Malware Analysis Report

2024-10-23 21:15

Sample ID 240125-v6gdpabgf5
Target 2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye
SHA256 f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7
Tags
persistence kinsing loader
score
10/10


Analysis Overview

score
10/10

SHA256

f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7

Threat Level: Known bad

The file 2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:35

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:35

Reported

2024-01-25 17:38

Platform

win7-20231215-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B}\stubpath = "C:\\Windows\\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe" C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01} C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{329E35C2-01CD-4c34-BCF6-367B25508E01}\stubpath = "C:\\Windows\\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe" C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}\stubpath = "C:\\Windows\\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe" C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52} C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6} C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32} C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25} C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}\stubpath = "C:\\Windows\\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE}\stubpath = "C:\\Windows\\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe" C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671} C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}\stubpath = "C:\\Windows\\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe" C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{761F89AD-F076-440a-B48D-9FFD83B8661B} C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B} C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3} C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}\stubpath = "C:\\Windows\\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe" C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092} C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{119F057D-7EC6-429b-AA20-C793EBD77DA3}\stubpath = "C:\\Windows\\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe" C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FA2D8A0-7757-4493-9304-2D1A87818A32}\stubpath = "C:\\Windows\\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe" C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B19197-4ECE-4690-A06C-5A500C71B39B}\stubpath = "C:\\Windows\\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe" C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}\stubpath = "C:\\Windows\\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe" C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9C0E269-6C8E-41e3-864A-8171638F24AE} C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe N/A
File created C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe N/A
File created C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe N/A
File created C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe N/A
File created C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe N/A
File created C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe N/A
File created C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe N/A
File created C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe N/A
File created C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe N/A
File created C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe N/A
File created C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe
PID 1932 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2072 N/A C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe
PID 2712 wrote to memory of 2732 N/A C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe
PID 2072 wrote to memory of 2008 N/A C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 336 N/A C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe
PID 3056 wrote to memory of 1000 N/A C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 2828 N/A C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe
PID 336 wrote to memory of 2904 N/A C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 940 N/A C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe
PID 2828 wrote to memory of 932 N/A C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 2236 N/A C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe
PID 940 wrote to memory of 1976 N/A C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2608 N/A C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe
PID 2236 wrote to memory of 1672 N/A C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"

C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe

C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe

C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2203~1.EXE > nul

C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe

C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D5~1.EXE > nul

C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe

C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74FD7~1.EXE > nul

C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe

C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C0E~1.EXE > nul

C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe

C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB5F~1.EXE > nul

C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe

C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA2D~1.EXE > nul

C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe

C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD6F~1.EXE > nul

C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe

C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{761F8~1.EXE > nul

C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{329E3~1.EXE > nul

C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B19~1.EXE > nul

Network

N/A

Files

C:\Windows\{C2203C90-D340-49ad-91EB-A6A4A2A8AD25}.exe

C:\Windows\{0B6D5E61-DB9B-4f42-A780-604AFD8DB2D6}.exe

C:\Windows\{74FD77C3-943F-4e5e-8994-8F6CEA06D092}.exe

C:\Windows\{C9C0E269-6C8E-41e3-864A-8171638F24AE}.exe

C:\Windows\{4BB5FAA7-C17E-4c46-A6A5-F967458F3671}.exe

C:\Windows\{9FA2D8A0-7757-4493-9304-2D1A87818A32}.exe

C:\Windows\{1CD6FD2C-6A03-4c52-AD6D-F6CD9E396A52}.exe

C:\Windows\{761F89AD-F076-440a-B48D-9FFD83B8661B}.exe

C:\Windows\{329E35C2-01CD-4c34-BCF6-367B25508E01}.exe

C:\Windows\{C2B19197-4ECE-4690-A06C-5A500C71B39B}.exe

C:\Windows\{119F057D-7EC6-429b-AA20-C793EBD77DA3}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:35

Reported

2024-01-25 17:38

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402}\stubpath = "C:\\Windows\\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7} C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F} C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}\stubpath = "C:\\Windows\\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe" C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861} C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402} C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}\stubpath = "C:\\Windows\\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe" C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}\stubpath = "C:\\Windows\\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe" C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1} C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A} C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861}\stubpath = "C:\\Windows\\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe" C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02} C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}\stubpath = "C:\\Windows\\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe" C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A}\stubpath = "C:\\Windows\\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe" C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874} C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E}\stubpath = "C:\\Windows\\{F4455941-3769-4acc-8800-12209B85342E}.exe" C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC} C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2} C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}\stubpath = "C:\\Windows\\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe" C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1}\stubpath = "C:\\Windows\\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe" C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E} C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}\stubpath = "C:\\Windows\\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe" C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}\stubpath = "C:\\Windows\\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe" C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E} C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe N/A
File created C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe N/A
File created C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe N/A
File created C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe N/A
File created C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
File created C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe N/A
File created C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe N/A
File created C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe N/A
File created C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe N/A
File created C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe N/A
File created C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe N/A
File created C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
PID 4644 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
PID 4644 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
PID 4644 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3616 wrote to memory of 4476 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
PID 3616 wrote to memory of 4476 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
PID 3616 wrote to memory of 4476 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
PID 3616 wrote to memory of 3672 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\SysWOW64\cmd.exe
PID 3616 wrote to memory of 3672 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\SysWOW64\cmd.exe
PID 3616 wrote to memory of 3672 N/A C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 3196 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
PID 4476 wrote to memory of 3196 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
PID 4476 wrote to memory of 3196 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
PID 4476 wrote to memory of 1040 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1040 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1040 N/A C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2692 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
PID 3196 wrote to memory of 2692 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
PID 3196 wrote to memory of 2692 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
PID 3196 wrote to memory of 2376 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2376 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2376 N/A C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1572 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
PID 2692 wrote to memory of 1572 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
PID 2692 wrote to memory of 1572 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
PID 2692 wrote to memory of 2920 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2920 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2920 N/A C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 2160 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
PID 1572 wrote to memory of 2160 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
PID 1572 wrote to memory of 2160 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
PID 1572 wrote to memory of 4912 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 4912 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 4912 N/A C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2984 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
PID 2160 wrote to memory of 2984 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
PID 2160 wrote to memory of 2984 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
PID 2160 wrote to memory of 4248 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 4248 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 4248 N/A C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 3480 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
PID 2984 wrote to memory of 3480 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
PID 2984 wrote to memory of 3480 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
PID 2984 wrote to memory of 2580 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2580 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2580 N/A C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 3536 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
PID 3480 wrote to memory of 3536 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
PID 3480 wrote to memory of 3536 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
PID 3480 wrote to memory of 4736 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4736 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4736 N/A C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4100 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
PID 3536 wrote to memory of 4100 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
PID 3536 wrote to memory of 4100 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
PID 3536 wrote to memory of 5004 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 5004 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 5004 N/A C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 1224 N/A C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
PID 4100 wrote to memory of 1224 N/A C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
PID 4100 wrote to memory of 1224 N/A C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
PID 4100 wrote to memory of 4892 N/A C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"

C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe

C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF5C~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{802E5~1.EXE > nul

C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe

C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe

C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe

C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5C1~1.EXE > nul

C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe

C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FAC~1.EXE > nul

C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe

C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{74E51~1.EXE > nul

C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe

C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16687~1.EXE > nul

C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe

C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{919E2~1.EXE > nul

C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe

C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF6B~1.EXE > nul

C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe

C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4C0~1.EXE > nul

C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F4455~1.EXE > nul

C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe

C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FB097~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe

C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe

C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe

C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe

C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe

C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe

C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe

C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe

C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe

C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
