Analysis Overview
SHA256
f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73
Threat Level: Known bad
The file 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 14:42
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 14:42
Reported
2024-04-06 14:45
Platform
win7-20240221-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}\stubpath = "C:\\Windows\\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe" | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A} | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E}\stubpath = "C:\\Windows\\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe" | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D} | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}\stubpath = "C:\\Windows\\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe" | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656} | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D} | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4} | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}\stubpath = "C:\\Windows\\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe" | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}\stubpath = "C:\\Windows\\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe" | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8}\stubpath = "C:\\Windows\\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe" | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72}\stubpath = "C:\\Windows\\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe" | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9}\stubpath = "C:\\Windows\\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{908FD874-865D-4f44-87FA-699F30C32656}\stubpath = "C:\\Windows\\{908FD874-865D-4f44-87FA-699F30C32656}.exe" | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24607556-3412-454f-86CD-0EB280ED1E1E} | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}\stubpath = "C:\\Windows\\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe" | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0211D33B-49D6-4a60-B177-C3D2076206C9} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6745D736-4401-43cd-A530-9210F5AA488A}\stubpath = "C:\\Windows\\{6745D736-4401-43cd-A530-9210F5AA488A}.exe" | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BC2DED-1225-4577-9A83-B75E4A933FD4} | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB87218E-4D48-491f-A19C-DD567919EE72} | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB6D122B-7A11-4415-B63B-38CB2535F2FC} | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99373C54-02F4-495b-97A9-65C87D956FD8} | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | N/A |
| N/A | N/A | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | N/A |
| N/A | N/A | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | N/A |
| N/A | N/A | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | N/A |
| N/A | N/A | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | N/A |
| N/A | N/A | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | N/A |
| N/A | N/A | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | N/A |
| N/A | N/A | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | N/A |
| N/A | N/A | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | N/A |
| N/A | N/A | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | N/A |
| N/A | N/A | C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | N/A |
| File created | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | N/A |
| File created | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | N/A |
| File created | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | N/A |
| File created | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | N/A |
| File created | C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | N/A |
| File created | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| File created | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | N/A |
| File created | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | N/A |
| File created | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | N/A |
| File created | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe" |
| C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe | C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe | C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0211D~1.EXE > nul |
| C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe | C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{908FD~1.EXE > nul |
| C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe | C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9C87E~1.EXE > nul |
| C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe | C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{64E3B~1.EXE > nul |
| C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe | C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D1~1.EXE > nul |
| C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe | C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6745D~1.EXE > nul |
| C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe | C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{99373~1.EXE > nul |
| C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe | C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{24607~1.EXE > nul |
| C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe | C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BC2~1.EXE > nul |
| C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe | C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul |
Network
Files
C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe
C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 14:42
Reported
2024-04-06 14:45
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246}\stubpath = "C:\\Windows\\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe" | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5} | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5}\stubpath = "C:\\Windows\\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe" | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A} | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2} | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23} | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}\stubpath = "C:\\Windows\\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe" | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC}\stubpath = "C:\\Windows\\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe" | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7}\stubpath = "C:\\Windows\\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe" | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}\stubpath = "C:\\Windows\\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe" | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7} | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7}\stubpath = "C:\\Windows\\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe" | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05} | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923}\stubpath = "C:\\Windows\\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4} | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}\stubpath = "C:\\Windows\\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe" | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}\stubpath = "C:\\Windows\\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe" | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7} | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C} | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}\stubpath = "C:\\Windows\\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe" | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}\stubpath = "C:\\Windows\\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe" | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246} | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC} | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | N/A |
| N/A | N/A | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | N/A |
| N/A | N/A | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | N/A |
| N/A | N/A | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | N/A |
| N/A | N/A | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | N/A |
| N/A | N/A | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | N/A |
| N/A | N/A | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | N/A |
| N/A | N/A | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | N/A |
| N/A | N/A | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | N/A |
| N/A | N/A | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | N/A |
| N/A | N/A | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | N/A |
| N/A | N/A | C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | N/A |
| File created | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | N/A |
| File created | C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | N/A |
| File created | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | N/A |
| File created | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | N/A |
| File created | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | N/A |
| File created | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | N/A |
| File created | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | N/A |
| File created | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | N/A |
| File created | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | N/A |
| File created | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | N/A |
| File created | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe" |
| C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BBA~1.EXE > nul |
| C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{61E6F~1.EXE > nul |
| C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A59D8~1.EXE > nul |
| C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{88A40~1.EXE > nul |
| C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3FF~1.EXE > nul |
| C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{314C4~1.EXE > nul |
| C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{15EC8~1.EXE > nul |
| C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9959A~1.EXE > nul |
| C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{570DF~1.EXE > nul |
| C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B3276~1.EXE > nul |
| C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe | C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D210A~1.EXE > nul |
Network
Files
C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe