Analysis Overview
SHA256
e51233abbf9a61c6d16640bf659111a42fee16b8d03bab2b2f95040219fdbec5
Threat Level: Known bad
The file 2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:59
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:59
Reported
2024-04-06 22:03
Platform
win7-20240221-en
Max time kernel
206s
Max time network
150s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872} | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}\stubpath = "C:\\Windows\\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe" | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802DFB4B-A23C-40ef-A21A-930376204765} | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}\stubpath = "C:\\Windows\\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe" | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9} | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}\stubpath = "C:\\Windows\\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe" | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}\stubpath = "C:\\Windows\\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe" | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01} | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}\stubpath = "C:\\Windows\\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe" | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}\stubpath = "C:\\Windows\\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe" | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66} | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}\stubpath = "C:\\Windows\\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA} | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CCF282-2223-49c1-87F9-46B541955D87}\stubpath = "C:\\Windows\\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe" | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CCF282-2223-49c1-87F9-46B541955D87} | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF} | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802DFB4B-A23C-40ef-A21A-930376204765}\stubpath = "C:\\Windows\\{802DFB4B-A23C-40ef-A21A-930376204765}.exe" | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | N/A |
| N/A | N/A | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | N/A |
| N/A | N/A | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | N/A |
| N/A | N/A | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | N/A |
| N/A | N/A | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | N/A |
| N/A | N/A | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | N/A |
| N/A | N/A | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | N/A |
| N/A | N/A | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | N/A |
| N/A | N/A | C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | N/A |
| File created | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | N/A |
| File created | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | N/A |
| File created | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | N/A |
| File created | C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | N/A |
| File created | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | N/A |
| File created | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | N/A |
| File created | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | N/A |
| File created | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe" |
| C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe | C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe | C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1A3B7~1.EXE > nul |
| C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe | C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDD9~1.EXE > nul |
| C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe | C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D8433~1.EXE > nul |
