Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v684pscgbn
Target 2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye
SHA256 5d9f1973f2ec098801c0e432c5452fc74da5cf7a5406e70d535c85f9b71e66a5
Tags
kinsing loader persistence
score
10/10


Analysis Overview

score
10/10

SHA256

5d9f1973f2ec098801c0e432c5452fc74da5cf7a5406e70d535c85f9b71e66a5

Threat Level: Known bad

The file 2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye was found to be: Known bad.

Malicious Activity Summary

kinsing loader persistence

Auto-generated rule

Kinsing

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:37

Signatures

Auto-generated rule


Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule


Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}\stubpath = "C:\\Windows\\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9} C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}\stubpath = "C:\\Windows\\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe" C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}\stubpath = "C:\\Windows\\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe" C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA} C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}\stubpath = "C:\\Windows\\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe" C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}\stubpath = "C:\\Windows\\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe" C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E70146-1B83-4898-9822-863C03A3DD16}\stubpath = "C:\\Windows\\{51E70146-1B83-4898-9822-863C03A3DD16}.exe" C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F25698-5C55-4306-A01C-0351A7E8B4D1} C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}\stubpath = "C:\\Windows\\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe" C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}\stubpath = "C:\\Windows\\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe" C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133F6D0E-34CD-42f3-A145-3E0E68096AAA} C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774B8040-6332-4a12-9EE0-A7B90CB78FB8} C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE} C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A} C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E70146-1B83-4898-9822-863C03A3DD16} C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237B8235-A692-4210-8215-42138B313AD6}\stubpath = "C:\\Windows\\{237B8235-A692-4210-8215-42138B313AD6}.exe" C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56242C18-F26A-4019-9438-F64128E548A7} C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56242C18-F26A-4019-9438-F64128E548A7}\stubpath = "C:\\Windows\\{56242C18-F26A-4019-9438-F64128E548A7}.exe" C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E} C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C} C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}\stubpath = "C:\\Windows\\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe" C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237B8235-A692-4210-8215-42138B313AD6} C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}\stubpath = "C:\\Windows\\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe" C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe N/A
File created C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe N/A
File created C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe N/A
File created C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe N/A
File created C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe N/A
File created C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe N/A
File created C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe N/A
File created C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe N/A
File created C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe N/A
File created C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe N/A
File created C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe N/A
File created C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 2260 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 2260 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 2260 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 4860 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4860 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4860 N/A C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1424 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 1424 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 1424 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 3556 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3556 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3556 N/A C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 4500 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 4500 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 4500 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 3656 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3656 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3656 N/A C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 2780 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 2780 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 2780 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 3228 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 3228 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 3228 N/A C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 4440 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4440 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4440 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4612 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 4612 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 4612 N/A C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 4840 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 4840 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 4840 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 3632 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3632 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3632 N/A C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 1136 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 1136 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 1136 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 2424 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 2424 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 2424 N/A C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4400 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4400 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4400 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4876 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4876 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4876 N/A C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 552 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 552 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 552 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 3780 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 3780 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 3780 N/A C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 3408 N/A C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 3408 N/A C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 3408 N/A C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 2340 N/A C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"

C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe

C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe

C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB16~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51E70~1.EXE > nul

C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe

C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe

C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe

C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{549A3~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{237B8~1.EXE > nul

C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2CE~1.EXE > nul

C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe

C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe

C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe

C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F25~1.EXE > nul

C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe

C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{56242~1.EXE > nul

C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe

C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BAABA~1.EXE > nul

C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe

C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{133F6~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86AEA~1.EXE > nul

C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{774B8~1.EXE > nul

C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe

C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe

C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe

C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe

C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe

C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe

C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe

C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe

C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe

C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"

