Analysis Overview
SHA256
7f8bc25627813bdb379a685e706ddc22708ca2c1386d00d9684a2ae56120c30e
Threat Level: Likely malicious
The file 2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:53
Platform
win7-20240704-en
Max time kernel
149s
Max time network
19s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}\stubpath = "C:\\Windows\\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe" | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}\stubpath = "C:\\Windows\\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe" | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17E2D23-D82F-479e-ACF5-5D70F3213312}\stubpath = "C:\\Windows\\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe" | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7434E942-418B-40d9-874E-83312DC57192}\stubpath = "C:\\Windows\\{7434E942-418B-40d9-874E-83312DC57192}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50786694-65A2-4176-9D90-1A178ADE49B7}\stubpath = "C:\\Windows\\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe" | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3} | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7434E942-418B-40d9-874E-83312DC57192} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54} | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0DA63B-CD79-4815-A086-7D87ADBEF890} | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20} | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}\stubpath = "C:\\Windows\\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe" | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E55B693-8822-43c1-AACE-CDCF45953E6E} | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E598DC0A-41A5-4940-83D1-085464423D37}\stubpath = "C:\\Windows\\{E598DC0A-41A5-4940-83D1-085464423D37}.exe" | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2FA1E43-397A-4365-A30F-07F1572B066C} | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2FA1E43-397A-4365-A30F-07F1572B066C}\stubpath = "C:\\Windows\\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe" | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50786694-65A2-4176-9D90-1A178ADE49B7} | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}\stubpath = "C:\\Windows\\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe" | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E55B693-8822-43c1-AACE-CDCF45953E6E}\stubpath = "C:\\Windows\\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe" | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E598DC0A-41A5-4940-83D1-085464423D37} | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C} | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17E2D23-D82F-479e-ACF5-5D70F3213312} | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90A4CCC4-9B25-4e03-B422-10A3719FF527} | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90A4CCC4-9B25-4e03-B422-10A3719FF527}\stubpath = "C:\\Windows\\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe" | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}\stubpath = "C:\\Windows\\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe" | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | N/A |
| N/A | N/A | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | N/A |
| N/A | N/A | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | N/A |
| N/A | N/A | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | N/A |
| N/A | N/A | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | N/A |
| N/A | N/A | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | N/A |
| N/A | N/A | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | N/A |
| N/A | N/A | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | N/A |
| N/A | N/A | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | N/A |
| N/A | N/A | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | N/A |
| N/A | N/A | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | N/A |
| N/A | N/A | C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | N/A |
| File created | C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | N/A |
| File created | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| File created | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | N/A |
| File created | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | N/A |
| File created | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | N/A |
| File created | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | N/A |
| File created | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | N/A |
| File created | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | N/A |
| File created | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | N/A |
| File created | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | N/A |
| File created | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe" |
| C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe | C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe | C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7434E~1.EXE > nul |
| C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe | C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{90A4C~1.EXE > nul |
| C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe | C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A2FA1~1.EXE > nul |
| C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe | C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{50786~1.EXE > nul |
| C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe | C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0DA~1.EXE > nul |
| C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe | C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E2D~1.EXE > nul |
| C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe | C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DCACE~1.EXE > nul |
| C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe | C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD49~1.EXE > nul |
| C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe | C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2E55B~1.EXE > nul |
| C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe | C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E598D~1.EXE > nul |
| C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe | C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A5AD0~1.EXE > nul |
Network
Files
C:\Windows\{7434E942-418B-40d9-874E-83312DC57192}.exe
C:\Windows\{90A4CCC4-9B25-4e03-B422-10A3719FF527}.exe
C:\Windows\{A2FA1E43-397A-4365-A30F-07F1572B066C}.exe
C:\Windows\{50786694-65A2-4176-9D90-1A178ADE49B7}.exe
C:\Windows\{DC0DA63B-CD79-4815-A086-7D87ADBEF890}.exe
C:\Windows\{C6E2DEA7-D776-4e8f-98EE-3F936192EBC3}.exe
C:\Windows\{DCACECFA-EC76-4ec4-AA25-F1216FA72F20}.exe
C:\Windows\{EAD4922F-39D9-46f5-A576-E5F9FEC16F54}.exe
C:\Windows\{2E55B693-8822-43c1-AACE-CDCF45953E6E}.exe
