Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v9yr5sbhf2
Target 2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye
SHA256 973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb
Tags persistence kinsing loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb

Threat Level: Known bad

The file 2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-25 17:41

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-25 17:41
Reported 2024-01-25 17:44
Platform win7-20231129-en
Max time kernel 144s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}\stubpath = "C:\\Windows\\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BA1464-C80B-4041-B7B4-F454C420BF68}\stubpath = "C:\\Windows\\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe" C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C} C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{178BA2A0-7CEA-4450-BB83-0F8955817CE8} C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F35A1F1-7B34-4396-BBBE-314BD6644C91} C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}\stubpath = "C:\\Windows\\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe" C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}\stubpath = "C:\\Windows\\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe" C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC39135E-07C4-40bf-A28A-B24589363BB3} C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC39135E-07C4-40bf-A28A-B24589363BB3}\stubpath = "C:\\Windows\\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe" C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD9E00D-4487-4efa-B548-545B76B9C9E4} C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}\stubpath = "C:\\Windows\\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe" C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA} C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BA1464-C80B-4041-B7B4-F454C420BF68} C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787BF33-4841-4f5e-933A-41878E71260F} C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2315B05-732C-4bd4-9424-04DE0ACD2CED} C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}\stubpath = "C:\\Windows\\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe" C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}\stubpath = "C:\\Windows\\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe" C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220} C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}\stubpath = "C:\\Windows\\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe" C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D712A55-C5B8-48d2-B191-7D79D3E5936A} C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}\stubpath = "C:\\Windows\\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe" C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A787BF33-4841-4f5e-933A-41878E71260F}\stubpath = "C:\\Windows\\{A787BF33-4841-4f5e-933A-41878E71260F}.exe" C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe N/A
File created C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe N/A
File created C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe N/A
File created C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe N/A
File created C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe N/A
File created C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe N/A
File created C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe N/A
File created C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
File created C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe N/A
File created C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe N/A
File created C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe
PID 2412 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe
PID 2916 wrote to memory of 2656 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2656 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2656 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2656 N/A C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2708 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2708 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe
PID 2552 wrote to memory of 2848 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2848 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2848 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2848 N/A C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2684 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2684 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe
PID 2708 wrote to memory of 2692 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2692 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2692 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2692 N/A C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1980 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 1980 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe
PID 2684 wrote to memory of 2488 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2488 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2488 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2488 N/A C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1936 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1936 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe
PID 1980 wrote to memory of 1328 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1328 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1328 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1328 N/A C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2548 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2548 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe
PID 1936 wrote to memory of 2000 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2000 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2000 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2000 N/A C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1656 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1656 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe
PID 2548 wrote to memory of 1892 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1892 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1892 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1892 N/A C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"

C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe

C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe

C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{178BA~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A787B~1.EXE > nul

C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe

C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe

C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe

C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC391~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD9E~1.EXE > nul

C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe

C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4419D~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2315~1.EXE > nul

C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe

C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe

C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe

C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F35A~1.EXE > nul

C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe

C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1E22C~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87BA1~1.EXE > nul

C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D76C3~1.EXE > nul

C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

Network

N/A

Files

C:\Windows\{178BA2A0-7CEA-4450-BB83-0F8955817CE8}.exe

MD5 b581318ff2a2b609cafbc70e3ab0fec9
SHA1 55c48b197bd34eca3d7a7a639cfd60372de536d3
SHA256 2e643b8a1f24b541f99b61d78b406d7d25a1e099ea2fdb75081191e900bd6d63
SHA512 e10ad317d7235f87063567f2c74c34a907f4f69f3d4fa1ea6ec366eb4a5f74907bfa1713d117e7e62016c6770aecda0c957478eccf7fb15431ad32c05cf9c4b4

C:\Windows\{A787BF33-4841-4f5e-933A-41878E71260F}.exe

MD5 658e73818fa257085447efb6be8bbe8c
SHA1 ff6ffc9ad4288dbf1ffaabf57d20edaa946d5469
SHA256 fe66356e51e23308e1a185785b3a69b1ab421734a376ad25a94f7c1c19bd2d83
SHA512 0cd72016451a3e04fc0afa905dda1a21d8e3a04a9dd477643e43f59647e617ff10db5fcfa685db29ded0849df68575a7d019c7881630a4ccd9bed55f8bc7f02f

C:\Windows\{EC39135E-07C4-40bf-A28A-B24589363BB3}.exe

MD5 d272bd0a63cadad99b3fc437618a3b72
SHA1 b0fbdbc820c3857f1488c90bd238c985cf355b0c
SHA256 fd105441604d8f1b0830eb72ae0673f7d80281e914df56ae9989afdf435e93ce
SHA512 caf03b484b0870600cf0f2dfd24582a98e98046d152ce76e1ed2d25d18c7711e380ff068d4729c34273a5b78b9aabeb4248c75889bebed95e26402f9fb852f10

C:\Windows\{3CD9E00D-4487-4efa-B548-545B76B9C9E4}.exe

MD5 d85d8279b5cfdfeda54eb5e71dfe1f6d
SHA1 758f64f777dd813626a06eba714473dba277a0ef
SHA256 5e5db6983e8967f333daa8d7ecee81a37c9b837afe47b97a52bcd84928bcc7cb
SHA512 712b98c6f84d27a2f141cd7178a68b7643591944444e5a8b6e076b5ed1494f6762333dfa55aeaca1b0730cf5e3dde99a1893f26c42ee0a9b5d3364668580c292

C:\Windows\{4419D595-D895-4bdd-8EE0-57D3FDC7A4CA}.exe

MD5 43e430f247121a13078d0c65c5d3ba60
SHA1 90b2c2c9a04f181e5ec241ecf1446810b8661d34
SHA256 2a1f852b0fa81fa29451c6641035e77893d67a1e275d2f2a844e28dfcb4c66f5
SHA512 a522e66454d206a65a2abe29df5780c8782b734bdf039376aff51187a7066d9b5646a43ce0e05416a97ccb843409fc8df98efd2854e15cfe7dffcd2a5d804383

C:\Windows\{F2315B05-732C-4bd4-9424-04DE0ACD2CED}.exe

MD5 d28959937b3d7d986eab52b4b011a016
SHA1 323180fec625fc3cf153f02876cc1fc1612362de
SHA256 3327d42681cc5c25a5d7369816acaee6e26011612d4b828512c8aeab407617d3
SHA512 d0af11cab8aeb87e2c4125c0bac370869032a2c54c8aa680e990e28a3d08847da9bc338f33b3e2be704c927f42a9393bde35f44b6eaaa8c4deebdc432f6c2211

C:\Windows\{5F35A1F1-7B34-4396-BBBE-314BD6644C91}.exe

MD5 0da250d6cfb44b0da4c5a71b82d9770b
SHA1 e46f29a8a3151b15cb3f09359487c4ac00e3662c
SHA256 d8167402f13a1840cd630a66e9753a3c7821c58e96fd14941e45350f006bac5d
SHA512 6725f719ba6872230c18dd88cb2726d29b36d779a93d9217de5ae6e6507ad70f01b2b0f58daeaa612fb87a64bbfb45ce57e3f4a453fb05362dce7f77afa28e03

C:\Windows\{1E22CFDE-DDC7-416a-B54C-0CEDBD3ED220}.exe

MD5 c29380d15b0f43e82154ff0a53c2b04b
SHA1 636ac2312bc15a04babaebb13553ffa745119c2f
SHA256 163f151c8e9278f932c4448ea53d35a1ee01e299f11219283f2110be3e6c6595
SHA512 2c8b29ccd05a39621c5df9cdc298cb8487f089dd79686605c69ad1acd54f6611c49f97533778ee94d04d54883a149a2605d08a1c5f97f55592509d1051341682

C:\Windows\{87BA1464-C80B-4041-B7B4-F454C420BF68}.exe

MD5 b85784477f7ed347251fffb10417161c
SHA1 5a21ec2b4788cd0d1e90bfa6230bcfa554df5c66
SHA256 8cb752a54a614341b7711a32892b11981991706bf726061d25a35067df404d92
SHA512 cab9bc965bf62e545769206f3908673a7d07959236e75dd673100b81a94e1115f37f1dcd878aa6fc129d325fb24d8b8646b6e444a22c7fdd894c661359ba9045

C:\Windows\{D76C30D9-4866-4ad2-8A33-4008C14CEE2C}.exe

MD5 a9d447bdddfd1c6067b9bb0f81dc00f6
SHA1 c151877a78141ce242c88899010d6c9a43d880f1
SHA256 51f75d94884b5c313396428ea3732c91f96fb9935dffdba21a5c38ea6bb286c9
SHA512 6db93645c7b4c0c13fef6a78fe5c8a0250e9fa0fd2fcee8e8d40d68f6de6993305408ee28b94ef112e3b56910ec6d2a03907b14f328561683d4afbaf311cf0a8

C:\Windows\{2D712A55-C5B8-48d2-B191-7D79D3E5936A}.exe

MD5 85082190fc3a980c0b22342460bcf739
SHA1 2953bb942431eb06ec8b41a8b2ce725d922bd411
SHA256 576036f2449797164209418df6d2222180d3f724524955ccf165d286aba9258e
SHA512 2239f3f7183aef8ee5fd1a496557884e80f7ce17cb9e9c683aa7e3cc1c88625c63a13597e491620f707c50c3eb35a717c4e732848557ede45c641e12eab099d0

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-25 17:41
Reported 2024-01-25 17:44
Platform win10v2004-20231222-en
Max time kernel 149s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"

Signatures

Kinsing

loader kinsing

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E29C99-CC0C-4882-9226-C8A561819249} C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E29C99-CC0C-4882-9226-C8A561819249}\stubpath = "C:\\Windows\\{93E29C99-CC0C-4882-9226-C8A561819249}.exe" C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AE7BF5-9E86-47fa-9436-F183785D88C8} C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6} C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00703033-7E5C-438d-BAE6-2EB773242E4F}\stubpath = "C:\\Windows\\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe" C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CBB889-4433-471c-95C7-FD14DDE58C40} C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}\stubpath = "C:\\Windows\\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe" C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}\stubpath = "C:\\Windows\\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}\stubpath = "C:\\Windows\\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe" C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}\stubpath = "C:\\Windows\\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe" C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}\stubpath = "C:\\Windows\\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe" C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4} C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}\stubpath = "C:\\Windows\\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe" C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E} C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}\stubpath = "C:\\Windows\\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe" C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61} C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920681ED-41F9-4cb3-AE19-F8DD42C6E182} C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00703033-7E5C-438d-BAE6-2EB773242E4F} C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A} C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD471ABE-5972-4376-ACCE-89CCA4A1646E} C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}\stubpath = "C:\\Windows\\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe" C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F9285C-F801-49be-AC3A-9042749D7EEF} C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F9285C-F801-49be-AC3A-9042749D7EEF}\stubpath = "C:\\Windows\\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe" C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CBB889-4433-471c-95C7-FD14DDE58C40}\stubpath = "C:\\Windows\\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe" C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
File created C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe N/A
File created C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe N/A
File created C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe N/A
File created C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe N/A
File created C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe N/A
File created C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
File created C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
File created C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe N/A
File created C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe N/A
File created C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
File created C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4736 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
PID 4620 wrote to memory of 4736 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
PID 4620 wrote to memory of 4736 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
PID 4620 wrote to memory of 1900 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1900 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1900 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3516 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
PID 4736 wrote to memory of 3516 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
PID 4736 wrote to memory of 3516 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
PID 4736 wrote to memory of 2780 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2780 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2780 N/A C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 3948 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
PID 3516 wrote to memory of 3948 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
PID 3516 wrote to memory of 3948 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
PID 3516 wrote to memory of 4916 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4916 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4916 N/A C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 5036 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
PID 3948 wrote to memory of 5036 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
PID 3948 wrote to memory of 5036 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
PID 3948 wrote to memory of 528 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 528 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 528 N/A C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3652 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
PID 5036 wrote to memory of 3652 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
PID 5036 wrote to memory of 3652 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
PID 5036 wrote to memory of 1584 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 1584 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 1584 N/A C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 5068 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
PID 3652 wrote to memory of 5068 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
PID 3652 wrote to memory of 5068 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
PID 3652 wrote to memory of 4556 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4556 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4556 N/A C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1452 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
PID 5068 wrote to memory of 1452 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
PID 5068 wrote to memory of 1452 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
PID 5068 wrote to memory of 3388 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3388 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3388 N/A C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 5048 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
PID 1452 wrote to memory of 5048 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
PID 1452 wrote to memory of 5048 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
PID 1452 wrote to memory of 3144 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 3144 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 3144 N/A C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 1608 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
PID 5048 wrote to memory of 1608 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
PID 5048 wrote to memory of 1608 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
PID 5048 wrote to memory of 4640 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4640 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4640 N/A C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 740 N/A C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
PID 1608 wrote to memory of 740 N/A C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
PID 1608 wrote to memory of 740 N/A C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
PID 1608 wrote to memory of 4140 N/A C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"

C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe

C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe

C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{065A1~1.EXE > nul

C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe

C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AD471~1.EXE > nul

C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe

C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FABD5~1.EXE > nul

C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe

C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{81F92~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AE7~1.EXE > nul

C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe

C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEE7~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28E2C~1.EXE > nul

C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe

C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92068~1.EXE > nul

C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe

C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00703~1.EXE > nul

C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe

C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{183FB~1.EXE > nul

C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe

C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4CBB~1.EXE > nul
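The three tables above (Active Setup stubpath writes, "File created" rows and the WriteProcessMemory parent/child rows) and the process list describe one mechanism: each stage drops the next GUID-named executable into C:\Windows, registers it as an Active Setup stubpath, spawns it, and then deletes its own predecessor through cmd.exe. The sandbox presents that as flat rows. The script below is an added example, not part of the sandbox report; it re-parses a subset of the rows copied from this page (embedded as constructed input so it runs offline) into the drop chain, the persistence entries and a de-duplicated process tree, and extracts the self-delete targets from the cmd.exe command lines. The function names and the regular expressions are mine; the only assumptions about the report format are what the rows above show (one "File created" row per drop, three WriteProcessMemory rows per spawn, stubpath values stored with doubled backslashes).

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral report above, in the
# sandbox's flattened "Description Indicator Process Target" layout.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"

REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD471ABE-5972-4376-ACCE-89CCA4A1646E} C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}\stubpath = "C:\\Windows\\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe" C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F9285C-F801-49be-AC3A-9042749D7EEF}\stubpath = "C:\\Windows\\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe" C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
File created C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe N/A
File created C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe N/A
File created C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe N/A
File created C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe N/A
File created C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe N/A
File created C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe N/A
File created C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe N/A
File created C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe N/A
File created C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe N/A
File created C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe N/A
File created C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe N/A
File created C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe N/A
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
PID 1032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4736 N/A C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
"""

# Constructed input: the first three cmd.exe command lines from the process list.
CMDLINES = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{065A1~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD471~1.EXE > nul
"""

FILE_CREATED = re.compile(r"^File created (\S+) (\S+) N/A$")
STUBPATH = re.compile(r'Installed Components\\(\{[^}]+\})\\stubpath = "([^"]+)" (\S+) N/A$')
MEM_WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SELF_DELETE = re.compile(r"cmd\.exe /c del (\S+) > nul")


def parse_rows(text):
    return [line.strip() for line in text.splitlines() if line.strip()]


def drop_edges(rows):
    """writer image -> file it dropped, from 'File created' rows."""
    return {m.group(2): m.group(1) for row in rows if (m := FILE_CREATED.match(row))}


def drop_chain(rows, root):
    """Follow writer -> dropped edges starting at the submitted sample; stop on a cycle."""
    edges, chain, seen = drop_edges(rows), [root], {root}
    while chain[-1] in edges and edges[chain[-1]] not in seen:
        chain.append(edges[chain[-1]])
        seen.add(chain[-1])
    return chain


def active_setup_entries(rows):
    """GUID -> stubpath and the process that set it. 'Key created' rows carry no
    value and are skipped; the report stores the value with doubled backslashes,
    so it is unescaped to the on-disk path."""
    out = {}
    for row in rows:
        m = STUBPATH.search(row)
        if m:
            guid, stub, setter = m.groups()
            out[guid] = {"stubpath": stub.replace("\\\\", "\\"), "set_by": setter}
    return out


def process_tree(rows):
    """parent PID -> {child PID: child image}. The sandbox logs three
    WriteProcessMemory rows per spawn; keying on the PID pair collapses them."""
    tree = defaultdict(dict)
    for row in rows:
        m = MEM_WRITE.match(row)
        if m:
            ppid, cpid, _parent, child = m.groups()
            tree[int(ppid)][int(cpid)] = child
    return dict(tree)


def self_delete_targets(cmdlines):
    """Paths handed to 'cmd.exe /c del ... > nul' (8.3 short names, as logged)."""
    return [m.group(1) for line in cmdlines if (m := SELF_DELETE.search(line))]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("drop chain:", " -> ".join(drop_chain(rows, ROOT)))
    print("active setup:", active_setup_entries(rows))
    print("process tree:", process_tree(rows))
    print("self-deletes:", self_delete_targets(parse_rows(CMDLINES)))
```

Two points the rows make that a detection should account for: the delete commands name the predecessor by its 8.3 short name (`{065A1~1.EXE`, not the full GUID file name), so matching on the long file name in command-line telemetry misses the cleanup step, and the stubpath entries survive the deletion of the stage that wrote them, so the registry keys, not the executables on disk, are the durable indicator.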

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe

MD5 4a3ee0055f2362239d6ad09ac58ed64b
SHA1 94c04530a8f93289df8882b79a80a546fffa7295
SHA256 ebbcd9d2790c55fc6bf3f99a09df7230721aac75906f065b53497bb957cfbcc2
SHA512 a004516dbf3efb1365f5738471d2f7362092144bd7516192bcaee11fdf55fa66c94bea46d26aef5f6c69d1e12cd0e4339b883e54dc2bca21288ca5712c7dd104

C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe

MD5 aa033ff65407c2d3c64d68264df23d37
SHA1 9ebe41e4ac3fc654d35d5185b5a4b93a5464406f
SHA256 7436a0c3ca311136fb5565402105593b798b580a366ffccf87ae11b278ac0f5c
SHA512 d597e8f0680917220a1d732db8e249d1e0afc83abe54b6a4d785c50852dab24c9bd6073d7bcc08164de73e597c3f2c35b16252b70dd2bd7dc0dd2abd711a6d16

C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe

MD5 61fc8f269c210e6d18998af84564ae14
SHA1 32a8bad0d96cc7f2e3b0bda157cdd193b811ee52
SHA256 3b6a22cff13100c025a0cbd8fd29f5a9da23639605e277787783099c16e58395
SHA512 e07e63b79102b54c63cfc61764ef1d59edbe01c8fb34d131a033850378fe3ee62843abe463449a2e965b67414be3cefa9dfdd25c9d71affaa0b68eef33fc2968

C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe

MD5 4720368083a5d5591b1de5e9d4827249
SHA1 0151f789a5c768971e733a28c4e62a977a445892
SHA256 3b33a78293d9622d8f9f05f856012a2ebc4e50d28fe46f60bb42e1877e439acf
SHA512 fce80234e1d7fa037576a1880aaf064a7c4c5ab3379bac740c84bbec2dd4fc87aad4c94d4032e8be337fe90b0a9075a5b268b3cff32e12f572f79aaca6f18228

C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe

MD5 c4ea2773de53806fa3285843f344fb35
SHA1 8493aa93bdb4f6a0500fe459fe69d0b056dcbcc4
SHA256 5f3016f9740f61b9f10c0908311ca470797636befaa709b32ad49a258eae42a8
SHA512 3dff82e9249d8966896434423bca7c2731078c57647697148bdd7b1daf54f86ec8099b61d01b4ea2227fb00c3c01105edc3b9b1c99d2f5235806de5f016fcaaf

C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

MD5 b06460a92205e06ec0f669a656ba539c
SHA1 6907efa54a21947adebae8291dd69c0e1e1d2b48
SHA256 3a852daa5d4e96c821742d5b7a85134628005bcb5cb9e55fa592eb97deb00e86
SHA512 b733a784b3f5ed9bd54e4a5839e6735c58e0d1463ba7d9f0a221541d984b9528d26544749c06fd33a166876215c8a96b32c7d4c400d1a6ff13ecd88504a43c27

C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

MD5 e2efe6049ab30ffc576bc1b9da25e27a
SHA1 d01bca096f2198c52275c0610bc5c811547dc3aa
SHA256 fdf493c1b32938197a9abde692ef2a3967af75f5490da089e3fedc7fc4d746af
SHA512 2806ab0328122053dc22e7188d5a98d38cbf50b49d26f1a3230fe034d6eb580b276c140a54042d3d9f667c9b9bca75bd5d9feceb88df688285c0d56ed14acf9e

C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe

MD5 b431706c8217d008bd767bed4f6ce37b
SHA1 653dc19d89cde4895064a0acb8d3f02d363da62e
SHA256 752f279219055ec6bec46636b5af0d1ec683f3e18222184f625a963f8baf3082
SHA512 0d4a918a01b3ca7a05b19d3426a02830cc76a225035597cce9bf033465df4d71c030b5de6ccefb7a20c4c79c80a6859bbb6053186cbc74c486330f24affbac8f

C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

MD5 89fa8bb025318fc33ee0ed6e0c074ee1
SHA1 a991e0f6c34281419bdb38fe51d25e7b4ffdbc71
SHA256 70d989d2b28ab2cf7972ac76449d760b2d81c69e9229ce95c55b93fac571e98f
SHA512 b5a292c6979ed215c808b90d8ddd706239e5a6e85db094629be6c06c7c67d09c256b88e5eac46fc8ca187106782feecfa94d780160f4a429114798a7359f66f5

C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

MD5 0cc5b8825c3c0f78aaa30cd983c8ab62
SHA1 f399b7ebdf1c18a58847e5cdb10e86fc830a3169
SHA256 fed0fff0121ae2f0c337efbb0cadc7849d78ec5f39809ba75814bf3053f5641a
SHA512 2247bf4431246622472f54865d7a34dc65ccb36f24d9d348ec15cce7516afc25e4c7d7fa7cef52a72dd625a9c752e8a19a2e8696c37bb51cb08f1aeee385a5c3

C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe

MD5 ca44decdd150aed6a116586ac7f29d75
SHA1 0bb83ae686f5b699a02ff00d566afad6b95e2168
SHA256 7cfa90b4a1b4424ff53403cfb4cde594c694133e18c34b9baa82db272b9175db
SHA512 dc7c623f48f919e7f6ba3cdd9381f766057a277e9e7004e43d3fe0c01d86b55374af3a22cb7d470b43e25975469c4b1ac361c3ed3728320d7b1376ec1df7bf24

C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe

MD5 4c39ffa8ee16a301c7c34284319d3096
SHA1 608692d083e8923d79bb4deed4f5c2e32541ae5f
SHA256 fd46a93bca1ec5092a2d8283c86278ea54977377327d104c79571fa0d6902a6b
SHA512 d2c6cb5d0526bafe33ce450e1956db223ec5e040da19056443fa3caf11cef202d57edb9f9a39f16c7289f36fe567e383d26754bbee5b0b07941e2ccbced814de

C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe

MD5 c0c0d74515135c0de97f9fc0bd9e36e7
SHA1 29a5646f710f7374e6e7713f00adfbfe1a93e4f3
SHA256 c387eabbdeb4a2b6f1342e5cfbd479f47454c3998fc718920b61fb199a0e93e1
SHA512 f0072496151525c7e613256aca59f76650665fd7b22866678c55b0853e5a4a9388a90bb781c79b1ceda72861f929c2aea91165886ff665e7da31c341b592264d

C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe

MD5 d5ea2d3a0a3862ada4b0de4abb519431
SHA1 c3448ce6745895a8e4370eb735ee2bc2b7d41b8e
SHA256 6e6cab4872e90d4f7bdf1f2bc6b411e03789b0fb822da1a0593c70a73d6c5314
SHA512 4b94eb8d3fa3ba5d5d4749855fb9dd22ce1b6b7fdb6412ecadfe0535c372a4fa9feadfb52214af587a3eeebb1aea7935dbcc947273c418054da9cb5515cc5edc