Analysis Overview
SHA256
bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb
Threat Level: Known bad
The file 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 13:42
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 13:42
Reported
2024-04-04 13:44
Platform
win7-20240221-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF} | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}\stubpath = "C:\\Windows\\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe" | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}\stubpath = "C:\\Windows\\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe" | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA} | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C}\stubpath = "C:\\Windows\\{F64B3978-62CC-461e-8171-248679C9158C}.exe" | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}\stubpath = "C:\\Windows\\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe" | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728} | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}\stubpath = "C:\\Windows\\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe" | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23}\stubpath = "C:\\Windows\\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe" | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF} | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}\stubpath = "C:\\Windows\\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe" | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C} | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E} | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E}\stubpath = "C:\\Windows\\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe" | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E} | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E}\stubpath = "C:\\Windows\\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe" | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}\stubpath = "C:\\Windows\\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe" | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE} | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23} | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}\stubpath = "C:\\Windows\\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2} | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | N/A |
| N/A | N/A | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | N/A |
| N/A | N/A | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | N/A |
| N/A | N/A | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | N/A |
| N/A | N/A | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | N/A |
| N/A | N/A | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | N/A |
| N/A | N/A | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | N/A |
| N/A | N/A | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | N/A |
| N/A | N/A | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | N/A |
| N/A | N/A | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | N/A |
| N/A | N/A | C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
| File created | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | N/A |
| File created | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | N/A |
| File created | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | N/A |
| File created | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | N/A |
| File created | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | N/A |
| File created | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | N/A |
| File created | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | N/A |
| File created | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | N/A |
| File created | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | N/A |
| File created | C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C782A~1.EXE > nul
C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA2E~1.EXE > nul
C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5CF~1.EXE > nul
C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D6B~1.EXE > nul
C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{920BF~1.EXE > nul
C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F64B3~1.EXE > nul
C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE61~1.EXE > nul
C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3963~1.EXE > nul
C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36797~1.EXE > nul
C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94BE6~1.EXE > nul
Network
Files
C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 13:42
Reported
2024-04-04 13:44
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92} | C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}\stubpath = "C:\\Windows\\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe" | C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02D84D4-482B-4001-82EA-403C637B3A85} | C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9} | C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}\stubpath = "C:\\Windows\\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe" | C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F6747F-F8C9-4298-8588-D9659C9693DD} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F6747F-F8C9-4298-8588-D9659C9693DD}\stubpath = "C:\\Windows\\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719367C5-57DE-4bc7-AF55-5C07042C35E3} | C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B} | C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}\stubpath = "C:\\Windows\\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe" | C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D} | C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02D84D4-482B-4001-82EA-403C637B3A85}\stubpath = "C:\\Windows\\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe" | C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}\stubpath = "C:\\Windows\\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe" | C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D38C02C-5582-48c9-A3F0-5F04547529B2} | C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05964B4-1D80-482f-A6F7-1222A98F013A} | C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C94FE4-A674-4342-B33F-0C3AA010BD89}\stubpath = "C:\\Windows\\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe" | C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05964B4-1D80-482f-A6F7-1222A98F013A}\stubpath = "C:\\Windows\\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe" | C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A667538-DBCA-42ff-9E90-7B1A03348C86}\stubpath = "C:\\Windows\\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe" | C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A} | C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719367C5-57DE-4bc7-AF55-5C07042C35E3}\stubpath = "C:\\Windows\\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe" | C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}\stubpath = "C:\\Windows\\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe" | C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D38C02C-5582-48c9-A3F0-5F04547529B2}\stubpath = "C:\\Windows\\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe" | C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A667538-DBCA-42ff-9E90-7B1A03348C86} | C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C94FE4-A674-4342-B33F-0C3AA010BD89} | C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe | N/A |
| N/A | N/A | C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe | N/A |
| N/A | N/A | C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe | N/A |
| N/A | N/A | C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe | N/A |
| N/A | N/A | C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe | N/A |
| N/A | N/A | C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe | N/A |
| N/A | N/A | C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe | N/A |
| N/A | N/A | C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe | N/A |
| N/A | N/A | C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe | N/A |
| N/A | N/A | C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe | N/A |
| N/A | N/A | C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe | N/A |
| N/A | N/A | C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe | C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe | N/A |
| File created | C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe | C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe | N/A |
| File created | C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe | C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe | N/A |
| File created | C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe | C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe | N/A |
| File created | C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe | C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe | N/A |
| File created | C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe | C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe | N/A |
| File created | C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe | C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe | N/A |
| File created | C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe | C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe | N/A |
| File created | C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe | C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe | N/A |
| File created | C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe | C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe | N/A |
| File created | C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe | C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe | N/A |
| File created | C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F67~1.EXE > nul
C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D38C~1.EXE > nul
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0596~1.EXE > nul
C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6A667~1.EXE > nul
C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{54C94~1.EXE > nul
C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{71936~1.EXE > nul
C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF312~1.EXE > nul
C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2A52E~1.EXE > nul
C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C02D8~1.EXE > nul
C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADD6~1.EXE > nul
C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe
C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3F1~1.EXE > nul
Network
Files
C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe