Analysis Overview
SHA256
c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da
Threat Level: Known bad
The file 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 17:49
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 17:49
Reported
2024-04-04 17:52
Platform
win7-20240221-en
Max time kernel
144s
Max time network
127s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73} | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}\stubpath = "C:\\Windows\\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe" | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37} | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}\stubpath = "C:\\Windows\\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe" | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}\stubpath = "C:\\Windows\\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe" | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415} | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A} | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA} | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415}\stubpath = "C:\\Windows\\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe" | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A} | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D} | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}\stubpath = "C:\\Windows\\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe" | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}\stubpath = "C:\\Windows\\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe" | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}\stubpath = "C:\\Windows\\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe" | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}\stubpath = "C:\\Windows\\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe" | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC} | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}\stubpath = "C:\\Windows\\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe" | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B} | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}\stubpath = "C:\\Windows\\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe" | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34}\stubpath = "C:\\Windows\\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB} | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | N/A |
| N/A | N/A | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | N/A |
| N/A | N/A | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | N/A |
| N/A | N/A | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | N/A |
| N/A | N/A | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | N/A |
| N/A | N/A | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | N/A |
| N/A | N/A | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | N/A |
| N/A | N/A | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | N/A |
| N/A | N/A | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | N/A |
| N/A | N/A | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | N/A |
| N/A | N/A | C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | N/A |
| File created | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| File created | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | N/A |
| File created | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | N/A |
| File created | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | N/A |
| File created | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | N/A |
| File created | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | N/A |
| File created | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | N/A |
| File created | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | N/A |
| File created | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | N/A |
| File created | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe" |
| C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{67D77~1.EXE > nul |
| C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{21D7F~1.EXE > nul |
| C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0246A~1.EXE > nul |
| C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7B07F~1.EXE > nul |
| C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{40F7D~1.EXE > nul |
| C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A4020~1.EXE > nul |
| C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B4~1.EXE > nul |
| C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3A856~1.EXE > nul |
