Analysis Overview
SHA256
8451a7bc4fb65d5d2c44ff13b148ea4615142cda31224f2146a677ac8c332c84
Threat Level: Known bad
The file 2024-01-25_543370aebd0567663b796279469645c3_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Kinsing
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 15:33
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 15:33
Reported
2024-01-25 15:35
Platform
win7-20231129-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE} | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3880D28-35FD-47cc-B941-16359417AE1A}\stubpath = "C:\\Windows\\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe" | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}\stubpath = "C:\\Windows\\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe" | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4} | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}\stubpath = "C:\\Windows\\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe" | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3880D28-35FD-47cc-B941-16359417AE1A} | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81493773-DB94-41f2-8C83-3E1EFE8623E0} | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD79DCD0-385F-470d-873C-7026A54FFC8A} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD79DCD0-385F-470d-873C-7026A54FFC8A}\stubpath = "C:\\Windows\\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4} | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}\stubpath = "C:\\Windows\\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe" | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF} | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}\stubpath = "C:\\Windows\\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe" | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEF928C-0F7E-4276-941A-12733F135A80}\stubpath = "C:\\Windows\\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe" | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4} | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9} | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81493773-DB94-41f2-8C83-3E1EFE8623E0}\stubpath = "C:\\Windows\\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe" | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F12371-E6DF-4618-9327-F8086AF456B5}\stubpath = "C:\\Windows\\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe" | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}\stubpath = "C:\\Windows\\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe" | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}\stubpath = "C:\\Windows\\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe" | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F12371-E6DF-4618-9327-F8086AF456B5} | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEF928C-0F7E-4276-941A-12733F135A80} | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | N/A |
| N/A | N/A | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | N/A |
| N/A | N/A | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | N/A |
| N/A | N/A | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | N/A |
| N/A | N/A | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | N/A |
| N/A | N/A | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | N/A |
| N/A | N/A | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | N/A |
| N/A | N/A | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | N/A |
| N/A | N/A | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | N/A |
| N/A | N/A | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | N/A |
| N/A | N/A | C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| File created | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | N/A |
| File created | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | N/A |
| File created | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | N/A |
| File created | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | N/A |
| File created | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | N/A |
| File created | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | N/A |
| File created | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | N/A |
| File created | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | N/A |
| File created | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | N/A |
| File created | C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe" |
| C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe | C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe | C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AD79D~1.EXE > nul |
| C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe | C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{00D27~1.EXE > nul |
| C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe | C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D09D0~1.EXE > nul |
| C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe | C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2B231~1.EXE > nul |
| C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe | C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C3880~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B3933~1.EXE > nul |
| C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe | C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe |
