Malware Analysis Report

2024-10-23 21:11

Sample ID 240125-v3v3nsbga4
Target 2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye
SHA256 18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383
Tags
persistence kinsing loader
score
10/10

Analysis Overview

score
10/10

SHA256

18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383

Threat Level: Known bad

The file 2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:31

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:31

Reported

2024-01-25 17:33

Platform

win7-20231215-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}\stubpath = "C:\\Windows\\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe" C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0ACC2C1-31AA-4c54-88CC-C42553879749} C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}\stubpath = "C:\\Windows\\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97389B98-1E05-420a-BF67-A8ECAB2F7336} C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97389B98-1E05-420a-BF67-A8ECAB2F7336}\stubpath = "C:\\Windows\\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe" C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}\stubpath = "C:\\Windows\\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe" C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EB5825-F13E-41e2-9ADF-3F33FE778B96} C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87E41688-2972-4dcc-9573-2ADC1EE6E69C} C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}\stubpath = "C:\\Windows\\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe" C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA2A2CD-B78E-49f0-B53B-250445045F5D} C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0ACC2C1-31AA-4c54-88CC-C42553879749}\stubpath = "C:\\Windows\\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe" C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51AFC40-4C64-4783-8F5E-5E96E6C80767} C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7} C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}\stubpath = "C:\\Windows\\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe" C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}\stubpath = "C:\\Windows\\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe" C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}\stubpath = "C:\\Windows\\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe" C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE163DC-7AD2-4248-AD30-A2FD4243E266} C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F} C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B67DBE8-DEFC-407f-B4DA-533859977F7A} C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}\stubpath = "C:\\Windows\\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe" C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FB5F6-1B1A-42bb-BB69-183B660D0222} C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FB5F6-1B1A-42bb-BB69-183B660D0222}\stubpath = "C:\\Windows\\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe" C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe N/A
File created C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe N/A
File created C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe N/A
File created C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe N/A
File created C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe N/A
File created C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe N/A
File created C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe N/A
File created C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
File created C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe N/A
File created C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe N/A
File created C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe
PID 2404 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2780 N/A C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1664 N/A C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe
PID 2780 wrote to memory of 2572 N/A C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 1532 N/A C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe
PID 1664 wrote to memory of 2104 N/A C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2820 N/A C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe
PID 1532 wrote to memory of 2840 N/A C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2108 N/A C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe
PID 2820 wrote to memory of 1468 N/A C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1980 N/A C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe
PID 2108 wrote to memory of 2180 N/A C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2044 N/A C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe
PID 1980 wrote to memory of 2012 N/A C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"

C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe

C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe

C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADCA~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87E41~1.EXE > nul

C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe

C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97389~1.EXE > nul

C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe

C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe

C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe

C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B67D~1.EXE > nul

C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe

C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{914FB~1.EXE > nul

C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe

C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{768D1~1.EXE > nul

C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe

C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94EB5~1.EXE > nul

C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe

C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA2A~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0ACC~1.EXE > nul

C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe

C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe

C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe

C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFE16~1.EXE > nul

Network

N/A

Files

C:\Windows\{4ADCA0F9-7E36-4875-9EFE-2F453C12FE4F}.exe


C:\Windows\{87E41688-2972-4dcc-9573-2ADC1EE6E69C}.exe


C:\Windows\{97389B98-1E05-420a-BF67-A8ECAB2F7336}.exe


C:\Windows\{3B67DBE8-DEFC-407f-B4DA-533859977F7A}.exe


C:\Windows\{914FB5F6-1B1A-42bb-BB69-183B660D0222}.exe


C:\Windows\{768D1E8A-DD90-49c8-85D9-D863E2D1FDB7}.exe


C:\Windows\{94EB5825-F13E-41e2-9ADF-3F33FE778B96}.exe


C:\Windows\{AFA2A2CD-B78E-49f0-B53B-250445045F5D}.exe


C:\Windows\{B0ACC2C1-31AA-4c54-88CC-C42553879749}.exe


C:\Windows\{DFE163DC-7AD2-4248-AD30-A2FD4243E266}.exe


C:\Windows\{F51AFC40-4C64-4783-8F5E-5E96E6C80767}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:31

Reported

2024-01-25 17:34

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC964B1-BCAA-4158-A604-6E556C646EDC} C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC31105-4917-4f29-BF39-BE93D8666FAD} C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239} C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41759B85-D583-4309-808F-D598DA2A93EC} C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41759B85-D583-4309-808F-D598DA2A93EC}\stubpath = "C:\\Windows\\{41759B85-D583-4309-808F-D598DA2A93EC}.exe" C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18F2EAC-792D-4b36-A108-BAA69867C0F1} C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC964B1-BCAA-4158-A604-6E556C646EDC}\stubpath = "C:\\Windows\\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD} C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362A468D-AD47-4af2-A09A-79C360CD61C7} C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}\stubpath = "C:\\Windows\\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe" C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FECBB-063B-45a5-AB2D-22AD75E80B91} C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FECBB-063B-45a5-AB2D-22AD75E80B91}\stubpath = "C:\\Windows\\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe" C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC31105-4917-4f29-BF39-BE93D8666FAD}\stubpath = "C:\\Windows\\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe" C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}\stubpath = "C:\\Windows\\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe" C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A} C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}\stubpath = "C:\\Windows\\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe" C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD9C2F7-8718-48f3-BA09-A446A9D66601} C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}\stubpath = "C:\\Windows\\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe" C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362A468D-AD47-4af2-A09A-79C360CD61C7}\stubpath = "C:\\Windows\\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe" C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}\stubpath = "C:\\Windows\\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe" C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}\stubpath = "C:\\Windows\\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe" C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF} C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E1EE97-CC13-4fa6-8264-79491A81533A} C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E1EE97-CC13-4fa6-8264-79491A81533A}\stubpath = "C:\\Windows\\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe" C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe N/A
File created C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe N/A
File created C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe N/A
File created C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe N/A
File created C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe N/A
File created C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe N/A
File created C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
File created C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe N/A
File created C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe N/A
File created C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe N/A
File created C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe N/A
File created C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 2132 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 2132 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 2132 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 880 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 880 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 880 N/A C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 3732 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 3732 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 3732 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 4988 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4988 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 4988 N/A C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 4848 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 4848 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 4848 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 1840 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 1840 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 1840 N/A C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4488 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 4488 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 4488 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 1580 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1580 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1580 N/A C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 2944 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 2944 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 2944 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 4996 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4996 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4996 N/A C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 2208 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 840 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 840 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 840 N/A C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 788 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 788 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 788 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 3120 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 3120 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 3120 N/A C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 3628 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 3628 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 3628 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 2548 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 2548 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 2548 N/A C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4560 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 4560 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 4560 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 5036 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 5036 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 5036 N/A C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4336 N/A C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 4336 N/A C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 4336 N/A C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 684 N/A C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Each entry below pairs a process image with the command line it was started with, in the order the sandbox listed them. The cmd.exe instances are launched as C:\Windows\system32\cmd.exe but execute from C:\Windows\SysWOW64 because their 32-bit parent is subject to WOW64 file system redirection; the registry writes above land under WOW6432Node for the same reason.

Process: C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"

Process: C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
Command line: C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Process: C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
Command line: C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC96~1.EXE > nul

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{31D59~1.EXE > nul

Process: C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
Command line: C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe

Process: C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
Command line: C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD9C~1.EXE > nul

Process: C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
Command line: C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{362A4~1.EXE > nul

Process: C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
Command line: C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E93E2~1.EXE > nul

Process: C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
Command line: C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{155FE~1.EXE > nul

Process: C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
Command line: C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC31~1.EXE > nul

Process: C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
Command line: C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD2F~1.EXE > nul

Process: C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
Command line: C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1E~1.EXE > nul

Process: C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
Command line: C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{41759~1.EXE > nul

Process: C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
Command line: C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C91C7~1.EXE > nul
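The drop table, the Active Setup rows and the cmd.exe /c del command lines above describe a single linear, self-deleting stage chain: each stage writes the next stage to C:\Windows\{GUID}.exe, registers an Installed Components key named after that GUID with a stubpath pointing at the new file, starts it, and then deletes its own image through cmd.exe using the 8.3 short name. The Python below is an added example for reconstructing that chain from the report rows; it is not part of the sandbox report or of the sample. The twelve File created rows are embedded as constructed input transcribed from the table above. Two assumptions are built in: the chain is strictly linear (the code raises on a fan-out or cycle), and short_name applies a simplified 8.3 rule (first six characters of the stem plus ~1) that matches every name in this report but does not reproduce NTFS behaviour for spaces, special characters or name collisions.

```python
"""Reconstruct a GUID-named, self-deleting dropper chain from sandbox rows.

Input is the report's "Drops file in Windows directory" table (file created,
creating process). Output: the chronological stage order, the Active Setup
key each stage registers for the next, and the 8.3 short-name "del" command
each stage runs against its own image.
"""
import re
from typing import Dict, List, Tuple


def win(guid: str) -> str:
    """Path of a dropped stage: every stage lands in C:\\Windows\\{GUID}.exe."""
    return "C:\\Windows\\{" + guid + "}.exe"


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe")

# Constructed input: the twelve rows of the report's "File created" table,
# in the order printed there (not chronological), as (created, creator).
FILE_CREATED: List[Tuple[str, str]] = [
    (win("362A468D-AD47-4af2-A09A-79C360CD61C7"), win("ADD9C2F7-8718-48f3-BA09-A446A9D66601")),
    (win("E93E265A-C146-4d8b-9AE6-4DE383AF73FF"), win("362A468D-AD47-4af2-A09A-79C360CD61C7")),
    (win("155FECBB-063B-45a5-AB2D-22AD75E80B91"), win("E93E265A-C146-4d8b-9AE6-4DE383AF73FF")),
    (win("7EC31105-4917-4f29-BF39-BE93D8666FAD"), win("155FECBB-063B-45a5-AB2D-22AD75E80B91")),
    (win("18E1EE97-CC13-4fa6-8264-79491A81533A"), win("1AD2FAB6-4CD5-4867-8118-8F1F6B013239")),
    (win("41759B85-D583-4309-808F-D598DA2A93EC"), win("18E1EE97-CC13-4fa6-8264-79491A81533A")),
    (win("8CC964B1-BCAA-4158-A604-6E556C646EDC"), SAMPLE),
    (win("31D593F8-3003-4a1a-A6B5-140B34CBCCCD"), win("8CC964B1-BCAA-4158-A604-6E556C646EDC")),
    (win("C91C7D97-EB08-42c7-AA79-4AB281EBF77A"), win("41759B85-D583-4309-808F-D598DA2A93EC")),
    (win("D18F2EAC-792D-4b36-A108-BAA69867C0F1"), win("C91C7D97-EB08-42c7-AA79-4AB281EBF77A")),
    (win("ADD9C2F7-8718-48f3-BA09-A446A9D66601"), win("31D593F8-3003-4a1a-A6B5-140B34CBCCCD")),
    (win("1AD2FAB6-4CD5-4867-8118-8F1F6B013239"), win("7EC31105-4917-4f29-BF39-BE93D8666FAD")),
]

ACTIVE_SETUP = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
                r"\Active Setup\Installed Components")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def build_chain(rows: List[Tuple[str, str]]) -> List[str]:
    """Order (created, creator) rows into one parent -> child chain.

    The root is the one creator that no row lists as created. A fan-out
    (one creator dropping two files) or a cycle raises ValueError; this
    sample is strictly linear, so that is the only shape handled here.
    """
    child_of: Dict[str, str] = {}
    for created, creator in rows:
        if creator in child_of:
            raise ValueError(f"{creator} drops more than one file")
        child_of[creator] = created
    created_set = {created for created, _ in rows}
    roots = [p for p in child_of if p not in created_set]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in child_of:
        nxt = child_of[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in drop rows")
        chain.append(nxt)
    return chain


def short_name(path: str) -> str:
    """Approximate the 8.3 name Windows generates for a long file name.

    Assumption (simplified rule): first six characters of the stem,
    uppercased, then "~1", then up to three extension characters. NTFS also
    strips spaces and some punctuation and bumps ~N on collision; neither
    applies to the names in this report.
    """
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    if not stem:                       # no extension at all
        stem, ext = name, ""
    short = stem[:6].upper() + "~1"
    if ext:
        short += "." + ext[:3].upper()
    return f"{directory}\\{short}" if directory else short


def deletion_commands(chain: List[str]) -> List[str]:
    """The self-delete each stage spawns, as the report shows it:
    cmd.exe /c del <8.3 short name of its own image> > nul."""
    return [f"C:\\Windows\\system32\\cmd.exe /c del {short_name(p)} > nul"
            for p in chain]


def active_setup_entries(chain: List[str]) -> List[Dict[str, str]]:
    """For every dropped stage: the Installed Components key its parent
    writes (named after the child's GUID) and the StubPath stored there."""
    entries = []
    for parent, child in zip(chain, chain[1:]):
        m = GUID_RE.search(child)
        if m is None:
            raise ValueError(f"dropped file is not GUID-named: {child}")
        entries.append({"key": f"{ACTIVE_SETUP}\\{m.group(0)}",
                        "stubpath": child, "written_by": parent})
    return entries


if __name__ == "__main__":
    stages = build_chain(FILE_CREATED)
    for i, (path, cmd) in enumerate(zip(stages, deletion_commands(stages))):
        print(f"stage {i:2d}: {path}\n          self-delete: {cmd}")
    for e in active_setup_entries(stages):
        print(f"{e['key']}\\stubpath = {e['stubpath']}  (written by {e['written_by']})")
```

Run stand-alone it prints the thirteen stages in execution order (the submitted sample followed by the twelve dropped files, ending in {D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe) together with the Installed Components key and del command each one produces; the Files section below lists hashes for exactly those twelve dropped stages, so the reconstructed order can be cross-checked against it.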

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 145.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Note: the report does not attribute any of these flows to a process. The PTR queries decode to addresses such as 96.17.178.180 and 20.190.159.0, which appear to sit in CDN and Microsoft address space that a Windows VM queries on its own, so they are not usable as indicators for this sample without process-level correlation; the same caution applies to the single TCP connection to 138.91.171.81:80.

Files

C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe

MD5 b3b712819d2355a41e5d245e1a60253e
SHA1 b31f318dd7f8139173b3366acde3b9c776ba2195
SHA256 c193597542339e00e71ae62024a5b424ffdfa6847d7b0b3b01f897d4e25841b9
SHA512 12b7cde73131459f60d24533215d7383d4a8d0a767fa70862419ec915b25f498d97cb27144f10c1200a9aa4d05ef4f58d40812c972f62bcbb6685ae96980c848

C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe

MD5 23da486df77f8e313ed52707e9e61eab
SHA1 8dd1aa08ecd7a3d92676b314dd21573d71e0298a
SHA256 b9be9a8c4b1a724b4b5e29edb3eb24df9c6dd8df7a0d3b5f88c716c319e9cba4
SHA512 bebd36652622b69855cb6eb6148c1c0aea6d7594dbd1b2c1f90acde47dca38c593a81c3e588c3e9ff814b233e236121aea27e0036ef269ddc6c7467efbaad54b

C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe

MD5 fcb4c8a8bc96f8d16451c4703d628d38
SHA1 901b7ac6101f9819f3b0899bb9d7170136f6cc06
SHA256 8c608c72afa76bdc31225e8a0c886fe49dd6d87686b80eb31b31b5aa9572ad52
SHA512 bf7a6c9aef61eddcdd6b4012bdc5cee64a1bba1fcf278fd69696d3ba82658dcbda4a9b5a5c346ad01255b1ae96a0a85477d547abd6902fd40b151ab781c4e96b

C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe

MD5 2dad342ad75567ae7bf529da0e1d5719
SHA1 ea380b4203198e20494a6e54c634cba782971ef4
SHA256 ed7166d2434c1d85f343c18cb1352427477eff62c46c61ac494421be6c800afe
SHA512 7c451a5e36f18596cc9edc0ce4bc542319bdc594d2af928193b38cfb39291e0c56e668cc75bff24739d7d8e3e014dd6b559f8cad8ab3ed7dfcf51937a321a8af

C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe

MD5 a4a2798f3b51ae59879231316f5232f3
SHA1 ed6c3a6d2c877407a841c6a592b68f0c6b6c51b5
SHA256 4e80242d1417b52ae239ec8da2170c4bf72d6d5906e49571d4c39e0088478d03
SHA512 d698d5918879dd230a5a28bcaa2758e66445fcf6eedc6cc4c3147abf448a1113ccbfaee0f1f5d298448ea889e07d19bf0242dfbd871b481d59805ad5763f21db

C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe

MD5 4c41233f1ca06ef01f77ab600d45effd
SHA1 67c03936caba21d771b3cda99d0a7b5a01563209
SHA256 608ce408f794e100c5890a4a7a7513966f2ab97021c65a327b29e08b1bc25caf
SHA512 f7e4b457dfecfad3e6a126d625c0c908ec73e2bff611b3dbfc97b4bd59f958cda482167685c8a31cb4efc61ec355e31fb0fbd1a67f6dff91f4430c9fdb172fcb

C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe

MD5 b6d276ef85383d8f27f19b8dfed623f5
SHA1 481cdd55fd63c9929cf073a6d94a7966b7f56760
SHA256 0297743b0098af96705b5241997906684895ae9faba91f2392a68245a67a5976
SHA512 af00fb1438eb17c5e9c80c608b14d1b0d54da44ac35d6d7e5b581582ee9ae35ca20e028581bd5b04ccb4c865b3e1477184e441359ffcb7b26a51674e2027245a

C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe

MD5 1dad67fb726306e6e0d5bd0c03c26d82
SHA1 6255c7911f0e30329456a6250ace901ecb848bb4
SHA256 164ed231ba7946300630fca66f708a3c7c3daebaf54815eb106da362bb7c44dc
SHA512 36f79b73f96b15c85d524acd06d8c824bb1ccdec0181dcda7c5dc015bcc0c489d3244308c1e473c3f4b74333c96019b3ddc393b2bf1e04737d95f5584b5abf4f

C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe

MD5 6300a421b2e23cb72dc96b588b0f235d
SHA1 90d114f033929b6a0655fdf81124befb1651ad3e
SHA256 c187bda316b670fdb0b07fc0ac44d0220f77d6fad5b5e1641911e665680ccab6
SHA512 d0ca9968a16b7759c933ccee4d06d993dbcc03b131982917b23eeeea458bacc48267a65cccc5cc53edbaa64ae928108d5d48d93b7cf38f8473e499476e366386

C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe

MD5 ecfdca7af9112762e965f99ca03b999e
SHA1 de0fedba07e85444e38f1c94903512177c03aa44
SHA256 a1cff0bec52437d94b822c3939716ca435f3703c6c428e9cc574ed3332181c89
SHA512 ea02e28f626637a07caeeb7fd311010746fcb1bbc9e96b48ad639e3d1eccfb5f172d875365ba922f387e827771932ce8622b16a05bba65bcedf26db6a5303c11

C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe

MD5 be3c56b55017eed6d3a64ed4166b93ee
SHA1 002172e54febb03685d466c08112b4bebc6f4ce7
SHA256 4bfaec2bed8d24cd96d2f2ceedce07eba542bb6e53627ec98657f60a22ba4cb5
SHA512 5c09780e1dc6b9af559f7909c1ea034fe26e9d3ecaa576d012ad51be04a4d3be28d72f13cb2f39e12194f02b9869da2b2ce46ae0e4eec94bc22da7f08d348e1d

C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe

MD5 35961e7db13a4c47262e9cf409ce4c48
SHA1 d256f2305c42b71236ff9dbe968331851c9272d5
SHA256 8261dd8ce0099fc37aa413fdcbaee66f0a1513656ff08a377d184a96e95a8de5
SHA512 9dfc3e8d8640ad2ac29d4da6b275bdbd2eeac3a5b428cc9bea2b6c24b83da215fc09c24c96d0637403768e5d972a63929c18cbf461e62cde0acca4c667a3d1ea