Analysis Overview
SHA256
90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811
Threat Level: Known bad
The file 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:41
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:41
Reported
2024-04-06 21:44
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550} | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550}\stubpath = "C:\\Windows\\{ED33C418-2F07-4973-B760-12A88137C550}.exe" | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8} | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7} | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8} | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B} | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7} | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D}\stubpath = "C:\\Windows\\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe" | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C}\stubpath = "C:\\Windows\\{2680033C-A89D-471f-9091-39AAECD0687C}.exe" | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}\stubpath = "C:\\Windows\\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe" | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}\stubpath = "C:\\Windows\\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe" | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}\stubpath = "C:\\Windows\\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe" | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D} | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F} | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F}\stubpath = "C:\\Windows\\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe" | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D} | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}\stubpath = "C:\\Windows\\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe" | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F}\stubpath = "C:\\Windows\\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}\stubpath = "C:\\Windows\\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe" | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C} | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713} | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713}\stubpath = "C:\\Windows\\{32F24C0A-1292-4459-813F-39555AB20713}.exe" | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}\stubpath = "C:\\Windows\\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe" | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | N/A |
| N/A | N/A | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | N/A |
| N/A | N/A | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | N/A |
| N/A | N/A | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | N/A |
| N/A | N/A | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | N/A |
| N/A | N/A | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | N/A |
| N/A | N/A | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | N/A |
| N/A | N/A | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | N/A |
| N/A | N/A | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | N/A |
| N/A | N/A | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | N/A |
| N/A | N/A | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | N/A |
| N/A | N/A | C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | N/A |
| File created | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | N/A |
| File created | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | N/A |
| File created | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | N/A |
| File created | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | N/A |
| File created | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| File created | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | N/A |
| File created | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | N/A |
| File created | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | N/A |
| File created | C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | N/A |
| File created | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | N/A |
| File created | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe" |
| C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B92C2~1.EXE > nul |
| C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B8~1.EXE > nul |
| C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ED33C~1.EXE > nul |
| C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8B90D~1.EXE > nul |
| C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BBA~1.EXE > nul |
| C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{26800~1.EXE > nul |
| C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D840C~1.EXE > nul |
| C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{794FA~1.EXE > nul |
| C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{32F24~1.EXE > nul |
| C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5A6~1.EXE > nul |
| C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe | C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B39~1.EXE > nul |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:41
Reported
2024-04-06 21:44
Platform
win7-20240221-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893}\stubpath = "C:\\Windows\\{431A6667-4647-415b-BF7D-1DB71C339893}.exe" | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}\stubpath = "C:\\Windows\\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe" | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A}\stubpath = "C:\\Windows\\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe" | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}\stubpath = "C:\\Windows\\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe" | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}\stubpath = "C:\\Windows\\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe" | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A} | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC} | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5} | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC} | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}\stubpath = "C:\\Windows\\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CDB414-CDF4-4064-9420-EA6CF103F5D1} | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431A6667-4647-415b-BF7D-1DB71C339893} | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}\stubpath = "C:\\Windows\\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe" | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AABE60BD-C741-4afe-9545-1FF019089B7A} | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39} | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{014E8685-45A4-4b53-A26A-E2F47321866A}\stubpath = "C:\\Windows\\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe" | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360} | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0058770B-2F97-4cdf-9061-995DBFC7E360}\stubpath = "C:\\Windows\\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe" | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A368A8-9708-4512-87B1-6603EC5F97FC}\stubpath = "C:\\Windows\\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe" | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5} | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}\stubpath = "C:\\Windows\\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe" | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | N/A |
| N/A | N/A | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | N/A |
| N/A | N/A | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | N/A |
| N/A | N/A | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | N/A |
| N/A | N/A | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | N/A |
| N/A | N/A | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | N/A |
| N/A | N/A | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | N/A |
| N/A | N/A | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | N/A |
| N/A | N/A | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | N/A |
| N/A | N/A | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | N/A |
| N/A | N/A | C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | N/A |
| File created | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | N/A |
| File created | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | N/A |
| File created | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | N/A |
| File created | C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | N/A |
| File created | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | N/A |
| File created | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | N/A |
| File created | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | N/A |
| File created | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | N/A |
| File created | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | N/A |
| File created | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe" |
| C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe | C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe | C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DE330~1.EXE > nul |
| C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe | C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{99CDB~1.EXE > nul |
| C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe | C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{014E8~1.EXE > nul |
| C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe | C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{65A36~1.EXE > nul |
| C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe | C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{36360~1.EXE > nul |
| C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe | C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E5672~1.EXE > nul |
| C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe | C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{00587~1.EXE > nul |
| C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe | C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5E559~1.EXE > nul |
| C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe | C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AABE6~1.EXE > nul |
| C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe | C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CD9~1.EXE > nul |
Network
Files