| C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe | C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1F34D~1.EXE > nul |
| C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe | C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{81493~1.EXE > nul |
| C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe | C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{41F12~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEF9~1.EXE > nul |
| C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe | C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe |
Network
Files
C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe
| MD5 | 732548a91f5c3dad090ebdc4c70ad04a |
| SHA1 | 2c16b7c766a8f3cbf66b3433e4911fbdd9fb9e86 |
| SHA256 | 34a7b3f902127fc043bf0341376eb55ec6048dfcd7d3b61c7263438c81105500 |
| SHA512 | 10d4004ac5c149bfbf6fc4fe5467ffd3790ec649c24aa0d06654413a8a420da50de932b1b89fd3d5237426999f9088dc2692cb7bd2cf1982897de7da860df777 |
C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe
| MD5 | df5ac492a5c88faf8918e8ca4066ea9b |
| SHA1 | f966b702d3c25b83690f8b3c086d3e3afb2e5ca7 |
| SHA256 | 2ed35a26260778f95278c95768ef1fb294763dfb0ad39782d764777dba9db4c4 |
| SHA512 | 3eacbd5fbbcafa076b779971222bbe75f550fdea515cc3b7b36df6e6b6410c3fa3cd985d974db8be166066b3d5bf028d57181c21ff3d27498ffbe7c471c7c8ad |
C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe
| MD5 | 6fe42ac39f01e5ed548bec7cf6ae3e8a |
| SHA1 | 26ea6f0ab6cd713d077b4b0c7fe040944f4af376 |
| SHA256 | d4f40e5d2589a0cebf5220a27cf985caf88b6691c5cdbf17398078831cd790e5 |
| SHA512 | d73f794cf7069c7db85a79b947dfac2e56e9856d096200c171d52cfb5c5472106f01b76db115db36e76152386fff6609c346f3fbfd7fb50c5a35f8e17c4fd390 |
C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe
| MD5 | 1360d05d59bd1372b12e706e7d7d14be |
| SHA1 | 77cdcb9eb63b5e70ebb968f4598eb25778348cbe |
| SHA256 | 5959dfffa27eb06ac25c270b38e6ce9424650c15498959becfe096578f713d6e |
| SHA512 | 59e9f9c47e920e313dfbcb2b0238cb25f93f63aa4ad74111ab7232c8903fd3c25abfddf45fc3df8e6f2ee34568f860cb94aebcd748ec86ce20bcee261a25fa49 |
C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe
| MD5 | a595b53b01a1f5a8aeab44316a5c53aa |
| SHA1 | 9af361a4dfae2b947864b2d69521e7fe7045bece |
| SHA256 | b10189fe31b95534000941c24910959074e70609e9931e734076dea7c77097ae |
| SHA512 | 899338213878487ee11195e2d330d13952bb0c12de5e35ccf0aff2b7b4a9325c80e67ec527a7ad76c7a853e62818158d7ae5233a2d71b7c1379e84f780cfb511 |
C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe
| MD5 | 064e64f3291d3962b40c22ecc4c741c1 |
| SHA1 | de1392e42e9bbe86c73723ae6f4d8fb011cf34ac |
| SHA256 | 1c945b0169c24a02397d2ca86dfcdc314e9c9a2b31444555c88e62872ca6a151 |
| SHA512 | a08d732e115a0cd056ed9cee3bbb169897b72321607ff7d68161ed83653d7c22801660afdfa1a51ff4c787ed66ea017eeb16e74683760d4e8ff7f93012690791 |
C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe
| MD5 | 247cf5ee8345efcac9674ef81c1f6054 |
| SHA1 | d0ef36ea4257bd270d1b33146ac7b0b654faac06 |
| SHA256 | eb796f7b295a29220ce8cc21dacc6811730165970326fdcfb1354bf722273ca7 |
| SHA512 | 8c696ad639f4cfa2a52517b2c43e644b4c485bd474954538f0d24b78069fd9d4687c87eb5c042a9464236d2d002f0ea81de71ae7ee9d10a6ec495c1cfc63a678 |
C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe
| MD5 | 054b7033adfe351dcc80da1675929428 |
| SHA1 | 23bcbd9245a94f697f738738b26605b7733e66fe |
| SHA256 | 18df449258e402586f10528b78b90420a59585e9e57fdbbbc2a6b373f78271f4 |
| SHA512 | 268bb99a7d11522c77c8c55259b84fb941a76e877a9d6bc0c6a90ac669aa3c3c5a149cd3e00bc727c7e8aa8c17c1c962967b83e2e227b3bf87c9e38159ceffbc |
C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe
| MD5 | d687d89464b90631a61978fb8d99a66a |
| SHA1 | f49961973fe784c4317804048420a03850458e93 |
| SHA256 | 5b11daa82aa383d7bf6f9c6ca2c96ea7d1f433fb77ecbb32e860d1c90482282d |
| SHA512 | e6dcadddc8b634282a4d2faed5151f03fbcf49caa9d969a1decb42429c99d0eda8c87e76a0b49ddb25d564355b363af8adce40394cf7646c3e7233a857ebdd78 |
C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe
| MD5 | 3c217ceead78dd4cf0ee8c5603548e37 |
| SHA1 | 64b0efe122d8ad1472a98bba8ae95e3194fcaac7 |
| SHA256 | a39460f392d6cd4f420be6e09c6235797b8c04ca448fc6b1655788844a79ada5 |
| SHA512 | f082689658cdf4cf9c2088db823410c80bec60cdd84d0d565009787e23c1a0b5bb2769ce75edf25ed0d7e3964b3a3406bc93cdf7864c3caf18f9fb5331d65eaa |
C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe
| MD5 | e9c3e3c6fbba1349722856ef7049a48b |
| SHA1 | 6e3b0233c86acf449ce6d099671ceaae27280ab3 |
| SHA256 | cd78671337803e94192ad26325c00c6dee19bd44f39d2c0502e72e586a0b82f7 |
| SHA512 | f2246c8b753faadcc379761060376f64c9e2fdb86cabf40b0125d5538b492798e2a4ba6c2365fb739e7313e0d95fc8f523da143b58f981f00b331b75d90fccdf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 15:33
Reported
2024-01-25 15:35
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Kinsing
