Malware Analysis Report

2024-10-23 21:11

Sample ID 240125-v32v8abga7
Target 2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye
SHA256 7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54
Tags
persistence kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54

Threat Level: Known bad

The file 2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:31

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:31

Reported

2024-01-25 17:34

Platform

win7-20231215-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC03C27-27CC-4916-B343-2F4AC224F458}\stubpath = "C:\\Windows\\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe" C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E27B70-1D31-4c42-BF59-0E162E2AD381} C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E08744-2D2E-4239-8953-DABFEF785620} C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E08744-2D2E-4239-8953-DABFEF785620}\stubpath = "C:\\Windows\\{19E08744-2D2E-4239-8953-DABFEF785620}.exe" C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}\stubpath = "C:\\Windows\\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe" C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC03C27-27CC-4916-B343-2F4AC224F458} C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}\stubpath = "C:\\Windows\\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe" C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E} C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DB05D2-F26D-488f-A57B-3823E9D8D86A} C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}\stubpath = "C:\\Windows\\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe" C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3} C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD} C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695} C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD} C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E27B70-1D31-4c42-BF59-0E162E2AD381}\stubpath = "C:\\Windows\\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe" C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}\stubpath = "C:\\Windows\\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe" C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F} C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}\stubpath = "C:\\Windows\\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe" C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}\stubpath = "C:\\Windows\\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe" C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}\stubpath = "C:\\Windows\\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}\stubpath = "C:\\Windows\\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe" C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF} C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe N/A
File created C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe N/A
File created C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe N/A
File created C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe N/A
File created C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe N/A
File created C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe N/A
File created C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe N/A
File created C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe N/A
File created C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe N/A
File created C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe N/A
File created C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 2680 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2680 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe
PID 1032 wrote to memory of 2716 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 2716 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 2716 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 2716 N/A C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2676 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2676 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe
PID 2680 wrote to memory of 2616 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2616 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2616 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2616 N/A C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 324 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 324 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe
PID 2676 wrote to memory of 976 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 976 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 976 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 976 N/A C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2776 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2776 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe
PID 324 wrote to memory of 2852 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2852 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2852 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2852 N/A C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 864 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 864 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe
PID 2776 wrote to memory of 308 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 308 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 308 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 308 N/A C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1924 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1924 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe
PID 864 wrote to memory of 1364 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1364 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1364 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1364 N/A C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2604 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 2604 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe
PID 1924 wrote to memory of 1636 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1636 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1636 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1636 N/A C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"

C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe

C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe

C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4614~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16FC0~1.EXE > nul

C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe

C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe

C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe

C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE15~1.EXE > nul

C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe

C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC03~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0FBED~1.EXE > nul

C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe

C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{71E27~1.EXE > nul

C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe

C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe

C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe

C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23DB0~1.EXE > nul

C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe

C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{19E08~1.EXE > nul

C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C873~1.EXE > nul

C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE66~1.EXE > nul

Network

N/A

Files

C:\Windows\{B4614E0D-69AF-4aa6-BD27-2BE4B3458695}.exe

C:\Windows\{16FC00C2-2DF0-42d5-AC93-D8757E2CF4CF}.exe

C:\Windows\{3EE154F5-4B5F-4714-B070-BE394A1ECEFD}.exe

C:\Windows\{0AC03C27-27CC-4916-B343-2F4AC224F458}.exe

C:\Windows\{0FBEDC4E-65DD-4972-A3BB-0621AEEA411E}.exe

C:\Windows\{71E27B70-1D31-4c42-BF59-0E162E2AD381}.exe

C:\Windows\{23DB05D2-F26D-488f-A57B-3823E9D8D86A}.exe

C:\Windows\{19E08744-2D2E-4239-8953-DABFEF785620}.exe

C:\Windows\{5C873FFA-552F-4c86-9FF5-F596D7AFF3B3}.exe

C:\Windows\{DBE66E56-31B5-4f2d-BB1F-1033D04F3F5F}.exe

C:\Windows\{C43D41A5-38AF-4bca-ACEC-0C3E761E66AD}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:31

Reported

2024-01-25 17:34

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF81597-1C6F-41ad-8141-3D9A87E92214} C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7} C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}\stubpath = "C:\\Windows\\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe" C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BACB84-B96C-4d2f-A87D-691A29645D5A}\stubpath = "C:\\Windows\\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe" C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}\stubpath = "C:\\Windows\\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe" C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0519B459-C133-407a-8BF7-9631A0AE8D57} C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B528F6-8DFC-42cd-8435-1126B41066BA} C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF81597-1C6F-41ad-8141-3D9A87E92214}\stubpath = "C:\\Windows\\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe" C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345B2311-85CC-40fd-ACB3-D650820F0C6B} C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345B2311-85CC-40fd-ACB3-D650820F0C6B}\stubpath = "C:\\Windows\\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe" C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BACB84-B96C-4d2f-A87D-691A29645D5A} C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9} C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}\stubpath = "C:\\Windows\\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe" C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0519B459-C133-407a-8BF7-9631A0AE8D57}\stubpath = "C:\\Windows\\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe" C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236D06D-405B-4cce-A3AF-F71CA9745CC9} C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762} C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAA1936-54A4-4209-A3F4-6968C197C43F} C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B528F6-8DFC-42cd-8435-1126B41066BA}\stubpath = "C:\\Windows\\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe" C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}\stubpath = "C:\\Windows\\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe" C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}\stubpath = "C:\\Windows\\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAA1936-54A4-4209-A3F4-6968C197C43F}\stubpath = "C:\\Windows\\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe" C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E} C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe N/A
File created C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe N/A
File created C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe N/A
File created C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe N/A
File created C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe N/A
File created C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe N/A
File created C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
File created C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe N/A
File created C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe N/A
File created C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe N/A
File created C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4756 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 4756 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 4756 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 3980 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 3980 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 3980 N/A C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 1256 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 1256 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 1256 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 4876 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4876 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4876 N/A C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4476 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4476 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4476 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4100 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4100 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4100 N/A C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1704 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 1704 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 1704 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 4524 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4524 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4524 N/A C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1284 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 1284 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 1284 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 3120 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 3120 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 3120 N/A C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 1832 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 1832 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 1832 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 5060 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 5060 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 5060 N/A C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 4920 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 4920 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 4920 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 408 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 408 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 408 N/A C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4848 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4848 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4848 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4208 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4208 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4208 N/A C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2352 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 2352 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 2352 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 4936 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4936 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4936 N/A C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2448 N/A C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2448 N/A C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2448 N/A C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2964 N/A C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"

C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe

C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe

C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E635E~1.EXE > nul

C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe

C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0FF81~1.EXE > nul

C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe

C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8368~1.EXE > nul

C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe

C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFAA1~1.EXE > nul

C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{345B2~1.EXE > nul

C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe

C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56BAC~1.EXE > nul

C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe

C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7171C~1.EXE > nul

C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe

C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{304AF~1.EXE > nul

C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0519B~1.EXE > nul

C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe

C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B3B52~1.EXE > nul

Network

Files

C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe

C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe

C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe

C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe

C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe

C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe

C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe

C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe

C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