Signatures

Auto-generated rule


Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{091054B8-A24B-4dfa-9722-476D36DB45BD}\stubpath = "C:\\Windows\\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe" C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}\stubpath = "C:\\Windows\\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe" C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3} C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82DA2784-60BB-4bb0-A286-739E44BEBAFD} C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F0D33B6-5551-4c13-9635-5425D2A43105}\stubpath = "C:\\Windows\\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe" C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{091054B8-A24B-4dfa-9722-476D36DB45BD} C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}\stubpath = "C:\\Windows\\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe" C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}\stubpath = "C:\\Windows\\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe" C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944E64F9-B23A-41cb-9BFD-9400684FABD2}\stubpath = "C:\\Windows\\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe" C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}\stubpath = "C:\\Windows\\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe" C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D387698B-8EDF-4061-ADAA-87EAC3799323} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9305F353-6F59-4b0e-983B-B45D45E74475}\stubpath = "C:\\Windows\\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe" | C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{747283BC-7AEC-453f-A2B9-4892E17C643A} | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3} | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}\stubpath = "C:\\Windows\\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe" | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848} | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406} | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944E64F9-B23A-41cb-9BFD-9400684FABD2} | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{747283BC-7AEC-453f-A2B9-4892E17C643A}\stubpath = "C:\\Windows\\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe" | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F0D33B6-5551-4c13-9635-5425D2A43105} | C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D387698B-8EDF-4061-ADAA-87EAC3799323}\stubpath = "C:\\Windows\\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9305F353-6F59-4b0e-983B-B45D45E74475} | C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe | N/A
File created | C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe | C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe | N/A
File created | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | N/A
File created | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | N/A
File created | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | N/A
File created | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | N/A
File created | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | N/A
File created | C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe | C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe | N/A
File created | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | N/A
File created | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | N/A
File created | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
PID 2912 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
PID 2912 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
PID 2912 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe
PID 2912 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2704 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
PID 2668 wrote to memory of 2704 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
PID 2668 wrote to memory of 2704 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
PID 2668 wrote to memory of 2704 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3008 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
PID 2704 wrote to memory of 3008 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
PID 2704 wrote to memory of 3008 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
PID 2704 wrote to memory of 3008 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe
PID 2704 wrote to memory of 2324 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2324 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2324 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2324 | N/A | C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 960 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
PID 3008 wrote to memory of 960 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
PID 3008 wrote to memory of 960 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
PID 3008 wrote to memory of 960 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe
PID 3008 wrote to memory of 1932 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1932 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1932 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1932 | N/A | C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 900 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
PID 960 wrote to memory of 900 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
PID 960 wrote to memory of 900 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
PID 960 wrote to memory of 900 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe
PID 960 wrote to memory of 2876 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2876 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2876 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2876 | N/A | C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe | C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2780 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
PID 900 wrote to memory of 2780 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
PID 900 wrote to memory of 2780 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
PID 900 wrote to memory of 2780 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe
PID 900 wrote to memory of 2984 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2984 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2984 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2984 | N/A | C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 944 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
PID 2780 wrote to memory of 944 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
PID 2780 wrote to memory of 944 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
PID 2780 wrote to memory of 944 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe
PID 2780 wrote to memory of 1096 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1096 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1096 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1096 | N/A | C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1700 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
PID 944 wrote to memory of 1700 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
PID 944 wrote to memory of 1700 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
PID 944 wrote to memory of 1700 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe
PID 944 wrote to memory of 1680 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1680 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1680 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1680 | N/A | C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"

C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe

C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe

C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3876~1.EXE > nul

C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe

C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09105~1.EXE > nul

C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe

C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{596FB~1.EXE > nul

C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe

C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{963F5~1.EXE > nul

C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe

C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8063E~1.EXE > nul

C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe

C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FBFC1~1.EXE > nul

C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe

C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{944E6~1.EXE > nul

C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe

C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74728~1.EXE > nul

C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe

C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{82DA2~1.EXE > nul

C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe

C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F0D3~1.EXE > nul

Network

N/A

Files

C:\Windows\{D387698B-8EDF-4061-ADAA-87EAC3799323}.exe

MD5 f254fedc1944966f8e0e790b1c9013ef
SHA1 9b79492b72d84aa98b9012639d00862c65795cc3
SHA256 099c286e710a813606d688604e695c045c14b350a43274161fc3aad40f29ed0a
SHA512 4e256489c741d96f4fa62006c5b54cfdb772877110433ad0484cdf8b9759b437298a968b1cac61a5605e9afe3e85819c3b10166c302cc3746f25b70f91141788

C:\Windows\{091054B8-A24B-4dfa-9722-476D36DB45BD}.exe

MD5 9d074c679c3b93decff1a1b493e35eb4
SHA1 9c4cde8a037a14945a835b79d1da123de8335dff
SHA256 5280c97f40d2456b6abddd57fec898cdde4d31b11b692de6dd6dc42baecc39b3
SHA512 f9f4301c5aaddcba717f8f3d6aa502d6989ed20c9174e49d501a5dde7f4548a22cc4ceadbdcebb20845551d8efc84441d3c4e71c2da01b35ff24ad587a41be65

C:\Windows\{596FB18B-A57E-448a-BE1C-5C6CDC5471F3}.exe

MD5 41014937101cb8860dfabd3a519175e0
SHA1 3b64321ccca9d3c11f176d6a3f9fb35de607cb5f
SHA256 97123f0d6d006e942acf3494833922ea3c9a7b2cfa526006326e048233e881f8
SHA512 16266a4b912132ac71b1d8b3f4246223625e353d46cf3edbeb463e0a993769a76f851fafea4ce4cdf51eb863f64676a507cb8e4e6978175228b7b41d9cb1764a

