Analysis Overview
SHA256
5a214470205aeea815fb0a21bb8de544f299150c44fb425b4afa6d8066103bca
Threat Level: Likely malicious
The file 2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Deletes itself
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71721942-19E4-4fdd-A95B-894A66A5C043} | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}\stubpath = "C:\\Windows\\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734CF85B-B961-484f-B832-A810E3639022} | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EB811A1-0395-439f-B523-D4526E67137C} | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE831CA-1793-4821-AA9E-7EA289C89793}\stubpath = "C:\\Windows\\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe" | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EAEB40B-A267-4a63-BF54-951F2F8774C2} | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A054440-934B-42e1-8743-D02B014D264A} | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8416CF-1280-4018-89AF-054DD5D87D3E}\stubpath = "C:\\Windows\\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe" | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD} | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600} | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}\stubpath = "C:\\Windows\\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe" | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71721942-19E4-4fdd-A95B-894A66A5C043}\stubpath = "C:\\Windows\\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe" | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734CF85B-B961-484f-B832-A810E3639022}\stubpath = "C:\\Windows\\{734CF85B-B961-484f-B832-A810E3639022}.exe" | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EB811A1-0395-439f-B523-D4526E67137C}\stubpath = "C:\\Windows\\{0EB811A1-0395-439f-B523-D4526E67137C}.exe" | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28AF19C-E659-434e-8CCF-F04735BD874B} | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8416CF-1280-4018-89AF-054DD5D87D3E} | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BE6052-67ED-470e-A7B7-4215332C44F5} | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BE6052-67ED-470e-A7B7-4215332C44F5}\stubpath = "C:\\Windows\\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe" | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28AF19C-E659-434e-8CCF-F04735BD874B}\stubpath = "C:\\Windows\\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe" | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A054440-934B-42e1-8743-D02B014D264A}\stubpath = "C:\\Windows\\{9A054440-934B-42e1-8743-D02B014D264A}.exe" | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}\stubpath = "C:\\Windows\\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe" | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE831CA-1793-4821-AA9E-7EA289C89793} | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}\stubpath = "C:\\Windows\\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe" | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | N/A |
| N/A | N/A | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | N/A |
| N/A | N/A | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | N/A |
| N/A | N/A | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | N/A |
| N/A | N/A | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | N/A |
| N/A | N/A | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | N/A |
| N/A | N/A | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | N/A |
| N/A | N/A | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | N/A |
| N/A | N/A | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | N/A |
| N/A | N/A | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | N/A |
| N/A | N/A | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | N/A |
| N/A | N/A | C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | N/A |
| File created | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | N/A |
| File created | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | N/A |
| File created | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | N/A |
| File created | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | N/A |
| File created | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | N/A |
| File created | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | N/A |
| File created | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | N/A |
| File created | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | N/A |
| File created | C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | N/A |
| File created | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| File created | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe"
C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe
C:\Windows\{9F6CD5D8-37FD-4cb4-9B46-D67868CCFFD9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe
C:\Windows\{734CF85B-B961-484f-B832-A810E3639022}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F6CD~1.EXE > nul
C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe
C:\Windows\{0EB811A1-0395-439f-B523-D4526E67137C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{734CF~1.EXE > nul
C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe
C:\Windows\{E28AF19C-E659-434e-8CCF-F04735BD874B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0EB81~1.EXE > nul
C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe
C:\Windows\{9A054440-934B-42e1-8743-D02B014D264A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E28AF~1.EXE > nul
C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe
C:\Windows\{1E8416CF-1280-4018-89AF-054DD5D87D3E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9A054~1.EXE > nul
C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe
C:\Windows\{CF5DAAA4-6B33-4808-9ABB-66532D6B6600}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1E841~1.EXE > nul
C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe
C:\Windows\{44B0EEFC-F7A6-4a2e-8F70-8CD8F96A83DD}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5DA~1.EXE > nul
C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe
C:\Windows\{ADE831CA-1793-4821-AA9E-7EA289C89793}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{44B0E~1.EXE > nul
C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe
C:\Windows\{1EAEB40B-A267-4a63-BF54-951F2F8774C2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE83~1.EXE > nul
C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe
C:\Windows\{71721942-19E4-4fdd-A95B-894A66A5C043}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1EAEB~1.EXE > nul
