Malware Analysis Report

2025-08-05 20:11

Sample ID 240302-3fx8hsac9s
Target 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye
SHA256 e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f

Threat Level: Known bad

The file 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:28

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:27

Reported

2024-03-02 23:30

Platform

win7-20240221-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (×12)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752}\stubpath = "C:\\Windows\\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe" C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF} C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}\stubpath = "C:\\Windows\\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe" C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E} C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70} C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9} C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}\stubpath = "C:\\Windows\\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe" C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB} C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0} C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}\stubpath = "C:\\Windows\\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe" C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B}\stubpath = "C:\\Windows\\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe" C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62}\stubpath = "C:\\Windows\\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe" C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752} C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF}\stubpath = "C:\\Windows\\{519F376A-387B-494b-A982-E828120E8DBF}.exe" C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}\stubpath = "C:\\Windows\\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe" C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49}\stubpath = "C:\\Windows\\{9620189A-815C-4339-A780-1A80A60BBE49}.exe" C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E}\stubpath = "C:\\Windows\\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe" C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B} C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62} C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3} C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}\stubpath = "C:\\Windows\\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49} C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe N/A
File created C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe N/A
File created C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe N/A
File created C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe N/A
File created C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
File created C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe N/A
File created C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe N/A
File created C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe N/A
File created C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe N/A
File created C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe N/A
File created C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2148 (×4) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
PID 2940 wrote to memory of 2568 (×4) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2704 (×4) N/A C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
PID 2148 wrote to memory of 2552 (×4) N/A C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2824 (×4) N/A C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
PID 2704 wrote to memory of 2960 (×4) N/A C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2028 (×4) N/A C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
PID 2824 wrote to memory of 2380 (×4) N/A C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2748 (×4) N/A C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
PID 2028 wrote to memory of 1592 (×4) N/A C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1368 (×4) N/A C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
PID 2748 wrote to memory of 1028 (×4) N/A C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 744 (×4) N/A C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
PID 1368 wrote to memory of 268 (×4) N/A C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 1180 (×4) N/A C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
PID 744 wrote to memory of 876 (×4) N/A C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"

C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe

C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe

C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDAD~1.EXE > nul

C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe

C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{96201~1.EXE > nul

C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe

C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{48A62~1.EXE > nul

C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe

C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59E02~1.EXE > nul

C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe

C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D026D~1.EXE > nul

C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe

C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11DE0~1.EXE > nul

C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe

C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDC3~1.EXE > nul

C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe

C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{519F3~1.EXE > nul

C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe

C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28066~1.EXE > nul

C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe

C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB35~1.EXE > nul

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:27

Reported

2024-03-02 23:31

Platform

win10v2004-20240226-en

Max time kernel

178s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A (×9)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051} C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}\stubpath = "C:\\Windows\\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe" C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D}\stubpath = "C:\\Windows\\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe" C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5} C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}\stubpath = "C:\\Windows\\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe" C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF} C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F} C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F}\stubpath = "C:\\Windows\\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787}\stubpath = "C:\\Windows\\{FB3535E9-8060-499d-85FD-985CB9624787}.exe" C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F} C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}\stubpath = "C:\\Windows\\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe" C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2} C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}\stubpath = "C:\\Windows\\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe" C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33} C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33}\stubpath = "C:\\Windows\\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe" C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D} C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787} C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}\stubpath = "C:\\Windows\\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe" C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe N/A
File created C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe N/A
File created C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
File created C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe N/A
File created C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe N/A
File created C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe N/A
File created C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe N/A
File created C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe N/A
File created C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
PID 3748 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
PID 3748 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
PID 3748 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 3088 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
PID 4436 wrote to memory of 3088 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
PID 4436 wrote to memory of 3088 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
PID 4436 wrote to memory of 4380 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 4380 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 4380 N/A C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 224 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
PID 3088 wrote to memory of 224 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
PID 3088 wrote to memory of 224 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
PID 3088 wrote to memory of 4992 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 4992 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 4992 N/A C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3548 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
PID 224 wrote to memory of 3548 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
PID 224 wrote to memory of 3548 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
PID 224 wrote to memory of 4192 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 4192 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 4192 N/A C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2656 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
PID 3548 wrote to memory of 2656 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
PID 3548 wrote to memory of 2656 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
PID 3548 wrote to memory of 3916 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 3916 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 3916 N/A C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4324 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
PID 2656 wrote to memory of 4324 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
PID 2656 wrote to memory of 4324 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
PID 2656 wrote to memory of 4432 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4432 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4432 N/A C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 3884 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
PID 4324 wrote to memory of 3884 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
PID 4324 wrote to memory of 3884 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 5000 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
PID 3884 wrote to memory of 5000 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
PID 3884 wrote to memory of 5000 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
PID 3884 wrote to memory of 2404 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2404 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2404 N/A C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1324 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
PID 5000 wrote to memory of 1324 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
PID 5000 wrote to memory of 1324 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
PID 5000 wrote to memory of 3440 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 3440 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 3440 N/A C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"

C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe

C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe

C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27AB6~1.EXE > nul

C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe

C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{858AB~1.EXE > nul

C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe

C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C3E~1.EXE > nul

C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe

C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F37E~1.EXE > nul

C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe

C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FB353~1.EXE > nul

C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe

C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A5E~1.EXE > nul

C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe

C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC88~1.EXE > nul

C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe

C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36223~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe

C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe

C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe

C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe

C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe

C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe

C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe

C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe

C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