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9345FE6F-26A0-4b95-9E5F-22111FD928A0} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74EA0D4-245B-46fd-81A8-16A54F38C66E} | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC} | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877A13DB-26E0-45d2-97F3-88800F241ECE}\stubpath = "C:\\Windows\\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe" | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10628B35-15DA-4a66-BB73-A6E17CB20A12} | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}\stubpath = "C:\\Windows\\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe" | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}\stubpath = "C:\\Windows\\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe" | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877A13DB-26E0-45d2-97F3-88800F241ECE} | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68474-7A50-4708-8D90-285F8E96A42E}\stubpath = "C:\\Windows\\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe" | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8EB071-039F-4452-9645-2222B8EE8AD6} | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35} | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}\stubpath = "C:\\Windows\\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AA31-708D-4f53-8B34-1158D1B95248}\stubpath = "C:\\Windows\\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe" | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68474-7A50-4708-8D90-285F8E96A42E} | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8EB071-039F-4452-9645-2222B8EE8AD6}\stubpath = "C:\\Windows\\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe" | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA} | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}\stubpath = "C:\\Windows\\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe" | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44260CDA-6C02-4d8a-9F60-A4D4514001B9} | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}\stubpath = "C:\\Windows\\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe" | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6} | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}\stubpath = "C:\\Windows\\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe" | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}\stubpath = "C:\\Windows\\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe" | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AA31-708D-4f53-8B34-1158D1B95248} | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10628B35-15DA-4a66-BB73-A6E17CB20A12}\stubpath = "C:\\Windows\\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe" | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | N/A |
| N/A | N/A | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | N/A |
| N/A | N/A | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | N/A |
| N/A | N/A | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | N/A |
| N/A | N/A | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | N/A |
| N/A | N/A | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | N/A |
| N/A | N/A | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | N/A |
| N/A | N/A | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | N/A |
| N/A | N/A | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | N/A |
| N/A | N/A | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | N/A |
| N/A | N/A | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | N/A |
| N/A | N/A | C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | N/A |
| File created | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | N/A |
| File created | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | N/A |
| File created | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | N/A |
| File created | C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | N/A |
| File created | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | N/A |
| File created | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | N/A |
| File created | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | N/A |
| File created | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | N/A |
| File created | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | N/A |
| File created | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | N/A |
| File created | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe" |
| C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe | C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe | C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9345F~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{44260~1.EXE > nul |
| C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe | C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe |
| C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe | C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EC3E9~1.EXE > nul |
| C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe | C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B74EA~1.EXE > nul |
| C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe | C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{38D0A~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{02A5F~1.EXE > nul |
| C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe | C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe |
| C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe | C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF8F~1.EXE > nul |
| C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe | C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{877A1~1.EXE > nul |
