Analysis Overview
SHA256
d32e94cc155927325cbfc77b11b484858b78467267dea5486a2c33dad67d9db1
Threat Level: Known bad
The file 2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:52
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:52
Reported
2024-06-03 05:55
Platform
win7-20240221-en
Max time kernel
144s
Max time network
119s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81267C97-6232-4926-A2E6-BDA6A81A1615} | C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA846BBE-CD54-44e8-880B-B24FF40C36BE} | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}\stubpath = "C:\\Windows\\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF300A2D-F9B8-458a-9158-CD5898757131} | C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9} | C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BB6053-1538-498e-888D-2454C4DB0E62} | C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}\stubpath = "C:\\Windows\\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe" | C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81267C97-6232-4926-A2E6-BDA6A81A1615}\stubpath = "C:\\Windows\\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe" | C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA53F5E7-7862-4fa6-9217-B6309E82D047} | C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A} | C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}\stubpath = "C:\\Windows\\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe" | C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2366735B-93C7-4245-92CF-9B836D90F00F} | C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}\stubpath = "C:\\Windows\\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe" | C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6F1B7F-B217-4037-A6E2-290D3EB97899} | C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF300A2D-F9B8-458a-9158-CD5898757131}\stubpath = "C:\\Windows\\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe" | C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA53F5E7-7862-4fa6-9217-B6309E82D047}\stubpath = "C:\\Windows\\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe" | C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}\stubpath = "C:\\Windows\\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe" | C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EF5686-3A97-4e72-8AB8-DE73691E9264} | C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2366735B-93C7-4245-92CF-9B836D90F00F}\stubpath = "C:\\Windows\\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe" | C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BB6053-1538-498e-888D-2454C4DB0E62}\stubpath = "C:\\Windows\\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe" | C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A} | C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}\stubpath = "C:\\Windows\\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe" | C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe | N/A |
| N/A | N/A | C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe | N/A |
| N/A | N/A | C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe | N/A |
| N/A | N/A | C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe | N/A |
| N/A | N/A | C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe | N/A |
| N/A | N/A | C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe | N/A |
| N/A | N/A | C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe | N/A |
| N/A | N/A | C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe | N/A |
| N/A | N/A | C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe | N/A |
| N/A | N/A | C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe | N/A |
| N/A | N/A | C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe | C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe | N/A |
| File created | C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe | C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe | N/A |
| File created | C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe | C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe | N/A |
| File created | C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe | C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe | N/A |
| File created | C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe | C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe | N/A |
| File created | C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe | C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe | N/A |
| File created | C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe | C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe | N/A |
| File created | C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe | C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe | N/A |
| File created | C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe | C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe | N/A |
| File created | C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe | C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe | N/A |
| File created | C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"
C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
C:\Windows\{FA846BBE-CD54-44e8-880B-B24FF40C36BE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
C:\Windows\{FF300A2D-F9B8-458a-9158-CD5898757131}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA846~1.EXE > nul
C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
C:\Windows\{AA53F5E7-7862-4fa6-9217-B6309E82D047}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF300~1.EXE > nul
C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
C:\Windows\{8EC378A5-01FA-4829-B7B1-8827DCE08AC9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AA53F~1.EXE > nul
C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
C:\Windows\{8FDB2D1F-16CB-461d-A75D-06DD08E05D5A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC37~1.EXE > nul
C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
C:\Windows\{2366735B-93C7-4245-92CF-9B836D90F00F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDB2~1.EXE > nul
C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
C:\Windows\{16BB6053-1538-498e-888D-2454C4DB0E62}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23667~1.EXE > nul
C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
C:\Windows\{D5A6B167-FBCB-4f2d-8C04-AF0282376A1A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16BB6~1.EXE > nul
C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe
C:\Windows\{B0EF5686-3A97-4e72-8AB8-DE73691E9264}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A6B~1.EXE > nul
C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe
C:\Windows\{0E6F1B7F-B217-4037-A6E2-290D3EB97899}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B0EF5~1.EXE > nul
C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe
C:\Windows\{81267C97-6232-4926-A2E6-BDA6A81A1615}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E6F1~1.EXE > nul
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:52
Reported
2024-06-03 05:55