C:\Windows\{963F5CF8-1C6D-4aa6-B9AB-3804B3C57848}.exe

MD5 f02190989bbd61de888b51d8b24ddf85
SHA1 2cf6534542af401c98219ccd51cf41ce97b313f6
SHA256 b12e73bfc4b379b9e3e9934d0a948f5245d74a2366ea9584e78ddf7bf11f2c7e
SHA512 8366716ff7c91c78c80f7a8433765be710e1d6d00c43f5dff005d0d8a9c6e96aee230a9b2acc878096d3f861c5460e28a2716116282f02088c2d500231a87503

C:\Windows\{8063E80F-AC3E-4e6f-ABCA-A49FCB3F9406}.exe

MD5 27f00389a06d1e3a2b415a03646c7bbf
SHA1 27de08411b2cd3f9c9c8309d6c7972f4756f8274
SHA256 bdaad67c179f9879de3b6d97a55573d398fb95fc29aa49fb670ce71d23084744
SHA512 c78c92137b1fc4722135aba562416c640e160b260d47e690213aa74352767e5c8373ac3f40a42ae8af7a1553638677d6bad1385e2d608394052d1785471d2a3e

C:\Windows\{FBFC1D14-EB2F-44ed-8E5E-63A9E42346C3}.exe

MD5 6eec6578deaf6c799a7e8b62661ccb54
SHA1 16cbb51cd4cf05ee3947905bcca6be0dd784890c
SHA256 8eb27d7ef7f5147706952bfb0df7452999857f498d0cc29e560a2fe38f1c99f2
SHA512 74987796ce4d434dab01b118ccb1fd304f9481bda77e76f4352c85d6c22ad9942b3c3833d6ef97cb1da901953e9cc768b908ae8f9c0282c3177f90a3039458e9

C:\Windows\{944E64F9-B23A-41cb-9BFD-9400684FABD2}.exe

MD5 c1437bc11acef734c2706be1d74bc227
SHA1 5b6fb3179f8ac1f79ba71578bb554a71ad729b00
SHA256 501415c2f2cd259c61e53d7df05f65f8de808ca2c75a9ef0c23797417734dd25
SHA512 8668559f8e2941713673ad5d16cf5ae657e1a145e2e282227c0728c7f239526da51cacbc5fbde05ca2567320a127e7b8314bc65ccda1ebd41e3e604fd7a453fc

C:\Windows\{747283BC-7AEC-453f-A2B9-4892E17C643A}.exe

MD5 e4ff5f29e0510b5212cd7f75ed02cfa7
SHA1 c8cdd392d9b882ac56bd335c70d9aadc93abd39d
SHA256 f044753b87b2d1b2ec9e21f9a5e7218b60f960e256c9eca18b268d384bf8ab20
SHA512 26d9bff71a935c4755c5f2c11167f15f17b107d76366397e1d34cf0bc92de691fda40aef474c91737b96fd62ae77c77686e2f85d74869a110f964e01a97acec1

C:\Windows\{82DA2784-60BB-4bb0-A286-739E44BEBAFD}.exe

MD5 977080317d066a4e13af20e9d738089f
SHA1 0a0eaed64514b7d744b2cc57947055cf15b336e5
SHA256 3391634d7aa442649b999d0ee1635e9e07fcbd8728be5a33df6dae789903a110
SHA512 53cd641b0299f015dffa745d3fde1171fe04d95632ff13a061afb499d48c977ac29af81d93f5e8bba9db0cd0c1e6c5389ed5c812eb861bdd799e3a4bb5b574ff

C:\Windows\{5F0D33B6-5551-4c13-9635-5425D2A43105}.exe

MD5 523584efc9444be30880c137cbbefc67
SHA1 ed3049c7e83b9074ff203dde438d7fcdf5639118
SHA256 a3cb515785121bfeeae533aed14ac60e301dbd18a65a999a0966e117242fd977
SHA512 1180df0dd3b70de67ea61d235658177c4444366b003d9e47d66ccddd1d3f158e9b5092a4b354a43d99531fb75ee0feb16f736bc424ec6f914cb39d15ec82ba10

C:\Windows\{9305F353-6F59-4b0e-983B-B45D45E74475}.exe

MD5 de37f7849f1d72e652187564c1ba0f3d
SHA1 0728a17beef4a9d43ff8f33ae84670728d94f4da
SHA256 f2327f255780cc9607baf6bfc69fd0208af6b6c7f5ff4b10c5216af471dffc3f
SHA512 ed463e8c981aa098810c11a3be461fc935062fac06c18c916e37acc408a2309e633867d6dc53f4a160601e2677d3f66cd550577652382afd8f026e7d6aa69c85