| C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe | C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D68~1.EXE > nul |
| C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe | C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{10628~1.EXE > nul |
| C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe | C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4F8EB~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe
| MD5 | 5c7fa23e346b7a0f403fd6b7e45f54eb |
| SHA1 | 80da288545b01d4c6636cf0733775d329ef8dec4 |
| SHA256 | 71d631b09ddeaffac462efe7295c8379c71e2749c5fe24c7fa99ef04b2d9f675 |
| SHA512 | b359a6fd1cf650f6f8643fc658bc1aace0bc19c35fc1dd2ab8729fcd3fd9923bb39e0f656240cb8e5e1e3e0e0b75e1a029c66ce4ab9ff3987926f2f4b4bab783 |
C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe
| MD5 | 1ff2b6616482de34ae61a39eb8567249 |
| SHA1 | 54db2744add2157ef6d20cb1a210fbc29291a4aa |
| SHA256 | aa5829caa7c8005bef9112e246a29367fa818e04a728c68071565ea169abd57b |
| SHA512 | 39a4321129d59ccf3c4ab113d80d474615c85444f735ec737f58be5dbcf1e5dfb8ec5f24d58410799086ffd324803e67ffb3d25c9389fc2c6ae5352f3995e4d5 |
C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe
| MD5 | 5e43ea9d5051ef35b3b96f4f1d87b3be |
| SHA1 | 3a5adc95fcad2509c330bb8593647cd02145cf1c |
| SHA256 | 261d1874a7f5ccb16eecee6e26e841966eb0de153a6c5b13a29221503f79e1bd |
| SHA512 | 437b9903af4c7ee573b6c058b9ff617b32469cd047d6cb186fbc6f60a96c16df5e072e69a71590cd2c4e911b8c8b531ffdf11253ce78264bd2d990f12e2f96a6 |
C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe
| MD5 | 2d2039f76d54da16b003674fc02a0529 |
| SHA1 | 43319b5345484b21adb8550e6eab752f55485f8e |
| SHA256 | d408fc1e9f4448c293e4c525b94f0757129e34cbac01ef63183cb990f3ae69e5 |
| SHA512 | 1c0a1c756707cb82ea591bdd330946dd78726c190c403ccd293eb51176728df9fbfff5c0cde2ab99c05e0381baf1a8567abc7185e043460c542ccfb3ac06870a |
C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe
| MD5 | b935303f59721dc2b83c1917fb36a15a |
| SHA1 | b2ec1859d611b12d77281d27bc5e717bcf18dcef |
| SHA256 | f18e262d6276e1ca7ffbc0aa07c7d4cf2fc27bcb170abb676cd6b677e1c3c721 |
| SHA512 | dcc4b7187aa5a16dbfa8ad0183587beca9bbfe594e10c1ebb94acf404393a5830fc2b6c3e88c249971ea424978bd8468c9b50687f4569ca29ee3078eec67f1ca |
C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe
| MD5 | c6d20dd14b1974025ccc2136644f94a1 |
| SHA1 | 9f1b23da1a0fa81f8203f0721c80b1ca3e9b2a40 |
| SHA256 | 81934ed817611180edbbfb31ed41db82578b7798cb405f020e7a9f8603f372a7 |
| SHA512 | 118d4dc2b3b13c898dec38b9c303df9fde907d65114652d00b03f053668b3de4507e26111c3e444045965a8b35658c2b2fa10546c4371bbc8946870211a0fdfa |
C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe
| MD5 | 67fa85453242b30405f6c8b6faa923b4 |
| SHA1 | 2eaa48403777c167cd24c0a2285f60899a60a793 |
| SHA256 | e6c96122e53e156ed3a660efdbe119a30f453c86b00bb54c45a9d697865a48a4 |
| SHA512 | 02aabc715f45533a7729fb16e994b71bc3a30768f00e7f8d2510fc42c915a589ba383818b4e7fe41e480a881303f259c6864ed20ca744ee5b78a597147e1310f |
C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe
| MD5 | e650135ae093c96f30ff6ab14c76ee6a |
| SHA1 | e837cddc42a7c9c6fe084c91a47174d6bb75cea3 |
| SHA256 | 6686c14c497813c085b37d130d3124c178f0a62405129fdd06db3f9eb763b33f |
| SHA512 | da399ffe3ab626765ffbad74406febdffd6d4368bb497f3fefe0a872326cd4dab716ea4b5eff442794689d86a0acab92f45967acb2ff557abd4c51569814eda7 |
C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe
| MD5 | 9689c069a4adfd5aff1d4e63b87e67a5 |
| SHA1 | c8029b04568130fddcc9222db8761684043743f2 |
| SHA256 | 1116d66fe44794a9b2078102e766e5f9df38bae5d569da4ee8ef9f84574468cf |
| SHA512 | f238e016d63d333c2fc6a53b258aee8d699f31b1ab3b2c72c4f304b7155e975e1918b150f6f65831efae1ee8a4b06fe97f92be513ec3bda442da3e3ecd354d5b |
C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe
| MD5 | c4a79693e710130feb7878f740a3f619 |
| SHA1 | aca9480a5d91f4555f7df12eb10461d9386f0481 |
| SHA256 | 17d33c9bdfe19cad3caedfae62b3977cd3c60740a8702839677188fbfcdefa15 |
| SHA512 | 5f3c40e0b5c0d7a65267c89209f0c494c1b51ac88b4536d830f5534f2f60a4f311633aba5255bb84086c4f342ec1835fc4237ffec9d16f7316a81101412c8336 |
C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe
| MD5 | 794c800dd3938efa772d24903c94d955 |
| SHA1 | 361a75566110fa574ff28b5f531d73c82e29b286 |
| SHA256 | d6715f2b4fa2cd7d7bea2b04b9bff3ac100f232e39943ee2701b7cc930011243 |
| SHA512 | 8e900206e726f238b797e5f274d73adc0e2c3b8168b5f7f65016fb5f5a190395a2371a3f365bd8bac020f54194c9eff2fe54301e02dca18c135337b8d5cb7c90 |
C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe
| MD5 | 0d96c697beb6855e49bc2045b1a03470 |
| SHA1 | 4ac14e0ee0cfa97c2939c844ef1db8fbafe021a8 |
| SHA256 | 7492f6d180d28177ca5eae4feb42504d2d52852b88ceef86fca766c23a4b5704 |
| SHA512 | 8a919995a048d03e3ea56782f786797a9a5a3b6675ed23ee626a2ee93bb685f31853f7215be091b6b2e619dca5e88c561ba409ce5e9a47a860a9357c1c1b6d35 |
C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe
| MD5 | 8d36ede9e13bd45a674f5494b97670b7 |
| SHA1 | d5b1ebe414cd8d35408e12931ec0ace2867cefac |
| SHA256 | 7a6d48d2df62c6d44df0fda1d460d2f13cb652455e211d3898ea9498a669198e |
| SHA512 | dfb2e68f94ffe6001b6076001b7e9dfb625ff4d9e9e0d99ad35e02b176cb43affa063cb11e909c17a4c2f78332f9ae69a3e53d50056470191ea8e28fed8ea70b |