fc22ca16e011794b1b55d7dcf1fffe13004a1241156e8126009827910 |
| SHA512 | 9006b18e4edacefc3eb56ef4442e4769c1064b1913f5500ae2ce31c584a5fdb1e30095b5a8de8103d8efd54718749ca579e37e3248ef7aaced72df04daf6ea38 |
C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
| MD5 | 0fc5bc411ec863b8ef31b6105aaea5a5 |
| SHA1 | fb310ee022b23cbc48a7e7dde5834419aaa0ddbb |
| SHA256 | c98f63875a59f1c63dd73bd0d0e1c0b10ed0d364b6562d3e8573de188cd7cc91 |
| SHA512 | a416e6f4036d1bb4ae13d1296f4b674a141c24f84853aeab059224f5490bb48d65dca0d0aba50610a88b863f7171a46a95b1e4a47604372e91d8442361c923f5 |
C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
| MD5 | 56136e7b56ee670856de4e9cb2190a22 |
| SHA1 | e09af0e74ce9936050582e981a2323232ad82917 |
| SHA256 | 689fab017550d5934070365e508756dfe1363e4097f762f04661df00f298a185 |
| SHA512 | e0a6abfd52de2836dac9a77d669b832e68020fc26a8e6c0c638e1f7f944cd7a0bc56f90ceeb0c9ebedc71fd65f913f935466d45f0a54babd5c8013131847adbf |
C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
| MD5 | 5ce82a24474f84095401df53af2c2f9d |
| SHA1 | f7cd20893e52f00561e983d2e5cc7e2f43727f57 |
| SHA256 | f590d702b28b564c8f8163c4f78270b96d95afee5b9a400f0ecb6f98376c23c0 |
| SHA512 | 15b91f48403e6ceed4c85d760c0cd7927f2952d2fc776da31917c4e6379262cb6517421df3701a8706aef3280a08ba4d7fae32b1fc07fa8b610c7692a5756a1c |
C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
| MD5 | f2ed789e1fb177aab40e689a93be5694 |
| SHA1 | c87de8d8c8285906c23102853853ab87da2e643c |
| SHA256 | 1598692a5290601c6207a36251d20c67bd312e9f36a7d5f7b61a139ced3e7818 |
| SHA512 | 29ecf5451ff7f358747eb5ff76fcaf14883f7ebef0f6cc9b2beea86f68f5eeea387b8420067b91675eaff965b620c4584b39e945ba3cf91b2f7f8d84b2ffeec1 |
C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
| MD5 | a94caab3bd875a3af5ee1ea3d0df44c4 |
| SHA1 | 1241f19ddbe7907ba77aa5d87d3c03c9cb7ebb59 |
| SHA256 | 5e25989b231fd4d3c3372b8c0f5b53883bb4212c108218a81263a7445cd0039e |
| SHA512 | 2dbcd8c870ee8289180ca8167b5eb9f4a7aec3cd3abc4ad37dfdc8afecc96af8c05602d3d6f458bb1bea0fc8df5e46034b95364af81bd67b6f610e39f7ccc17e |
C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
| MD5 | 179a47cd9d052db77702998b9c38b260 |
| SHA1 | c2166afb47f43c535cdeaeea91412730d48a86ed |
| SHA256 | ab62e9ad08bda5ed2e7694e081bf7798f2e0c532594692359e35ed6b116a3f25 |
| SHA512 | 6934cef31e3033f21808245b61ade6af6c698530770cbe8b18afe132ed2a278e40055be969e013f9fbda0cb6df92e12fb098c64481c4cb4bc7f3956a770771ea |
C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
| MD5 | 3d35c5ea4e2c7278f8952c282a3b946e |
| SHA1 | 955cda7fef39bece44bbb5ee4e7d775715928657 |
| SHA256 | a97378bafddac5e66e300a2f88874c459fa0aef360b0de4d4d079fb8fe464225 |
| SHA512 | dee3c78a04cad2145c8537e712541ff89e4c84e2f79ce219b11b89358a3f0a424470fe04a18befaa1dbb34dd548eed425ab95d5cb49c5e8cf37e42699ff27289 |
C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe
| MD5 | 30f036fad0105ddd7dbbfc3d94e7be4b |
| SHA1 | c3145437d0bd8253bfc0316992673d117098cb9c |
| SHA256 | e5bd663b089d25e4d5022ab38afcc28d7f530e269e1e0b83947b013389d7574f |
| SHA512 | d36685449d3564c720d6f9d0d974978e58fb2739ea7003fbe65c7f497e9fa30f6989bbe6a78be1c6818d38828e92aaca475aa77e0e7ee7fd91c4543a6e9b6ca6 |