Analysis Overview
SHA256
f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7
Threat Level: Known bad
The file 2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye was found to be: Known bad.
Malicious Activity Summary
Kinsing (family tag raised by a sandbox rule in the behavioral2 run only; no indicator on this page backs it, and the observed behaviour is a Windows Active Setup dropper chain rather than the Linux cryptomining malware that name denotes, so treat the tag as unconfirmed)
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:35
Signatures
Auto-generated rule: matched, no indicator details recorded.
Unsigned PE: the sample carries no Authenticode signature; no further indicator details recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:35
Reported
2024-01-25 17:38
Platform
win7-20231215-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Auto-generated rule: 11 hits, no indicator details recorded.
Modifies Installed Components in the registry
Each stage creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its stubpath to the next GUID-named exe in C:\Windows (Wow6432Node is the redirected view a 32-bit process gets for HKLM\SOFTWARE on 64-bit Windows). Active Setup runs a component's stubpath once per user at the next interactive logon, when the key has no counterpart under HKCU, so these entries are logon persistence that a detonation without a fresh logon does not exercise; the chain advanced because each stage launched its successor directly (see Executes dropped EXE). Rows are in sandbox order; following writer to stubpath gives the stage order sample, C2203C90, 0B6D5E61, 74FD77C3, C9C0E269, 4BB5FAA7, 9FA2D8A0, 1CD6FD2C, 761F89AD, 329E35C2, C2B19197, 119F057D (GUIDs abbreviated to their first block); the last stage registered nothing before the run ended.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B}\stubpath = "C:\\Windows\\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe" | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01} | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01}\stubpath = "C:\\Windows\\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe" | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}\stubpath = "C:\\Windows\\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe" | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52} | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6} | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32} | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}\stubpath = "C:\\Windows\\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE}\stubpath = "C:\\Windows\\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe" | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671} | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}\stubpath = "C:\\Windows\\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe" | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B} | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B} | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3} | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}\stubpath = "C:\\Windows\\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe" | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092} | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3}\stubpath = "C:\\Windows\\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe" | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32}\stubpath = "C:\\Windows\\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe" | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B}\stubpath = "C:\\Windows\\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe" | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}\stubpath = "C:\\Windows\\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe" | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE} | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | N/A |
Deletes itself
The process recorded is cmd.exe because each stage's image is removed through a child "cmd.exe /c del <8.3 name> > nul" rather than by any stage unlinking a file itself; the individual command lines are listed under Processes.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | N/A |
| N/A | N/A | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | N/A |
| N/A | N/A | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | N/A |
| N/A | N/A | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | N/A |
| N/A | N/A | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | N/A |
| N/A | N/A | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | N/A |
| N/A | N/A | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | N/A |
| N/A | N/A | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | N/A |
| N/A | N/A | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | N/A |
| N/A | N/A | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | N/A |
| N/A | N/A | C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | N/A |
| File created | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | N/A |
| File created | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | N/A |
| File created | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | N/A |
| File created | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | N/A |
| File created | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | N/A |
| File created | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | N/A |
| File created | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | N/A |
| File created | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | N/A |
| File created | C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | N/A |
| File created | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
Image path and command line for each process. cmd.exe is recorded under C:\Windows\SysWOW64 while its command line says system32: the 32-bit parent is subject to WoW64 file-system redirection. Every del names its target by the 8.3 short alias ({C2203~1.EXE for {C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe), so command-line matching on the long GUID file names will miss these deletions.
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe" |
| C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe | C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe | C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C2203~1.EXE > nul |
| C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe | C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D5~1.EXE > nul |
| C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe | C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{74FD7~1.EXE > nul |
| C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe | C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C0E~1.EXE > nul |
| C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe | C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB5F~1.EXE > nul |
| C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe | C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA2D~1.EXE > nul |
| C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe | C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD6F~1.EXE > nul |
| C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe | C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{761F8~1.EXE > nul |
| C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe | C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{329E3~1.EXE > nul |
| C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe | C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B19~1.EXE > nul |
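The chain recorded above (drop a GUID-named exe into C:\Windows, register it as an Active Setup stubpath, run it, remove the previous stage by its 8.3 alias) can be recovered mechanically from the report's own rows. The script below is an added example written for this page; it is not sandbox output and not the sample's code. It embeds the behavioral1 stubpath values and cmd.exe command lines verbatim, keyed by the path of the process that produced them, and assumes one stubpath write per stage. The helper names (exe, build_chain, short_name, deleted_paths, survivors, stubpath_findings), the 8.3 approximation with an assumed ~1 ordinal, and the two "suspicious stubpath" heuristics are this example's own. It walks writer-to-stubpath links to get the stage order, resolves each del target back to its long name (matches are returned as lists because the ordinal is not knowable from the report), reports which stage is left on disk, and flags every stubpath write that points at a GUID-named exe in the Windows root or comes from a Temp-resident or previously dropped process. The behavioral2 rows follow the same pattern with their own GUIDs and can be fed in the same way.

```python
"""Triage helper for the Active Setup dropper chain in this report.

Added example for this page: not sandbox output and not the sample's code.
Data is the behavioral1 run: each stubpath value and each cmd.exe command
line is copied verbatim, keyed by the path of the process that produced it.
"""
import re

WINDIR = "C:\\Windows\\"
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe")
# A GUID-named .exe sitting directly in the Windows root (every stage here).
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_RE = re.compile(r"/c del (\S+) > nul$", re.I)


def exe(guid):
    """Path of a dropped stage: C:\\Windows\\{GUID}.exe."""
    return f"{WINDIR}{{{guid}}}.exe"


# "Set value (str)" rows of "Modifies Installed Components", in report order:
# (process that wrote ...\{GUID}\stubpath, the value exactly as printed there).
STUBPATH_WRITES = [
    (exe("1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52"), r'"C:\\Windows\\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe"'),
    (exe("761F89AD-F076-440a-B48D-9FFD83B8661B"), r'"C:\\Windows\\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe"'),
    (exe("C9C0E269-6C8E-41e3-864A-8171638F24AE"), r'"C:\\Windows\\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe"'),
    (SAMPLE, r'"C:\\Windows\\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe"'),
    (exe("74FD77C3-943F-4e5e-8994-8F6CEA06D092"), r'"C:\\Windows\\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe"'),
    (exe("9FA2D8A0-7757-4493-9304-2D1A87818A32"), r'"C:\\Windows\\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe"'),
    (exe("C2203C90-D340-49ad-91EB-A6A4A2A8AD25"), r'"C:\\Windows\\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe"'),
    (exe("C2B19197-4ECE-4690-A06C-5A500C71B39B"), r'"C:\\Windows\\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe"'),
    (exe("4BB5FAA7-C17E-4c46-A6A5-F967458F3671"), r'"C:\\Windows\\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe"'),
    (exe("329E35C2-01CD-4c34-BCF6-367B25508E01"), r'"C:\\Windows\\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe"'),
    (exe("0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6"), r'"C:\\Windows\\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe"'),
]

# cmd.exe command lines from the Processes list, in report order.
DEL_CMDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C2203~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D5~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{74FD7~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C0E~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB5F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA2D~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD6F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{761F8~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{329E3~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B19~1.EXE > nul",
]


def parse_stubpath_value(raw):
    """Strip the report's quotes and collapse its doubled backslashes."""
    return raw.strip('"').replace("\\\\", "\\")


def build_chain(writes, start):
    """Follow writer -> registered stubpath from the sample until a stage
    registers nothing. One stubpath per stage in this run; stops on a cycle."""
    nxt = {writer: parse_stubpath_value(raw) for writer, raw in writes}
    chain = [start]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


def short_name(path):
    """Approximate the 8.3 alias Windows generates for a long file name:
    first six legal stem characters, '~1', three-character extension.
    The ~1 ordinal is assumed; the real one depends on the directory's contents."""
    stem, dot, ext = path.rpartition("\\")[2].rpartition(".")
    if not dot:
        stem, ext = ext, ""
    legal = re.sub(r"[ +,;=\[\]]", "", stem).upper()[:6]
    return f"{legal}~1.{ext[:3].upper()}" if ext else f"{legal}~1"


def deleted_paths(del_cmds, candidates):
    """Map each 'cmd /c del <8.3 name>' target to the long path(s) it can mean
    (the ~N ordinal is ignored, so a result may list several candidates)."""
    out = {}
    for target in (m.group(1) for m in map(DEL_RE.search, del_cmds) if m):
        folder, _, short = target.rpartition("\\")
        prefix, _, rest = short.upper().partition("~")
        ext = rest.partition(".")[2]
        out[target] = [c for c in candidates
                       if c.rpartition("\\")[0].upper() == folder.upper()
                       and short_name(c).partition("~")[0] == prefix
                       and short_name(c).rpartition(".")[2] == ext]
    return out


def survivors(chain, del_cmds):
    """Stages never named by a del command: what is still on disk afterwards."""
    gone = {p for hits in deleted_paths(del_cmds, chain).values() for p in hits}
    return [p for p in chain if p not in gone]


def stubpath_findings(writes):
    """Flag stubpath writes that no ordinary installer produces (heuristics)."""
    findings = []
    for writer, raw in writes:
        target = parse_stubpath_value(raw)
        reasons = []
        if GUID_EXE.match(target):
            reasons.append("stubpath points to a GUID-named exe in the Windows root")
        if GUID_EXE.match(writer) or "\\AppData\\Local\\Temp\\" in writer:
            reasons.append("written by a Temp-resident or previously dropped exe")
        if reasons:
            findings.append((writer, target, reasons))
    return findings
```

Calling build_chain(STUBPATH_WRITES, SAMPLE) yields the twelve-entry chain from the sample to the {119F057D...} stage; survivors() on it with DEL_CMDS returns only that last stage, which is exactly the set of files the sandbox still found on disk. The short-name matching is deliberately loose on the ordinal: on a real host, read the alias back with the directory listing instead of guessing it.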
Network
No connections or DNS queries were recorded in this run.
Files
Every dropped stage has a different hash from every other, so blocking any one of these values covers nothing else in the chain; detection should key on the behaviour (GUID-named exe created in C:\Windows, Active Setup stubpath write, cmd.exe del with an 8.3 name) rather than on the hashes.
C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
| MD5 | 47ffb9d1a74fc3f6d8eee8a33a267085 |
| SHA1 | a593c59cc0a288ce55b079b341f34d0c82bbeba0 |
| SHA256 | 890a73326fc6b57cf06df206cbdf87a41f8e37e07e34476ac9ff0ef7a02fb67c |
| SHA512 | 5ef78ea012f8c634b6b00f8c6b42ae13a9218e63e4df56ccb9defe94d16b8aa516f70e75a33bca58c2a3bff6d9d55ca564b48d8165176ea8e56d69c7757c6987 |
C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
| MD5 | 5121560d9c7b27bd1f6bd1343285b3c7 |
| SHA1 | 2eca5b200b0d294b8ef7ad51fc63d755dabb9dde |
| SHA256 | 310cd477aad24dbccc318d82474d90fc527ebaccad535fa3569c66c59297c769 |
| SHA512 | 3bed528af8b976bf322692d97e1d2012d22ca3c5da8444d90ed12c8246fa9f94ca13e64bccacfd573bd734b766c6948f4d3d56d92f596de39bd24c7acf805d18 |
C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
| MD5 | 3d1a8cc9a22323c8b5bd4856afeb97ef |
| SHA1 | a137948c84026f774ddfd5bf407160cfe0266dce |
| SHA256 | 49ff13c5015fd582c7d76b0eeaa80fda4a8b962df402306c34385ce71ff81760 |
| SHA512 | fbd963026e20d8ea4292ebdbd0d8991ebe6d325f6eb0a1947e4feae14b5921d40d9f27695cf5292078c016cb498637a741d8a0ca26be82cc7b9072263e0c44ae |
C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
| MD5 | 7b16cb8525808061c27d5af2a80f4a9d |
| SHA1 | 05a4823c9c8b7308c515ad6421138c52da1b3541 |
| SHA256 | 57faa34f1f88192a32754325ac24412397179140673a996ddbd782ea57936383 |
| SHA512 | eb4b71c2b9ddb38387fec77b8feada41d5bef7fc6cb299b75f34642cfd9c6a403b58791c03509424c54d44c3446d810fed7985eea763b552bdd42fb19ae88350 |
C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
| MD5 | 19e8f65c7bd46c08d1f9195bf135b7c5 |
| SHA1 | 1d73cf8d23d00d7d5d44c699930986ab8616c4ef |
| SHA256 | 2aa839190bd3c9a618a6e3f04cf2e416ba5b930f5cdac28bc4491c1cce3cfc27 |
| SHA512 | 362b2275f6c0a9d099990ba07e95ad1c1b914d0042c1584174481d1570c82557a42d70ae5346fcb2804ee8384ce20e4b3b33c60a7cb9a593427ac1eaf55c5a92 |
C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
| MD5 | d040805ee8e2997a065268c8465ef8fb |
| SHA1 | b801c312e1398dca896dca2ce007518b39841051 |
| SHA256 | 26d3216cf07554d352cc3f9888722eba56063fea2571289412460cf4885ea2ed |
| SHA512 | 6875479b37f785e606d5f8e13582024f31cef44afca5270772ce754289694bfc3080c8288ed2accdf019762667141f0ea5cc7de49e637ba79ec674421e18eb84 |
C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
| MD5 | 789a2daed7f46f8245848477d39387b8 |
| SHA1 | b0df7fd30f965459dfddde25810c6764ead3ca0c |
| SHA256 | a60a9a1ab03f054a85d56e41b96bf8036103b37f400c2bda0d5e4425eed027de |
| SHA512 | c641ff6a3fa10409f4b462152ea9393c31d44e66f4666bda4d17f713b5298b1f0d9ac1218026e8036958415ac5f2d1935023caa554dac993153ee9ce0cc3221e |
C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
| MD5 | f0d3d67f6e118a2c48da4dd583b830b7 |
| SHA1 | 0d82d2e86aef0c7c80afe775c30905cbbef6f788 |
| SHA256 | 28198ae310fb3dca0f7bae2301d061ca94d123f5ea6dd75cdbd753e7c2fa306f |
| SHA512 | 84dd07e7b388db1cc54ae6e77e9abe52e2757bf1aca53ad4897e9a02d829fb06b77bac3db39bc954c1bdef8fd13da7e3247cfb0b6c04747558d05229b27d1c63 |
C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe
| MD5 | 525cc651d1bb22f20ff19838ed6cb213 |
| SHA1 | 87356727da1de0f862ee507ecc8d06cb671263bd |
| SHA256 | 21e72d61c2730f3c8bb128898a2afcd193b101f3adf287a70b846d2e3f4ab079 |
| SHA512 | bf05c04511e2a7d47880a7238e8d483090abc2fc6776c397c1d110e3cd19951e7b9c311a0f1e203e39a41acc32c72956aa1471cb4d1f0c7dd5ffa458113135ea |
C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe
| MD5 | 7384dadd21bc33db21c3f2d1acfd1510 |
| SHA1 | 5fb8804f387e7b310db17bb555ca97a3d3b630eb |
| SHA256 | 3d1bfc113c620c2e314388f8c753e01db5d169ef328dcf68e3cfccca1180e1f2 |
| SHA512 | 8ba57ec77dc7359b0d1348a601a89047229e01bca48f2fbe9389d393790da80614d102da93775f1ad248ddd66fb61b341292862ee741d4fd3fa85e77896ae01b |
C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe
| MD5 | 09478b1b0b60a04ccc19eb96f2c7639d |
| SHA1 | d6ef3078c522e0b78850f3988e2ae3d29b1fe40e |
| SHA256 | 9738555394d63d8d0eb3b3dc895ce394ab496914aa47af71c84c917aca67a4fd |
| SHA512 | 3178691e75822ce93c3a0c09d7665d9cf00c08b85f05fa5f1373dc231bbf2df90bed6d5d24620984847b2b39b61023fb326b17b4dd50bdd7f4c23438d9b73db6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:35
Reported
2024-01-25 17:38
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Kinsing: family tag raised by a sandbox rule; no indicator was recorded for it and nothing else in this run supports the attribution.
Auto-generated rule: 12 hits, no indicator details recorded.
Modifies Installed Components in the registry
Same pattern as behavioral1 with a different set of GUIDs, so the GUIDs are generated at run time and are not reusable as indicators. Writer to stubpath links give the stage order sample, 8CF5C0BA, 802E5D5D, AC5C1588, D7FAC5D4, 74E51847, 16687BAE, 919E231D, 3FF6BAAC, BD4C013E, F4455941, FB0979DD, 8C0A74C8 (first GUID block only). Registry key names are case-insensitive, so WOW6432Node here and Wow6432Node in the Windows 7 run are the same key.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402}\stubpath = "C:\\Windows\\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7} | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F} | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}\stubpath = "C:\\Windows\\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe" | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861} | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}\stubpath = "C:\\Windows\\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe" | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}\stubpath = "C:\\Windows\\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe" | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1} | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A} | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861}\stubpath = "C:\\Windows\\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe" | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02} | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}\stubpath = "C:\\Windows\\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe" | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A}\stubpath = "C:\\Windows\\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe" | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874} | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E}\stubpath = "C:\\Windows\\{F4455941-3769-4acc-8800-12209B85342E}.exe" | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC} | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2} | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}\stubpath = "C:\\Windows\\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe" | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1}\stubpath = "C:\\Windows\\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe" | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E} | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}\stubpath = "C:\\Windows\\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe" | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}\stubpath = "C:\\Windows\\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe" | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E} | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | N/A |
| N/A | N/A | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | N/A |
| N/A | N/A | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | N/A |
| N/A | N/A | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | N/A |
| N/A | N/A | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | N/A |
| N/A | N/A | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | N/A |
| N/A | N/A | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | N/A |
| N/A | N/A | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | N/A |
| N/A | N/A | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | N/A |
| N/A | N/A | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | N/A |
| N/A | N/A | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | N/A |
| N/A | N/A | C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | N/A |
| File created | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | N/A |
| File created | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | N/A |
| File created | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | N/A |
| File created | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | N/A |
| File created | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | N/A |
| File created | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | N/A |
| File created | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | N/A |
| File created | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | N/A |
| File created | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | N/A |
| File created | C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | N/A |
| File created | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe" |
| C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe | C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe | C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF5C~1.EXE > nul |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{802E5~1.EXE > nul |
| C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe | C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe |
| C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe | C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5C1~1.EXE > nul |
| C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe | C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FAC~1.EXE > nul |
| C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe | C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{74E51~1.EXE > nul |
| C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe | C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{16687~1.EXE > nul |
| C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe | C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{919E2~1.EXE > nul |
| C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe | C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF6B~1.EXE > nul |
| C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe | C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4C0~1.EXE > nul |
| C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe | C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F4455~1.EXE > nul |
| C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe | C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FB097~1.EXE > nul |
Network
All recorded traffic is PTR (reverse DNS) queries from the VM to the 8.8.8.8 resolver, with no process attributed to any of them; the Windows 7 run recorded no network activity at all. Nothing here shows the sample contacting a command-and-control or download host, and reverse lookups of this kind are consistent with Windows 10 background activity, so the addresses below should not be used as indicators for this sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
Twelve dropped stages, twelve distinct hashes, none shared with the Windows 7 run.
C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
| MD5 | 20b6b1eb5c60693ec200d49c7b46d39a |
| SHA1 | 8723cefd3c7376bd1f62c62b879da53adb67fb68 |
| SHA256 | 05ed682bf304f42891eee86d41194013309c95dd5032bc0415d0226382e1348f |
| SHA512 | f8c5e3cd75c667246335a23021310785dd32c1b6dcdcd091ac0b23c48e4837429c307a9bd8e666eae41fc67cdc796e626e684c8330a21fc4b94b7b9939131480 |
C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
| MD5 | 4cf52c253e2438515a9aa31357c3d025 |
| SHA1 | 602a80c58468dfa76f5ab65f79dc4d9734070678 |
| SHA256 | 070436da7c3288b12d4a081398cd51c0b1055b213e173a24b8d63f1396ed9513 |
| SHA512 | 5f1c159d6546e372173c4220a00b2c583a42c2e087a2316308851c09b21bccfd97bed06d6400e7f5ac8bf6cdf47ea565f8f54bf6dbea5befa5fb8909fe79fc79 |
C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
| MD5 | 11f6c73f081b3a0036e9c163c208cdef |
| SHA1 | 71c37f7887658c128ba264d021efc34738fe735d |
| SHA256 | 7fe8b6a9294f129ea2c08f92f45acb7277cefd1f5694543075d4c04897eb3bc9 |
| SHA512 | 6bf74d6d3bdf1387ddcc9418ebc405fcbecebdca15a2ff09f0615ccfbd00a6d9f5e002b42dbe186d86b5c4c035b0757ff535e2a741702a876e627862ab181dc3 |
C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
| MD5 | c7cc37cf8157663c74a2b7429629605f |
| SHA1 | 481f83c0f6923e43070a8cecc9523d3e4e8bb1f7 |
| SHA256 | 5205ae9d05e5d504d88a57bde57796aeadcb221aca22e0094292e4b5805171b8 |
| SHA512 | 79cd4b1a34f66c9ff32ab40d59218b6217f6292b84f502928dccdd20c7ef1ede43c5331d6b0984107a4cd3a5e472ff5a3a69cb2529847f0419f59995892d51ec |
C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
| MD5 | 1c622e73dd1ed14f920eb2fc6966f1d8 |
| SHA1 | fd44eb1bc32243a5aaf209137d7f4d716b753119 |
| SHA256 | 760584b27dde312b867eb77363220489b2cbea8c44d542e90d335b25e02f07e2 |
| SHA512 | 36a10bec646bae4d980fcdb56b49157a6025b6073b636849e6c5d1eb57fd72cc417429e9660b91889a75798ddcf71c06d58075e73b460c8809d365799d6a12d8 |
C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
| MD5 | ba3a8a9852bf1efc8f57b00c365cd744 |
| SHA1 | dcbeed06b7d34175155de5d3aa63c6024972a621 |
| SHA256 | 509abdd2297784a4d9f4e6c801136247fe209c425184415b7dbbf3853d674cca |
| SHA512 | b64f054b576e66271ab81fe61797db903b10b94a90e0517b44f846c26e231de2c798934ddb56c97f3b26d986a805a571fea878941fdcce1bbbcd3b4d4cb527f0 |
C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
| MD5 | 42c4962ce22f7ad87443e6e099e6a838 |
| SHA1 | 58d68adcf0617b749112b9cbd4654c3e4e0184e5 |
| SHA256 | 64bef5a4671bc2dce468391f62e8ebe6192b8a36681758dc5587993d4d9a2f0e |
| SHA512 | 3f1b8753d1102132d0ea9bf01988719db3178a5e212838d5cb15bb9830fab9aa913e4b637605ff998662e7f50c4dd087900c50e62d4257178900fcc6ada01dd4 |
C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
| MD5 | 73091a021f6771c9da54f14d294b83d4 |
| SHA1 | d200f7a36e620271ab178a308bf86b58cbe9c58f |
| SHA256 | c6d8a5e5940cd828152a69b6c0adf21e69523385fab15efb9c9abb8b7dc9f27d |
| SHA512 | 6ffab31d2e57a282aade3104803988d77b59b375ca178999a105c50da4ce080bb508ada1b8178b4c26eb716bd6f9a634c5778a16723ed9c26dd37bdccaece6bc |
C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
| MD5 | 18f54dc3262e8cc5ec56ef6e5eb9fa9a |
| SHA1 | 9ae30aa10b344956366ba50cce4e74af9a1ae0fb |
| SHA256 | faf2e704d98a222f46140f2b7305985c815dfe63c8a3dfbd067e8784ee8d7170 |
| SHA512 | 9f41412100e390627632167ccac047c65a2784c97ee541afbbee426f3c9c7349bc242ef6528648dc5466e226607eef9eaa220d303654092b79455b5d6113d4e9 |
C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
| MD5 | 4b5e2996a1c41bf05ceb523cc735f7f9 |
| SHA1 | 6345e6ff54628109d8b23cb19981536ca57d28d6 |
| SHA256 | 2b2fa5a5f9a7129ea5c3c1a4f17e8cf45cadc1f29919a2f80ce5517fcf1d6911 |
| SHA512 | 8563873aac7d67e2e6ba28d3621e36337ecd4e4b4e73fa0be568312987482b99cb774ab219687af423b2edeed86b28b4d0e78558a3ec0fb250f0db10bef12988 |
C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
| MD5 | 875c820a35b6fba7d71fa19f7b43a781 |
| SHA1 | 82ba243ae785cc84ad4ce827e0a38678baf78560 |
| SHA256 | dad860e597b58dbefdf64ae78770c0b8d626ac1a2a16b4f5e00becf435a147cd |
| SHA512 | e74f64fb4ced272a12ba91a607cbd84c8a2e575fbac1ac5b65d3bd2915eb6036a5fa17a6010e923dbe605025f103ce4e34bacef5e15aed1dd1ca7a2d95eb97dd |
C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
| MD5 | d070d08fe8d5a1835e7ab685993ed67e |
| SHA1 | cd0a83285fc82b219a1ca923f97dfd99a408d59c |
| SHA256 | 34acbccebb394464b3f9d8bb5f160439d543890ee1e35351924b929d1bc228df |
| SHA512 | 900b217de59c5a00e55653c7b2daffa23a15744eb599874fbaed1c949a877847dd8e653d33b99af0289eeb4ed83e80846b4f843fe1307684b39e22c8f6041209 |