| C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{25CDC~1.EXE > nul |
| C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe | C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF97A~1.EXE > nul |
Network
Files
C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
| MD5 | 798b37a5ec6d1894c64137cd814ce2ec |
| SHA1 | 0d2f774073bf7f6cfe5394c154b0c558ba3d16fe |
| SHA256 | 7abefc5775f08409d124fd389511d52109fadbc58582b6fc99f173dd337d8c9d |
| SHA512 | bacef93bc354bed6c545b136db76c8d97a4efbc92567488143028d7f45065e70a671373a379d7c7690c1790ffb9eb5617a2f9f44975d61642697110e9c48bfd8 |
C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
| MD5 | cac5499d8d7f46de07a2698e4b1fca86 |
| SHA1 | 19d9c4bd117e85ae37723d2a2afada8c31a1662b |
| SHA256 | 3e8305fd5178bbb5d310610a4eb810fc13056054b2fae005473a8899c4a1cfbe |
| SHA512 | 86cf60343b8a7876dae1390bea60043480a01a34238dd4309522f99edaca75bc6c4ad6812af5b16e9391c1ababff3d0a56742b0aa4d631ca87763700fa73d1e9 |
C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
| MD5 | db7aa5b7695086d9774eee3006e63e8b |
| SHA1 | ce387f701380657bd05dd3deec5b17f7df94d022 |
| SHA256 | e87fbfe6163185ab64b517e82db03e844a8fa94a67a49d9fdddabc632da4befc |
| SHA512 | f4d4d650dd90f257b5ae3a73e424ea6f268a02e664c5ebbb8c633cdaf282d914270bf6baa63a6431f81e839389f8dcc2f3ba1d20af7250d6c67d2857601af27d |
C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
| MD5 | d483b89cb4f6d4b8fd5a8335dcc7a0f3 |
| SHA1 | 2075abe6509c5bcdd0aae7adbb1755df436edc49 |
| SHA256 | c3721e7798fc5ca40f1dfc7d83f4276433b08ad40926fd0f16230b983130bac4 |
| SHA512 | e5fb251d0a87628fbfd6ae27f9f0bf8535d441101795d9fa9d6e26c487a1a266a952ebc1562b8cce035a99f2e52a18c89ab54704f395bf6ded3815294e5845f0 |
C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
| MD5 | cea25b498077a23ed2c17343e6074acc |
| SHA1 | 16f24ac8ac75238895e9af936aa5f4d67281647b |
| SHA256 | 6089aaee336f57def4afadb9492892de7314c9bfede0ce38807b864c76e17bf4 |
| SHA512 | 778c6dbe8fb6b3fdf0cd884f16d2caa22b4d06fc6d39e3b70bead7093f8a7e9302e84678fbd338c686846700c6ecd1890418a570a64138e6a8e39bd4cb2844d4 |
C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
| MD5 | 12bcccd9444bb6221de6441de11dad82 |
| SHA1 | 20968c1cd024ba741aef164acb60d68314d400d6 |
| SHA256 | 31e2dd275513bfe5ce39b43fe3e082710aaafa08a53c7178e538c0e85cf0ec01 |
| SHA512 | 7d615609abeb3f298da6381004d9c6e421cc2419ff7265c282cbd91737d4b9438ec299ac8a83b36b4ef8418934ecd65fd921ea3c2538fe087b2b169d213c3aeb |
C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
| MD5 | 57f57a7eefcd2b10b298cb3901da8cfa |
| SHA1 | 6681442d56079990ead67be77ee8f41393c7e8c4 |
| SHA256 | 792d25ec4b27b97e02a61059baf4dd82d2c988e03c97edfa8a57f6f8d95b3ca2 |
| SHA512 | dbb0ac5fac4b6352dcefe072e2f115b06c328f4696290234968d0a3f04ec246347a820478b8263f3fb81ce798264ec91003a71599a7c323c25732b3514a6534b |
C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
| MD5 | 7941e23059e3d610f8e728b148b38256 |
| SHA1 | f5dc5bb7715e702689f887d8026e9aeeac01e42f |
| SHA256 | 51af5bbaa8e72224b856bc1927b6aa68c2cbea4426b59768ede6b37290c8f49c |
| SHA512 | 87186d913cad726b250614283ef56a48981f5eda04b1b3b2691b3e9333ef5775c4f824f78cce862076d50ffd2cb0b7d9dbb7494b8d64d5bf9b247ab4139afd55 |
C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
| MD5 | 51d6972bd13f374904d2425fa9260fd1 |
| SHA1 | 5f8ec7f8a516dc33eca8c167d20241c21f14f38f |
| SHA256 | 446dcac08e7116c135c311ecd0ebc6f30b2790be5a3a4f653d424242f2632377 |
| SHA512 | 4e837cf159a8f052bf5d8bfdddf191fd54522af62b15427c3be6417d3ef4cfb386e3c4a2bf80112effa0809bac5bbdae0353a89ed1a11b5d97fae41476d4a781 |
C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
| MD5 | 9a613d3c95f31a3e480d351f8d8645e5 |
| SHA1 | bbb9682bdecb70f4650c19c1b5890ba6467297d2 |
| SHA256 | 15b55173db355edf7a58a1320c4aecd3e3e467b429b57efe82cd706ea8370d21 |
| SHA512 | 1138bd7ab3fef6a77420ef1b3471bfd9f7eb33070796dabf9b0eeb73de6df5f8cd2f2898ea57a5b3febecfe8bd2b2a39a3972e06d26302d4cfe750bd9c19a009 |
C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
| MD5 | a95d460006ccf8acfade824368945f59 |
| SHA1 | 327c70eda9699e50aa41bab1368aa20909ea1dd8 |
| SHA256 | 760679e993412bba2781ded187b6e91aaf8403ab1b5d84d51770e1b6419558a3 |
| SHA512 | d22b0495550830a107cb1529bac2271a91e4a074fae9f2342af800559dd56ec874bfa5827f1e738a1c4389211037be737a9efe6893e478511770745261d2c154 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 17:49
Reported
2024-04-04 17:52
