Malware Analysis Report

2024-10-23 21:15

Sample ID 240125-v6ymzabgg6
Target 2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye
SHA256 a0dc464d4cce80c660597babf8923ad92308d4a14fafaa54cdc7670e09dd7955
Tags
persistence kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0dc464d4cce80c660597babf8923ad92308d4a14fafaa54cdc7670e09dd7955

Threat Level: Known bad

The file 2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:36

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win7-20231215-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"

Signatures

Auto-generated rule

Description | Indicator | Process | Target
12 hits; the rule reports no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence (MITRE ATT&CK T1547.014, Active Setup). Every stage creates a new Installed Components key and points its StubPath at the executable it drops and starts. Explorer runs a StubPath at logon for each user whose HKCU hive has no copy of that key, so these entries fire once per new user session. Because each stage deletes its own image after starting the next one (see Processes), every StubPath below except the last points at a file that no longer exists; the stale keys are still a usable host indicator.

Indicator paths are relative to \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components, which is where WOW64 redirects this 32-bit process's writes to HKLM\SOFTWARE.

Description | Indicator | Process | Target
Set value (str) | {4256BE8D-89BF-470c-BF07-975D1302F613}\stubpath = "C:\\Windows\\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe" | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | N/A
Set value (str) | {FC04DF75-B70F-4349-BB4D-8527F1446938}\stubpath = "C:\\Windows\\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe" | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | N/A
Key created | {D39524EA-A969-4896-BED0-AC9B3702A241} | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | N/A
Key created | {6039610C-50B8-4cc7-8CF4-6F42B8F780E1} | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe | N/A
Set value (str) | {70F64A43-3318-4bcf-AAEC-786F8240203B}\stubpath = "C:\\Windows\\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe" | C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe | N/A
Key created | {204046ED-4538-4740-B41C-0CEF24082813} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
Set value (str) | {204046ED-4538-4740-B41C-0CEF24082813}\stubpath = "C:\\Windows\\{204046ED-4538-4740-B41C-0CEF24082813}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
Key created | {6C3C2157-0D30-4fb0-B373-5170F15179BB} | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | N/A
Key created | {53CE17B9-5D5F-4791-A413-4010C7ECF99F} | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | N/A
Set value (str) | {D39524EA-A969-4896-BED0-AC9B3702A241}\stubpath = "C:\\Windows\\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe" | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | N/A
Set value (str) | {6039610C-50B8-4cc7-8CF4-6F42B8F780E1}\stubpath = "C:\\Windows\\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe" | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe | N/A
Set value (str) | {446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}\stubpath = "C:\\Windows\\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe" | C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe | N/A
Set value (str) | {33C06764-CF96-4c23-9BED-BA414C102AA9}\stubpath = "C:\\Windows\\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe" | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | N/A
Set value (str) | {6C3C2157-0D30-4fb0-B373-5170F15179BB}\stubpath = "C:\\Windows\\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe" | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | N/A
Key created | {F66CF1B8-C598-45ad-82C1-1C1AAC803E2F} | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | N/A
Set value (str) | {53CE17B9-5D5F-4791-A413-4010C7ECF99F}\stubpath = "C:\\Windows\\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe" | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | N/A
Key created | {70F64A43-3318-4bcf-AAEC-786F8240203B} | C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe | N/A
Key created | {4256BE8D-89BF-470c-BF07-975D1302F613} | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | N/A
Key created | {FC04DF75-B70F-4349-BB4D-8527F1446938} | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | N/A
Set value (str) | {F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}\stubpath = "C:\\Windows\\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe" | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | N/A
Key created | {33C06764-CF96-4c23-9BED-BA414C102AA9} | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | N/A
Key created | {446CF7C2-059F-4a6f-9E34-2A8B32B42CF1} | C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe | N/A
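The rows above are only the machine-side half of Active Setup; whether an entry actually fires for a given user depends on the per-user copy of the key and on whether the StubPath target still exists. The following is an added example, not part of the sandbox report or of the sample: a triage routine that scores Installed Components entries the way a responder would after seeing these writes. The registry collector is Windows-only and reads both HKLM views, since a native-view-only query would miss the Wow6432Node entries this 32-bit sample created; where Explorer keeps the per-user copy for 32-bit components is treated as an assumption, so both HKCU paths are tried. Everything else runs offline on constructed records: the GUID {00000000-0000-0000-0000-000000000001} and example.exe are placeholders for a benign component, and the two Wow6432Node records are the first and last stage of this run.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Optional

INSTALLED_COMPONENTS = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
# A GUID-named exe directly under the Windows directory, the shape every stage here uses.
GUID_EXE = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)


@dataclass
class ActiveSetupEntry:
    view: str                    # "native" or "Wow6432Node" view of HKLM
    guid: str
    stubpath: Optional[str]
    hklm_version: Optional[str]  # Active Setup versions look like "1,0,0,0"
    hkcu_version: Optional[str]  # None = no per-user key yet, so never run for this user
    is_installed: bool           # IsInstalled DWORD; absent counts as installed
    file_exists: bool            # does the StubPath executable still exist on disk


def version_tuple(v: Optional[str]) -> tuple:
    if not v:
        return ()
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[,.]", v))


def exe_of(stubpath: str) -> str:
    """First token of a StubPath command line; heuristic, an unquoted path with spaces is cut."""
    s = stubpath.strip()
    return s[1:s.find('"', 1)] if s.startswith('"') else s.split()[0]


def will_run_at_next_logon(e: ActiveSetupEntry) -> bool:
    """Explorer runs a StubPath for a user when the machine entry is installed and the
    user has no copy of the key (or an older Version than the machine copy)."""
    if not e.stubpath or not e.is_installed:
        return False
    if e.hkcu_version is None:
        return True
    return version_tuple(e.hklm_version) > version_tuple(e.hkcu_version)


def triage(entries) -> list:
    """Flag entries matching this sample's pattern. A missing target is still reported:
    each stage here deleted its own image after registering the key, leaving the key behind."""
    findings = []
    for e in entries:
        if not e.stubpath:
            continue
        reasons = []
        if GUID_EXE.match(exe_of(e.stubpath)):
            reasons.append("GUID-named executable directly under the Windows directory")
        if not e.file_exists:
            reasons.append("StubPath target missing on disk (stage removed its own image?)")
        if reasons:
            findings.append({"view": e.view, "guid": e.guid, "stubpath": e.stubpath,
                             "reasons": reasons, "pending": will_run_at_next_logon(e)})
    return findings


def collect_from_registry() -> list:
    """Windows only. Reads both HKLM views, because the 32-bit sample wrote under
    Wow6432Node and a native-view query would miss it. Assumption: the per-user copy
    of a 32-bit component may live under either HKCU path, so both are tried."""
    import winreg

    def value(key, name):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    hkcu_paths = (INSTALLED_COMPONENTS, INSTALLED_COMPONENTS.replace("SOFTWARE\\", "SOFTWARE\\Wow6432Node\\"))
    entries = []
    for view, flag in (("native", winreg.KEY_WOW64_64KEY), ("Wow6432Node", winreg.KEY_WOW64_32KEY)):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INSTALLED_COMPONENTS, 0, winreg.KEY_READ | flag) as root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                guid = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, guid) as k:
                    stub, ver, inst = value(k, "StubPath"), value(k, "Version"), value(k, "IsInstalled")
                hkcu_ver = None
                for sub in hkcu_paths:
                    try:
                        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub + "\\" + guid) as u:
                            hkcu_ver = value(u, "Version") or ""
                        break
                    except OSError:
                        continue
                exists = bool(stub) and os.path.exists(os.path.expandvars(exe_of(stub)))
                entries.append(ActiveSetupEntry(view, guid, stub, ver, hkcu_ver, inst != 0, exists))
    return entries


# Constructed records: a benign-looking placeholder component plus the first and last
# stage of the win7 run (the first deleted its own image, the last is still on disk).
SAMPLE_ENTRIES = [
    ActiveSetupEntry("native", "{00000000-0000-0000-0000-000000000001}",
                     r'"C:\Windows\System32\example.exe" /quiet', "1,0,0,0", "1,0,0,0", True, True),
    ActiveSetupEntry("Wow6432Node", "{204046ED-4538-4740-B41C-0CEF24082813}",
                     r"C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe", None, None, True, False),
    ActiveSetupEntry("Wow6432Node", "{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}",
                     r"C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe", None, None, True, True),
]

if __name__ == "__main__":
    entries = collect_from_registry() if sys.platform == "win32" else SAMPLE_ENTRIES
    for f in triage(entries):
        print(f"[{f['view']}] {f['guid']} pending={f['pending']}: {'; '.join(f['reasons'])}")
```

On the sample records only the two Wow6432Node entries are reported, both marked pending because no user has a copy of the key yet; the benign placeholder, whose HKCU Version matches the HKLM one, is silent. On a live host the pending flag is the useful part: a dangling StubPath is evidence of what already ran, while a pending one with an existing target is what will run at the next logon.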

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
File created | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | N/A
File created | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | N/A
File created | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | N/A
File created | C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe | N/A
File created | C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe | C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe | N/A
File created | C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe | C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe | N/A
File created | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | N/A
File created | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | N/A
File created | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | N/A
File created | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe | N/A

Suspicious use of WriteProcessMemory

Each row below stands for four identical writes in the source. In every case the target is a process the writer had just started: either the next stage or the cmd.exe that deletes the writer's own image. That is consistent with a parent setting up a child it created, not with injection into an unrelated process, so this signature adds little on its own here.

Description | Indicator | Process | Target
PID 1080 wrote to memory of 1908 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe
PID 1080 wrote to memory of 2688 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2568 (4 writes) | N/A | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe
PID 1908 wrote to memory of 2816 (4 writes) | N/A | C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2680 (4 writes) | N/A | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe
PID 2568 wrote to memory of 1212 (4 writes) | N/A | C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2908 (4 writes) | N/A | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe
PID 2680 wrote to memory of 2944 (4 writes) | N/A | C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2380 (4 writes) | N/A | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe
PID 2908 wrote to memory of 2548 (4 writes) | N/A | C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1724 (4 writes) | N/A | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe
PID 2380 wrote to memory of 852 (4 writes) | N/A | C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 756 (4 writes) | N/A | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe
PID 1724 wrote to memory of 1164 (4 writes) | N/A | C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2748 (4 writes) | N/A | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe
PID 756 wrote to memory of 2808 (4 writes) | N/A | C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Image path, then the command line it was started with. The del targets are 8.3 short names of the stage's own image (2024-0~1.EXE is the original sample in %TEMP%, {20404~1.EXE is {204046ED-4538-4740-B41C-0CEF24082813}.exe, and so on): each stage starts the next one and then removes its own file through cmd.exe, which is why the signature reads "Deletes itself". Only the last stage, {446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe, is left on disk at the end of the run.

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"
C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe
    C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe
    C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20404~1.EXE > nul
C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe
    C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33C06~1.EXE > nul
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3C2~1.EXE > nul
C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe
    C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe
C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe
    C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4256B~1.EXE > nul
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC04D~1.EXE > nul
C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe
    C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe
C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe
    C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F66CF~1.EXE > nul
C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe
    C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53CE1~1.EXE > nul
C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe
    C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3952~1.EXE > nul
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60396~1.EXE > nul
C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe
    C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70F64~1.EXE > nul
C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe
    C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe
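Because the report lists registry writes out of order and the del commands use 8.3 short names, tying the stages together by hand is tedious. The following added example (not from the report or from the sample) does it mechanically: it parses registry rows and cmd.exe command lines in the exact shape printed above, orders the stages by following each StubPath from the process that wrote it, and resolves each short name back to the stage it removes. The WriteProcessMemory table shows every cmd.exe is started by the stage whose image it deletes, so the n-th del is expected to match the n-th stage. The short-name helper assumes the numeric tail is always ~1, which holds when no other file in the directory shares the first six characters. The embedded input is a constructed subset: the first four stages of the win7 run.

```python
import re

# Registry 'Set value' rows, in the shape this report prints them.
SET_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node|WOW6432Node)\\'
    r'Microsoft\\Active Setup\\Installed Components\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\\stubpath'
    r' = "(?P<stub>[^"]+)" (?P<proc>\S+) (?P<target>\S+)$'
)
# The self-removal command line each stage runs through cmd.exe.
DEL_RE = re.compile(r'cmd\.exe /c del (?P<path>\S+) > nul$', re.IGNORECASE)

# Constructed sample input: five rows from the win7 registry table (one 'Key created'
# row, which carries no StubPath) and the first four cmd.exe command lines, listed
# out of chain order as the report lists them.
REGISTRY_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{204046ED-4538-4740-B41C-0CEF24082813} C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4256BE8D-89BF-470c-BF07-975D1302F613}\stubpath = "C:\\Windows\\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe" C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{204046ED-4538-4740-B41C-0CEF24082813}\stubpath = "C:\\Windows\\{204046ED-4538-4740-B41C-0CEF24082813}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3C2157-0D30-4fb0-B373-5170F15179BB}\stubpath = "C:\\Windows\\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe" C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33C06764-CF96-4c23-9BED-BA414C102AA9}\stubpath = "C:\\Windows\\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe" C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe N/A
"""
PROCESS_LINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{20404~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{33C06~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3C2~1.EXE > nul
"""


def short_name(long_name: str) -> str:
    """Approximate the 8.3 short name Windows assigns to a long file name.
    Assumption: no collision in the directory, so the numeric tail is always ~1."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = re.sub(r"[ .+,;=\[\]]", "", stem).upper()   # characters an 8.3 name drops
    return f"{stem[:6]}~1" + (f".{ext[:3].upper()}" if ext else "")


def parse_stubpaths(events: str) -> dict:
    """Map each writing process to the StubPath it registered, checking that the
    key GUID and the StubPath file name agree, as they do in every row here."""
    nxt = {}
    for line in events.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        stub = m["stub"].replace("\\\\", "\\")   # the value is printed with doubled backslashes
        if m["guid"].upper() not in stub.upper():
            raise ValueError(f"StubPath does not match its key: {line}")
        nxt[m["proc"]] = stub
    return nxt


def build_chain(nxt: dict) -> list:
    """Order the stages: the root is the one writer that no StubPath names."""
    roots = [p for p in nxt if p not in nxt.values()]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root stage, found {roots}")
    chain = [roots[0]]
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return chain


def resolve_deletions(process_lines: str, chain: list) -> list:
    """Map each 'cmd /c del <8.3 path>' back to the long path of the stage it removes."""
    by_short = {}
    for path in chain:
        folder, _, name = path.rpartition("\\")
        by_short[f"{folder}\\{short_name(name)}".upper()] = path
    deleted = []
    for line in process_lines.splitlines():
        m = DEL_RE.search(line)
        if m:
            deleted.append(by_short.get(m["path"].upper(), m["path"]))
    return deleted


def analyze(events: str, process_lines: str) -> dict:
    chain = build_chain(parse_stubpaths(events))
    deleted = resolve_deletions(process_lines, chain)
    return {
        "chain": chain,
        "deleted": deleted,
        # true when the n-th del removes the n-th stage, i.e. every stage removed its own image
        "each_stage_deletes_itself": deleted == chain[:len(deleted)],
        "survivors": [p for p in chain if p not in deleted],
        # registered StubPaths whose target no longer exists on disk
        "dangling_stubpaths": [p for p in chain[1:] if p in deleted],
    }


if __name__ == "__main__":
    result = analyze(REGISTRY_EVENTS, PROCESS_LINES)
    for i, stage in enumerate(result["chain"]):
        print(f"stage {i}: {stage}")
    print("each stage deletes itself:", result["each_stage_deletes_itself"])
    print("still on disk:", result["survivors"])
```

Feeding it the complete registry table and Processes list from this run instead of the subset yields the whole chain from the original sample to {446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe; `dangling_stubpaths` is then the list of Installed Components keys that survive on a victim only as registry entries, which is what to sweep for on other hosts.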

Network

N/A

Files

C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe

MD5 d1681548f57a7e905544e3afdae41268
SHA1 196e3a097a9b264689a8251d0823b032c4c2cfb6
SHA256 8872317a370fc34ec1fb0f763f182878ce1fe9e7849e1ee381c18887d73ea704
SHA512 28b858da6065a6bc1bbe0007f6f9ab80b0bb6c37a66dbde3ac088c1a09ffb619a492bddaeb98abcf9a2a25c908a2cc8976c31d6e621229f311eb8c914f1cc8a4

C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe

MD5 7447b49fdb68a3dead993273d3ac4d5e
SHA1 03c9cf286a09c7829b42f09cf0a662629b34a504
SHA256 b6330b31457a1fa72bcbe748f53a5d4666eeb61694377b61dd3f507edc939c9c
SHA512 b047b154f0f72153fb45bda49f4f0a7fd5071142e284c6642928160fab4505295a5f704bf74eb8a48890ebab2b19e4a6d0f99ca6fb0e8286a4ff71d60fab6834

C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe

MD5 3c73f7af5954b80e0baf6023885bb4ef
SHA1 49abe7efb3d648e159b8ff83c3f2b19226eeda46
SHA256 8554c68dc2d2be61abd1260bff04aa48c1d9a9f13d8a5fec651caeb258d4f1be
SHA512 ce9b42e9e28e9ca6c734a89c3c50695d96245eb81d201565e692c67de78134adcfcc3d2a8f943d745108d7b3840dfc60b2102167761e6d742c4605ed445abee5

C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe

MD5 e3116d36623e3d88db9a38f11cfefc54
SHA1 335907a1fb60e0b75d8af476c2722673a8816d31
SHA256 996ad2583b2b438bde837543eaf84130c060ea5378fa21f7bee2cbc888546ca7
SHA512 aa1fc7507e677bf6530f3831fc02c80b35ccb51c7812b6f60ed43fdce6f4b5f4ad5f59cd26b846078164e9bb7bd4ae6e252ed7985d1cc9c2ac4581971725fe45

C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe

MD5 6911081714ca4053adc962909842572c
SHA1 daf2aadceace86d72ab4dcbe5908daaa3a907c77
SHA256 53a8a139020a18164d4cac5fbf9f9be70d43e7dce22145c4fc89772f5a28e94a
SHA512 4becf8961324a02aa12d6f4b3ebe43a53bbfd64d8de545560e74efc3db3543370a11919901e25a76af1e0a494089c1068743688744a899604d62501bc854ba6f

C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe

MD5 3da2d172f6b840cbfb992573a1c67fa0
SHA1 4269e1240d93746df18bbbffe2a19aaa596ccdde
SHA256 545370ecafadce51d3c2f99a9d9f8ab16e2a22f92e7b4fd98800644d7a5ad7ab
SHA512 20698fe5cd92f2ce9e71f8d79e0488c892551951d18cb8bb9af210c2ff44b9fe683f59ca52f672abeafac085386c640ddb54f978664e314aff6368f8e468ccca

C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe

MD5 c62d8296eacfdc087e9c00f09ef69169
SHA1 5508ff96abdf56037df49387e0a4ece85da10fd0
SHA256 871885ec5d39fd779809fbe204c8be31d588d694b111c3d261c3ccf7047ffbc1
SHA512 e07ff7eccb0667461a6d8c1eeef5e6c211b575812091bc77fead17ff4cd134492b275c5b49ed23e634703426aff56b1fd2d20bc222d71a3289b9c8a46f2b1570

C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe

MD5 e5c8cf745316728b5ae9cf9a5032ace4
SHA1 38dc4d46acd4e39257063086abf0f4685a078346
SHA256 5e14ea9f3faf41b4876454039cf9d26bc26cd4b2c48a8aa579185bb2290563d5
SHA512 ab38d9876927b84a00a992f704e9d3d43098bcadd72faffeff8899054b58acd77f791ccd788232a282466c5202fccff3899fef6b6c16a6dd48a063d9257f6f23

C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe

MD5 3b18815df039bffde436a31c04991c0f
SHA1 26f4de68e522cea93ad5efae7739e0ede137d979
SHA256 fb3df338585fdd8c1bd559e942bd53b606a5ac96abeda28f620d886ad4820649
SHA512 29b029fe1b13cd518806151a841848044ce6727905738e0a2d606ec39375c0a0740b80fadf0fd159c5d79846610e30efed76a8f83019a7cc56bc035322fb9290

C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe

MD5 2da380725c265b17b0360128fa811e1c
SHA1 c3918750ca56efb7fb1b5201cc9a450dc8affe2c
SHA256 e106325e3cc84662d636d73531eb3fadda65d5683d26a4f3b141076e35d7685d
SHA512 24b7bf8a04a35151239c52cfc594785cc3f96b8a11c689fb3e7fe0df13db81a986d6737fd19f3066c4797aa8e7b7f3e0561c39f49628bb0f83bcd3b78c6f7323

C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe

MD5 c82363d45350ffc565e77e4dde1981d2
SHA1 09225c83b39e742492ba10fdd9cd514e93e0cc32
SHA256 fc65257a93df557dbfa3004031eb702ed9406af5b89250869ac175ece506d508
SHA512 8572f9656f0529ae1bd3c11065ed5d39a0fda939b2a2e770d028020606cdcf5951378f4534a4bc3385e717e43db75d07b16c614f20ab789ffb110d2484a3e07d

C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe

MD5 239d82296c8c6485c0913f12d97a4032
SHA1 d83f67736731947c3025fcd4d7ac8f5bbdac4b05
SHA256 09d744b070bec3d52d3a821096df789de8dab8002b317c5f7c6078dcea135916
SHA512 e2ed9fe45fd236d54a96e56b13ee12a907718a1607235284056753307dd614be68a03165959ca11c157deccd6f1895d886ab091677bd448cb398e8be3c18c87c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:39

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"

Signatures

Kinsing

loader kinsing

This family label comes only from this win10 run; the win7 run (behavioral1) did not match it, and the matching rule reports no indicator. Kinsing is otherwise documented as a Linux-targeting cryptomining loader, so treat the tag as low-confidence and triage on the observed behaviour, the Active Setup StubPath chain of GUID-named executables recorded in both runs, rather than on the family name.

Auto-generated rule

Description | Indicator | Process | Target
12 hits; the rule reports no description, indicator, process or target for any of them.

Modifies Installed Components in the registry

persistence

Indicator paths are relative to \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components.

Description | Indicator | Process | Target
Set value (str) | {8551C881-BBDE-4ced-9E91-39DF7869C7E0}\stubpath = "C:\\Windows\\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe" | C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe | N/A
Key created | {EBCCADB4-7C44-4862-AB2F-34C1966E9F24} | C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe | N/A
Set value (str) | {EBCCADB4-7C44-4862-AB2F-34C1966E9F24}\stubpath = "C:\\Windows\\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe" | C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe | N/A
Key created | {26002FD4-506F-4c36-8D6F-5EAF6055645E} | C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe | N/A
Key created | {72980CFE-CB37-40b6-9963-A224BAC4BB16} | C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe | N/A
Set value (str) | {5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}\stubpath = "C:\\Windows\\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe" | C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe | N/A
Key created | {687CE137-DE99-4efc-BED3-8623A85FCF29} | C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe | N/A
Set value (str) | {26002FD4-506F-4c36-8D6F-5EAF6055645E}\stubpath = "C:\\Windows\\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe" | C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe | N/A
Set value (str) | {31A19E2F-6C67-4d4d-AE58-83CACB738BF3}\stubpath = "C:\\Windows\\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe" | C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe | N/A
Key created | {2F97DB11-74EE-4363-97E6-0374FBC59718} | C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe | N/A
Key created | {8D83283C-F091-4629-82A2-D8E726D4E244} | C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe | N/A
Key created | {31A19E2F-6C67-4d4d-AE58-83CACB738BF3} | C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe | N/A
Set value (str) | {8D83283C-F091-4629-82A2-D8E726D4E244}\stubpath = "C:\\Windows\\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe" | C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe | N/A
Key created | {D0F1EA7A-2F1B-4efa-B788-AC2990267966} | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
Set value (str) | {D0F1EA7A-2F1B-4efa-B788-AC2990267966}\stubpath = "C:\\Windows\\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
Set value (str) | {DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}\stubpath = "C:\\Windows\\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe" | C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe | N/A
Key created | {8551C881-BBDE-4ced-9E91-39DF7869C7E0} | C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe | N/A
Set value (str) | {687CE137-DE99-4efc-BED3-8623A85FCF29}\stubpath = "C:\\Windows\\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe" | C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe | N/A
Set value (str) | {255AEA71-27D5-465e-B041-DAB523135730}\stubpath = "C:\\Windows\\{255AEA71-27D5-465e-B041-DAB523135730}.exe" | C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe | N/A
Key created | {DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D} | C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe | N/A
Key created | {255AEA71-27D5-465e-B041-DAB523135730} | C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe | N/A
Set value (str) | {2F97DB11-74EE-4363-97E6-0374FBC59718}\stubpath = "C:\\Windows\\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe" | C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe | N/A
Set value (str) | {72980CFE-CB37-40b6-9963-A224BAC4BB16}\stubpath = "C:\\Windows\\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe" | C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe | N/A
Key created | {5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5} | C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe | C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe | N/A
File created | C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe | C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe | N/A
File created | C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe | C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe | N/A
File created | C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe | C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe | N/A
File created | C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe | C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe | N/A
File created | C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe | C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe | N/A
File created | C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe | C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe | N/A
File created | C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe | C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe | N/A
File created | C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe | C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe | N/A
File created | C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe | C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe | N/A
File created | C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe | N/A
File created | C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe | C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe
PID 2568 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe
PID 2568 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe
PID 2568 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 3368 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe
PID 3800 wrote to memory of 3368 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe
PID 3800 wrote to memory of 3368 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe
PID 3800 wrote to memory of 3376 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 3376 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 3376 N/A C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 2716 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe
PID 3368 wrote to memory of 2716 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe
PID 3368 wrote to memory of 2716 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe
PID 3368 wrote to memory of 2560 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 2560 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 2560 N/A C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 4104 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe
PID 2716 wrote to memory of 4104 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe
PID 2716 wrote to memory of 4104 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe
PID 2716 wrote to memory of 3700 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3700 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3700 N/A C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 3280 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe
PID 4104 wrote to memory of 3280 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe
PID 4104 wrote to memory of 3280 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe
PID 4104 wrote to memory of 464 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 464 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 464 N/A C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 4412 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe
PID 3280 wrote to memory of 4412 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe
PID 3280 wrote to memory of 4412 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe
PID 3280 wrote to memory of 3660 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3660 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3660 N/A C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 2300 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe
PID 4412 wrote to memory of 2300 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe
PID 4412 wrote to memory of 2300 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe
PID 4412 wrote to memory of 720 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 720 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 720 N/A C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2160 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe
PID 2300 wrote to memory of 2160 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe
PID 2300 wrote to memory of 2160 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe
PID 2300 wrote to memory of 2752 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2752 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2752 N/A C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 220 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe
PID 2160 wrote to memory of 220 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe
PID 2160 wrote to memory of 220 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe
PID 2160 wrote to memory of 864 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 864 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 864 N/A C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 3756 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe
PID 220 wrote to memory of 3756 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe
PID 220 wrote to memory of 3756 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe
PID 220 wrote to memory of 5044 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 5044 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 5044 N/A C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3848 N/A C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe
PID 3756 wrote to memory of 3848 N/A C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe
PID 3756 wrote to memory of 3848 N/A C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe
PID 3756 wrote to memory of 4952 N/A C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"

C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe

C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe

C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F1E~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DAD82~1.EXE > nul

C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe

C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe

C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe

C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8551C~1.EXE > nul

C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe

C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBCCA~1.EXE > nul

C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe

C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{687CE~1.EXE > nul

C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe

C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26002~1.EXE > nul

C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe

C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{255AE~1.EXE > nul

C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe

C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31A19~1.EXE > nul

C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe

C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F97D~1.EXE > nul

C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe

C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D832~1.EXE > nul

C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe

C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72980~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe

MD5 3f2c8847ba1bb9983a21e2a618b340eb
SHA1 c1eaa587ec107df27b11de37b9d20eaddaef5a99
SHA256 f2fdd9b736294e72966c2ab1a8175d82565ec965135e9eac053f67744f843a3b
SHA512 416c231ef17236c2c779df6309a796a4c7098d5ec1911d53f1084aab26a1a05de6f58d8e5289d2105dd91f82bd63778f3cc8dd62c95e6e98dd8f60d9f4504562

C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe

MD5 3ad93555b272340ce1c232a8f6e90636
SHA1 c31bcd7ea04d78e5aa27d44bbeffb2809ee72b03
SHA256 bb169600d6a69eebef5f748d13b3a74de68bd54f732456aaa26096c61402ef9f
SHA512 29f855402656acc2529153c0fc35809ea71e7319682444d16fd16a2acb32ab5a11d55a3c2c9ab885b89f67ae5fb238e23f379eb00ff1377b9e78d1597e4844fa

C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe

MD5 c6d99bca47238adca0caa6f6c8cb5224
SHA1 1efd167492fc97c2ce82b033dbb6e3a72135af20
SHA256 6abd9c9eed6f609b22cb67eb8979bfc515733af26995b309ee63af0022e2a72b
SHA512 eb8ff37dadeab539b323ad421debf7b5cb9c6ea579d36dc836575f84dccb00e441365e64143b451bba94ac5f2afa2242930f2f9adc1d6984d8e70f01a8f66528

C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe

MD5 d78716954c68dbd11f79d23d871628b7
SHA1 9528d6680e522804b965ac27a13122278ce3f27b
SHA256 045a754c7e47a503c1d331d914a4f3eddc4ec627b2d09f87fc7c7a0d6230667c
SHA512 5f95d490edd55176b15c6fd851bd3c90170661e6554a600f484bef0587e66eecebe890ef2bce3dc9c72373c0ea9441e105ad8233e0690dea761ab953293f60dc

C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe

MD5 2f9de40965eaa1f04679fa3b86b41e42
SHA1 74442d5c6a5b5a94f517e70860eb1628d4278202
SHA256 2500fa0707570997c2397d8562b3aca6e9ec573c1ecd052a323221bdbcf494e1
SHA512 e2445bfc1886cc33b09b3a56cf1310abb864d8759d23133f9d85713d6c455d1294e29d8a59724b87f5a17d4ea67f889bc0158d76740ae57161ab0044ccccc779

C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe

MD5 d60d062cc485e375ba2ad9cda175ced9
SHA1 144120e50323979917ddedbd72c49ac11e0802ec
SHA256 f0c25b0909bb1a23513e7e0dac60f9e3fa9278e2f18db111f2326e34046a5fb7
SHA512 71bd8c206d5793c95f2e3ef6501ccf46d1f9fc958d8540bda7b4f67aa4273a9807a8c0328949fe7624d207c4a778e00173be0e59a238a896116d5dabe3d4cf7b

C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe

MD5 d160ea73dc890acf1245521155bf6a48
SHA1 89139413275bbb67d4c4a939d262b5585b03be3b
SHA256 6013169d6982817f32312926f38291ac21a4a7e544f83223a5e311f8bdebf5d1
SHA512 5c2d6ca02a77bc6f319cd72b090ebd9b8bc62cea1d351eb864ca0e1965b37f5366de5738ff9284979f1cd98cc243958db11d04523aef139c1314ba2504de45cd

C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe

MD5 e3547d30411c2e30d3a4174a6195cc3a
SHA1 a7c1a725a99d9ee4148d5daee50a0ee820f0ae80
SHA256 34ef292f1c40b6207386e04f5d82599d62894b688f865e369a5e5e846ed4d4fc
SHA512 9c829c0aa971a35db5ee00adee66f46ca8d2530735b1bc0ca591bf51d3f357793b3d825435f061d113d8dc71a7e7a99e84f49258e44e653c75ef2dc0dd11f98a

C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe

MD5 1c6c74ee0d04faa923a568d63c572f08
SHA1 22dc23ee26b8725c040fef1e32830ccc54d5183e
SHA256 a53fa27a6f9cbd5ad4ad58a1742ed74c3ef7037c5a2b78c60bd2d0c83c22342c
SHA512 80a4aef67625aad40398c89ab987806b305bbf28ad3e29789d246517fbab1aa6aae8fde2e5c7cec6aac58aea0df8de8ff0c78c92ff3484a92f48a1ff935bb93f

C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe

MD5 319047231fc6b8b37797b25610084c5c
SHA1 eacf06566d10b615488506fc6ced14d760d5f97e
SHA256 945c1022d3aa74a9d84a53e025292d20ff7cbbf884ac611a4bd5042ed42bf3ef
SHA512 76bc7c52ae0e8ff3ce96b800e8b49e68ba8817b545a99c1d572ac70149e980b9a8646606e099194aa01202380ca9591980c98791bae8dfbcf1575b57e9a79570

C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe

MD5 3f6ab3fae6a914c5136b267790288391
SHA1 6d1d9535f7ecc53e441aa4801c6d69636b443b89
SHA256 605cfbdf4946f9360fdbc9e5d13cd1a34240ed9990dd65ab286d89a919b50e6e
SHA512 18a36faae95cefcf4e4f380f52edf888f2c44707d58dd59cde4f571772c0531d32cb2edae1913cd4d718dc37fe5a728640b170729ff017b8553d4d9d3f7f8549

C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe

MD5 06afa3ebb3b5a8927b4b33a65407d62a
SHA1 04e33eaaa56b0aa4fa68a2c8ee26fa347ba41396
SHA256 8eaa31fe0505c2933b1c719a18bb8bd2dc8bbcb723dd79377d6b40f4caccad13
SHA512 e74fc7e6a54804c0ca0020f1787a5e4d5537585311ce3db519239276e3dc8975e627ef1b0f4edb1b00172ceb9b29e4b5b10def2ef32ae63dda6f1d8fc4308050