Analysis Overview
SHA256
32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd
Threat Level: Known bad
The file 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:26
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:26
Reported
2024-06-10 04:44
Platform
win7-20240508-en
Max time kernel
144s
Max time network
120s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D}\stubpath = "C:\\Windows\\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E}\stubpath = "C:\\Windows\\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe" | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31} | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702}\stubpath = "C:\\Windows\\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe" | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C} | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C}\stubpath = "C:\\Windows\\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe" | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}\stubpath = "C:\\Windows\\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe" | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773}\stubpath = "C:\\Windows\\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe" | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9} | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}\stubpath = "C:\\Windows\\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe" | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F} | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E} | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9} | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA} | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773} | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}\stubpath = "C:\\Windows\\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe" | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702} | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31}\stubpath = "C:\\Windows\\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe" | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA} | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}\stubpath = "C:\\Windows\\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe" | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9}\stubpath = "C:\\Windows\\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe" | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | N/A |
| N/A | N/A | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | N/A |
| N/A | N/A | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | N/A |
| N/A | N/A | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | N/A |
| N/A | N/A | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | N/A |
| N/A | N/A | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | N/A |
| N/A | N/A | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | N/A |
| N/A | N/A | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | N/A |
| N/A | N/A | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | N/A |
| N/A | N/A | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | N/A |
| N/A | N/A | C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | N/A |
| File created | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | N/A |
| File created | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
| File created | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | N/A |
| File created | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | N/A |
| File created | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | N/A |
| File created | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | N/A |
| File created | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | N/A |
| File created | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | N/A |
| File created | C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | N/A |
| File created | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{10794~1.EXE > nul
C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B303C~1.EXE > nul
C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{028D7~1.EXE > nul
C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{80140~1.EXE > nul
C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1C01C~1.EXE > nul
C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{26D32~1.EXE > nul
C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8441C~1.EXE > nul
C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE8B~1.EXE > nul
C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFFC~1.EXE > nul
C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B88D0~1.EXE > nul
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:26
Reported
2024-06-10 04:44
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DB9891-8343-4caa-822E-60B5E012922A}\stubpath = "C:\\Windows\\{06DB9891-8343-4caa-822E-60B5E012922A}.exe" | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD} | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}\stubpath = "C:\\Windows\\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe" | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}\stubpath = "C:\\Windows\\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe" | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}\stubpath = "C:\\Windows\\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe" | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129BE98C-B259-4ae0-8C01-0C29B501F704} | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}\stubpath = "C:\\Windows\\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe" | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DB9891-8343-4caa-822E-60B5E012922A} | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9} | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}\stubpath = "C:\\Windows\\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe" | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0104825-97CA-4d65-9868-E9DD53927D31} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9} | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6109D2F-6362-4280-9F69-8D09CDA2408E} | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6109D2F-6362-4280-9F69-8D09CDA2408E}\stubpath = "C:\\Windows\\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe" | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}\stubpath = "C:\\Windows\\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe" | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BAF376-0BA0-4a30-8EB2-895B4927877E} | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0104825-97CA-4d65-9868-E9DD53927D31}\stubpath = "C:\\Windows\\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1} | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}\stubpath = "C:\\Windows\\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe" | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811} | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253CEE22-2A53-4b91-B0D5-899E5784A7D6} | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}\stubpath = "C:\\Windows\\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe" | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129BE98C-B259-4ae0-8C01-0C29B501F704}\stubpath = "C:\\Windows\\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe" | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2} | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | N/A |
| N/A | N/A | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | N/A |
| N/A | N/A | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | N/A |
| N/A | N/A | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | N/A |
| N/A | N/A | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | N/A |
| N/A | N/A | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | N/A |
| N/A | N/A | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | N/A |
| N/A | N/A | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | N/A |
| N/A | N/A | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | N/A |
| N/A | N/A | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | N/A |
| N/A | N/A | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | N/A |
| N/A | N/A | C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | N/A |
| File created | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | N/A |
| File created | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | N/A |
| File created | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | N/A |
| File created | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | N/A |
| File created | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | N/A |
| File created | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | N/A |
| File created | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | N/A |
| File created | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | N/A |
| File created | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | N/A |
| File created | C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | N/A |
| File created | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul
C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul
C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4CB~1.EXE > nul
C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8825~1.EXE > nul
C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F50FC~1.EXE > nul
C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{253CE~1.EXE > nul
C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{129BE~1.EXE > nul
C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BAF~1.EXE > nul
C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6109~1.EXE > nul
C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06DB9~1.EXE > nul
C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA2E~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files