Analysis Overview
SHA256
69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354
Threat Level: Known bad
The file 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:38
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:38
Reported
2024-04-06 21:41
Platform
win10v2004-20240319-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325} | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}\stubpath = "C:\\Windows\\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe" | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}\stubpath = "C:\\Windows\\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe" | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}\stubpath = "C:\\Windows\\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe" | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3}\stubpath = "C:\\Windows\\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe" | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6} | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}\stubpath = "C:\\Windows\\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe" | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}\stubpath = "C:\\Windows\\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe" | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561} | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561}\stubpath = "C:\\Windows\\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe" | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}\stubpath = "C:\\Windows\\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe" | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D}\stubpath = "C:\\Windows\\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe" | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8} | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666}\stubpath = "C:\\Windows\\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467} | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3} | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B}\stubpath = "C:\\Windows\\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe" | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3} | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8}\stubpath = "C:\\Windows\\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe" | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965} | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B} | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B} | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D} | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | N/A |
| N/A | N/A | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | N/A |
| N/A | N/A | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | N/A |
| N/A | N/A | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | N/A |
| N/A | N/A | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | N/A |
| N/A | N/A | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | N/A |
| N/A | N/A | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | N/A |
| N/A | N/A | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | N/A |
| N/A | N/A | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | N/A |
| N/A | N/A | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | N/A |
| N/A | N/A | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | N/A |
| N/A | N/A | C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| File created | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | N/A |
| File created | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | N/A |
| File created | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | N/A |
| File created | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | N/A |
| File created | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | N/A |
| File created | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | N/A |
| File created | C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | N/A |
| File created | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | N/A |
| File created | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | N/A |
| File created | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | N/A |
| File created | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2229~1.EXE > nul
C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{943AC~1.EXE > nul
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F69FC~1.EXE > nul
C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD77D~1.EXE > nul
C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A4691~1.EXE > nul
C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{03379~1.EXE > nul
C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{44B3F~1.EXE > nul
C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{064EE~1.EXE > nul
C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56499~1.EXE > nul
C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{191B3~1.EXE > nul
C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00FB8~1.EXE > nul
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
| MD5 | 887611bb37aaefc95bab4d078d051c62 |
| SHA1 | d01d8b6c5b76900d1c23c2cbab1b323adc1b3f6b |
| SHA256 | 33d518d02a0150de36d2a5c64d5f1f50234e48ea190052edbba574a375399073 |
| SHA512 | 2229485b5c791dc117b6439d1e94b81d086ca5472db9390aad79e433c8234173ef458ef6a79ff6cf6a715e30d33e64e0b743426ac00c6095a9c73a4b782ff6c1 |
C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
| MD5 | 73c5337ac5141449eb55bc204317912a |
| SHA1 | 319227bf9b4d978bbfe496802a67df4cc6af9fd3 |
| SHA256 | 7b18ef2fb540e9682432f1ce02059e635106a48deee17a1f20826e23c2682f0d |
| SHA512 | 2968530b0ef244649b40f0e674df9caf408ef04318fe16482ada6087bfb77d0785811a4534dfda40c430a1c9507a66216ddc69b80f4c290f9b5ce09330f43907 |
C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
| MD5 | 9390f36d7e90fe0eace05edc032af3f9 |
| SHA1 | 9c0cee219a4bbd44862e8c884a0eec997b75e5d1 |
| SHA256 | 0eff6419b35c29231ef363908bc3ab496032a513b1b8f8f5a6aee035331051a5 |
| SHA512 | d541c03ee435c7824d8c8266fb386591eb35a591e6021a61051bb37d8efd70adf16c596bc722238d3d4cd1b340484af34e08e666596e8c66a940915a7e3dcf09 |
C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
| MD5 | ff01f72e93b9c1784531e3755fedce3c |
| SHA1 | 32e600631fd9a9de8d76691c60a9f4923a2a447e |
| SHA256 | 5405e3e974a000fab114d71fd42eb6f9a63070a3db0fb1065f266d084bbf7331 |
| SHA512 | 7b9c5c989824a0a8d1b192588ea7b6886825ed7b539b3f32eabe74f5b5c9c2015785f9fc168dbff2e0c98875db6a6dff1162575624b8436ce4b9d38ac151ab14 |
C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
| MD5 | 7d9205e27d90261aa3cea7df75708474 |
| SHA1 | 674912209c7815c755cfae75357743347abc3f42 |
| SHA256 | 383a1a0add457c8c07affc7d42c7350a8474808a25c94ad10c5372343bbfcf11 |
| SHA512 | 85979df49c5f17789d940b8c924c719b1fa93dc2e7e83497332a4fba9beca4616ae2ecb913c2b2a63750e16d8b5bed653d45c392eff0cd3635cc8b20c08546b6 |
C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
| MD5 | 3b4e8a1f6e1c8a12c43e381f22598686 |
| SHA1 | 2ad0890605c9cbbba060dff691790d5df8865de4 |
| SHA256 | 4130b91efd72fe0259b4a95626aead81b4145b993cffee596179e75efd34d8cb |
| SHA512 | 9bd671449c3169602019e03d7637c1c0d8e5a3895fa06c1e628bedb53f26163a3e8489602dfd82f1019347d25c3d7c7d1ee4d2eaaa940e401f4e381bfa0986ae |
C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
| MD5 | 570ab4b81dcf8c188a6c19d79fb7c2e3 |
| SHA1 | 618059626acf1427e916ae1850a1cd29400db13c |
| SHA256 | 82bb9d7f5aa73aba450673caaf69d722e80e0d5bf754b2087a3ed5fde20c2887 |
| SHA512 | 98089631a444adc5807847d6616958cd460da98d68538490db3d8eddac61835958b931c95820cc6535d31287061d81f4be4e5b6955023dd3b86efebd12a63553 |
C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
| MD5 | c24b48c3ac6557e15815464a42254674 |
| SHA1 | 8d18b56971fe377748aa151b9b74a727f9b66fbc |
| SHA256 | 48969e88f95432f3672bbdfbb5909b89824100182edcafe5e4c1ce1cde93239b |
| SHA512 | d5587ef12d68c514963ca5c106aa13ec5b9e1df0dfc41f1e05d57e2eca8760f708032ba8d83be004976f3bfb043da498116db86f27d3e146bb1719072ba6f646 |
C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
| MD5 | 7025e0b7edfcea9cdd346bcd3a991665 |
| SHA1 | ade87526547148340fb4dbf6071630494e033d84 |
| SHA256 | e47da23c2fcea4847aaff9d1fc615fc23ec9aeb0c11f2fe587643834ddd72f67 |
| SHA512 | cecb3a0e5c72b3f072e9538fc31c02c47cf1e645f0b0f8cc02041fb44c33bf35b17731a33aab77bd5cf81ef44564db4b6e77ea914cc92115067d2fb352c0218d |
C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
| MD5 | 2b272c690240919495450b3427dc3e9a |
| SHA1 | 720f1f228cab367707bca34677fbfaa53ec938db |
| SHA256 | 7fa542690232729d30b8fd23d37a7e5e11c90cb8fa63841862290b6bb34cde82 |
| SHA512 | 3c20c5efd2d0050630d21eba534b4ddd8f270d7441158568a96166fa117dd0bdd902ce82c847093420fb6cc3267c53c6694f52594904417c90f702f9bbcf2889 |
C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
| MD5 | 57aa700d1116b61bfa5b237c9382ae99 |
| SHA1 | 173bd07bc03fa86308ed3550b34a84294bab1896 |
| SHA256 | 0fe9bd515988976da82e09658fbb54c2a2f45d3250f18c94b31646cc2924e58f |
| SHA512 | 86d1a78b4739f309546b69a09449cb5f19e47af22a099d341d118e306eb28da5a9dc6a2602026c37a3cdfa566c76507c790bb4630d24c17bc9b52c4f23acc74d |
C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
| MD5 | e1debc602b8ddfec01bc2adb2deec164 |
| SHA1 | 78777ff37514a55cccd358022a2f889c6eda6337 |
| SHA256 | 5861226d0b0eee913159d43f6d4ead3f984b56ac89be272a5470ae94e326a697 |
| SHA512 | fd52a9ad79da533bbcbcd333ddb1e8ee7cf97f73a7d288cb7f039c0edefca715555b21e9675ca24c2b6735ddf5aaa09e06dd7bcb91d41b0284475d47a3a584f2 |
memory/1288-48-0x000001FB42E70000-0x000001FB42E80000-memory.dmp
memory/1288-64-0x000001FB42F70000-0x000001FB42F80000-memory.dmp
memory/1288-80-0x000001FB4B2E0000-0x000001FB4B2E1000-memory.dmp
memory/1288-82-0x000001FB4B310000-0x000001FB4B311000-memory.dmp
memory/1288-83-0x000001FB4B310000-0x000001FB4B311000-memory.dmp
memory/1288-84-0x000001FB4B420000-0x000001FB4B421000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:38
Reported
2024-04-06 21:41
Platform
win7-20240221-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084}\stubpath = "C:\\Windows\\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe" | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B} | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A}\stubpath = "C:\\Windows\\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe" | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}\stubpath = "C:\\Windows\\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe" | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3} | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}\stubpath = "C:\\Windows\\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe" | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD}\stubpath = "C:\\Windows\\{32148707-3305-494f-A23A-AEC08124CDAD}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084} | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}\stubpath = "C:\\Windows\\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe" | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0} | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A} | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}\stubpath = "C:\\Windows\\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe" | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}\stubpath = "C:\\Windows\\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe" | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C} | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5} | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}\stubpath = "C:\\Windows\\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe" | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A}\stubpath = "C:\\Windows\\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe" | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A} | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008} | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2} | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}\stubpath = "C:\\Windows\\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe" | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | N/A |
| N/A | N/A | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | N/A |
| N/A | N/A | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | N/A |
| N/A | N/A | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | N/A |
| N/A | N/A | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | N/A |
| N/A | N/A | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | N/A |
| N/A | N/A | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | N/A |
| N/A | N/A | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | N/A |
| N/A | N/A | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | N/A |
| N/A | N/A | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | N/A |
| N/A | N/A | C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | N/A |
| File created | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | N/A |
| File created | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | N/A |
| File created | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | N/A |
| File created | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | N/A |
| File created | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | N/A |
| File created | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | N/A |
| File created | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | N/A |
| File created | C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | N/A |
| File created | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | N/A |
| File created | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{32148~1.EXE > nul
C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D4613~1.EXE > nul
C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5263D~1.EXE > nul
C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{18989~1.EXE > nul
C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A456D~1.EXE > nul
C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA72~1.EXE > nul
C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0730A~1.EXE > nul
C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD29~1.EXE > nul
C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{69263~1.EXE > nul
C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AC8~1.EXE > nul
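Both detonations (behavioral2 on Win10, behavioral1 on Win7) record the same stage-by-stage pattern: a process drops a GUID-named executable directly into C:\Windows, writes Active Setup\Installed Components\{GUID}\stubpath pointing at it, runs it, and the new stage removes its predecessor with cmd.exe /c del on the 8.3 short name. The script below is an added example, not part of the sandbox report or its rule set. It replays a constructed subset of the behavioral2 events in a tuple layout of my own and reconstructs the drop chain, lists the stubpath writes with a suspicious flag, and resolves each delete command to the stage it removed. The 8.3 short-name match is a prefix heuristic assumed here, not the real name-generation rules.

```python
import re

# Added example (not from the sandbox report). Event tuples are a constructed subset of
# the behavioral2 (Win10) tables above, in a layout of my own: (kind, acting_process,
# detail), where detail is the dropped path, the registry indicator string as the report
# prints it, or a command line.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
S1 = r"C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe"
S2 = r"C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe"
S3 = r"C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe"
ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
STUB_RE = re.compile(r'Installed Components\\(\{[0-9A-Fa-f-]+\})\\stubpath = "(.*)"$')
GUID_EXE_RE = re.compile(r"^C:\\Windows\\\{[0-9A-Fa-f-]+\}\.exe$", re.IGNORECASE)
DEL_RE = re.compile(r"cmd\.exe /c del (\S+)", re.IGNORECASE)


def stub_event(dropper, dropped):
    """Build a 'Set value (str)' event in the report's own indicator format."""
    guid = GUID_RE.search(dropped).group(0)
    escaped = dropped.replace("\\", "\\\\")  # the report doubles backslashes inside values
    return ("reg_set", dropper, f'{ACTIVE_SETUP}\\{guid}\\stubpath = "{escaped}"')


EVENTS = [
    ("file_created", SAMPLE, S1),
    stub_event(SAMPLE, S1),
    ("process", S1, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ("file_created", S1, S2),
    stub_event(S1, S2),
    ("process", S2, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C2229~1.EXE > nul"),
    ("file_created", S2, S3),
    stub_event(S2, S3),
    ("process", S3, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{943AC~1.EXE > nul"),
]


def parse_stubpath(indicator):
    """Return (component GUID, unescaped stubpath), or None if this is not a stubpath write."""
    m = STUB_RE.search(indicator)
    if not m:
        return None
    guid, escaped = m.groups()
    return guid, escaped.replace("\\\\", "\\")


def drop_chain(events):
    """Follow file_created edges starting from the only process nobody dropped (the sample)."""
    dropped_by = {child: parent for kind, parent, child in events if kind == "file_created"}
    roots = [p for p in set(dropped_by.values()) if p not in dropped_by]
    if len(roots) != 1:
        raise ValueError(f"expected one root dropper, found {roots}")
    next_stage = {parent: child for child, parent in dropped_by.items()}
    chain = [roots[0]]
    while chain[-1] in next_stage:
        chain.append(next_stage[chain[-1]])
    return chain


def active_setup_persistence(events):
    """Each stubpath write as (writer, key GUID, stubpath, suspicious). 'suspicious' means the
    stub is a GUID-named exe directly under C:\\Windows whose name reuses the key GUID."""
    findings = []
    for kind, proc, indicator in events:
        parsed = parse_stubpath(indicator) if kind == "reg_set" else None
        if parsed is None:
            continue
        guid, stub = parsed
        findings.append((proc, guid, stub, bool(GUID_EXE_RE.match(stub)) and guid in stub))
    return findings


def short_name_matches(short, full):
    """8.3 prefix heuristic (an assumption, not the real name-generation rules):
    'ABCDEF~1.EXE' matches a long name whose stem starts with ABCDEF and shares the extension."""
    s_stem, _, s_ext = short.rsplit("\\", 1)[-1].rpartition(".")
    f_stem, _, f_ext = full.rsplit("\\", 1)[-1].rpartition(".")
    prefix = s_stem.split("~")[0].upper()
    return bool(prefix) and f_stem.upper().startswith(prefix) and s_ext.upper() == f_ext.upper()


def self_deletes(events, chain):
    """Resolve each 'cmd /c del <8.3 name>' to the chain member it removes (None if unresolved)."""
    out = []
    for kind, proc, cmdline in events:
        m = DEL_RE.search(cmdline) if kind == "process" else None
        if not m:
            continue
        short = m.group(1)
        short_dir = short.rsplit("\\", 1)[0].lower()
        target = next((p for p in chain
                       if p.rsplit("\\", 1)[0].lower() == short_dir and short_name_matches(short, p)), None)
        out.append((proc, target))
    return out


def analyze(events):
    chain = drop_chain(events)
    deletes = self_deletes(events, chain)
    # True when every delete is issued by the stage that immediately follows its target in the chain.
    cleanup = all(target in chain and chain.index(target) + 1 < len(chain)
                  and chain[chain.index(target) + 1] == proc for proc, target in deletes)
    return {"chain": chain, "persistence": active_setup_persistence(events),
            "self_deletes": deletes, "each_stage_deletes_predecessor": cleanup}


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

The same three functions can be fed the behavioral1 (Win7) rows; only the GUIDs differ, the pattern (drop, stubpath, run, delete predecessor) is identical on both platforms. A stubpath whose target is not a GUID-named file under C:\Windows is reported but not flagged, which keeps legitimate Active Setup components out of the finding.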
Network
Files
C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
| MD5 | 190ecf2346d1cf1c06ef7b2568c1b169 |
| SHA1 | f27fb3a360382555204b2326f6e0e68b3c108d36 |
| SHA256 | 600182a0f0903851c273f9ada3acdbf46b981928aaae0b818bd050c748bd490d |
| SHA512 | 4c5243b13a50b797e80edad29a4828af0afe3828199c4aff4af3e2b936ceea61202c381de498378e8857748e89be7afaadd1884af5ae253b7c4499a1e8080e8c |
C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
| MD5 | 9db1deed3fca18618d279513b0b4db91 |
| SHA1 | e86495b346354027b07fb216601428f5c4ea9b72 |
| SHA256 | baa8975c164495389e1abcc302eb19e97350c8447d0d19bed991ae4132979f24 |
| SHA512 | 6e13b855341e41d11ec0a8437432ab5e78d495b562e92e44cb67dede92748245ec50819962614b5a41cfd9c85ede9f861b2898eac491a0f66e5ecf496d6063b2 |
C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
| MD5 | fb81e0977bd32db128c631a40b40017f |
| SHA1 | 33679f47fac44fe2eee18df4572a93d316b400a4 |
| SHA256 | ea00e8f312f87e8f1053ed1045a68ab8c2181b98b1503ca05ac22b5f6110c506 |
| SHA512 | 4e666f6c157e37d3980e7de592cd8311d16f90d29182baaa239c9c2a4007f39513572c8f0a5e3e58eac503aceaa484679afff4d66cc44ccfd2bbeda80427bf41 |
C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
| MD5 | 4d8830f5f658a7d6915f962f4cf5988a |
| SHA1 | b087991b8c1daf93b302bf3b873685985d78eb1d |
| SHA256 | ff80f6d554870899610bedb675a147567d86bbba5284726677e0bfa7e927568f |
| SHA512 | 0a8782cf0b4cc5930cf9a547bc8e99bae8bb1c4e1e98fb075ae7a424e396774a2bacaf8d4a08b21a8b67d30726228edbac8225ef093e355c1cc3441dc57b6f5e |
C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
| MD5 | c7c1b9f3f20a6434b03a2bd1ab17dfaa |
| SHA1 | 3c983702424f15eb34d868ed3a0176fa3559393a |
| SHA256 | c30443bd9c407ab25513f93eb5bb96dee05da2d6effcf0a06530385d05d83d69 |
| SHA512 | b0b3af8dd22926ea8eb1c98111e86719cada262b2a152d59ed4004b2d3bbcf4bd62242893fdb6023e575b81ce68db87655408ae3b0d1c1024c6d9b3db4518246 |
C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
| MD5 | 48335daceca2d6f00a9a62aa59fa60e6 |
| SHA1 | db6c7246029ea1dafc5670ea0aed3cbe8cf0189b |
| SHA256 | a1228f18fb50ab3f62ab97ec04d7e33f242e9d4d849fc61f878c38165abb8aaf |
| SHA512 | 54238c425dfb6f7f9e5b4d92a946fa0975aa2a1bfe363693c87d4b0670c6f5ec15118724aeb04dae60927e62df12ca4997ea962eb9b7877ef6c39aed0ffcef2d |
C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
| MD5 | 0ec921de00125c0e0d29a4a151cce93b |
| SHA1 | 4837eddf7f55b735c305b4bed0ebf0a2cf515bcf |
| SHA256 | 06c3c1803790c4cdacf511664f0e354ab4224341fd5957a208bc7c9393d31435 |
| SHA512 | db33ad44cfe7b785f5a32d30eeb4f60e8147f9e162ebc8c47f2ed484e521207b7344714fa2e1aba22be8f55533fb0d961a8ee90524a0f5fb537653b5add18234 |
C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
| MD5 | b717fae994ac25bebb414a416d5895a0 |
| SHA1 | cb0e64bc03a2df43e60c5ba3cb76ee92674fee0a |
| SHA256 | 9e227a39a161cef1d6e51d57fa690f0d754425d74b90fe73d738ad4849c899a1 |
| SHA512 | 21502dbb78f98985868f3c1c7670979fd5204061b86537d199071f619332d42e5cf791bee3b93b0a22a866b1edd6f80f45d88d544484d9faf4f2e01a835b1ee9 |
C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
| MD5 | 0dbe3f48b6db8372dd88885c02ee2982 |
| SHA1 | 46c4e48c0add4717a248c60d64c54933d04aafd8 |
| SHA256 | a11ea72bfcd6982ba932d182b492349d300d731f978356bb45679ff9c0f8e584 |
| SHA512 | 82fb02b77c322203ccc6c90ad66215c6cbadc9acc4cd737950a6580e6a8c9487acf670dc89bd2ac2ddc971ef9adff3fca68a1d7b940c9eeb21fa0d299a085cf1 |
C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
| MD5 | a390168c82f61a9cad66b1e70d98c0d1 |
| SHA1 | 93e2681e2f28c2e16e71cc7dc716187b6483ff17 |
| SHA256 | 99af0a45597f486cabda6bf6b7847182519389366ae66677ea0840c6e6ee539b |
| SHA512 | d21a3fd57a6f561854e9028c949ea7e1a5456efa032be420e0263f8cdf1a9db603a208171a6febab7ed5a7e3517bc74de3f9c931d9806533f7bd79c60fe06a17 |
C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
| MD5 | 7a7c3f6c91d22f3c99f65de5bc1e4965 |
| SHA1 | a2eb92e01876d1d864aa81a5fb4acbcfd77d1e47 |
| SHA256 | e21d59a0640b3d3f940a09dfff4f49d3c34d7df305edf7e4c8cead8086842dba |
| SHA512 | 8a5994b51ee5a3852d1819f4402bae4dc89d6b2dd9054ae755686438e3fb3d0275aaecdcb324e06f37610a95d564b95c0e7e34c883da7adc19fb5b3047a64f52 |