Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-1vmdfscb9v
Target 2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye
SHA256 9454d51978d5c52075bbda5623ed97a3a53a54f3bc3d098a2ae7ad1293d5ae15
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9454d51978d5c52075bbda5623ed97a3a53a54f3bc3d098a2ae7ad1293d5ae15

Threat Level: Known bad

The file 2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:58

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:58

Reported

2024-04-06 22:03

Platform

win10v2004-20240226-en

Max time kernel

218s

Max time network

275s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240DE9A-05E1-4618-870D-3F3478A6B13A}\stubpath = "C:\\Windows\\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe" C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF12BAA6-F456-4393-A502-429924DF3B88}\stubpath = "C:\\Windows\\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A} C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEDA601-FC6A-46db-8073-44660FFF28DB} C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54269115-FB73-4aff-B467-817B4147841A} C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54269115-FB73-4aff-B467-817B4147841A}\stubpath = "C:\\Windows\\{54269115-FB73-4aff-B467-817B4147841A}.exe" C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}\stubpath = "C:\\Windows\\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe" C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3} C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE} C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}\stubpath = "C:\\Windows\\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe" C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240DE9A-05E1-4618-870D-3F3478A6B13A} C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEDA601-FC6A-46db-8073-44660FFF28DB}\stubpath = "C:\\Windows\\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe" C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836} C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF12BAA6-F456-4393-A502-429924DF3B88} C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}\stubpath = "C:\\Windows\\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe" C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}\stubpath = "C:\\Windows\\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe" C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
File created C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A
File created C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
File created C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
File created C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
File created C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
File created C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A
File created C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
PID 4504 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
PID 4504 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
PID 4504 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 4524 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
PID 5076 wrote to memory of 4524 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
PID 5076 wrote to memory of 4524 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
PID 5076 wrote to memory of 4468 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 4468 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 4468 N/A C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4028 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
PID 4524 wrote to memory of 4028 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
PID 4524 wrote to memory of 4028 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
PID 4524 wrote to memory of 4272 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4272 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 4272 N/A C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 2044 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
PID 4028 wrote to memory of 2044 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
PID 4028 wrote to memory of 2044 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
PID 4028 wrote to memory of 3268 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 3268 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 3268 N/A C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 3448 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
PID 2044 wrote to memory of 3448 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
PID 2044 wrote to memory of 3448 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
PID 2044 wrote to memory of 4916 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 4916 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 4916 N/A C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4692 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
PID 3448 wrote to memory of 4692 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
PID 3448 wrote to memory of 4692 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
PID 3448 wrote to memory of 3020 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 3020 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 3020 N/A C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3560 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
PID 4692 wrote to memory of 3560 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
PID 4692 wrote to memory of 3560 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
PID 4692 wrote to memory of 3608 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3608 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3608 N/A C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 2904 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
PID 3560 wrote to memory of 2904 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
PID 3560 wrote to memory of 2904 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
PID 3560 wrote to memory of 3684 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 3684 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 3684 N/A C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"

C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe

C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe

C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF12B~1.EXE > nul

C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe

C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{80427~1.EXE > nul

C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe

C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DA5~1.EXE > nul

C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe

C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6B85F~1.EXE > nul

C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe

C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E240D~1.EXE > nul

C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe

C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BCEDA~1.EXE > nul

C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe

C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54269~1.EXE > nul
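The stubpath writes, the file drops and the `cmd.exe /c del <8.3 name> > nul` commands above are one mechanism recorded three ways: each stage registers the next GUID-named executable under Active Setup\Installed Components, drops it into C:\Windows, starts it, and then has cmd.exe delete its own file, addressed by its DOS 8.3 short name. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses those rows (copied verbatim from the behavioral2 tables) back into the ordered drop chain, maps each 8.3 name to the long file name, and reports which Active Setup entries still point at a file on disk at the end of the run. It assumes one dropped file per stage and that the part of an 8.3 name before "~" is the start of the long name upper-cased, which holds for every name in this report; the expressions also accept the Wow6432Node spelling used in the behavioral1 tables.

```python
import re

# Event rows copied verbatim from the behavioral2 tables of this report
# (Set value, File created, and the cmd.exe command lines); Key created rows are not needed.
REPORT = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF12BAA6-F456-4393-A502-429924DF3B88}\stubpath = "C:\\Windows\\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}\stubpath = "C:\\Windows\\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe" C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}\stubpath = "C:\\Windows\\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe" C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}\stubpath = "C:\\Windows\\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe" C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240DE9A-05E1-4618-870D-3F3478A6B13A}\stubpath = "C:\\Windows\\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe" C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEDA601-FC6A-46db-8073-44660FFF28DB}\stubpath = "C:\\Windows\\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe" C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54269115-FB73-4aff-B467-817B4147841A}\stubpath = "C:\\Windows\\{54269115-FB73-4aff-B467-817B4147841A}.exe" C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}\stubpath = "C:\\Windows\\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe" C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A
File created C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
File created C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe N/A
File created C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe N/A
File created C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe N/A
File created C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe N/A
File created C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe N/A
File created C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe N/A
File created C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe N/A
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF12B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{80427~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DA5~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6B85F~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{E240D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{BCEDA~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{54269~1.EXE > nul
"""

# The sandbox prints the registry string value with doubled backslashes (undone in parse()).
# IGNORECASE also covers the Wow6432Node spelling in the behavioral1 (win7) tables.
ACTIVE_SETUP = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft'
    r'\\Active Setup\\Installed Components\\(?P<guid>\{[0-9A-F-]+\})\\stubpath = '
    r'"(?P<stub>[^"]+)" (?P<proc>\S+) N/A$', re.IGNORECASE)
FILE_CREATED = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+) N/A$')
SELF_DELETE = re.compile(r'cmd\.exe /c del (?P<target>\S+) > nul$', re.IGNORECASE)

def parse(report):
    """Return (stubpath set by each process, file dropped by each process, del targets)."""
    stubs, drops, dels = {}, {}, []
    for line in report.strip().splitlines():
        if m := ACTIVE_SETUP.match(line):
            stubs[m["proc"]] = (m["guid"], m["stub"].replace("\\\\", "\\"))
        elif m := FILE_CREATED.match(line):
            drops[m["proc"]] = m["path"]  # assumes one dropped file per stage, as in this run
        elif m := SELF_DELETE.search(line):
            dels.append(m["target"])
    return stubs, drops, dels

def build_chain(drops):
    """Order the stages: start at the one process nobody dropped, then follow the drops."""
    dropped = set(drops.values())
    roots = [p for p in drops if p not in dropped]
    if len(roots) != 1:
        raise ValueError(f"expected one root dropper, found {roots}")
    chain = [roots[0]]
    while chain[-1] in drops:
        nxt = drops[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in drop chain")
        chain.append(nxt)
    return chain

def resolve_short_name(short_path, candidates):
    """Map a DOS 8.3 name such as C:\\Windows\\{BF12B~1.EXE to the long name in the same
    directory. Assumption: the text before '~' is the long name's leading characters."""
    sdir, _, sname = short_path.rpartition("\\")
    prefix = sname.split("~", 1)[0].upper()
    hits = [c for c in candidates
            if c.rpartition("\\")[0].lower() == sdir.lower()
            and c.rpartition("\\")[2].upper().startswith(prefix)]
    if len(hits) != 1:
        raise ValueError(f"{short_path}: {len(hits)} candidates")
    return hits[0]

def unregistered_drops(stubs, drops):
    """Stages dropped without the dropper also writing a stubpath that names that file."""
    return [p for p, path in drops.items()
            if p not in stubs or stubs[p][1].lower() != path.lower()]

def live_persistence(report):
    """Which Active Setup entries still point at a file that exists when the run ends."""
    stubs, drops, dels = parse(report)
    chain = build_chain(drops)
    deleted = {resolve_short_name(d, chain) for d in dels}
    registered = {stub.lower() for _, stub in stubs.values()}
    live = [p for p in chain if p.lower() in registered and p not in deleted]
    dead = [p for p in chain if p.lower() in registered and p in deleted]
    return {"chain": chain, "live": live, "dead_stubpaths": dead}

if __name__ == "__main__":
    r = live_persistence(REPORT)
    for i, p in enumerate(r["chain"]):
        print(f"stage {i}: {p}")
    print("stubpath entries with a file still on disk:", r["live"])
    print("stubpath entries pointing at already-deleted files:", len(r["dead_stubpaths"]))
```

Run as a script it prints the nine stages in drop order. For this run the only entry with a file still behind it is {DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe, whose stubpath was written by the previous stage and which had not deleted itself when the capture ended; the report does not show whether it would have continued the chain given more time. Active Setup executes a stubpath at the next interactive logon of every user whose HKCU copy of the key is missing, so that surviving file, not the deleted droppers, is what outlives a reboot. The seven stubpath values that now point at deleted files are dead as persistence but remain good registry indicators when sweeping other hosts.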

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp

Files

C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe

MD5 1d25e031ffc89a63f743f05743de5ea3
SHA1 e3123a3835a5826865ae29cf039b9a8cab060a63
SHA256 4694bd0c2cb428bd32071ee8b205e6f9617a5e98a0dc8d6e9d56b44871515d34
SHA512 130b17b0cd2beaa13f52bd0172ce5416c0e47c568822e2eeb71ecaa8da67fe1bc3d6317cd2e7fbb6fb81bab14bcb0a4a0bd554fee3ecd475367c7a079f00ace3

C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe

MD5 be782e842cd3a75c7c16526e3d3db4a0
SHA1 ef6d370ddc5f3c338cd19d09a6fc01be7704cccb
SHA256 3d9b096fad6174e2dc6446d307f6c23e39821ae6a92a2feedbbe8e79ae11c193
SHA512 27e68aaf61c7810996041bbd5079351641b9cc9c1b14f2c8f52e9638a3609c38bf9facbb73aa22f8e577122e8d4e46408ccfa7dc6db04fc92319ce2a20b74464

C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe

MD5 31b278a20e9ecedb384f4eebc7682a75
SHA1 bc32d83cb4888a1b8c012361a5a84de7485e08dc
SHA256 20c136c9e50639b8aca25fc95d67ab638710fb82cf795ebf2e383f24e5f96815
SHA512 19a87e35d8e9feee55ed3383e9ebf2a2bd16264f82946c173ed816b0124ccb70d01b680439194d5a86fd50c0e2f1adf0bb7fabeb54842dbf1a890bd8fa85aa63

C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe

MD5 4c904275d25b37bbf6bcf9b21fb71a67
SHA1 fb2e3d47731b2857642bdda3e6c40ea13dff4c26
SHA256 ab2abb7fcf81923d2952cdefe469c2eacfe029a4ed41f3c6984d77b9f55827ab
SHA512 d85301f50814801b0b51fcfada613d3eef04151110666789da17c25abe6d7fab5a931d857a9e2b5463715525bf47a69e83a8a91712dbdef9c7abbe79459dc637

C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe

MD5 3038fb7c19fceda124d3c05426c88dfc
SHA1 e69b67c96eb9477be7af3387fdc1f2953e8754fd
SHA256 766e04f159096a745b6fa1fafe935639c28e7027fe906b7f87f037aba56b368a
SHA512 5b1557d73e38b7ee83b4d8cfe38222934e2369e7564180abbc57a938657c6e8da0cf2c20b572ebc207c9a8c31be866fbcecb8c31809d0d72eb9e3d441555a85d

C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe

MD5 792837a8562dbaa82126dd1776286765
SHA1 93b8152d3a91e539e2b516baaf4a420022bb588d
SHA256 e38bb3d3b19df72fe7c65f2213acad60399822355f26c564763111309781d143
SHA512 a2a6afaace2e5aa0cefd02881af0a188d9e810ee5ffc00c185bf2033058fa9408999ea0c4b262ecb7d05b1b67233ad717910d65ef596517d72049f896092f92f

C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe

MD5 8f516284d6f619731a8bdb211522af1a
SHA1 95717a31c31e390333c06e3559500d38e3f3fe0f
SHA256 dfc7d9b5ddcb2be596c57200523cf13cadfc447f524fabd7654c677417ee49d7
SHA512 1bcd51bced192f85ddc1bd0112a9ca9930c1fb2146ea4fd4aa60867957b09185df553d24a697b8fee01700ec37fb95f35a669d26f092cf84351c9c2e58fea413

C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe

MD5 faeb26951d6982f4d43e14aaea15b9ea
SHA1 8984e0555821718bc8d90e29c28da4c3a72676d1
SHA256 fb122f130548f359f73646a5923963114e7b7ba25629ff829b8ec1a7010c0028
SHA512 bc5d74987015c7a6a3180ce03680925917298c8845ca04a3bbb84de23117b891c2d1c96268f7c1f6fce894fdf97acb77902f1ea2c5d9b7ea746c1d0eb7e37ff1

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:58

Reported

2024-04-06 22:00

Platform

win7-20240215-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6} C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E4F77C-7BB8-4779-8041-68B714170AC5} C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E4F77C-7BB8-4779-8041-68B714170AC5}\stubpath = "C:\\Windows\\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe" C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A9503A-08E4-4833-9E5F-CFD6D577A568} C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6} C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}\stubpath = "C:\\Windows\\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe" C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0442944C-8774-410c-91A8-62B387803DB4} C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A9503A-08E4-4833-9E5F-CFD6D577A568}\stubpath = "C:\\Windows\\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe" C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0442944C-8774-410c-91A8-62B387803DB4}\stubpath = "C:\\Windows\\{0442944C-8774-410c-91A8-62B387803DB4}.exe" C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53695457-D5D5-41e5-9CB8-342513202B80} C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE02FFA-E3E8-478e-9481-64E9937D181A} C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9} C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}\stubpath = "C:\\Windows\\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe" C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1} C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}\stubpath = "C:\\Windows\\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE02B52-5836-4997-96D8-73037DF192C1}\stubpath = "C:\\Windows\\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe" C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43} C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}\stubpath = "C:\\Windows\\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe" C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53695457-D5D5-41e5-9CB8-342513202B80}\stubpath = "C:\\Windows\\{53695457-D5D5-41e5-9CB8-342513202B80}.exe" C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE02FFA-E3E8-478e-9481-64E9937D181A}\stubpath = "C:\\Windows\\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe" C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE02B52-5836-4997-96D8-73037DF192C1} C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}\stubpath = "C:\\Windows\\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe" C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe N/A
File created C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
File created C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe N/A
File created C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe N/A
File created C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe N/A
File created C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe N/A
File created C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe N/A
File created C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe N/A
File created C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe N/A
File created C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe N/A
File created C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
PID 2404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
PID 2404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
PID 2404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
PID 2404 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2724 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
PID 1744 wrote to memory of 2724 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
PID 1744 wrote to memory of 2724 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
PID 1744 wrote to memory of 2724 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
PID 1744 wrote to memory of 2576 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2576 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2576 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2576 N/A C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2744 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
PID 2724 wrote to memory of 2744 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
PID 2724 wrote to memory of 2744 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
PID 2724 wrote to memory of 2744 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
PID 2724 wrote to memory of 2896 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2896 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2896 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2896 N/A C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 3024 N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
PID 2744 wrote to memory of 3024 N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
PID 2744 wrote to memory of 3024 N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
PID 2744 wrote to memory of 3024 N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
PID 2744 wrote to memory of 1836 N/A C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2828 N/A C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe
PID 3024 wrote to memory of 2884 N/A C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2696 N/A C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe
PID 2828 wrote to memory of 2000 N/A C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 700 N/A C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe
PID 2696 wrote to memory of 620 N/A C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 2824 N/A C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe
PID 700 wrote to memory of 1608 N/A C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"

C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe

C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe

C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B02A~1.EXE > nul

C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe

C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{79E4F~1.EXE > nul

C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe

C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00A95~1.EXE > nul

C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe

C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36F92~1.EXE > nul

C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe

C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04429~1.EXE > nul

C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe

C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68018~1.EXE > nul

C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe

C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53695~1.EXE > nul

C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe

C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE02~1.EXE > nul

C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe

C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE02~1.EXE > nul

C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe

C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB7A~1.EXE > nul

Network

N/A

Files

C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe

C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe

C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe

C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe

C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe

C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe

C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe

C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe

C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe

C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe

C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe
