Malware Analysis Report

2025-01-18 02:37

Sample ID 240125-szaapaagar
Target 2024-01-25_543370aebd0567663b796279469645c3_goldeneye
SHA256 8451a7bc4fb65d5d2c44ff13b148ea4615142cda31224f2146a677ac8c332c84
Tags
persistence kinsing loader
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8451a7bc4fb65d5d2c44ff13b148ea4615142cda31224f2146a677ac8c332c84

Threat Level: Known bad

The file 2024-01-25_543370aebd0567663b796279469645c3_goldeneye was found to be: Known bad. In both detonations it behaves as a self-replicating dropper chain: each stage writes a GUID-named copy of itself directly into C:\Windows, registers that copy for execution at the next user logon through an Active Setup Installed Components StubPath value (ATT&CK T1547.014), starts it, and then removes its own image with cmd.exe /c del. The keys land under Wow6432Node and the helper runs as C:\Windows\SysWOW64\cmd.exe, so the sample is a 32-bit PE running under WoW64. No network activity was recorded in the Windows 7 run. The Kinsing tag comes from an auto-generated rule that fired only in the Windows 10 run; Kinsing is otherwise known as a Linux cryptomining family, so treat the family label as low-confidence and rely on the observed behavior and the file hashes below as indicators.

Malicious Activity Summary

persistence kinsing loader

Auto-generated rule

Kinsing

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 15:33

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 15:33

Reported

2024-01-25 15:35

Platform

win7-20231129-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (11 matches reported, none with indicator detail)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE} C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3880D28-35FD-47cc-B941-16359417AE1A}\stubpath = "C:\\Windows\\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe" C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}\stubpath = "C:\\Windows\\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe" C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4} C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}\stubpath = "C:\\Windows\\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe" C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3880D28-35FD-47cc-B941-16359417AE1A} C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81493773-DB94-41f2-8C83-3E1EFE8623E0} C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD79DCD0-385F-470d-873C-7026A54FFC8A} C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD79DCD0-385F-470d-873C-7026A54FFC8A}\stubpath = "C:\\Windows\\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4} C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}\stubpath = "C:\\Windows\\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe" C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF} C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}\stubpath = "C:\\Windows\\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe" C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEF928C-0F7E-4276-941A-12733F135A80}\stubpath = "C:\\Windows\\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe" C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4} C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9} C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81493773-DB94-41f2-8C83-3E1EFE8623E0}\stubpath = "C:\\Windows\\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe" C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F12371-E6DF-4618-9327-F8086AF456B5}\stubpath = "C:\\Windows\\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe" C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}\stubpath = "C:\\Windows\\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe" C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}\stubpath = "C:\\Windows\\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe" C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F12371-E6DF-4618-9327-F8086AF456B5} C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEF928C-0F7E-4276-941A-12733F135A80} C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe N/A
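
The table above lists the 22 registry writes out of chain order, which hides the point: every stage registers the next stage. Active Setup evaluates the Installed Components keys (native and Wow6432Node view) at interactive logon and runs the StubPath of any component whose HKCU copy is missing or older, once per user, so a GUID-named key whose StubPath is a GUID-named binary directly under C:\Windows, written from %TEMP% or from another such binary, is worth an alert on its own. The Python below is an added example, not part of the sandbox report or its tooling: it parses the Set value rows exactly as the report prints them, collapses the doubled backslashes of the REG_SZ value, rebuilds the writer -> StubPath graph and flags each entry. The rows in REPORT_ROWS are copied from this table; the regexes, the flag texts and the chain walk are this example's own.

```python
"""Rebuild the Active Setup drop chain from the sandbox's registry rows.

Added example, not part of the sandbox report or its tooling. REPORT_ROWS is
copied from the behavioral1 'Modifies Installed Components in the registry'
table; everything else (regexes, flag names, chain walk) is this example's.
"""
import re
from dataclasses import dataclass

# Copied from the report (only the 'Set value (str)' rows carry the StubPath).
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3880D28-35FD-47cc-B941-16359417AE1A}\stubpath = "C:\\Windows\\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe" C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}\stubpath = "C:\\Windows\\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe" C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}\stubpath = "C:\\Windows\\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe" C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD79DCD0-385F-470d-873C-7026A54FFC8A}\stubpath = "C:\\Windows\\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}\stubpath = "C:\\Windows\\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe" C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}\stubpath = "C:\\Windows\\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe" C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BEF928C-0F7E-4276-941A-12733F135A80}\stubpath = "C:\\Windows\\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe" C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81493773-DB94-41f2-8C83-3E1EFE8623E0}\stubpath = "C:\\Windows\\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe" C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F12371-E6DF-4618-9327-F8086AF456B5}\stubpath = "C:\\Windows\\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe" C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}\stubpath = "C:\\Windows\\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe" C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}\stubpath = "C:\\Windows\\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe" C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe N/A
'''

# One report row: description, key\stubpath = "value", writing process, target.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]+\})'
    r'\\stubpath = "(?P<stub>[^"]+)" (?P<writer>\S+) \S+$',
    re.IGNORECASE,
)
GUID_EXE_RE = re.compile(
    r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class StubPathEntry:
    key: str     # full registry key of the Installed Components entry
    image: str   # StubPath value with the report's doubled backslashes collapsed
    writer: str  # process that wrote the value (the report's Process column)

    def flags(self):
        """Why this entry deserves attention; empty for an ordinary component."""
        folder, _, name = self.image.rpartition("\\")
        out = []
        if folder.lower() == r"c:\windows" and GUID_EXE_RE.match(name):
            out.append("guid-named image directly under C:\\Windows")
        if "wow6432node" in self.key.lower():
            out.append("written through the Wow6432Node view (32-bit writer)")
        if "\\appdata\\local\\temp\\" in self.writer.lower():
            out.append("written by a process running from %TEMP%")
        return out


def parse_stubpath_rows(text):
    """Parse report rows into entries; rows that are not StubPath writes are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            image = m.group("stub").replace("\\\\", "\\")
            entries.append(StubPathEntry(m.group("key"), image, m.group("writer")))
    return entries


def drop_chain(entries):
    """Order the stages: each writer registers the image of the stage it drops."""
    nxt = {e.writer.lower(): e.image for e in entries}
    registered = {e.image.lower() for e in entries}
    roots = [e.writer for e in entries if e.writer.lower() not in registered]
    if len(roots) != 1:
        raise ValueError(f"expected a single chain root, found {roots}")
    chain, seen = [roots[0]], set()
    while chain[-1].lower() in nxt and chain[-1].lower() not in seen:
        seen.add(chain[-1].lower())
        chain.append(nxt[chain[-1].lower()])
    return chain


if __name__ == "__main__":
    entries = parse_stubpath_rows(REPORT_ROWS)
    for i, stage in enumerate(drop_chain(entries)):
        print(f"stage {i:2d}: {stage}")
    for e in entries:
        print(e.image, "->", "; ".join(e.flags()))
```

On this report the chain resolves to twelve stages, the original sample followed by the eleven GUID-named copies, ending at {11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe, which had registered nothing when the detonation ended. The same StubPathEntry.flags logic can be applied to live output of reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s (and the Wow6432Node view); on a live host the writer is unknown, so only the first two flags apply there.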

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
File created C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe N/A
File created C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe N/A
File created C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe N/A
File created C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe N/A
File created C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe N/A
File created C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe N/A
File created C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe N/A
File created C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe N/A
File created C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe N/A
File created C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1916 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe
PID 2036 wrote to memory of 2964 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2748 (4 events) N/A C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe
PID 1916 wrote to memory of 2992 (4 events) N/A C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2584 (4 events) N/A C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe
PID 2748 wrote to memory of 2852 (4 events) N/A C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 3056 (4 events) N/A C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe
PID 2584 wrote to memory of 2132 (4 events) N/A C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2888 (4 events) N/A C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe
PID 3056 wrote to memory of 2684 (4 events) N/A C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2908 (4 events) N/A C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe
PID 2888 wrote to memory of 944 (4 events) N/A C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2912 (4 events) N/A C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe
PID 2908 wrote to memory of 1808 (4 events) N/A C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 1704 (4 events) N/A C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe
PID 2912 wrote to memory of 2072 (4 events) N/A C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe C:\Windows\SysWOW64\cmd.exe

The original table repeats each pair four times; the rows are collapsed here with the event count. Every target is a process its writer had just created (the same parent/child pairs as the Drops file in Windows directory table and the Processes section), so these writes are consistent with process start-up rather than injection into an unrelated process. The table stops at PID 2912; the later stages of the chain are not covered.

Processes

Execution chain reconstructed from the process list together with the WriteProcessMemory and Drops file in Windows directory tables. Each stage starts the next GUID-named copy with its bare path as the command line, then starts a cmd.exe helper to delete its own image. The helpers' command lines name C:\Windows\system32\cmd.exe, but the image that runs is C:\Windows\SysWOW64\cmd.exe: WoW64 file-system redirection for a 32-bit parent, so detections keyed on the image path must allow for both. PIDs are given where the report records them.

Stage 0: C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe (PID 2036)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe"
  starts: C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe (PID 1916)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2964): C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Stage 1: C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe (PID 1916)
  starts: C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe (PID 2748)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2992): C:\Windows\system32\cmd.exe /c del C:\Windows\{AD79D~1.EXE > nul

Stage 2: C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe (PID 2748)
  starts: C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe (PID 2584)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2852): C:\Windows\system32\cmd.exe /c del C:\Windows\{00D27~1.EXE > nul

Stage 3: C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe (PID 2584)
  starts: C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe (PID 3056)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2132): C:\Windows\system32\cmd.exe /c del C:\Windows\{D09D0~1.EXE > nul

Stage 4: C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe (PID 3056)
  starts: C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe (PID 2888)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2684): C:\Windows\system32\cmd.exe /c del C:\Windows\{2B231~1.EXE > nul

Stage 5: C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe (PID 2888)
  starts: C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe (PID 2908)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 944): C:\Windows\system32\cmd.exe /c del C:\Windows\{C3880~1.EXE > nul

Stage 6: C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe (PID 2908)
  starts: C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe (PID 2912)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 1808): C:\Windows\system32\cmd.exe /c del C:\Windows\{B3933~1.EXE > nul

Stage 7: C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe (PID 2912)
  starts: C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe (PID 1704)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID 2072): C:\Windows\system32\cmd.exe /c del C:\Windows\{1F34D~1.EXE > nul

Stage 8: C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe (PID 1704)
  starts: C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe (PID not reported)
  self-delete: C:\Windows\SysWOW64\cmd.exe (PID not reported): C:\Windows\system32\cmd.exe /c del C:\Windows\{81493~1.EXE > nul

Stage 9: C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe
  starts: C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe
  self-delete: C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /c del C:\Windows\{41F12~1.EXE > nul

Stage 10: C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe
  starts: C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe
  self-delete: C:\Windows\SysWOW64\cmd.exe: C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEF9~1.EXE > nul

Stage 11: C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe
  command line: C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe
  no further process activity recorded before the detonation ended
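
The del commands refer to the dropped files by their 8.3 short names ({AD79D~1.EXE for {AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe, 2024-0~1.EXE for the original sample), so a naive search of the process list for the long GUID file names will never match them. The Python below is an added example, not part of the sandbox report or its tooling: it extracts the del targets, computes the expected 8.3 alias of each known stage image (first six characters of the name, ~N, first three of the extension) and pairs every deletion with the stage it removes, which shows that every stage except the last one deleted its own image. COMMAND_LINES and STAGE_IMAGES are copied from the process list above; the alias model is this example's own and does not cover the character substitutions Windows applies to names that are illegal in 8.3 form. Two caveats for anyone turning this into a detection: the cmd.exe image is C:\Windows\SysWOW64\cmd.exe even though the command line says system32, and a running executable cannot be deleted while its process is alive, so the del only succeeds because the spawning stage exits before the helper reaches it.

```python
"""Pair each 'cmd.exe /c del' in the process list with the stage it removes.

Added example, not part of the sandbox report or its tooling. COMMAND_LINES and
STAGE_IMAGES are copied from the behavioral1 process list; the 8.3 short-name
model is this example's and covers only the common case (first six characters
of the name, '~N', first three of the extension), not the character
substitutions Windows applies to names that are illegal in 8.3 form.
"""
import re

DEL_RE = re.compile(r"cmd\.exe /c del (?P<path>\S+) > nul", re.IGNORECASE)

# Copied from the report's process list.
COMMAND_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AD79D~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{00D27~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D09D0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2B231~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C3880~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B3933~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1F34D~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{81493~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{41F12~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEF9~1.EXE > nul",
]
STAGE_IMAGES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe",
    r"C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe",
    r"C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe",
    r"C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe",
    r"C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe",
    r"C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe",
    r"C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe",
    r"C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe",
    r"C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe",
    r"C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe",
    r"C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe",
    r"C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe",
]


def short_name_for(long_name):
    """Expected 8.3 alias of a long file name, normalised to the '~1' form."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = stem.replace(" ", "").replace(".", "")   # 8.3 generation drops these
    alias = f"{stem[:6].upper()}~1"
    return f"{alias}.{ext[:3].upper()}" if ext else alias


def del_targets(cmdlines):
    """Paths handed to 'del' by the cmd.exe helpers."""
    return [m.group("path") for c in cmdlines if (m := DEL_RE.search(c))]


def resolve(short_path, candidates):
    """Long paths whose alias, in the same directory, matches the short path."""
    folder, _, short = short_path.rpartition("\\")
    alias = re.sub(r"~\d+", "~1", short.upper())   # ~2, ~3 ... share the prefix
    return [p for p in candidates
            if p.rpartition("\\")[0].lower() == folder.lower()
            and short_name_for(p.rpartition("\\")[2]) == alias]


def deletions_by_stage(cmdlines, images):
    """Map every stage image to the del target that removed it, or None."""
    removed = {img: None for img in images}
    for target in del_targets(cmdlines):
        hits = resolve(target, images)
        if len(hits) == 1:              # an ambiguous prefix stays unresolved
            removed[hits[0]] = target
    return removed


if __name__ == "__main__":
    for image, target in deletions_by_stage(COMMAND_LINES, STAGE_IMAGES).items():
        print(f"{image}\n    deleted via: {target}")
```

Run against the report's eleven helpers, every stage up to {8BEF928C-0F7E-4276-941A-12733F135A80}.exe resolves to exactly one del target and the final stage resolves to none, matching the Deletes itself signature above. Because the six-character prefix is all the alias preserves, two GUID names sharing a prefix in the same directory would be reported as unresolved rather than guessed.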

Network

N/A

Files

C:\Windows\{AD79DCD0-385F-470d-873C-7026A54FFC8A}.exe

MD5 732548a91f5c3dad090ebdc4c70ad04a
SHA1 2c16b7c766a8f3cbf66b3433e4911fbdd9fb9e86
SHA256 34a7b3f902127fc043bf0341376eb55ec6048dfcd7d3b61c7263438c81105500
SHA512 10d4004ac5c149bfbf6fc4fe5467ffd3790ec649c24aa0d06654413a8a420da50de932b1b89fd3d5237426999f9088dc2692cb7bd2cf1982897de7da860df777

C:\Windows\{00D27FCA-2AD4-4a3c-B5B8-F62DC3CE22AE}.exe

MD5 df5ac492a5c88faf8918e8ca4066ea9b
SHA1 f966b702d3c25b83690f8b3c086d3e3afb2e5ca7
SHA256 2ed35a26260778f95278c95768ef1fb294763dfb0ad39782d764777dba9db4c4
SHA512 3eacbd5fbbcafa076b779971222bbe75f550fdea515cc3b7b36df6e6b6410c3fa3cd985d974db8be166066b3d5bf028d57181c21ff3d27498ffbe7c471c7c8ad

C:\Windows\{D09D0DAC-B687-43e0-A1F6-F53E05E83FF4}.exe

MD5 6fe42ac39f01e5ed548bec7cf6ae3e8a
SHA1 26ea6f0ab6cd713d077b4b0c7fe040944f4af376
SHA256 d4f40e5d2589a0cebf5220a27cf985caf88b6691c5cdbf17398078831cd790e5
SHA512 d73f794cf7069c7db85a79b947dfac2e56e9856d096200c171d52cfb5c5472106f01b76db115db36e76152386fff6609c346f3fbfd7fb50c5a35f8e17c4fd390

C:\Windows\{2B231D66-EB81-4b7b-900B-EEA7F9DB84CF}.exe

MD5 1360d05d59bd1372b12e706e7d7d14be
SHA1 77cdcb9eb63b5e70ebb968f4598eb25778348cbe
SHA256 5959dfffa27eb06ac25c270b38e6ce9424650c15498959becfe096578f713d6e
SHA512 59e9f9c47e920e313dfbcb2b0238cb25f93f63aa4ad74111ab7232c8903fd3c25abfddf45fc3df8e6f2ee34568f860cb94aebcd748ec86ce20bcee261a25fa49

C:\Windows\{C3880D28-35FD-47cc-B941-16359417AE1A}.exe

MD5 a595b53b01a1f5a8aeab44316a5c53aa
SHA1 9af361a4dfae2b947864b2d69521e7fe7045bece
SHA256 b10189fe31b95534000941c24910959074e70609e9931e734076dea7c77097ae
SHA512 899338213878487ee11195e2d330d13952bb0c12de5e35ccf0aff2b7b4a9325c80e67ec527a7ad76c7a853e62818158d7ae5233a2d71b7c1379e84f780cfb511

C:\Windows\{B3933E17-22EE-46b7-88A9-CBB49CCCBAC9}.exe

MD5 064e64f3291d3962b40c22ecc4c741c1
SHA1 de1392e42e9bbe86c73723ae6f4d8fb011cf34ac
SHA256 1c945b0169c24a02397d2ca86dfcdc314e9c9a2b31444555c88e62872ca6a151
SHA512 a08d732e115a0cd056ed9cee3bbb169897b72321607ff7d68161ed83653d7c22801660afdfa1a51ff4c787ed66ea017eeb16e74683760d4e8ff7f93012690791

C:\Windows\{1F34DA78-F45D-46ce-B7EE-ACA22A8113B4}.exe

MD5 247cf5ee8345efcac9674ef81c1f6054
SHA1 d0ef36ea4257bd270d1b33146ac7b0b654faac06
SHA256 eb796f7b295a29220ce8cc21dacc6811730165970326fdcfb1354bf722273ca7
SHA512 8c696ad639f4cfa2a52517b2c43e644b4c485bd474954538f0d24b78069fd9d4687c87eb5c042a9464236d2d002f0ea81de71ae7ee9d10a6ec495c1cfc63a678

C:\Windows\{81493773-DB94-41f2-8C83-3E1EFE8623E0}.exe

MD5 054b7033adfe351dcc80da1675929428
SHA1 23bcbd9245a94f697f738738b26605b7733e66fe
SHA256 18df449258e402586f10528b78b90420a59585e9e57fdbbbc2a6b373f78271f4
SHA512 268bb99a7d11522c77c8c55259b84fb941a76e877a9d6bc0c6a90ac669aa3c3c5a149cd3e00bc727c7e8aa8c17c1c962967b83e2e227b3bf87c9e38159ceffbc

C:\Windows\{41F12371-E6DF-4618-9327-F8086AF456B5}.exe

MD5 d687d89464b90631a61978fb8d99a66a
SHA1 f49961973fe784c4317804048420a03850458e93
SHA256 5b11daa82aa383d7bf6f9c6ca2c96ea7d1f433fb77ecbb32e860d1c90482282d
SHA512 e6dcadddc8b634282a4d2faed5151f03fbcf49caa9d969a1decb42429c99d0eda8c87e76a0b49ddb25d564355b363af8adce40394cf7646c3e7233a857ebdd78

C:\Windows\{8BEF928C-0F7E-4276-941A-12733F135A80}.exe

MD5 3c217ceead78dd4cf0ee8c5603548e37
SHA1 64b0efe122d8ad1472a98bba8ae95e3194fcaac7
SHA256 a39460f392d6cd4f420be6e09c6235797b8c04ca448fc6b1655788844a79ada5
SHA512 f082689658cdf4cf9c2088db823410c80bec60cdd84d0d565009787e23c1a0b5bb2769ce75edf25ed0d7e3964b3a3406bc93cdf7864c3caf18f9fb5331d65eaa

C:\Windows\{11E37B04-3D10-4f0b-9BF7-33C90A9551F4}.exe

MD5 e9c3e3c6fbba1349722856ef7049a48b
SHA1 6e3b0233c86acf449ce6d099671ceaae27280ab3
SHA256 cd78671337803e94192ad26325c00c6dee19bd44f39d2c0502e72e586a0b82f7
SHA512 f2246c8b753faadcc379761060376f64c9e2fdb86cabf40b0125d5538b492798e2a4ba6c2365fb739e7313e0d95fc8f523da143b58f981f00b331b75d90fccdf

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 15:33

Reported

2024-01-25 15:35

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (13 matches reported, none with indicator detail)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9345FE6F-26A0-4b95-9E5F-22111FD928A0} C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74EA0D4-245B-46fd-81A8-16A54F38C66E} C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC} C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877A13DB-26E0-45d2-97F3-88800F241ECE}\stubpath = "C:\\Windows\\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe" C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10628B35-15DA-4a66-BB73-A6E17CB20A12} C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}\stubpath = "C:\\Windows\\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe" C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}\stubpath = "C:\\Windows\\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe" C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877A13DB-26E0-45d2-97F3-88800F241ECE} C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68474-7A50-4708-8D90-285F8E96A42E}\stubpath = "C:\\Windows\\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe" C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8EB071-039F-4452-9645-2222B8EE8AD6} C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35} C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}\stubpath = "C:\\Windows\\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AA31-708D-4f53-8B34-1158D1B95248}\stubpath = "C:\\Windows\\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe" C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68474-7A50-4708-8D90-285F8E96A42E} C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8EB071-039F-4452-9645-2222B8EE8AD6}\stubpath = "C:\\Windows\\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe" C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA} C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}\stubpath = "C:\\Windows\\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe" C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44260CDA-6C02-4d8a-9F60-A4D4514001B9} C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}\stubpath = "C:\\Windows\\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe" C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6} C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}\stubpath = "C:\\Windows\\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe" C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}\stubpath = "C:\\Windows\\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe" C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AA31-708D-4f53-8B34-1158D1B95248} C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10628B35-15DA-4a66-BB73-A6E17CB20A12}\stubpath = "C:\\Windows\\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe" C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe N/A
File created C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe N/A
File created C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe N/A
File created C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe N/A
File created C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe N/A
File created C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
File created C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe N/A
File created C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe N/A
File created C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe N/A
File created C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe N/A
File created C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe N/A
File created C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe
PID 1864 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe
PID 1864 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe
PID 1864 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2284 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe
PID 2144 wrote to memory of 2284 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe
PID 2144 wrote to memory of 2284 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe
PID 2144 wrote to memory of 344 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 344 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 344 N/A C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1096 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe
PID 2284 wrote to memory of 1096 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe
PID 2284 wrote to memory of 1096 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe
PID 2284 wrote to memory of 2968 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2968 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2968 N/A C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 4040 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe
PID 1096 wrote to memory of 4040 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe
PID 1096 wrote to memory of 4040 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe
PID 1096 wrote to memory of 4936 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 4936 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 4936 N/A C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 3472 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe
PID 4040 wrote to memory of 3472 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe
PID 4040 wrote to memory of 3472 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe
PID 4040 wrote to memory of 2228 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 2228 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 2228 N/A C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 728 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe
PID 3472 wrote to memory of 728 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe
PID 3472 wrote to memory of 728 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe
PID 3472 wrote to memory of 2416 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 2416 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 2416 N/A C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3912 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe
PID 728 wrote to memory of 3912 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe
PID 728 wrote to memory of 3912 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe
PID 728 wrote to memory of 3924 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3924 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3924 N/A C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 2192 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe
PID 3912 wrote to memory of 2192 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe
PID 3912 wrote to memory of 2192 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe
PID 3912 wrote to memory of 4520 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 4520 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 4520 N/A C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 3500 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe
PID 2192 wrote to memory of 3500 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe
PID 2192 wrote to memory of 3500 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe
PID 2192 wrote to memory of 2616 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2616 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2616 N/A C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 1864 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe
PID 3500 wrote to memory of 1864 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe
PID 3500 wrote to memory of 1864 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe
PID 3500 wrote to memory of 2040 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 2040 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 2040 N/A C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2452 N/A C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe
PID 1864 wrote to memory of 2452 N/A C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe
PID 1864 wrote to memory of 2452 N/A C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe
PID 1864 wrote to memory of 4740 N/A C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_543370aebd0567663b796279469645c3_goldeneye.exe"

C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe

C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe

C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9345F~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{44260~1.EXE > nul

C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe

C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe

C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe

C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC3E9~1.EXE > nul

C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe

C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B74EA~1.EXE > nul

C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe

C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38D0A~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02A5F~1.EXE > nul

C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe

C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe

C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe

C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF8F~1.EXE > nul

C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe

C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{877A1~1.EXE > nul

C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe

C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D68~1.EXE > nul

C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe

C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{10628~1.EXE > nul

C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe

C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F8EB~1.EXE > nul

Network

Country Destination Domain Proto

Files

C:\Windows\{9345FE6F-26A0-4b95-9E5F-22111FD928A0}.exe

C:\Windows\{44260CDA-6C02-4d8a-9F60-A4D4514001B9}.exe

C:\Windows\{EC3E935B-F227-4a72-9AF3-9C1406B88CD6}.exe

C:\Windows\{B74EA0D4-245B-46fd-81A8-16A54F38C66E}.exe

C:\Windows\{38D0AA31-708D-4f53-8B34-1158D1B95248}.exe

C:\Windows\{02A5FD05-BF39-4b71-9DE4-65D09772C2CA}.exe

C:\Windows\{EBF8F3BD-1117-4cd9-8B8C-7C8D61B206DC}.exe

C:\Windows\{877A13DB-26E0-45d2-97F3-88800F241ECE}.exe

C:\Windows\{E4D68474-7A50-4708-8D90-285F8E96A42E}.exe

C:\Windows\{10628B35-15DA-4a66-BB73-A6E17CB20A12}.exe

C:\Windows\{4F8EB071-039F-4452-9645-2222B8EE8AD6}.exe

C:\Windows\{DB8D9AF1-43D7-4a0e-B995-B0DEC1A1BB35}.exe