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536}\stubpath = "C:\\Windows\\{8C4F2825-2B7E-4a58-B284-188481186536}.exe" | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439} | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}\stubpath = "C:\\Windows\\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe" | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38} | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581} | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810} | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810}\stubpath = "C:\\Windows\\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe" | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4} | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C} | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2}\stubpath = "C:\\Windows\\{47626205-076F-4679-A319-F56900DB60E2}.exe" | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8}\stubpath = "C:\\Windows\\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe" | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}\stubpath = "C:\\Windows\\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe" | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8}\stubpath = "C:\\Windows\\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe" | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439}\stubpath = "C:\\Windows\\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe" | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C}\stubpath = "C:\\Windows\\{7327239F-91DB-43c0-8952-30548D4F149C}.exe" | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E} | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}\stubpath = "C:\\Windows\\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536} | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8} | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8} | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581}\stubpath = "C:\\Windows\\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe" | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}\stubpath = "C:\\Windows\\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe" | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2} | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1} | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | N/A |
| N/A | N/A | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | N/A |
| N/A | N/A | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | N/A |
| N/A | N/A | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | N/A |
| N/A | N/A | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | N/A |
| N/A | N/A | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | N/A |
| N/A | N/A | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | N/A |
| N/A | N/A | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | N/A |
| N/A | N/A | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | N/A |
| N/A | N/A | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | N/A |
| N/A | N/A | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | N/A |
| N/A | N/A | C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | N/A |
| File created | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | N/A |
| File created | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | N/A |
| File created | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | N/A |
| File created | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | N/A |
| File created | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | N/A |
| File created | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | N/A |
| File created | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | N/A |
| File created | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | N/A |
| File created | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | N/A |
| File created | C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | N/A |
| File created | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe" |
| C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B06E0~1.EXE > nul |
| C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{47626~1.EXE > nul |
| C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CE503~1.EXE > nul |
| C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{749A5~1.EXE > nul |
| C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4F2~1.EXE > nul |
| C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9838F~1.EXE > nul |
| C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8BD~1.EXE > nul |
| C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E4C~1.EXE > nul |
| C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EF021~1.EXE > nul |
| C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B899B~1.EXE > nul |