| C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe | C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BB99D~1.EXE > nul |
| C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe | C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F7CCF~1.EXE > nul |
| C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe | C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FBAB8~1.EXE > nul |
| C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe | C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F361C~1.EXE > nul |
| C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe | C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{802DF~1.EXE > nul |
Network
Files
C:\Windows\{1A3B7C58-98A5-4e7b-B138-B1DFB886877F}.exe
| Hash | Value |
| --- | --- |
| MD5 | f77db84c6affc8cde84882facb85b2d7 |
| SHA1 | a6dd5f2dbe5b8388bde536c19393c1db0d189136 |
| SHA256 | 0594bd5aea7e963650cff512f3b2f47f030f7fe42a29a67c3a58f1edfddff511 |
| SHA512 | 6372a520fb085db417b6b84179af14a29bec7642aafc7a56adbc1d9bf8263bf7be75e1ea9e572d494f18760bf54f6ef9ad58057467882823e313c105a3518f33 |
C:\Windows\{6DDD92D9-3C40-4966-8C1B-15CEE4695D01}.exe
| Hash | Value |
| --- | --- |
| MD5 | 9dde26783347866923ebda2c61d0986a |
| SHA1 | 6031c324227d36188739be112a25f4f1dfefa21d |
| SHA256 | f6ea4b3667388b2328a94a1753c234e8fe47973f3e85ea2f1f88e9d8dbdb61f2 |
| SHA512 | 2e4fbb9e8d1c91f7c1bcaf4acf8080c993b64631284f2f936f98ba85955f3cda2be59ea0f1ed60362e23ca501aba4f810c78965555a956f1701d3791a45a6f7c |
C:\Windows\{D843346D-5FFE-4528-BFE3-C8EDE6A230EA}.exe
| Hash | Value |
| --- | --- |
| MD5 | d6cd2ce1767082f5bea9e9d1e6f3906e |
| SHA1 | 965fbe3692d030715d3d9cd2ee03d4129381ed97 |
| SHA256 | e38ee3d2156c0431bef8fe65e253fec57b6b35cf9ba25ac1b00b779f4f3c1400 |
| SHA512 | 36cc61ec8739935a2b84b35aefce2df067b2ba0b1a02db159353371fc519d0f7ea12ed83f98233faad1c82ace11dd631d9cf9f180a5bb2f5e3664e7706dd17d5 |
C:\Windows\{BB99DF75-27D9-4bc0-908D-0E8F4FB334D9}.exe
| Hash | Value |
| --- | --- |
| MD5 | 5621d6e259bfa23aeb21df3de2252830 |
| SHA1 | 2bd438e4eed63702e79f799eb3a8bc7f935e0df7 |
| SHA256 | e867e199fd18936b9fa5196f316c3c9c185d996df7b733294914446ccf2bbd63 |
| SHA512 | 68cc64f6fe86ff7a0c7ddf2da49218899649f71e5a44984cfef76d3c74a6f42b31d1cdf1fa5f05a3229524e98d70ee7a5771b7e7b7fa66f605d5a5d94fadd04c |
C:\Windows\{F7CCF282-2223-49c1-87F9-46B541955D87}.exe
| Hash | Value |
| --- | --- |
| MD5 | 97d5be818199cade03d6551bca609257 |
| SHA1 | d80ac3cb2481401502857e79042fdb0e15773c8d |
| SHA256 | b025c49c7ecef0009fb10c68f803263d212deb0bd247f97320cb0caccb302ff9 |
| SHA512 | ac755bc707782a07130eb838643dc7f37e13dd5c9e06d0b9fdca821d8db9e4c995fcc8d68410c6ff16177ff81beed14fbb563e5e94e7d26fe10318842f9869f3 |
C:\Windows\{FBAB822D-AD8A-4f98-9C06-570E9FF281CF}.exe
| Hash | Value |
| --- | --- |
| MD5 | 1e7d0661decbd2e6a04171c955361169 |
| SHA1 | 5b4c063510c0c611a9f1ff1fa5771c838cd6046c |
| SHA256 | 336af3d5c40511c52d6049864f960b2cece4d7ac9197c3afba2026e7aed602fb |
| SHA512 | e6715464f8a6e3e68368ee37430f907e8e58e709aa6a2e20ccb1fee9cad1de5417fffaf53ef25ad39767cdf6e021a3034985c1ec0f2f097ffcb9697308e189c7 |
C:\Windows\{F361C3C9-0549-4a75-B0B4-C1AF26EFC872}.exe
| Hash | Value |
| --- | --- |
| MD5 | 5143117233961fa211e6ddc9f86195df |
| SHA1 | 1aacf6a968eaae6921c00c2b4ebcb803b8af1233 |
| SHA256 | d24d0b46b1a1f2bd831ca985e92cd5c433a978f08e3a93398a0dc8f695d36149 |
| SHA512 | 72dc80c5bbadc33fcb2944abf27438d6781146d9bc85b24cfcde3b773e80e83a3eb1b4f62154ed8e1c3c5980d37be90d760433d04cec910fc2bd18373b0c38fc |
C:\Windows\{802DFB4B-A23C-40ef-A21A-930376204765}.exe
| Hash | Value |
| --- | --- |
| MD5 | 6c60e977be50a03faa51007a41bedec7 |
| SHA1 | 8ebe6bdc11990ae5f912d6c34eae78435283c0f1 |
| SHA256 | 4937d6bcff49d83695d6448062c4671b5f2f84ed59e10859568e0e90541fb19a |
| SHA512 | 1aa5b651e3456adae59653b30fdf09e8dfffc480cc849a78de24e958f6abbf9501751efca1a397cdf068a748e54490d51f121bced92c82fa3cee6e8b347b693c |
C:\Windows\{E666E54F-D6F0-49f6-AC8E-4D284C73BA66}.exe
| Hash | Value |
| --- | --- |
| MD5 | ed5d6790ef143428896d710f9f9cd344 |
| SHA1 | 2cbda1e315723d6ea663e8cb1a159036af6b051f |
| SHA256 | 28df8cdf27329ceb9dd144f09004ef52852c301d5d0a61ca49db2db8a6a63ec5 |
| SHA512 | 36add895c967441e6d65ca5fcffdf679841ab7799c5444cb187e157abbf466793a12bf1dd05aae09b13253c610eeefa4b739a1521bd29ca770a0ce1667c1fe2d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:59
Reported
2024-04-06 22:01
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA92C02-2129-4ea3-86D3-931400F1CFC7} | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58BD934-EC29-4359-A99D-B25FAB580E97} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F58BD934-EC29-4359-A99D-B25FAB580E97}\stubpath = "C:\\Windows\\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EB06D6-3041-43ae-9C53-D9E9B1193260} | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}\stubpath = "C:\\Windows\\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe" | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A407B36-B070-4a75-B97D-AC4399E1AC39}\stubpath = "C:\\Windows\\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe" | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}\stubpath = "C:\\Windows\\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe" | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}\stubpath = "C:\\Windows\\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe" | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216262-B433-4700-A827-537F374632BD} | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216262-B433-4700-A827-537F374632BD}\stubpath = "C:\\Windows\\{0B216262-B433-4700-A827-537F374632BD}.exe" | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AABBC2-20CA-4f21-BCF2-53B060E5B017} | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271DD18-F0EF-4ff6-A941-D085FAFEA726} | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}\stubpath = "C:\\Windows\\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe" | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}\stubpath = "C:\\Windows\\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe" | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CE1281-6831-4243-987A-AD7FDB420AB6} | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477642EA-6674-44d4-8922-CF42977E1062}\stubpath = "C:\\Windows\\{477642EA-6674-44d4-8922-CF42977E1062}.exe" | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}\stubpath = "C:\\Windows\\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe" | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F} | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299} | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CE1281-6831-4243-987A-AD7FDB420AB6}\stubpath = "C:\\Windows\\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe" | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A407B36-B070-4a75-B97D-AC4399E1AC39} | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48} | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}\stubpath = "C:\\Windows\\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe" | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477642EA-6674-44d4-8922-CF42977E1062} | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | N/A |
| N/A | N/A | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | N/A |
| N/A | N/A | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | N/A |
| N/A | N/A | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | N/A |
| N/A | N/A | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | N/A |
| N/A | N/A | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | N/A |
| N/A | N/A | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | N/A |
