Malware Analysis Report

2024-10-23 21:11

Sample ID: 240125-v155vsbfe5
Target: 2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye
SHA256: 6b9b930f8f0bce675b0424f3f8c916ceb91faf5509e8f828d122321d729d1b20
Tags: persistence, kinsing, loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 6b9b930f8f0bce675b0424f3f8c916ceb91faf5509e8f828d122321d729d1b20

Threat Level: Known bad

The file 2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Auto-generated rule

Kinsing

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:28

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:28

Reported

2024-01-25 17:31

Platform

win7-20231215-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B61504F-4900-43d1-B012-852754A63897}\stubpath = "C:\\Windows\\{1B61504F-4900-43d1-B012-852754A63897}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729651FF-3D46-4f07-831F-90659A4D2B08}\stubpath = "C:\\Windows\\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe" C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}\stubpath = "C:\\Windows\\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe" C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}\stubpath = "C:\\Windows\\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe" C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821974DD-F77D-4ddb-955B-701031B0542B}\stubpath = "C:\\Windows\\{821974DD-F77D-4ddb-955B-701031B0542B}.exe" C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}\stubpath = "C:\\Windows\\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe" C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06449BB-3986-46e8-B2E3-31F422FB22D3} C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B61504F-4900-43d1-B012-852754A63897} C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89135B9C-2D24-4d42-867F-49BA6D0B38D2} C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821974DD-F77D-4ddb-955B-701031B0542B} C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FBA430-A7F5-427d-8879-533A369B07DB}\stubpath = "C:\\Windows\\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe" C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341021DB-41EC-422f-BC75-C39983CF168A} C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341021DB-41EC-422f-BC75-C39983CF168A}\stubpath = "C:\\Windows\\{341021DB-41EC-422f-BC75-C39983CF168A}.exe" C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}\stubpath = "C:\\Windows\\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe" C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FBA430-A7F5-427d-8879-533A369B07DB} C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06449BB-3986-46e8-B2E3-31F422FB22D3}\stubpath = "C:\\Windows\\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe" C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7} C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}\stubpath = "C:\\Windows\\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}.exe" C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729651FF-3D46-4f07-831F-90659A4D2B08} C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56249AD4-2F74-4871-A85C-1E4D0E6576F3} C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ABEFE73-2C5F-496d-BEAC-623870CA553C} C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96} C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe N/A
File created C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe N/A
File created C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe N/A
File created C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe N/A
File created C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
File created C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe N/A
File created C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe N/A
File created C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe N/A
File created C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe N/A
File created C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe N/A
File created C:\Windows\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}.exe C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe
PID 2544 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2816 N/A C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe
PID 2080 wrote to memory of 2452 N/A C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2740 N/A C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe
PID 2816 wrote to memory of 2716 N/A C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2944 N/A C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe
PID 2740 wrote to memory of 3020 N/A C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2308 N/A C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe
PID 2944 wrote to memory of 1732 N/A C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 320 N/A C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe
PID 2308 wrote to memory of 1692 N/A C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 2964 N/A C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe
PID 320 wrote to memory of 592 N/A C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2940 N/A C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe
PID 2964 wrote to memory of 1504 N/A C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"

C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe

C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe

C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B615~1.EXE > nul

C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe

C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72965~1.EXE > nul

C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe

C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56249~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0ABEF~1.EXE > nul

C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe

C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe

C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe

C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{89135~1.EXE > nul

C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe

C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{82197~1.EXE > nul

C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe

C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00FBA~1.EXE > nul

C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe

C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34102~1.EXE > nul

C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe

C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE77~1.EXE > nul

C:\Windows\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}.exe

C:\Windows\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0644~1.EXE > nul

Network

N/A

Files

C:\Windows\{1B61504F-4900-43d1-B012-852754A63897}.exe

C:\Windows\{729651FF-3D46-4f07-831F-90659A4D2B08}.exe

C:\Windows\{56249AD4-2F74-4871-A85C-1E4D0E6576F3}.exe

C:\Windows\{0ABEFE73-2C5F-496d-BEAC-623870CA553C}.exe

C:\Windows\{89135B9C-2D24-4d42-867F-49BA6D0B38D2}.exe

C:\Windows\{821974DD-F77D-4ddb-955B-701031B0542B}.exe

C:\Windows\{00FBA430-A7F5-427d-8879-533A369B07DB}.exe

C:\Windows\{341021DB-41EC-422f-BC75-C39983CF168A}.exe

C:\Windows\{6CE771D5-7144-43b4-8B70-95BE6C2EDA96}.exe

C:\Windows\{F06449BB-3986-46e8-B2E3-31F422FB22D3}.exe

C:\Windows\{521EAE01-6D77-4388-9B6A-BD8D3942E7D7}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:28