C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe
C:\Windows\{03BE6052-67ED-470e-A7B7-4215332C44F5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{71721~1.EXE > nul
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:53
Platform
win7-20240704-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D11668D-B929-43d4-B0BF-659CCCBE9137} | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A8181F-3D03-477d-B157-BB20680D0607} | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5642FE11-F980-408b-8B40-CEF1BDD4D221}\stubpath = "C:\\Windows\\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe" | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5286C03-828E-4183-8831-CD298DE6D11F}\stubpath = "C:\\Windows\\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe" | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61ADACC-0CBC-451c-A385-CB04B89ED708}\stubpath = "C:\\Windows\\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe" | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F01B82-702E-4890-8B5F-8D592473D039} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F01B82-702E-4890-8B5F-8D592473D039}\stubpath = "C:\\Windows\\{73F01B82-702E-4890-8B5F-8D592473D039}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}\stubpath = "C:\\Windows\\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe" | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5642FE11-F980-408b-8B40-CEF1BDD4D221} | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61ADACC-0CBC-451c-A385-CB04B89ED708} | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7622BE90-0ED4-4227-AC95-652D191CA4E5} | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D} | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D11668D-B929-43d4-B0BF-659CCCBE9137}\stubpath = "C:\\Windows\\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe" | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A8181F-3D03-477d-B157-BB20680D0607}\stubpath = "C:\\Windows\\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe" | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}\stubpath = "C:\\Windows\\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe" | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7622BE90-0ED4-4227-AC95-652D191CA4E5}\stubpath = "C:\\Windows\\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe" | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D} | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}\stubpath = "C:\\Windows\\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe" | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5286C03-828E-4183-8831-CD298DE6D11F} | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889} | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}\stubpath = "C:\\Windows\\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe" | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44} | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | N/A |
| N/A | N/A | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | N/A |
| N/A | N/A | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | N/A |
| N/A | N/A | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | N/A |
| N/A | N/A | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | N/A |
| N/A | N/A | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | N/A |
| N/A | N/A | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | N/A |
| N/A | N/A | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | N/A |
| N/A | N/A | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | N/A |
| N/A | N/A | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | N/A |
| N/A | N/A | C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | N/A |
| File created | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | N/A |
| File created | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | N/A |
| File created | C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | N/A |
| File created | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| File created | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | N/A |
| File created | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | N/A |
| File created | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | N/A |
| File created | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | N/A |
| File created | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | N/A |
| File created | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-25_806559ecd6678cdc7e9b5281ab8cffbd_goldeneye.exe" |
| C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe | C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe | C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{73F01~1.EXE > nul |
| C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe | C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7622B~1.EXE > nul |
| C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe | C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC8B~1.EXE > nul |
| C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe | C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{86DC7~1.EXE > nul |
| C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe | C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD3A~1.EXE > nul |
| C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe | C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1D116~1.EXE > nul |
| C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe | C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A81~1.EXE > nul |
| C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe | C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC2E~1.EXE > nul |
| C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe | C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5642F~1.EXE > nul |
| C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe | C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D5286~1.EXE > nul |
Network
Files
C:\Windows\{73F01B82-702E-4890-8B5F-8D592473D039}.exe
C:\Windows\{7622BE90-0ED4-4227-AC95-652D191CA4E5}.exe
C:\Windows\{0EC8B8BA-DA12-4efe-AA9A-EF736A888889}.exe
C:\Windows\{86DC7629-0E13-40ab-8EE4-5FDB7EF9904D}.exe
C:\Windows\{8CD3A700-F667-4f5d-8EE1-B805D0DBD00D}.exe
C:\Windows\{1D11668D-B929-43d4-B0BF-659CCCBE9137}.exe
C:\Windows\{B1A8181F-3D03-477d-B157-BB20680D0607}.exe
C:\Windows\{4CC2E25A-5A74-438d-BBD9-5F5B7EB5CE44}.exe
C:\Windows\{5642FE11-F980-408b-8B40-CEF1BDD4D221}.exe
C:\Windows\{D5286C03-828E-4183-8831-CD298DE6D11F}.exe
C:\Windows\{B61ADACC-0CBC-451c-A385-CB04B89ED708}.exe