Analysis Overview
SHA256
6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8
Threat Level: Known bad
The file 2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye was found to be: Known bad.
Malicious Activity Summary
Kinsing
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:32
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win7-20231215-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Auto-generated rule
11 matches; the rule records no description, indicator, process or target.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2}\stubpath = "C:\\Windows\\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2}\stubpath = "C:\\Windows\\{17D57832-8389-4759-8B99-C609C534F0D2}.exe" | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64}\stubpath = "C:\\Windows\\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe" | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866} | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397} | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252} | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866}\stubpath = "C:\\Windows\\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe" | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37} | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2} | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9} | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9}\stubpath = "C:\\Windows\\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe" | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42} | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}\stubpath = "C:\\Windows\\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe" | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667}\stubpath = "C:\\Windows\\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe" | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64} | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}\stubpath = "C:\\Windows\\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe" | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}\stubpath = "C:\\Windows\\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe" | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5} | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}\stubpath = "C:\\Windows\\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe" | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}\stubpath = "C:\\Windows\\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe" | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667} | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | N/A |
| N/A | N/A | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | N/A |
| N/A | N/A | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | N/A |
| N/A | N/A | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | N/A |
| N/A | N/A | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | N/A |
| N/A | N/A | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | N/A |
| N/A | N/A | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | N/A |
| N/A | N/A | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | N/A |
| N/A | N/A | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | N/A |
| N/A | N/A | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | N/A |
| N/A | N/A | C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | N/A |
| File created | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | N/A |
| File created | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | N/A |
| File created | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | N/A |
| File created | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | N/A |
| File created | C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | N/A |
| File created | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | N/A |
| File created | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | N/A |
| File created | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | N/A |
| File created | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | N/A |
| File created | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe" |
| C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E54~1.EXE > nul |
| C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{17D57~1.EXE > nul |
| C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF80~1.EXE > nul |
| C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{06622~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B0111~1.EXE > nul |
| C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{72F85~1.EXE > nul |
| C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{397F0~1.EXE > nul |
| C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{74F4C~1.EXE > nul |
| C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD9D~1.EXE > nul |
| C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe |
| C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe | C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7B943~1.EXE > nul |
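The registry, file and process tables above describe one chain three times over (an Active Setup subkey, a dropped GUID-named executable and a cmd.exe deletion per stage), but the rows are listed in arbitrary order and the deletions use 8.3 short names. The following added example, which is not part of this report or of any sandbox vendor's tooling, parses the behavioral1 "Set value (str)" rows and cmd.exe command lines exactly as they appear on this page, rebuilds the chain from the submitted sample to the final stage, checks that every Installed Components subkey is named after the executable its stubpath launches, and maps each short name in the del commands back to its long file name to find which stage was left on disk. Assumptions are the report's four-column row layout and the Windows 8.3 naming rule (first six characters of the stem, then "~N", then up to three extension characters); the "~N" counter cannot be recovered offline, so ambiguous prefixes are reported rather than guessed.

```python
"""Reconstruct the drop chain, Active Setup persistence and self-deletion
recorded in a sandbox report.

Added worked example; not part of the original report and not a sandbox
vendor's tooling. STUBPATH_ROWS and PROCESS_LINES are copied from the
behavioral1 (win7) section of this page; the regexes assume that report's
"| Description | Indicator | Process | Target |" row layout.
"""
import re

# "Set value (str)" rows of "Modifies Installed Components in the registry".
# The page lists them out of order; build_chain() recovers the order.
STUBPATH_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2}\stubpath = "C:\\Windows\\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2}\stubpath = "C:\\Windows\\{17D57832-8389-4759-8B99-C609C534F0D2}.exe" | C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64}\stubpath = "C:\\Windows\\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe" | C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866}\stubpath = "C:\\Windows\\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe" | C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9}\stubpath = "C:\\Windows\\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe" | C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}\stubpath = "C:\\Windows\\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe" | C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667}\stubpath = "C:\\Windows\\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe" | C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}\stubpath = "C:\\Windows\\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe" | C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}\stubpath = "C:\\Windows\\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe" | C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}\stubpath = "C:\\Windows\\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe" | C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}\stubpath = "C:\\Windows\\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe" | C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe | N/A |
"""

# cmd.exe command lines from the Processes list (8.3 short names, as logged).
PROCESS_LINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E54~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{17D57~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF80~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{06622~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B0111~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{72F85~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{397F0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{74F4C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD9D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{7B943~1.EXE > nul
"""

STUBPATH_RE = re.compile(
    r"\|\s*Set value \(str\)\s*\|\s*\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432NODE\\"
    r"Microsoft\\Active Setup\\Installed Components\\(?P<clsid>\{[0-9A-F-]+\})"
    r"\\stubpath = \"(?P<stub>[^\"]+)\"\s*\|\s*(?P<writer>[^|]+?)\s*\|",
    re.IGNORECASE,
)
DEL_RE = re.compile(r"cmd\.exe /c del (?P<path>\S+) > nul", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_stubpath_rows(text):
    """Return (clsid, dropped file, writing process) triples as basenames."""
    out = []
    for m in STUBPATH_RE.finditer(text):
        stub = m.group("stub").replace("\\\\", "\\")  # the report escapes backslashes
        out.append((m.group("clsid"), basename(stub), basename(m.group("writer"))))
    return out

def build_chain(rows):
    """Order writer -> dropped edges into one path, root (submitted sample) first."""
    drops = {}
    for _clsid, dropped, writer in rows:
        if writer in drops:
            raise ValueError(f"{writer} drops more than one file")  # a fork, not a chain
        drops[writer] = dropped
    roots = set(drops) - set(drops.values())  # writers nobody dropped
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    chain = [roots.pop()]
    while chain[-1] in drops:
        nxt = drops[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in drop edges")
        chain.append(nxt)
    return chain

def resolve_short_name(short, candidates):
    """Map an 8.3 name such as '{B2E54~1.EXE' back to the long name it abbreviates.

    Windows forms the short name from the first six stem characters, '~N' and up
    to three extension characters; '~N' cannot be recovered offline, so an
    ambiguous or missing match returns None instead of a guess.
    """
    stem, _, ext = short.upper().partition(".")
    prefix = stem.split("~", 1)[0]
    hits = [c for c in candidates
            if c.upper().startswith(prefix) and c.upper().rsplit(".", 1)[-1][:3] == ext]
    return hits[0] if len(hits) == 1 else None

def analyse(stubpath_rows, process_lines):
    """Chain order, key/file consistency and which stage was left on disk."""
    rows = parse_stubpath_rows(stubpath_rows)
    chain = build_chain(rows)
    deleted = [resolve_short_name(basename(m.group("path")), chain)
               for m in DEL_RE.finditer(process_lines)]
    return {
        "chain": chain,
        # each Installed Components subkey is named after the file its stubpath runs
        "keys_match_files": all(d[:-4] == clsid for clsid, d, _ in rows),
        "unresolved_deletes": deleted.count(None),
        "survivors": [n for n in chain if n not in deleted],
    }

if __name__ == "__main__":
    for key, value in analyse(STUBPATH_ROWS, PROCESS_LINES).items():
        print(key, value)
```

On this page's data the chain is twelve stages long, every subkey name matches its stubpath target, all eleven del commands resolve unambiguously, and only the final stage ({A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe) is left undeleted within the recorded run. Because Active Setup runs each HKLM Installed Components stubpath once per user at logon, that surviving executable is the persistence point to hunt for; the earlier stages are gone from disk, but the report records no removal of their registry subkeys, so those keys remain as artefacts.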
Network
Files
C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
| MD5 | f8636bd5f0ea0f40855002d55bc9d191 |
| SHA1 | f18ff5b31deb7a78ccfa4cdd3e37bf372507c725 |
| SHA256 | 9b604c022fe5dbc51e32ad297d3c5d9c8766afb62ddc246bc0d73bf7f3d47835 |
| SHA512 | ca0277e35810334dc8e603aa3af0d9b358d7df50a692174ea1fc07b0fb012dea2c3ec6706a6efa2302199435f48b9946085151779349c661a8c2df803b174225 |
C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe
| MD5 | 13e5638cb853afdf634c507892bcd9be |
| SHA1 | c9744ac7b973f14149586bf3668ac36c36a4d92f |
| SHA256 | 58a961686c46b416a22ef01152c054580723e70bee485b095676bf262c530979 |
| SHA512 | 91139837225f675bede0135b63c185f817d1f39244507a3913573a87a21c944c813835cac57ba935065cba457de0a16f4288d3a3465e5dcd15ef071b7c8872b2 |
C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
| MD5 | 5d3683ea4b9dc89da03598960b730747 |
| SHA1 | 4deb700b70309b04d992159d3be5e4589f69a1dd |
| SHA256 | 266454793ae27281d2c381985b653ddb3f7a4fdd9c7bf8e4a60f039948178653 |
| SHA512 | 7dcbf9cd5f7c24228b10a5bbf680bb26dd012e14863369409e8951abd84d3a54553771ac1d9de84a32ea22d155381876a6d500831865414f15f983469174fe42 |
C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
| MD5 | d194c922e63c9823f2aec3f23e1fd91b |
| SHA1 | 8024adb3219593497734a398f8e4876740a4c973 |
| SHA256 | 4a9a8116e0f33f5190f0a31842691656856571de27d370fe1b5903a0a8b68124 |
| SHA512 | d85f32ea3783b61c4fdcbd252ed6159a4e3629e6832b8c28e431ad4ba2d58cadba6b8af664f8b29471949027059d3ab3886020059e33dc432c85f4b0fff6e92a |
C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
| MD5 | 77ebeaf1c77cd232f5d58e301c9c9a0c |
| SHA1 | 7221fa6e5aa9ea1c8a828fcbf4cb19ff5cc0d025 |
| SHA256 | f1581e4e0e67803159d8cbfae61985440f61a6b5142f3bd7dd8aabdf083cff15 |
| SHA512 | cfa8ea3a5822440a9ea372f9511ac11487350e5ebeac8a86e2c9820f5442d5fd3d07eb52e6c2835efcfbef809f87d4480b8874e68d1d2e5f0b6e0ae2e47a68e3 |
C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
| MD5 | b9f74aaf1c760a0381dee1072dfac1f7 |
| SHA1 | c99f3f4ec55b44ae54fc9ecbcdd33352d14ab1d5 |
| SHA256 | ab86044dc4279ec48e3ebcecf6966ffdcc22bfde932511a10086bd385fe5d1ce |
| SHA512 | 8b17889ac385e5d5fb8f8d334a04f33f0f2b2e038fa943da77f9cb4cb782ee4798cdb50bb59fb31c8877d0ba92b54e1e9d5737f9791f7e66a31f87a615f21029 |
C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
| MD5 | 3a0f27e631a0c863d4d91cdb38ad53fd |
| SHA1 | af24d9a400eef6c27ec7e4ccf7dc59d19702db75 |
| SHA256 | 8500fb7a3e3ead72a47e3e4096d2852cd0ab749f438c80d68a9c794bda02533a |
| SHA512 | 0d063a9c879da02e8a0225b868d4978fff8a929cab44e91e04321fb1ae5d45f21677898ee02af997e78a25c80ac418348e323104eda045c222956edfd2f3958e |
C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
| MD5 | 59d36d4390294d11c15e8abfc516ba8d |
| SHA1 | 5b8bc0ace86a9d595c33ff0d501ccd8b6d2ef324 |
| SHA256 | 23ec2f455766d08cac0aabaf4fcd79c9d6b804b779c4f44ba42fed9ce628ce42 |
| SHA512 | 05527cdf3a32124e93dc8304f2963bb4ce20a0f947d9002fd002e14de6d8aa766d7cd06f3c75601148a94c88952e1eb93a4dd41c5df4d01e36d6bcd81f228dd9 |
C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe
| MD5 | ec10885b689c92a090835cf00e5436c2 |
| SHA1 | 86dfdda0a842403f2bd1190c86b7a6f939e34a31 |
| SHA256 | e4083bcebd04998f1c37d7a51c46313c4c54fb0104d7b1904f7b497241dbb1c5 |
| SHA512 | 59f4a192bbe9702355200bafe5e27d1d7da72f83d1ace7692f034973aef7d3eaba6e3ab402868783c876e95ed0970da2a40255caf044e46be458c674f1318409 |
C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe
| MD5 | f83e728e819e98134dcd36b1ac108dff |
| SHA1 | 67e6ea54e3e9dbbc6e2cf1eaf66f953750b415dd |
| SHA256 | b863792b3a93592970e09c897e428214e9878261d399673531aeb3c90be20922 |
| SHA512 | c6080e9819b6da1fd5f9eb61436632a21da15d805bacb462cba1dd1d106c0107e7af738c8354a8ab7ccbc1b4c0be461fe6b0688e4a09e5dce94dc76aedffd950 |
C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe
| MD5 | 15f5416fba8a0145e9dfe5af4a4e9795 |
| SHA1 | 4b44de9f8863c869e7db8541fb8b82ec1cee632a |
| SHA256 | 4d712c38c94576fa0dcdf723bbfba4a99f9a460a3edc3209cfa96e70d4bf1b20 |
| SHA512 | 38a0c3c8e428d9803e52490b87b391df4eac5cf441b76942278b53dedf35601297bb664e80c2a6f933a197417438be8e55bc026169261354850f26f6b8b14d7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Kinsing
Auto-generated rule
12 matches; the rule records no description, indicator, process or target.
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}\stubpath = "C:\\Windows\\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe" | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861} | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38}\stubpath = "C:\\Windows\\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe" | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38} | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B} | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3} | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB} | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54} | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}\stubpath = "C:\\Windows\\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe" | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}\stubpath = "C:\\Windows\\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe" | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB}\stubpath = "C:\\Windows\\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe" | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588}\stubpath = "C:\\Windows\\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe" | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8} | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC} | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}\stubpath = "C:\\Windows\\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe" | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047} | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC} | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}\stubpath = "C:\\Windows\\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe" | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3}\stubpath = "C:\\Windows\\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe" | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588} | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54}\stubpath = "C:\\Windows\\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe" | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861}\stubpath = "C:\\Windows\\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe" | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}\stubpath = "C:\\Windows\\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | N/A |
| N/A | N/A | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | N/A |
| N/A | N/A | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | N/A |
| N/A | N/A | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | N/A |
| N/A | N/A | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | N/A |
| N/A | N/A | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | N/A |
| N/A | N/A | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | N/A |
| N/A | N/A | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | N/A |
| N/A | N/A | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | N/A |
| N/A | N/A | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | N/A |
| N/A | N/A | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | N/A |
| N/A | N/A | C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | N/A |
| File created | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | N/A |
| File created | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | N/A |
| File created | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | N/A |
| File created | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | N/A |
| File created | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | N/A |
| File created | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | N/A |
| File created | C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | N/A |
| File created | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | N/A |
| File created | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | N/A |
| File created | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | N/A |
| File created | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe" |
| C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe | C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe | C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{11A9A~1.EXE > nul |
| C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe | C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B47~1.EXE > nul |
| C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe | C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6E25E~1.EXE > nul |
| C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe | C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{502EC~1.EXE > nul |
| C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe | C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C774A~1.EXE > nul |
| C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe | C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{24830~1.EXE > nul |
| C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe | C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7F519~1.EXE > nul |
| C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe | C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{67237~1.EXE > nul |
| C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe | C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{85270~1.EXE > nul |
| C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe | C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{221E3~1.EXE > nul |
| C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe | C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{55DAD~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
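Every row in this table but one is a reverse (PTR) lookup sent to 8.8.8.8, and the Windows 7 run on this page recorded no network activity at all, so these rows are more likely Windows 10 background traffic than command-and-control. The "Kinsing" signature fired only in this run, and Kinsing is otherwise documented as Linux cryptomining malware, so that label should not decide which addresses matter either. The following added example, which is not part of this report or of any vendor's tooling, decodes the in-addr.arpa names back to the addresses that were looked up, separates resolver traffic from direct connections, and flags the one TCP destination the sandbox never reverse-resolved, so the list can be reviewed before anything is promoted to an indicator. The table is embedded as it appears on this page (with the lone TCP row's columns aligned); the parser assumes that four-column layout.

```python
"""Turn a sandbox Network table into reviewable IP indicators.

Added worked example; not part of the original report or of any vendor's
tooling. NETWORK_ROWS is the behavioral2 (win10) Network table from this
page, with the lone TCP row's columns aligned; the parser assumes that
"| Country | Destination | Domain | Proto |" layout.
"""
import ipaddress
import re

NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", re.IGNORECASE)

def ptr_name_to_ip(domain):
    """'183.142.211.20.in-addr.arpa' -> '20.211.142.183'; None unless it is a valid PTR name."""
    m = PTR_RE.fullmatch(domain.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:  # an octet above 255 is not an address
        return None

def triage(table_text):
    """Split the table into resolver traffic, reverse-looked-up hosts and direct connections."""
    resolvers, ptr_subjects, other_dns, direct = set(), set(), [], []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # header or malformed row
        _country, dst, domain, proto = cells
        host, _, port = dst.rpartition(":")
        if not ipaddress.ip_address(host).is_global:
            continue  # sandbox-internal traffic is not an indicator
        if port == "53":
            resolvers.add(host)
            ip = ptr_name_to_ip(domain)
            if ip:
                ptr_subjects.add(ip)
            else:
                other_dns.append(domain)  # forward lookups, if the table had any
        else:
            direct.append((host, int(port), proto))
    return {
        "resolvers": resolvers,
        "ptr_subjects": sorted(ptr_subjects, key=ipaddress.IPv4Address),
        "other_dns": other_dns,
        "direct": direct,
        # a connection the sandbox never reverse-resolved deserves a manual look
        "direct_without_ptr": [h for h, _port, _proto in direct if h not in ptr_subjects],
    }

if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, value)
```

Run against this table, the decoder yields eleven distinct looked-up addresses and a single direct connection, 20.231.121.79:80 over TCP, which is also the only destination without a matching PTR row. Check ownership of the decoded addresses and of that TCP destination before treating any of them as an indicator of compromise.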
Files
C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
| MD5 | 69024dc6ec2573df3219cafbf694d45e |
| SHA1 | d953e80a307368608f610effaca983deb6907eba |
| SHA256 | 3bd99d472ea28ac8891bfa42383532f8bffb35d1892ee0c1128bf8cffd6b5b83 |
| SHA512 | 8154e7181d11ec2c4cb5d25317a1829cff67e15931bb52c7fd8923aeafc733c6ecc5a7d9b2ab39310b63e5e082ad3a980610a4ee9d67c1024bdde510b23e9dae |
C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
| MD5 | 7eb1c02bb3eddbbedeb86f5b060af21c |
| SHA1 | 72490a782c8ae5a26e315fbb1a8168fef638e724 |
| SHA256 | c4b54bd03b5701d71e7aa122202fad75ecb2f014d905c165adf3f3b7060d0c22 |
| SHA512 | 0266b4c6a723c1d808903cada3c53cf83fbbd3dbb9f44c1fce0f89a5365f523fb3cd3895ac3c8239a742670c673c2a3c8fa5c536610308425ff74227c8995a30 |
C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
| MD5 | 30710f9540ff9c5b1db57bc365bc5ea3 |
| SHA1 | 8d6059b3edf46708686e37fd588cda8d3c897dc2 |
| SHA256 | c8a8c9d6af55e36ec44542c781a83b7e65219908661b6f61c0d2c837cde8782d |
| SHA512 | 9c23c489e1b2bfbf67f2bb4b2ea278d6fa823aee90d55de6fb93d79a2ccf868a6450e5dc906ef573a37379c8b75ee63318ef466d54746660217a50e42d5c0364 |
C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
| MD5 | 3a6dce5fa139d229a1f5f9b51717d2a0 |
| SHA1 | 691c833d12e16d7d45357879148d93203eac8289 |
| SHA256 | f5439e0234a8d7893847592d4316125fe0e8e22fcec829234aa8d072b3eb3ea6 |
| SHA512 | b93d3ffd98f05ef20be55da35d7084a5f745c9f44e929465ec9e9fbc6dc16ea5ffe28d5c88f3113ee9b1a4cb659bb159106bf17677ab02640070c5b5bf3ae9e1 |
C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
| MD5 | 49ace39d602160f4e3f8c5b3bb0922b0 |
| SHA1 | 83cfbfab882d317b386bb1260f6cce9517213caf |
| SHA256 | db3fe6113991cea4b4456bcb647f308d41cbd6381a03879d476f7ee09c1f5842 |
| SHA512 | c50e5cb1bd8cefb45b8351ba462aebe881f8b3f5f581a01dd2c0237f3def85920e05e4e46bb016450e9daac6e831c2f38a100c76f57e62b632837485cb444f5a |
C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
| MD5 | 0ae64d694da20642c4e5893d654b42a7 |
| SHA1 | c21c75a1363d62897b0cc31331600b674db2f0a8 |
| SHA256 | 6753ec0a8c2842fb0a150ed5d7b2febe4d0372d4d906167632690ac4ca928386 |
| SHA512 | 4d3cef5a0d4ae022093f7ac8479564f13c81a37178a51035c78bbc812a225957d6ded2d17fa54a80184efbb7240c9447d1e1670e6b7d317c850e6c9302e32cc1 |
C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
| MD5 | 9e6299e759a5d92a5fe00f5b7341f6c7 |
| SHA1 | e3605512ed72e5dc96f55bf0f22aca0c1f0e144c |
| SHA256 | 5eadfb3613cc15a56f3f5dc13f5f688954541983933d171665adc40f872fed29 |
| SHA512 | 09d6259ef039fe6ece5ef16a19eb9488a69b40d338db3dd8acf9f3bd445cce0fe7c58d90dd5e6c7b6ffc5163dd5172f5ccc3c999b22dc897d0a89aa4a7add63c |
C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
| MD5 | 4c4c867ce4a184c7a0e449829b2f7ea5 |
| SHA1 | 8183bb3f8da523988acc3133a29856fb9829402a |
| SHA256 | 173b68790b31496802eef9133d0722a3042768985306b7ad2ad253b59f23739f |
| SHA512 | 9a921687012166fe68502888b08300a415178534d317c5d0e50174f41abe057f149507d936946014034bc3a6649a4b6da9aeb5a29b1b0d576d8148961f166c5b |
C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
| MD5 | 4bff1603dcd89edbc0d812c4296ae809 |
| SHA1 | 09f421d7d0c5b499c231460b0e909025b056056a |
| SHA256 | 28a853069b86ebdb6ddd759fca342fb2c01264ca33b852c8719e6f411d3b1284 |
| SHA512 | 2d06faec0f841142e2af7100001fd4334dd81a2dcf05d591062fc4a7efd587ee84e3fa199b97577aead6ba438fe1a6134dc2ea63fc0b8d3539701cc67c5f8f9d |
C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
| MD5 | e65d19488abc72f5b726c53e0d81d759 |
| SHA1 | ca6972af1e4dc928ed39b6ebd41a3b4c8e87a260 |
| SHA256 | ce75f0d04811a919c62802b16e2250a86743dc5307de84155557273548e85d25 |
| SHA512 | 3cc713fbe26298f17b7fe791eed1c2791100f13193c52140e04562605a865e7f9e6993c52dda833597876ce8e15c3073a2df4ec244e9abe60a4ff12e730084ab |
C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
| MD5 | d77a05685576ee077b35b9a1ea1d790f |
| SHA1 | 4a2455e05286222b73a9dc9d60066559877f54df |
| SHA256 | 5bf66d84220e665ac7c2750ec34f04930f436a6422ba953ada25613c8e9098e2 |
| SHA512 | 3246cdf4c6e5d90465f79c628d239b57dde6ba85db04e780056b12067141ca5d2ff6ad4a19b9b900b75dcc321a335f84d34444c92f338bc71fdf8bc71bba99f0 |
C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe
| MD5 | 85b3a951a3a110a9a8f1219ac9ccc26d |
| SHA1 | 1960de13df25cf2f89c89be5c67ae975573581e5 |
| SHA256 | 5e6ac7553986dd14f472078c91faa8d829dce2dcccd6955415ee7b5a7beb4450 |
| SHA512 | 6993bb31bd54d94fa5ba7ae4a7681d74da6657543633416d039bb4837113389ad6a32cba9b1958eb7fe73384d70afc708db6e00187c019cc02b74f62c9b4ee6a |