Malware Analysis Report

2024-10-19 08:29

Sample ID 240125-v83dyacgfq
Target 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye
SHA256 c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb
Tags
persistence kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb

Threat Level: Known bad

The file 2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye was found to be: Known bad.

Both detonations (Windows 7 and Windows 10) show the same behaviour. The sample writes a new executable to C:\Windows\{GUID}.exe, creates a matching key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components with StubPath set to that file (MITRE ATT&CK T1547.014, Active Setup; the Wow6432Node path and the SysWOW64 cmd.exe show the sample is a 32-bit binary), launches it, and then removes its own image with cmd.exe /c del <8.3 short name> > nul. Every dropped executable repeats the cycle with a fresh GUID and a different file hash, so the chain reached eleven generations on Windows 7 and twelve on Windows 10 before the runs ended. No network traffic was recorded in the Windows 7 run (the Windows 10 run's network and file sections are not included on this page). The Kinsing family tag rests on a single rule hit in the behavioral2 run; Kinsing is otherwise known as a Linux cryptomining campaign, and nothing observed here (no network activity, no miner, no script drops) corroborates that attribution, so treat the family label as unconfirmed until the rule match is reviewed.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory
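The three behaviours that carry this verdict (the Active Setup StubPath write, the C:\Windows\{GUID}.exe drop and the self-delete through cmd.exe) translate directly into endpoint detection logic. The Python below is an added example, not part of the sandbox report and not any vendor's rule: it runs three per-event rules over Sysmon-style ProcessCreate, FileCreate and RegistryEvent records and then requires all three to fire on the same process before calling it a chain member. The EVENTS list is constructed by hand from this report's behavioral1 rows plus two benign control records; the Sysmon field names are real, the records are not real Sysmon output, and the 8.3 short-name comparison is a heuristic that assumes the short name was derived from the long name without character substitution.

```python
"""Detection logic for the Active Setup persistence chain described in this report.

Added example, not part of the sandbox report and not a vendor rule. EVENTS is
constructed by hand from the report's behavioral1 rows plus two benign control
records, using Sysmon field names (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryEvent value set); it is not real Sysmon output.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
GEN1 = r"C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe"
GEN2 = r"C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe"
ACTIVE_SETUP = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"

GUID = r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"
GUID_EXE = re.compile(r'^"?C:\\Windows\\' + GUID + r'\.exe"?$', re.I)   # drop location used by every generation
STUBPATH = re.compile(r"\\Active Setup\\Installed Components\\" + GUID + r"\\StubPath$", re.I)
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": GEN1},
    {"EventID": 13, "Image": SAMPLE, "Details": GEN1,
     "TargetObject": ACTIVE_SETUP + r"\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}\StubPath"},
    {"EventID": 1, "Image": GEN1, "ParentImage": SAMPLE, "CommandLine": GEN1},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"EventID": 11, "Image": GEN1, "TargetFilename": GEN2},
    {"EventID": 13, "Image": GEN1, "Details": GEN2,
     "TargetObject": ACTIVE_SETUP + r"\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}\StubPath"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": GEN1,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6E860~1.EXE > nul"},
    # Benign controls (constructed): an Active Setup StubPath that is not C:\Windows\{GUID}.exe,
    # and a cmd.exe deleting a temp file rather than its parent's image.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": ACTIVE_SETUP + r"\{11111111-2222-3333-4444-555555555555}\StubPath",
     "Details": r"C:\Program Files\Example\setup.exe /configure"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\scratch.tmp > nul"},
]


def deletes_parent_image(command_line, parent_image):
    """True when a 'cmd /c del X > nul' target is the parent's own image.
    Accepts the 8.3 short name the sample uses ({6E860~1.EXE for {6E860016-...}.exe);
    heuristic: assumes the short name is a prefix of the long name followed by ~N."""
    m = CMD_DEL.search(command_line)
    if not m:
        return False
    target = m.group(1).strip('"')
    if ntpath.dirname(target).lower() != ntpath.dirname(parent_image).lower():
        return False
    tname, pname = ntpath.basename(target).lower(), ntpath.basename(parent_image).lower()
    if "~" in tname:
        return pname.startswith(tname.split("~", 1)[0])
    return tname == pname


def detect(events):
    """Run the three per-event rules; each finding names the process that showed the behaviour."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and STUBPATH.search(ev["TargetObject"]) and GUID_EXE.match(ev["Details"]):
            findings.append({"rule": "active_setup_stub_guid_exe", "image": ev["Image"], "value": ev["Details"]})
        elif eid == 11 and GUID_EXE.match(ev["TargetFilename"]):
            findings.append({"rule": "guid_exe_written_to_windows", "image": ev["Image"], "value": ev["TargetFilename"]})
        elif (eid == 1 and ev["Image"].lower().endswith("\\cmd.exe")
              and deletes_parent_image(ev["CommandLine"], ev["ParentImage"])):
            findings.append({"rule": "self_delete_via_cmd", "image": ev["ParentImage"], "value": ev["CommandLine"]})
    return findings


def chain_candidates(findings):
    """Processes on which all three rules fired: dropped a {GUID}.exe, registered it, deleted themselves."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["rule"])
    required = {"active_setup_stub_guid_exe", "guid_exe_written_to_windows", "self_delete_via_cmd"}
    return [img for img, rules in by_image.items() if required <= rules]


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f'{h["rule"]:30} {h["image"]}')
    print("chain members:", chain_candidates(hits))
```

On real telemetry, feed detect() with Sysmon events 1, 11 and 13 parsed into the same field names. The composite check in chain_candidates() is what keeps a single legitimate Active Setup registration (the msiexec control above) from firing on its own; the two benign records produce no findings at all.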

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:40

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:40

Reported

2024-01-25 17:43

Platform

win7-20231215-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
(11 hits; no description, indicator, process or target was recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}\stubpath = "C:\\Windows\\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe" C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}\stubpath = "C:\\Windows\\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe" C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE465E0C-A716-40da-A7C2-FF81D046B430}\stubpath = "C:\\Windows\\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe" C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD045A06-0F31-4f80-846C-846174FAF3EA}\stubpath = "C:\\Windows\\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe" C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588} C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}\stubpath = "C:\\Windows\\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe" C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D726E3DB-1DFC-404f-BF80-78C2F3232C47} C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE8157B-DC36-4640-AA7F-10138D83644D} C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}\stubpath = "C:\\Windows\\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe" C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE465E0C-A716-40da-A7C2-FF81D046B430} C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{679C5439-0BBE-470e-98FA-C2E90739110C}\stubpath = "C:\\Windows\\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe" C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B} C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6} C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}\stubpath = "C:\\Windows\\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe" C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE8157B-DC36-4640-AA7F-10138D83644D}\stubpath = "C:\\Windows\\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe" C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0} C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}\stubpath = "C:\\Windows\\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0} C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}\stubpath = "C:\\Windows\\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe" C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A} C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{679C5439-0BBE-470e-98FA-C2E90739110C} C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD045A06-0F31-4f80-846C-846174FAF3EA} C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The deletion is performed by a cmd.exe child of each generation (command lines under Processes below). The del argument is the 8.3 short name of the parent's image (2024-0~1.EXE for the sample, {6E860~1.EXE for {6E860016-...}.exe, and so on), so command-line indicators must match the short form rather than the full GUID name. The process is reported as C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: the 32-bit sample's request for system32 is redirected to the WOW64 copy.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe N/A
File created C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe N/A
File created C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe N/A
File created C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe N/A
File created C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe N/A
File created C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe N/A
File created C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe N/A
File created C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe N/A
File created C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
File created C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe N/A
File created C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 1608 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
PID 1568 wrote to memory of 2972 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2796 (4 writes) N/A C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
PID 1608 wrote to memory of 2652 (4 writes) N/A C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2984 (4 writes) N/A C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
PID 2796 wrote to memory of 2584 (4 writes) N/A C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2808 (4 writes) N/A C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
PID 2984 wrote to memory of 2284 (4 writes) N/A C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2960 (4 writes) N/A C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
PID 2808 wrote to memory of 2092 (4 writes) N/A C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2864 (4 writes) N/A C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
PID 2960 wrote to memory of 1544 (4 writes) N/A C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1772 (4 writes) N/A C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
PID 2864 wrote to memory of 1784 (4 writes) N/A C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2880 (4 writes) N/A C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
PID 1772 wrote to memory of 2204 (4 writes) N/A C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe C:\Windows\SysWOW64\cmd.exe

Every write target is a process the writer itself launched (one {GUID}.exe child and one cmd.exe child per generation; compare Processes below), so these rows reflect process creation rather than injection into a foreign process. The table ends at PID 1772, so the last generations ({6DD336B9-...}, {4EDEAD96-...} and {DE465E0C-...}, which launched {679C5439-...}) are not listed in it.

Processes

Launch order as recorded. Each image path is followed by its command line; PIDs are taken from the WriteProcessMemory table, which does not cover the last generations. Each C:\Windows\{GUID}.exe is launched by the {GUID}.exe (or the sample) listed before it, and each cmd.exe is launched by the generation whose image it deletes, using that image's 8.3 short name.

C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe (PID 1568)
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"

C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe (PID 1608, parent 1568)
    C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2972, parent 1568)
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe (PID 2796, parent 1608)
    C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2652, parent 1608)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E860~1.EXE > nul

C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe (PID 2984, parent 2796)
    C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2584, parent 2796)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4E2~1.EXE > nul

C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe (PID 2808, parent 2984)
    C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2284, parent 2984)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E427~1.EXE > nul

C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe (PID 2960, parent 2808)
    C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2092, parent 2808)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD045~1.EXE > nul

C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe (PID 2864, parent 2960)
    C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe

C:\Windows\SysWOW64\cmd.exe (PID 1544, parent 2960)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D726E~1.EXE > nul

C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe (PID 1772, parent 2864)
    C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe

C:\Windows\SysWOW64\cmd.exe (PID 1784, parent 2864)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EFAC1~1.EXE > nul

C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe (PID 2880, parent 1772)
    C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2204, parent 1772)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE81~1.EXE > nul

C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe (PID not listed)
    C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe

C:\Windows\SysWOW64\cmd.exe (PID not listed)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6DD33~1.EXE > nul

C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe (PID not listed)
    C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe

C:\Windows\SysWOW64\cmd.exe (PID not listed)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EDEA~1.EXE > nul

C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe (PID not listed)
    C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe

C:\Windows\SysWOW64\cmd.exe (PID not listed)
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE465~1.EXE > nul

Network

N/A (no network connections were recorded during the 118 s network capture window)

Files

All eleven executables dropped in this run are listed below, one per generation. Every one has a different hash, so these values identify only this detonation; the stable indicators are the C:\Windows\{GUID}.exe naming and the Active Setup StubPath entries (the behavioral2 run produced a completely different set of GUIDs).

C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe

MD5 b51aea40f7d4f7cfd9fb4a96e5f4a69f
SHA1 4c3711895d97638683dbdc244aa31b87543281a4
SHA256 2227ae2c69177d2d5a912e15ca1716be1f3a0bedb46f82b3c488a9d306c014c1
SHA512 8015105cb322c78d16d931077f1c34d7b145b97156dc67d33128cc19d93ecaff87b7b6f655221ab8683fdef65513c3fc83c53605e78cf9c21635d2db6def4478

C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe

MD5 907cbd884bc873547063f340cbf7085b
SHA1 5681e6add60981ce458d7a0c53963e99871cde23
SHA256 5f3a871e94ffdf58f4bb26b8ada1c05ab1418fa3772ef879fd8c31d3bd820d20
SHA512 90ca3b205ec1bc6f4c9ac88c767f925ec2b37eaa1883038e96fcd7b3f52359a5e277232e417ee927dd177e4963637eb8b3ffbc12ee64f109bb89c85472720c1f

C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe

MD5 895c9c4752089e4e752062c5b2a85306
SHA1 e018149c1e0bdaa676663c7d90a68d0f20be1ded
SHA256 505c2cd6059b38662ecac735ae80121c2deafd628719c1e8031bfd069b6c7d45
SHA512 521b0d2d9555bf45fda19e45153088bcdc388b851f0ce8fc17c33194a34fcb2004763833539b65e1ca712287f228cb38647ba441d0c764f5eb681d618e5dd893

C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe

MD5 066ae44410e5c09af80d9a848a988bdc
SHA1 b6beac6885ebb1dbdccf641db30078621668f20d
SHA256 5dc772493c7d6a208c4e05b4cc2d5a793f3ad8a97f5123562d50ebd68e7aa8d4
SHA512 92a361cb240b6adf94eae3d70ebb5b9f29aba87fdfca5b7a73075b89b67a3d3538735c2675e6dd708d82f02484d2607eb44024565b077cd769d0688ed68e8960

C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe

MD5 02f97f4aaaa777cd7477af57a3c034fd
SHA1 e5f49efebc0e3442c8a60dcd529baae22fc33a24
SHA256 309a3347a88cfedf87e3f393803d0c631edc82d962f29e6f7c398ed8d3741f8e
SHA512 5cada2e938cbad3e224aab08c8f44ae6a1788459e1bf60b42e2474fb2bb1049dd7ee3d184ccf154dfea5cfa4fcf53404755fbac57244e7f2928bb16aa106ee15

C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe

MD5 fd7a602c9b2ea63448c3da3802bd0300
SHA1 307d9667fa231077a5f15557007633e2fa08d7c6
SHA256 02fd3eb4f49d42c6da7e632233349970e72e2c744c64bee0f2411a5d12b4d98d
SHA512 610521f6e39170849b8d80ce8b3e2f5d071409f7786ea22b9eea013a11a8839dbec07910faffc8222dde195efd2e5a1c0b9f72d09514ede066de44811da121a8

C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe

MD5 b9738adc5d6ba50b1fd490a96c97dbce
SHA1 076578dc792b7aa995dff9ec0e181cfbdc095a2e
SHA256 12a44f9c0a4a8c80ab9c02c5ebbfe68f4d3d8499600ac50684931998f80da0ed
SHA512 172008ed79709f97669e5bd09a28e8b316d8bf008f3741a76c36020bea45883236969e293ac7d3bc7700e5d591226ef75cd4d7561338755ade1ee1d56e079bd9

C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe

MD5 466bd219fbf8077940dd6074fc49c7be
SHA1 83224ff0d483d1da73b306cbe2d843abbd7b3f06
SHA256 cab15fa1349fc97187b8c0ea6da18bd8b05867bf955eeaed079510cc69e4c011
SHA512 76594f3d59999ed6abf9172dfc561bc0cea39764c9ebb1abb2726c266aa7a9923b2964493fa12cfa7f5e0a5cc3051cbba273f326477e9164b3ccb0f21f436962

C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe

MD5 5e6180a158e5f5c4151abfc05d58fdca
SHA1 5a9be92a2116bf99e3f4ad5279bcc7e33a401d3c
SHA256 6c73d50b6556fb111be7e43d605461c817d9f017d81919f4fbbef4bd22856075
SHA512 e0947cb7c153fc041b768ab8f27c53991223334862e275d4d6ce22aa791e60323feee9c497e98b85c6a371ffc88b244a60dcd6d5c9d6dd5092bbeeae1ddce432

C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe

MD5 efa1329c5eba06b2c094aa76c7bd84f9
SHA1 32a88fddc69939f42b39aeaaec86644bba8a7331
SHA256 21e29fa2596cfd4ae9d5d613d063d13c32e2b255964f63d50cfc81f82dce95ca
SHA512 121c0b9169f5d9800da7e21592412db08661005e67b50724b250a2a7b3d9275319823624dcb53bc94846794bf4daa14f351d74280fb5835b2f69ec44658b6027

C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe

MD5 b14cbcdfe47025f626967e9509f194c6
SHA1 dd25222056ee90edb108cae942c7860f9e7aaa2c
SHA256 b58bdf24c5c0b74e39c60ef7d658da3c6f94510357ec31eb80736ce7214b83f6
SHA512 d1ddb4875678254370b02d333b0c46f08e1107c87594f3302bdcaabf135634538cc95f2f78b5ac5ae4f45cdacc82536503708d2e6af0ad6c2589b4ebef4ce1ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:40

Reported

2024-01-25 17:43

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
(12 hits; no description, indicator, process or target was recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}\stubpath = "C:\\Windows\\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe" C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A} C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E} C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}\stubpath = "C:\\Windows\\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB} C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845210B9-9A38-4f4f-B9A4-5027D11BD20C} C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1} C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C06FFD2-A139-4540-A1D0-2D97DF06C012} C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D99E92-FED3-43b6-8616-677561A561B2}\stubpath = "C:\\Windows\\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe" C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5E049A-A142-43d5-80BB-67C5706BBB63}\stubpath = "C:\\Windows\\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe" C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7006D6-8C57-4004-A8E4-815C877D61D9} C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7006D6-8C57-4004-A8E4-815C877D61D9}\stubpath = "C:\\Windows\\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe" C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}\stubpath = "C:\\Windows\\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe" C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03BBB33-E183-4926-A8DA-6484885E98AE}\stubpath = "C:\\Windows\\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe" C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D99E92-FED3-43b6-8616-677561A561B2} C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}\stubpath = "C:\\Windows\\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe" C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC2C4B19-502B-4995-82D3-F9FC0983D38C} C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03BBB33-E183-4926-A8DA-6484885E98AE} C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5E049A-A142-43d5-80BB-67C5706BBB63} C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}\stubpath = "C:\\Windows\\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe" C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}\stubpath = "C:\\Windows\\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe" C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}\stubpath = "C:\\Windows\\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe" C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619F19CC-DE83-47b7-8E85-0AF074336A87} C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619F19CC-DE83-47b7-8E85-0AF074336A87}\stubpath = "C:\\Windows\\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe" C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
File created C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe N/A
File created C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe N/A
File created C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe N/A
File created C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe N/A
File created C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe N/A
File created C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe N/A
File created C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe N/A
File created C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe N/A
File created C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe N/A
File created C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe N/A
File created C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe N/A

Suspicious use of WriteProcessMemory

Each parent/child pair except the last appears as three identical rows in the raw report; they are collapsed to one row per pair here. The source stops at PID 1520 -> 1608, so the creation of C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe and of the final cmd.exe (both visible under Processes) has no rows.

Description Indicator Process Target
PID 2092 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
PID 2092 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3064 N/A C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
PID 4944 wrote to memory of 4492 N/A C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 1152 N/A C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
PID 3064 wrote to memory of 1944 N/A C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3968 N/A C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
PID 1152 wrote to memory of 1512 N/A C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 2680 N/A C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
PID 3968 wrote to memory of 980 N/A C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 4100 N/A C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
PID 2680 wrote to memory of 2800 N/A C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3408 N/A C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
PID 4100 wrote to memory of 3636 N/A C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4052 N/A C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
PID 3408 wrote to memory of 1096 N/A C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 4500 N/A C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
PID 4052 wrote to memory of 640 N/A C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1520 N/A C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
PID 4500 wrote to memory of 2328 N/A C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 4648 N/A C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
PID 1520 wrote to memory of 1608 N/A C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Parent/child links and PIDs come from the WriteProcessMemory table above (the report's own process list carries none). Each stage starts the next GUID-named dropper and one cmd.exe; each cmd.exe below is listed as the child of the stage whose image it deletes. The 8.3 short names in the del commands stand for the long names ({7CD79~1.EXE is {7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe, 2024-0~1.EXE is the submitted sample). The image column reads C:\Windows\SysWOW64\cmd.exe while the command line says C:\Windows\system32\cmd.exe because the 32-bit parent's system32 path is redirected by WoW64. Where no command line is shown it is identical to the image path.

PID 2092  C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
PID 1940  C:\Windows\SysWOW64\cmd.exe (child of 2092)
          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
PID 4944  C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe (child of 2092)
PID 4492  C:\Windows\SysWOW64\cmd.exe (child of 4944)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD79~1.EXE > nul
PID 3064  C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe (child of 4944)
PID 1944  C:\Windows\SysWOW64\cmd.exe (child of 3064)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5E0~1.EXE > nul
PID 1152  C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe (child of 3064)
PID 1512  C:\Windows\SysWOW64\cmd.exe (child of 1152)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB700~1.EXE > nul
PID 3968  C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe (child of 1152)
PID 980   C:\Windows\SysWOW64\cmd.exe (child of 3968)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD51~1.EXE > nul
PID 2680  C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe (child of 3968)
PID 2800  C:\Windows\SysWOW64\cmd.exe (child of 2680)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{84521~1.EXE > nul
PID 4100  C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe (child of 2680)
PID 3636  C:\Windows\SysWOW64\cmd.exe (child of 4100)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D36D6~1.EXE > nul
PID 3408  C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe (child of 4100)
PID 1096  C:\Windows\SysWOW64\cmd.exe (child of 3408)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7C06F~1.EXE > nul
PID 4052  C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe (child of 3408)
PID 640   C:\Windows\SysWOW64\cmd.exe (child of 4052)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{728F5~1.EXE > nul
PID 4500  C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe (child of 4052)
PID 2328  C:\Windows\SysWOW64\cmd.exe (child of 4500)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BC2C4~1.EXE > nul
PID 1520  C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe (child of 4500)
PID 1608  C:\Windows\SysWOW64\cmd.exe (child of 1520)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C03BB~1.EXE > nul
PID 4648  C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe (child of 1520)
PID n/a   C:\Windows\SysWOW64\cmd.exe (child of 4648 by the same pattern; the WriteProcessMemory table ends before this creation)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{619F1~1.EXE > nul
PID n/a   C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe (dropped by {619F19CC-DE83-47b7-8E85-0AF074336A87}.exe per the file table; no WriteProcessMemory row)
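
Read together, the "Drops file in Windows directory", WriteProcessMemory and process tables describe one linear chain: each stage writes the next {GUID}.exe into C:\Windows, starts it, and starts a cmd.exe that deletes the stage's own image by its 8.3 short name, which is why the "Deletes itself" signature fires and why only the last stage is left on disk. The Python below is an added example (not from the report or the sandbox): it parses those three row types as they are printed above, collapses the repeated WriteProcessMemory rows, resolves the short names back to long names, and returns the chain with each stage's PID, dropper, parent and whether its file was deleted. The input is a constructed subset covering the first five processes of this run; the short-name resolver is a prefix heuristic and the NTFS short name on the victim disk remains authoritative.

```python
"""Drop-and-run chain reconstruction (added example, not report code).

Parses the report's File created, WriteProcessMemory and cmd.exe /c del rows, collapses the
repeated WriteProcessMemory rows, resolves 8.3 short names, and returns the ordered chain.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

FILE_CREATED = re.compile(r'^File created (\S+) (\S+) N/A$')
WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
DEL_CMD = re.compile(r'cmd\.exe /c del (\S+) > nul', re.IGNORECASE)

@dataclass
class Stage:
    image: str
    pid: int | None = None           # from the WriteProcessMemory rows
    dropped_by: str | None = None    # image of the process that wrote the file
    started_by: int | None = None    # PID of the process that created it
    spawned_cmd: bool = False        # it started a cmd.exe child
    image_deleted: bool = False      # a cmd.exe /c del named its file

def resolve_short_name(short: str, known: set[str]) -> str | None:
    r"""Map C:\Windows\{7CD79~1.EXE back to its long name by prefix (same directory, same
    extension, long name starts with the text before '~'). Heuristic: only an unambiguous
    match is returned; the NTFS short name on the victim disk is authoritative."""
    d, _, base = short.rpartition("\\")
    m = re.match(r'^(.+?)~\d+(\.[^.]+)?$', base)
    if not m:
        return short if short in known else None
    prefix, ext = m.group(1).upper(), (m.group(2) or "").upper()
    hits = [p for p in known if p.rpartition("\\")[0].upper() == d.upper()
            and p.rpartition("\\")[2].upper().startswith(prefix) and p.upper().endswith(ext)]
    return hits[0] if len(hits) == 1 else None

def reconstruct(rows: str) -> list[Stage]:
    created: dict[str, str] = {}                          # dropped file -> writer image
    spawns: dict[tuple[int, int], tuple[str, str]] = {}   # (ppid, cpid) -> images; dedups rows
    dels: list[str] = []
    for line in rows.splitlines():
        line = line.strip()
        if m := FILE_CREATED.match(line):
            created[m.group(1)] = m.group(2)
        elif m := WPM.match(line):
            spawns[(int(m.group(1)), int(m.group(2)))] = (m.group(3), m.group(4))
        elif m := DEL_CMD.search(line):
            dels.append(m.group(1))
    pid_of, parent_pid, cmd_parents = {}, {}, set()
    for (ppid, cpid), (pimg, cimg) in spawns.items():
        pid_of.setdefault(pimg, ppid)
        pid_of.setdefault(cimg, cpid)
        parent_pid[cimg] = ppid
        if cimg.lower().endswith("\\cmd.exe"):
            cmd_parents.add(pimg)
    roots = {w for w in created.values() if w not in created}   # a writer never dropped = root
    if len(roots) != 1:
        raise ValueError(f"expected one root dropper, found {sorted(roots)}")
    root = roots.pop()
    deleted = {resolve_short_name(s, set(created) | {root}) for s in dels}
    chain, image = [], root
    while image is not None and len(chain) <= len(created):    # bound guards against cycles
        chain.append(Stage(image, pid_of.get(image), created.get(image), parent_pid.get(image),
                           image in cmd_parents, image in deleted))
        nxt = [f for f, w in created.items() if w == image]
        image = nxt[0] if nxt else None
    return chain

# Constructed input: the first four drops of this run, copied from the tables above.
# The first parent/child pair keeps its three identical rows to exercise the dedup.
ROWS = r"""
File created C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe N/A
File created C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe N/A
File created C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe N/A
File created C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe N/A
PID 2092 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
PID 2092 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
PID 2092 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
PID 2092 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3064 N/A C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
PID 4944 wrote to memory of 4492 N/A C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 1152 N/A C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
PID 3064 wrote to memory of 1944 N/A C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3968 N/A C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
PID 1152 wrote to memory of 1512 N/A C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD79~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5E0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB700~1.EXE > nul
"""

if __name__ == "__main__":
    for s in reconstruct(ROWS):
        print(s.pid, s.image, "started by", s.started_by, "deleted" if s.image_deleted else "still on disk")
```

The last stage in the subset comes out with spawned_cmd and image_deleted both False because the rows stop there, which is the same effect the truncated WriteProcessMemory table has on the final two processes of the real run; on a live host the surviving {GUID}.exe in C:\Windows plus its Active Setup stubpath is what a responder should expect to find.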

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 114.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

All nine entries are reverse (PTR) lookups sent to 8.8.8.8 over UDP/53. The report attributes none of them to a process and records no other traffic for this run, so it contains no evidence of command-and-control or payload download by the sample.

Files

C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe

MD5 1f166d88e5592cb46191c816e0f6f827
SHA1 c664f0f56914c73b5da806b928d6db87b33e146d
SHA256 bb1f5d6fea4a67135fe3b0be175adc383ace03519f4f8da8037c06ba5f5212c2
SHA512 eb79bc3945cda700b2faf2fc59f5ecc1727bcfccdca94b1ffbbeef97bcb36daa97160912a30b1917436daa233b08de8db86003bad89aa147f4abeda672ad501c

C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe

MD5 d66120a96c303c6ba40873016d900fdd
SHA1 833776a5c8ac74178e70a79b0512dbf07d5fb2c2
SHA256 f928d791f24a40b88dae28c667748804eeee6451fe4607dfe9af6d5ae1a24338
SHA512 f6ea52e6b9ab8fbbc5834ab57516a41d025a4e17b53270684b135a6689b02af70a48e1bee27570f7462dc3f91b33cafeca2fe3d6484aa731226b886c043447ec

C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe

MD5 f49f736b4876a1a48938a68096e259c7
SHA1 144fa21d28e5afd2eeb14ec372c3f08f4f9a4751
SHA256 695c7a790230b3925dab56e2589f42f0e0ae574eafa541321449aed7dedca8d2
SHA512 edebdaf91d925190fc9d51e6e0d57548c8a174e156f96d7cbf091f074b8a757be7317bb162494a28d98df94f77039b3900eeee32723a11d36a326c657e9c734b

C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe

MD5 c2ab2233c82c53e02619d31f23abc401
SHA1 d69cffc5f18efd3f3ed15c237f608717234ddf90
SHA256 6f57e9ebd49558844061280b21f1d5289a5b1b5329cc3cead82ba93337d0c25f
SHA512 1d7c5804ea3199b08d2e3c034774ea0a6c42765d3d56983ce4883436a327a3a1223bbfa90cdb77e9d28006e8034c0f18a8cfa552b7f10fa820bb320031c82d79

C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe

MD5 3543c85483a79c53f8916cdeffcd1db2
SHA1 f272a7d28099a9fa38d0f9d70ad6342d0017b7d0
SHA256 889a62e951cb3912ca8bc89e43ee867e494acd4e6f967d55a48ce801ebefa55c
SHA512 91c7be2518c7d4b78eeeb1bcf0bf28f2dddeedd5930bc69ad6fbf164277f81e412060fbc34e0d23713940bcb10417a4ffc7ff734ff3bc1c3c7063facdc9ddf4c

C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe

MD5 1a6f7f46287918d373d2601912665650
SHA1 5a70744ea4c1137b12df1f21b7111dbdc52e03d0
SHA256 5ef0b9f9d6b5522171b2a1de17e83607c8e37703443b8d81e4bb0dd26e66ea3e
SHA512 0e89816b5d6b8297b08d39564376bd46c14c2a0943abf0ceee226c17c9434293c7c118b20f86c4d89f06f9ae2ed072f42dca10ae22d54debd5318d87fb98b50d

C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe

MD5 2b5fd954b0ab2a3f5576b5889105a902
SHA1 0cdd47854cb8c809ee0f76c35d84771ceb3752b7
SHA256 0aba647d6943c8832491a816d6baf5eed5edbc4fa15023d8c4762a9a5a9c6fe4
SHA512 69ecc50dfae6223d39a6aae3fda30d25c87d5a565e38b12b94019cd1070b4e1d0906900a8b9efb33448db0e84a49851c3ea2ace758fbbc6724412088ad99add7

C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe

MD5 f880468121c3099e1e5f28241aa13cb8
SHA1 f13cef84c29f10c296fe0e4e5330c8e1e253b279
SHA256 2f8d54d2e5dd9c0d99c94105e14ee45f65dab068b253af6b76f0e98f02178c14
SHA512 9cc382f6abc84166c24c58f65ee837fa1d927801c6ecdb296c9a1cf56942d5ff0f291335d8d6e523d43feb58033cb41b7fecc6f7c878a35dade7c648c33e4a34

C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe

MD5 482b736909ae7a1a558193d6ad59a1b5
SHA1 9286988db104ec8c985fcd02714b16c47bd9a39b
SHA256 7eb49b1458e0bb865d68b908aebcf1f41d91ca05dea84d3a40af66c8e80cc2a8
SHA512 dffa2998f4d8f148c71c25e956651460a0d33cff14f69d1b7a4391409d9c88bc3e6f2dda05ce0f5e17d66c561ca6d292adf1943a292a3c4b851858b3b3ddc33f

C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe

MD5 f16a1ffc1886363af0b777ce7c430149
SHA1 f34ed8e40e1825a1aea4bac5270dcca29fcaaf42
SHA256 04fcd30ae40503e35d8bd2d2fc6a63418e17cbcddf92e1a0ba8309eacb336f73
SHA512 55b0370b411508a266628f42015a4bb00d94dde0afb43e748ed40f1f001c1e1bb56f42920afb2ac5341faf75454d4d953ce76050f3809be23d5f278b37bf56e1

C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe

MD5 928eac2efb0d97a65ffd1efa5cee8904
SHA1 16a781ced4cc48034e6d778c89c7f84d9ef25dd8
SHA256 9b387826aa866180f79db6bf22cb7a1139b6dd84af1a54688fed80a6924f23dd
SHA512 90a9e3e4f16d62e8654331a2ca90251ad1edfadbab95db21c29e3bc47618616eae98a5dc5a7e2b2ee738872d70cb8ba929a31fef291413138b76ee7f01cf4fd9

C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe

MD5 75500983d267881e6840cb83dfacd93b
SHA1 a8deb2f1780d3eca7561f83ffe1ab9b3aa78a83d
SHA256 14714cc2ba02513ff5d7745b11ebd09e8fbaa6a9e164cbaeff401dbf293fe63b
SHA512 c8e3e2fc4978d7aed1423fa6d8ca673dc2f534a9314c995c733ff5807468f0db89ac8285ac0b5b3cc7846b64cad4b83aa33b13e80018476dd01caf1dfee0b62b