Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v4sc6scfdm
Target 2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye
SHA256 6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8
Tags persistence kinsing loader
Score 10/10

Analysis Overview

Score 10/10

SHA256 6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8

Threat Level: Known bad

The file 2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:32

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win7-20231215-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2}\stubpath = "C:\\Windows\\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2}\stubpath = "C:\\Windows\\{17D57832-8389-4759-8B99-C609C534F0D2}.exe" C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64}\stubpath = "C:\\Windows\\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe" C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866} C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397} C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252} C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F854BA-FF15-4632-9317-A804AA7D7866}\stubpath = "C:\\Windows\\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe" C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37} C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E54950-01EC-4912-BAD5-05437E604CE2} C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D57832-8389-4759-8B99-C609C534F0D2} C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9} C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06622EAC-1E52-406b-B4E5-208306A316A9}\stubpath = "C:\\Windows\\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe" C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42} C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}\stubpath = "C:\\Windows\\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe" C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667}\stubpath = "C:\\Windows\\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe" C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF808C1-877E-44fe-8EE4-163492890F64} C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}\stubpath = "C:\\Windows\\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe" C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}\stubpath = "C:\\Windows\\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe" C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5} C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}\stubpath = "C:\\Windows\\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe" C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}\stubpath = "C:\\Windows\\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe" C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9438F7-0228-47c5-80ED-CB1080927667} C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe N/A
File created C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe N/A
File created C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe N/A
File created C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe N/A
File created C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe N/A
File created C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe N/A
File created C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe N/A
File created C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe N/A
File created C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe N/A
File created C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe N/A
File created C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe
PID 2976 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2308 N/A C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe
PID 2972 wrote to memory of 2192 N/A C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2948 N/A C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe
PID 2308 wrote to memory of 2828 N/A C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2848 N/A C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe
PID 2948 wrote to memory of 2596 N/A C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe
PID 2848 wrote to memory of 3036 N/A C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1088 N/A C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe
PID 3032 wrote to memory of 2164 N/A C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 1064 N/A C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe
PID 1088 wrote to memory of 1960 N/A C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 304 N/A C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe
PID 1064 wrote to memory of 1180 N/A C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"

C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe

C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe

C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E54~1.EXE > nul

C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe

C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17D57~1.EXE > nul

C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe

C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF80~1.EXE > nul

C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe

C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06622~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0111~1.EXE > nul

C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe

C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72F85~1.EXE > nul

C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe

C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{397F0~1.EXE > nul

C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe

C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74F4C~1.EXE > nul

C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe

C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD9D~1.EXE > nul

C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B943~1.EXE > nul

Network

N/A

Files

C:\Windows\{B2E54950-01EC-4912-BAD5-05437E604CE2}.exe

C:\Windows\{17D57832-8389-4759-8B99-C609C534F0D2}.exe

C:\Windows\{3BF808C1-877E-44fe-8EE4-163492890F64}.exe

C:\Windows\{06622EAC-1E52-406b-B4E5-208306A316A9}.exe

C:\Windows\{B011163E-FCDF-492f-9DE2-5FA58ED78F42}.exe

C:\Windows\{72F854BA-FF15-4632-9317-A804AA7D7866}.exe

C:\Windows\{397F073A-B8D5-4d69-9D1F-EAFD242D5DF5}.exe

C:\Windows\{74F4CCF2-BF8A-483f-90B0-51AFB3A4C397}.exe

C:\Windows\{1AD9D436-370A-4ee0-B265-3A018D5E6C37}.exe

C:\Windows\{7B9438F7-0228-47c5-80ED-CB1080927667}.exe

C:\Windows\{A8BFC557-4072-4ca1-8D75-7ECF708A2252}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}\stubpath = "C:\\Windows\\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe" C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861} C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38}\stubpath = "C:\\Windows\\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe" C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38} C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B} C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3} C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB} C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54} C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}\stubpath = "C:\\Windows\\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe" C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}\stubpath = "C:\\Windows\\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe" C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC} C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB}\stubpath = "C:\\Windows\\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe" C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588}\stubpath = "C:\\Windows\\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe" C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8} C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC} C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}\stubpath = "C:\\Windows\\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe" C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047} C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC} C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}\stubpath = "C:\\Windows\\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe" C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3}\stubpath = "C:\\Windows\\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe" C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588} C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54}\stubpath = "C:\\Windows\\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe" C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861}\stubpath = "C:\\Windows\\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe" C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}\stubpath = "C:\\Windows\\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe N/A
File created C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe N/A
File created C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe N/A
File created C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe N/A
File created C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe N/A
File created C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe N/A
File created C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe N/A
File created C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe N/A
File created C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
File created C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe N/A
File created C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe N/A
File created C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
PID 1636 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
PID 1636 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
PID 1636 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1692 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
PID 772 wrote to memory of 1692 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
PID 772 wrote to memory of 1692 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
PID 772 wrote to memory of 3560 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 3560 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 3560 N/A C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2752 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
PID 1692 wrote to memory of 2752 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
PID 1692 wrote to memory of 2752 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
PID 1692 wrote to memory of 4992 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4992 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4992 N/A C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3480 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
PID 2752 wrote to memory of 3480 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
PID 2752 wrote to memory of 3480 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
PID 2752 wrote to memory of 3484 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3484 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 3484 N/A C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 5088 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
PID 3480 wrote to memory of 5088 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
PID 3480 wrote to memory of 5088 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
PID 3480 wrote to memory of 4012 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4012 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4012 N/A C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4636 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
PID 5088 wrote to memory of 4636 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
PID 5088 wrote to memory of 4636 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
PID 5088 wrote to memory of 464 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 464 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 464 N/A C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 4036 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
PID 4636 wrote to memory of 4036 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
PID 4636 wrote to memory of 4036 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
PID 4636 wrote to memory of 4240 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 4240 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 4240 N/A C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 3456 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
PID 4036 wrote to memory of 3456 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
PID 4036 wrote to memory of 3456 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
PID 4036 wrote to memory of 4580 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4580 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4580 N/A C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4684 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
PID 3456 wrote to memory of 4684 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
PID 3456 wrote to memory of 4684 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
PID 3456 wrote to memory of 4464 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4464 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4464 N/A C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3508 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
PID 4684 wrote to memory of 3508 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
PID 4684 wrote to memory of 3508 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
PID 4684 wrote to memory of 3788 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3788 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3788 N/A C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 3956 N/A C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
PID 3508 wrote to memory of 3956 N/A C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
PID 3508 wrote to memory of 3956 N/A C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
PID 3508 wrote to memory of 2380 N/A C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"

C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe

C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe

C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11A9A~1.EXE > nul

C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe

C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B47~1.EXE > nul

C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E25E~1.EXE > nul

C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe

C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{502EC~1.EXE > nul

C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe

C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C774A~1.EXE > nul

C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe

C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{24830~1.EXE > nul

C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe

C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7F519~1.EXE > nul

C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe

C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67237~1.EXE > nul

C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe

C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85270~1.EXE > nul

C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{221E3~1.EXE > nul

C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe

C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55DAD~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe

C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe

C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe

C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe

C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe

C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe

C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe

C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe

C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe

C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe
