Analysis Overview
SHA256: 513daa66e0e661c795c71c3edd5813884cf5f491f35eadf2ea7b315616b4688d
Threat Level: Known bad
The file 2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-06 21:55
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-06 21:55
Reported: 2024-04-06 21:57
Platform: win7-20240215-en
Max time kernel: 144s
Max time network: 122s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A128A76D-2ADB-42a0-A9BC-FA696E106711} | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D42573-A596-4575-B447-7B26EFEC4D6F}\stubpath = "C:\\Windows\\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe" | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5} | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}\stubpath = "C:\\Windows\\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe" | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D344A416-A513-481f-8592-F33853B67C08} | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}\stubpath = "C:\\Windows\\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe" | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE} | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}\stubpath = "C:\\Windows\\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A128A76D-2ADB-42a0-A9BC-FA696E106711}\stubpath = "C:\\Windows\\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe" | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}\stubpath = "C:\\Windows\\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe" | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB} | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}\stubpath = "C:\\Windows\\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe" | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50016100-3F94-46ea-9A8F-3DA37099E160}\stubpath = "C:\\Windows\\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe" | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12} | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B69E5D-7645-4370-98E0-F6AF6B67F231} | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B69E5D-7645-4370-98E0-F6AF6B67F231}\stubpath = "C:\\Windows\\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe" | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98} | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3D42573-A596-4575-B447-7B26EFEC4D6F} | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50016100-3F94-46ea-9A8F-3DA37099E160} | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D344A416-A513-481f-8592-F33853B67C08}\stubpath = "C:\\Windows\\{D344A416-A513-481f-8592-F33853B67C08}.exe" | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}\stubpath = "C:\\Windows\\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe" | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | N/A |
| N/A | N/A | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | N/A |
| N/A | N/A | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | N/A |
| N/A | N/A | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | N/A |
| N/A | N/A | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | N/A |
| N/A | N/A | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | N/A |
| N/A | N/A | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | N/A |
| N/A | N/A | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | N/A |
| N/A | N/A | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | N/A |
| N/A | N/A | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | N/A |
| N/A | N/A | C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | N/A |
| File created | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | N/A |
| File created | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | N/A |
| File created | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | N/A |
| File created | C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | N/A |
| File created | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| File created | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | N/A |
| File created | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | N/A |
| File created | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | N/A |
| File created | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | N/A |
| File created | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe" |
| C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe | C:\Windows\{794CBD22-3FEA-41a2-9E81-212A0D5F8DD4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe | C:\Windows\{17B69E5D-7645-4370-98E0-F6AF6B67F231}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{794CB~1.EXE > nul |
| C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe | C:\Windows\{A128A76D-2ADB-42a0-A9BC-FA696E106711}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{17B69~1.EXE > nul |
| C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe | C:\Windows\{8D6B3FB7-5A1D-4b71-BD45-CBC037006C98}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A128A~1.EXE > nul |
| C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe | C:\Windows\{D3D42573-A596-4575-B447-7B26EFEC4D6F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8D6B3~1.EXE > nul |
| C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe | C:\Windows\{50016100-3F94-46ea-9A8F-3DA37099E160}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D42~1.EXE > nul |
| C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe | C:\Windows\{0187CA61-8F86-4497-BC5E-3A3ED106F1BB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{50016~1.EXE > nul |
| C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe | C:\Windows\{D344A416-A513-481f-8592-F33853B67C08}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0187C~1.EXE > nul |
| C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe | C:\Windows\{5651FD45-3300-4bd4-98BF-B5E0EBCBBFF5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D344A~1.EXE > nul |
| C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe | C:\Windows\{4D65C1E1-F07C-4008-B0DA-FDCBB273BC12}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5651F~1.EXE > nul |
| C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe | C:\Windows\{5ADB2278-6DE6-45f9-A9A6-3EEDF5EAF6AE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4D65C~1.EXE > nul |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-06 21:55
Reported: 2024-04-06 21:57