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}\stubpath = "C:\\Windows\\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe" | C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0F0170-6B4F-47a5-9267-2F5231398AD9} | C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}\stubpath = "C:\\Windows\\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe" | C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D} | C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD} | C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD6283E-EE52-4450-90E8-2AE68505C77C}\stubpath = "C:\\Windows\\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe" | C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F17EA-7D05-4688-BB77-D889F91CAD31} | C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F17EA-7D05-4688-BB77-D889F91CAD31}\stubpath = "C:\\Windows\\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe" | C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}\stubpath = "C:\\Windows\\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe" | C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}\stubpath = "C:\\Windows\\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe" | C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86307BF9-1763-464c-9C41-C9B961BF4F5D} | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}\stubpath = "C:\\Windows\\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe" | C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}\stubpath = "C:\\Windows\\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe" | C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC569677-4B9E-4e79-B848-5CABD6A75979}\stubpath = "C:\\Windows\\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe" | C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA} | C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}\stubpath = "C:\\Windows\\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe" | C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86307BF9-1763-464c-9C41-C9B961BF4F5D}\stubpath = "C:\\Windows\\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AABAEAE0-19D7-41a8-AC36-84738DAE2044} | C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}\stubpath = "C:\\Windows\\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe" | C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC569677-4B9E-4e79-B848-5CABD6A75979} | C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD6283E-EE52-4450-90E8-2AE68505C77C} | C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1} | C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616126DC-B702-4fcc-972A-8E27CA4F2E3D} | C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9} | C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe | N/A |
| N/A | N/A | C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe | N/A |
| N/A | N/A | C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe | N/A |
| N/A | N/A | C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe | N/A |
| N/A | N/A | C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe | N/A |
| N/A | N/A | C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe | N/A |
| N/A | N/A | C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe | N/A |
| N/A | N/A | C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe | N/A |
| N/A | N/A | C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe | N/A |
| N/A | N/A | C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe | N/A |
| N/A | N/A | C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe | N/A |
| N/A | N/A | C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe | C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe | N/A |
| File created | C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe | C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe | N/A |
| File created | C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe | C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe | N/A |
| File created | C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe | N/A |
| File created | C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe | C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe | N/A |
| File created | C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe | C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe | N/A |
| File created | C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe | C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe | N/A |
| File created | C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe | C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe | N/A |
| File created | C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe | C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe | N/A |
| File created | C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe | C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe | N/A |
| File created | C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe | C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe | N/A |
| File created | C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe | C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_219fdd7a2e799bc73897c15032975d41_goldeneye.exe"
C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
C:\Windows\{86307BF9-1763-464c-9C41-C9B961BF4F5D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
C:\Windows\{0FB008C9-61DD-4e06-8EB2-EB12ACBF54F9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86307~1.EXE > nul
C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
C:\Windows\{AF75CB8B-337F-41b9-8A3D-69E76D30C0CD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB00~1.EXE > nul
C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
C:\Windows\{AABAEAE0-19D7-41a8-AC36-84738DAE2044}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF75C~1.EXE > nul
C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
C:\Windows\{AC569677-4B9E-4e79-B848-5CABD6A75979}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AABAE~1.EXE > nul
C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
C:\Windows\{3AD6283E-EE52-4450-90E8-2AE68505C77C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AC569~1.EXE > nul
C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
C:\Windows\{435F17EA-7D05-4688-BB77-D889F91CAD31}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD62~1.EXE > nul
C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
C:\Windows\{A9B8DD2E-08C1-4138-AA21-8F2E9C2BCB0D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{435F1~1.EXE > nul
C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
C:\Windows\{8209FF4B-FF8E-41f1-9349-62CD65E3C1AA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B8D~1.EXE > nul
C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
C:\Windows\{4F0F0170-6B4F-47a5-9267-2F5231398AD9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8209F~1.EXE > nul
C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
C:\Windows\{4A3C271D-B527-4aef-BAD8-41FC19A14AA1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0F0~1.EXE > nul
C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe
C:\Windows\{616126DC-B702-4fcc-972A-8E27CA4F2E3D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4A3C2~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files