| N/A | N/A | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | N/A |
| N/A | N/A | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | N/A |
| N/A | N/A | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | N/A |
| N/A | N/A | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | N/A |
| N/A | N/A | C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | N/A |
| File created | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | N/A |
| File created | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | N/A |
| File created | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | N/A |
| File created | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | N/A |
| File created | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | N/A |
| File created | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | N/A |
| File created | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | N/A |
| File created | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | N/A |
| File created | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | N/A |
| File created | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | N/A |
| File created | C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-06_fac866490cbbd6ab8e51babb01496bf0_goldeneye.exe" |
| C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe | C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe | C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F58BD~1.EXE > nul |
| C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe | C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EB0~1.EXE > nul |
| C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe | C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7271D~1.EXE > nul |
| C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe | C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2A407~1.EXE > nul |
| C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe | C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0995A~1.EXE > nul |
| C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe | C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BA8~1.EXE > nul |
| C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe | C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA5C~1.EXE > nul |
| C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe | C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA92~1.EXE > nul |
| C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe | C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0B216~1.EXE > nul |
| C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe | C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F5CE1~1.EXE > nul |
| C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe | C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{11AAB~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\{F58BD934-EC29-4359-A99D-B25FAB580E97}.exe
| Hash | Value |
| --- | --- |
| MD5 | eee03050c1ee8ccc6caa203059c46de8 |
| SHA1 | 2e0ff1c860fe7f2b55d399839ab30b74f80ab850 |
| SHA256 | b7d51756d416d8f15fc5f381f063cb18dd8dfdd71890344be74a3f5c81c21a53 |
| SHA512 | 78c3b54758c0feeebebda754134bae95ef9c574f6351099cdb45f7cae4b998bdfb76acae1a1eeac52746a82a64e1c1e9962034db2f32bcc9ad49460187f3e942 |
C:\Windows\{A1EB06D6-3041-43ae-9C53-D9E9B1193260}.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ae792f35e894f0ce228a2388a42f498 |
| SHA1 | 5aab681d3351d2f001a7c3d7fea1a5cb85a66c90 |
| SHA256 | f284a96bbd3628ffcbd4407c2632e1418d2378fc48419223c0fb5f393efef769 |
| SHA512 | 8a63d8b029417a1da55c9d7d6341fd8cbd5a1f32ac04683387db5f96fcd8c28d490463b8fde52d211d3e38aa08a58cf2560ed191ed6a61d7e42e3902f1f4edb4 |
C:\Windows\{7271DD18-F0EF-4ff6-A941-D085FAFEA726}.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ca4283f86237bead2075d387ac86284 |
| SHA1 | fd4c17dce1b8fbc4cc517e30beaa22fac5403d22 |