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 126s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CAB263-0F51-4f35-BEDF-1E73F24828C3} | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD} | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}\stubpath = "C:\\Windows\\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB} | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59FC855-73C2-43e3-9B34-4190443FBF6C} | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}\stubpath = "C:\\Windows\\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe" | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2} | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CA11DF-868E-4fc3-B7B9-D38F25577971} | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641C9218-F79D-41da-91E1-97F114414075} | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641C9218-F79D-41da-91E1-97F114414075}\stubpath = "C:\\Windows\\{641C9218-F79D-41da-91E1-97F114414075}.exe" | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37726F-A66A-4c83-8877-C97CC7B5000E}\stubpath = "C:\\Windows\\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe" | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}\stubpath = "C:\\Windows\\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe" | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}\stubpath = "C:\\Windows\\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe" | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59FC855-73C2-43e3-9B34-4190443FBF6C}\stubpath = "C:\\Windows\\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe" | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}\stubpath = "C:\\Windows\\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe" | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8} | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C489379-F0FA-4e81-9A8D-944578CB2085}\stubpath = "C:\\Windows\\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe" | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}\stubpath = "C:\\Windows\\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe" | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37726F-A66A-4c83-8877-C97CC7B5000E} | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}\stubpath = "C:\\Windows\\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe" | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}\stubpath = "C:\\Windows\\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe" | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C489379-F0FA-4e81-9A8D-944578CB2085} | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05CA1B5B-617F-4129-90ED-16E6FE5336E9} | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | N/A |
| N/A | N/A | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | N/A |
| N/A | N/A | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | N/A |
| N/A | N/A | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | N/A |
| N/A | N/A | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | N/A |
| N/A | N/A | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | N/A |
| N/A | N/A | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | N/A |
| N/A | N/A | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | N/A |
| N/A | N/A | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | N/A |
| N/A | N/A | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | N/A |
| N/A | N/A | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | N/A |
| N/A | N/A | C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | N/A |
| File created | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | N/A |
| File created | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | N/A |
| File created | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | N/A |
| File created | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | N/A |
| File created | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | N/A |
| File created | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | N/A |
| File created | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | N/A |
| File created | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | N/A |
| File created | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | N/A |
| File created | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | N/A |
| File created | C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_e438036ce767efd124fb3653b957028b_goldeneye.exe" |
| C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe | C:\Windows\{30495F1D-524D-4bf1-8CBE-D659D8BCEDBA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe | C:\Windows\{27A98EDD-BB1E-404c-8D6B-9C938BE9D0CB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{30495~1.EXE > nul |
| C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe | C:\Windows\{C59FC855-73C2-43e3-9B34-4190443FBF6C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{27A98~1.EXE > nul |
| C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe | C:\Windows\{B6CA11DF-868E-4fc3-B7B9-D38F25577971}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C59FC~1.EXE > nul |
| C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe | C:\Windows\{F6CFD93A-94FE-497c-ADEA-AE35A9C9EFD2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B6CA1~1.EXE > nul |
| C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe | C:\Windows\{641C9218-F79D-41da-91E1-97F114414075}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F6CFD~1.EXE > nul |
| C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe | C:\Windows\{85CAB263-0F51-4f35-BEDF-1E73F24828C3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{641C9~1.EXE > nul |
| C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe | C:\Windows\{FAEBE0D7-CA8E-4246-8768-18D7F4F6CBA8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{85CAB~1.EXE > nul |
| C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe | C:\Windows\{2C489379-F0FA-4e81-9A8D-944578CB2085}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FAEBE~1.EXE > nul |
| C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe | C:\Windows\{05CA1B5B-617F-4129-90ED-16E6FE5336E9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2C489~1.EXE > nul |
| C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe | C:\Windows\{EF37726F-A66A-4c83-8877-C97CC7B5000E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{05CA1~1.EXE > nul |
| C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe | C:\Windows\{7E32A7D9-6FFF-4ad5-A98C-3D0011BCFDAD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EF377~1.EXE > nul |
Network
Files