Reported

2024-01-25 17:31

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FF74D7-8240-4646-B438-9347DCCCFBB3} C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FF74D7-8240-4646-B438-9347DCCCFBB3}\stubpath = "C:\\Windows\\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A36AC0A4-9102-4e20-BB1A-4E6290431646} C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}\stubpath = "C:\\Windows\\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe" C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1} C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE98E750-937F-4264-A25B-0D0C00B33118} C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE98E750-937F-4264-A25B-0D0C00B33118}\stubpath = "C:\\Windows\\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe" C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E5A919D-9D46-4801-8DB3-245A3DB11C79} C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}\stubpath = "C:\\Windows\\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe" C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7772B8-E674-4f37-A1AB-71BF53FA2434} C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}\stubpath = "C:\\Windows\\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exe" C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A36AC0A4-9102-4e20-BB1A-4E6290431646}\stubpath = "C:\\Windows\\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe" C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}\stubpath = "C:\\Windows\\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe" C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}\stubpath = "C:\\Windows\\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe" C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073C352D-E629-4a3c-82EE-ED06816343D6} C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073C352D-E629-4a3c-82EE-ED06816343D6}\stubpath = "C:\\Windows\\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe" C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}\stubpath = "C:\\Windows\\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe" C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F53C3930-F924-4c29-A7F9-46F9531A802D} C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55} C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950} C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C} C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87313B54-3E11-4117-9C7F-457B6183AE02} C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87313B54-3E11-4117-9C7F-457B6183AE02}\stubpath = "C:\\Windows\\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe" C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F53C3930-F924-4c29-A7F9-46F9531A802D}\stubpath = "C:\\Windows\\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe" C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe N/A
File created C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe N/A
File created C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe N/A
File created C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe N/A
File created C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe N/A
File created C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
File created C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe N/A
File created C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe N/A
File created C:\Windows\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exe C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe N/A
File created C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe N/A
File created C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe N/A
File created C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe
PID 4048 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe
PID 4048 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe
PID 4048 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 3620 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe
PID 4544 wrote to memory of 3620 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe
PID 4544 wrote to memory of 3620 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe
PID 4544 wrote to memory of 4032 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4032 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4032 N/A C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4912 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe
PID 3620 wrote to memory of 4912 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe
PID 3620 wrote to memory of 4912 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe
PID 3620 wrote to memory of 4052 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4052 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4052 N/A C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4472 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe
PID 4912 wrote to memory of 4472 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe
PID 4912 wrote to memory of 4472 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe
PID 4912 wrote to memory of 4036 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4036 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\SysWOW64\cmd.exe
PID 4912 wrote to memory of 4036 N/A C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3716 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe
PID 4472 wrote to memory of 3716 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe
PID 4472 wrote to memory of 3716 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe
PID 4472 wrote to memory of 4860 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 4860 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 4860 N/A C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 4056 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe
PID 3716 wrote to memory of 4056 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe
PID 3716 wrote to memory of 4056 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe
PID 3716 wrote to memory of 1924 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 1924 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 1924 N/A C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1480 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe
PID 4056 wrote to memory of 1480 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe
PID 4056 wrote to memory of 1480 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe
PID 4056 wrote to memory of 2356 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 2356 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 2356 N/A C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4520 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe
PID 1480 wrote to memory of 4520 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe
PID 1480 wrote to memory of 4520 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe
PID 1480 wrote to memory of 4872 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4872 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4872 N/A C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 5112 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe
PID 4520 wrote to memory of 5112 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe
PID 4520 wrote to memory of 5112 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe
PID 4520 wrote to memory of 3868 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3868 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3868 N/A C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4028 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe
PID 5112 wrote to memory of 4028 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe
PID 5112 wrote to memory of 4028 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe
PID 5112 wrote to memory of 4792 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4792 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4792 N/A C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 3148 N/A C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe
PID 4028 wrote to memory of 3148 N/A C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe
PID 4028 wrote to memory of 3148 N/A C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe
PID 4028 wrote to memory of 2148 N/A C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"

C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe

C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{33FF7~1.EXE > nul

C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe

C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A36AC~1.EXE > nul

C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe

C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe

C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe

C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F400F~1.EXE > nul

C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe

C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE98E~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE10~1.EXE > nul

C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe

C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AFEE~1.EXE > nul

C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe

C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{073C3~1.EXE > nul

C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe

C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe

C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe

C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87313~1.EXE > nul

C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe

C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7E5A9~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61D27~1.EXE > nul

C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe

C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F53C3~1.EXE > nul

C:\Windows\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exe

C:\Windows\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files