| SHA256 | ed7daa93599fdf22d187769c84400ca3517aa180c8f29d1fef5b98892d8ed353 |
| SHA512 | f33767d525280c365abc413b4d9a36270579d9a8ea616a3ae6c5183bee568b352bbd060c36c8001b446546e332f892a27848255814172702595e575d6829b804 |
C:\Windows\{2A407B36-B070-4a75-B97D-AC4399E1AC39}.exe
| Hash | Value |
| --- | --- |
| MD5 | 5db9bd5d1388ae1f2fcdab06c3b530c8 |
| SHA1 | 8359590dea2ef476685f7dabd5406f0d7e1db3ab |
| SHA256 | d15f800b2ea9037d32d6883155aff18596a988ae6f647e22230cd4d57f5fc6fd |
| SHA512 | 696c259d161a45c7fb979dd75168f6845ec436c27048220703252bd0c9a636bc57015ca14dc616b80e9533e1861c9bb29937f33d782a9599faf02e01fea82b0c |
C:\Windows\{0995A7E6-F4C5-40b1-877B-FC0F48D2051F}.exe
| Hash | Value |
| --- | --- |
| MD5 | 5e81c8f54b58a8ea899069f45f0e5a51 |
| SHA1 | acb33d1c1e342aa4794c316ae8e1adf96840a568 |
| SHA256 | 97497a180805aefd2cc9f720f05390b1dbdf9e94808ce032cac7a1191e0a00d1 |
| SHA512 | c305effcb270cfadb2bb2b1dd73767a93f8bbc2e181c6530a191c4ac8cbc95c5af75bd23e56d555769ec8430f17a6830ac4da7fe3539f4b348fcfb1991c3d3df |
C:\Windows\{C4BA8901-E460-4bc2-B02D-FF1082AE1A48}.exe
| Hash | Value |
| --- | --- |
| MD5 | a7429aa9e6ae02c75a937caadc4909d4 |
| SHA1 | 9942b87b88035e32501f0d75f338a1e4c15bac48 |
| SHA256 | 80808c854aa46760277a39aa636288c9af55a31f5ae931f090cf0664abba3f4c |
| SHA512 | 4b35f482de69b166f375e7197829837346b8ff5d64aa89c39d667b5c3b8d87e0ac6e14e4fd2fac92b7035dd6c385eff32e89688d79f8f18ab4dd4ccf43e54bd8 |
C:\Windows\{6BA5CEAE-C1E8-4636-AA0A-6602EF349299}.exe
| Hash | Value |
| --- | --- |
| MD5 | fe63c857831fecce80894d06d5090eb5 |
| SHA1 | 1e91934f3d09dab11aff84b244cc8902f31efb64 |
| SHA256 | a7e70dc3faa9130e0078a46ad6912a3b26d360fddb2c5f03a0033683d03b658c |
| SHA512 | b3bf5b96df5576644977aceb2bc082a7fb3a08dc993a923170f6a8dccd8285ca622780d90f3011ba9375608514054c8f94167ecc2430eed00b4cb9a75c05719d |
C:\Windows\{8EA92C02-2129-4ea3-86D3-931400F1CFC7}.exe
| Hash | Value |
| --- | --- |
| MD5 | 3ad9b1a42f971966600025d5026ec6a8 |
| SHA1 | 53835a0d4ba011b8e178899ef953bd19440af040 |
| SHA256 | de9c3840075e0acf7c536e57d2407c07e27244372b5300286df11b080ac48951 |
| SHA512 | 4489d137ac459b8386ba31cec6862343a71d9ce79477370de40192cdcc92f186ae6352bd93a2622e9b14e8074a917aa8bf942142f0cd2b8442b5e32329e676fa |
C:\Windows\{0B216262-B433-4700-A827-537F374632BD}.exe
| Hash | Value |
| --- | --- |
| MD5 | d661c580495a79f2fdaf48c91abe4983 |
| SHA1 | db4cd8b4aefb9782c112380a1941544e57e1f3c3 |
| SHA256 | 37cdd937010e7299ace7391dcd53b2dc56a769c946328e13560dd60e5fd3de56 |
| SHA512 | 8377ad22b1323d5ab4e5ad0b236d345cc8cdd79335459cbeba041287b0197e4a42aed1534d9b354dbc765690b15e598e1b5f48a0a48e8d4cb59f22af03d46268 |
C:\Windows\{F5CE1281-6831-4243-987A-AD7FDB420AB6}.exe
| Hash | Value |
| --- | --- |
| MD5 | 9be53b44bfbb300598fc7aff0849fa4d |
| SHA1 | 888b2c1178eecd9273227f4a68cf436144dc3e20 |
| SHA256 | 290db80bc1d07c65b329c3e8639c7ee400b4ed4846a61ed4be21a98fe017067a |
| SHA512 | ee1952431b828e69be8e67712abd10ae527fbc3535117988d6b921d4a53fc9b0b658eeab02bba242222637b29ad2e3df7372fd46a1afbbd32554adb8174a614c |
C:\Windows\{11AABBC2-20CA-4f21-BCF2-53B060E5B017}.exe
| Hash | Value |
| --- | --- |
| MD5 | 86d05b550d93229a4af5995eb19569bf |
| SHA1 | b34ff43a0628a3178154e5fcf99aa00d5bad107a |
| SHA256 | cab7ca5a9aa73a6ae837096973ef610d2d61e8019484af87c66b2a3f896984f6 |
| SHA512 | bcd02fcda9aeecea69008fbf5fc5c444f1e18997369529278d235364f3881b21cf5e8cd4dab5a765f7457f80ac3bd304528b4535331520e1b34da67831a58196 |
C:\Windows\{477642EA-6674-44d4-8922-CF42977E1062}.exe
| Hash | Value |
| --- | --- |
| MD5 | a229ebdf1476170002447f76f1410d40 |
| SHA1 | 3162472904b8b29ac32fec19698010dfe4efcacb |
| SHA256 | 73ff511eca2969e012f8a5fbc5d53e5ce6da0a2240ae815d10a38328f973e30d |
| SHA512 | b48f7f243ccd7a76b60d532480df3544dd8d3011355f56e5ea586cd156bf77c6292dc5a9c67e5723657886ab8e9964a84ea35e7347f1e87e4af8c115494f4f87 |