C:\Windows\{E598DC0A-41A5-4940-83D1-085464423D37}.exe
C:\Windows\{A5AD0326-ECC0-45ca-BB5A-37FEB4DC5D8C}.exe
C:\Windows\{B17E2D23-D82F-479e-ACF5-5D70F3213312}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BDF810-2278-4047-9FF6-EFC49AF31F7C} | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF99BE74-44F1-46b3-9059-87F079620350} | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}\stubpath = "C:\\Windows\\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe" | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}\stubpath = "C:\\Windows\\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe" | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80} | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7814A7-D51F-4023-BD86-3E949474E6C2} | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7814A7-D51F-4023-BD86-3E949474E6C2}\stubpath = "C:\\Windows\\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe" | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}\stubpath = "C:\\Windows\\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe" | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28} | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}\stubpath = "C:\\Windows\\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe" | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2601094-D303-4f64-8280-66A56EAB3E2B} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2601094-D303-4f64-8280-66A56EAB3E2B}\stubpath = "C:\\Windows\\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF99BE74-44F1-46b3-9059-87F079620350}\stubpath = "C:\\Windows\\{FF99BE74-44F1-46b3-9059-87F079620350}.exe" | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCE895D6-1314-42ae-9C04-7D8168BCC33B} | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB62BD6A-C328-419c-992C-BBEF6F543B5B} | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D2EC1A-4694-453f-B571-65DF207B3616}\stubpath = "C:\\Windows\\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe" | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C9749CD-F658-49d5-A75B-EE74EEB04C45} | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52654244-9530-4384-B038-7CFEC0AF0872} | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}\stubpath = "C:\\Windows\\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe" | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}\stubpath = "C:\\Windows\\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe" | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}\stubpath = "C:\\Windows\\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe" | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D2EC1A-4694-453f-B571-65DF207B3616} | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52654244-9530-4384-B038-7CFEC0AF0872}\stubpath = "C:\\Windows\\{52654244-9530-4384-B038-7CFEC0AF0872}.exe" | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9} | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | N/A |
| N/A | N/A | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | N/A |
| N/A | N/A | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | N/A |
| N/A | N/A | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | N/A |
| N/A | N/A | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | N/A |
| N/A | N/A | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | N/A |
| N/A | N/A | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | N/A |
| N/A | N/A | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | N/A |
| N/A | N/A | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | N/A |
| N/A | N/A | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | N/A |
| N/A | N/A | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | N/A |
| N/A | N/A | C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | N/A |
| File created | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | N/A |
| File created | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| File created | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | N/A |
| File created | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | N/A |
| File created | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | N/A |
| File created | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | N/A |
| File created | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | N/A |
| File created | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | N/A |
| File created | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | N/A |
| File created | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | N/A |
| File created | C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-25_7e06e4fd205d864a057ae7b488804567_goldeneye.exe" |
| C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe | C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe | C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B2601~1.EXE > nul |
| C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe | C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{33BDF~1.EXE > nul |
| C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe | C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FF99B~1.EXE > nul |
| C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe | C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB01~1.EXE > nul |
| C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe | C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BCE89~1.EXE > nul |
| C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe | C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FB62B~1.EXE > nul |
| C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe | C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE4C~1.EXE > nul |
| C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe | C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B1D2E~1.EXE > nul |
| C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe | C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9A781~1.EXE > nul |
| C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe | C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2C974~1.EXE > nul |
| C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe | C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{52654~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Windows\{B2601094-D303-4f64-8280-66A56EAB3E2B}.exe
C:\Windows\{33BDF810-2278-4047-9FF6-EFC49AF31F7C}.exe
C:\Windows\{FF99BE74-44F1-46b3-9059-87F079620350}.exe
C:\Windows\{ECB01A3B-D385-4888-9ADA-A8FD6412EE28}.exe
C:\Windows\{BCE895D6-1314-42ae-9C04-7D8168BCC33B}.exe
C:\Windows\{FB62BD6A-C328-419c-992C-BBEF6F543B5B}.exe
C:\Windows\{CEE4CF3F-24C1-46df-BD1B-43B09CEE6E80}.exe
C:\Windows\{B1D2EC1A-4694-453f-B571-65DF207B3616}.exe
C:\Windows\{9A7814A7-D51F-4023-BD86-3E949474E6C2}.exe
C:\Windows\{2C9749CD-F658-49d5-A75B-EE74EEB04C45}.exe
C:\Windows\{52654244-9530-4384-B038-7CFEC0AF0872}.exe
C:\Windows\{1F0E1925-319E-439b-B4C7-C7D03B71CAC9}.exe