| C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe | C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B797B~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
Files
C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
| MD5 | bbeeb1fe07132072d41e48cf20d5af1c |
| SHA1 | 4f72a2e1832643cb51f0fe3363c4ec4d65716eee |
| SHA256 | b10c769f001f108fc67ffdf3bbf639df68d5beec5afe04464df2cbd2b096d243 |
| SHA512 | 4d0b6e869b3d77c9e57bc8bfd57dce70d3e0b6cd257c58c889aa6517a58b387fc9f2f2b5a3fc8c5b9a64c2f5575fa70299e35a8c0b842ee2cc69bb4a9cdd3763 |
C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
| MD5 | 3a0ba1bb161ac9b5a21e1284868c8906 |
| SHA1 | 0c8b1791729ec52dec422df49bcee41802ac9775 |
| SHA256 | a55fd6b732eaeb577c8e8a1404c7fdf3ddd2e7542e5ab9ddfbbb1a5e9e19c8c4 |
| SHA512 | 152910767439e1ccecd41a57205b96a03e9a7496bfb7d589463be7f26974e0e3de8f5a93af6efc9a18aa23ee0eddb78894744ad0535c68d834a8d5069079d5cb |
C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
| MD5 | 8a2283a479a1a61e5f4c379a22347a04 |
| SHA1 | dbacf57cedb3bf50ddb68cc6d1b56104482a90c5 |
| SHA256 | 610aec70006a57b54fb5c610242034563ff092abbd3dc81b4086eedc8479ade4 |
| SHA512 | cb01ab652a0cea1a4554aec1b230612d8362b561b8baf874e0152415f0c153c06eccb8e1270200aff7cf4a0d716a9b6c288e291728187aaf2a38c34445c99e93 |
C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
| MD5 | 266050b0429000b5c7b46ea36a48ea56 |
| SHA1 | cd61a72c78cabf3d567e6764853999ab7175794f |
| SHA256 | 1ea58499d6c5f746b768041f7e7c1135f495a34cd53a10c3e58172984f94d98a |
| SHA512 | 393c7d913207b9ab53c88964af7e335a84755b59a6cd571ad3b8135e03c283f4d8f8ee2e03ed6f4bf5879cda573e48e15fac82a07da7147fe8d8f06cde0d13d9 |
C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
| MD5 | 7bde490f92506b270207842ddd9b50a1 |
| SHA1 | 4870d1bf313f422a979ac980e69413f762626ea3 |
| SHA256 | f768a2fee3859324d2b4f97e9aa6945c6795e9ff787384b4add100d86d1f49fe |
| SHA512 | 4e8ad0721515b218573ae87dcfb55c08a7afbd5fc41948bdec6c6bd27434a798c77faef29e7ce9cc9b90cabc7dbde3307ff3dd6006630e11b332bec2f63d202e |
C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
| MD5 | 496d2a05ebfb3c469ebb8f7b1ed09a8c |
| SHA1 | 64f9955dd37dc487cc086e1f64447896483f3c96 |
| SHA256 | f61c5fc72399b1a60924503f3485288399f988d740eec8d47ab3f3839f500113 |
| SHA512 | 3f0969103ecf51969a1d9e89be69d9044bd700341b2d5dc85a00579d4240968a7d2e679776e02ccfd5531fb5e06561a94e619c251b9b3741e3b4124af8069103 |
C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
| MD5 | 2af684362148e8668723d9f866d8eda3 |
| SHA1 | e4de2164d0df780cafe97296e9939435af71d784 |
| SHA256 | d35231bb1bc1ceb5549cb180ba3769ec43cb19dca93230e63cbe57f9b2573d9c |
| SHA512 | 028dd2fbfccd3f60de3cda979f7a485db8780eca2617ba89ec0d2ce03f0c3cb46c41f531a8f82144e67dafd79ae592bb9dc49524040a42369c92e0332eec12f1 |
C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
| MD5 | dadd9905d8d1a8a1d978ca571124964e |
| SHA1 | 3967a07404972c490968704715e8b55954fdf8ee |
| SHA256 | ed68b7363b5d45092fcd99e5486e98fa4eff55bd71b383953d9a91d0107e7d3a |
| SHA512 | d6482c02e20a3be4fa566475d6fb3a7cc427ea40f7cb79e47d5290b10a26fd30fab7ff3f9b90930fe236a6c60ed32db250c86da9af9c987151fc232c63aafaaa |
C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
| MD5 | cd7a50628e66e4596dcb0f9ba10e43bf |
| SHA1 | d7c22edc336f57e834d153de73b5f904ec2c84db |
| SHA256 | a7fba4653fd9d9b6da899775863468a91d79d46f68e1b840190ad689c41d89c7 |
| SHA512 | d21f615501c0f8adeedb9487f65078db19720eb83853d5e5b4e7e97cf8c97a2354ce71999acc4bb7719ddf59b6ef3be970b6ecb2635aaed76a31458616f70fb4 |
C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
| MD5 | 33f38b59f55e7a9b2abb800a0a756297 |
| SHA1 | 12321646e8f9afac759520984ad4bd63e5bd9b76 |
| SHA256 | 31d4f863a0ec42963782462e5b30cbd0a1ada48cf554d218913f79edd0c57466 |
| SHA512 | f25cddcab63a789531d050febf0e59fc95ba139616ff12335157ff08987672531211088cc03859fc05154c1ecef573ea5eb17a07a327419adcdcc19506b940fc |
C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
| MD5 | 6be44d31e500ba4d085abe3bf1e0cc39 |
| SHA1 | e1069ebd6712574841328017806c9c2d4792e613 |
| SHA256 | e97a73b971a4a2764ce0d89c03af68245d63451262ab1bd5c9dd798dbb018767 |
| SHA512 | 5fd2d49296be3185c0f1f8ad70535ea978f58a6f3230f6a09c068dc2820f8cd97d261357c8ccda72d368fe623fcff512f72a35ae9d282367a6ee04b16a1db07f |
C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
| MD5 | c3698d11005c279eed9cb1e1cbd22c1d |
| SHA1 | f7560a045e60567a39de102cf0e7e772c3cebe2f |
| SHA256 | 5bc9a3ca9e861700db6614edbddb0f2c4834b7e1cacecc87a2ad482969ad7009 |
| SHA512 | b8534deaeea5084dad30c019856c4c629f2c8a5baed0f743f706a7965459b674023808393d7010ff42bdf405dac7d49def616065c96926c4996fe9765d69b456 |