Malware Analysis Report

2024-11-15 09:49

Sample ID 241110-b1gmqawglq
Target 2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye
SHA256 fcf50d8323df2abae64847060d2ecd29586bb32e027b17be2ea62ab1e6784bab
Tags
discovery persistence
score
8/10

Analysis Overview

score
8/10

SHA256

fcf50d8323df2abae64847060d2ecd29586bb32e027b17be2ea62ab1e6784bab

Threat Level: Likely malicious

The file 2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:36

Reported

2024-11-10 01:39

Platform

win7-20241010-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDFC703-8B93-4a34-B68B-7C589C53E89E} C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}\stubpath = "C:\\Windows\\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe" C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}\stubpath = "C:\\Windows\\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe" C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B564B57-56F5-4b78-94F8-B7E44063413E} C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31887FCF-AA91-4039-BF04-CC833B36711E} C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDC27AF-40CE-4643-BFDA-48A17E134B96} C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31887FCF-AA91-4039-BF04-CC833B36711E}\stubpath = "C:\\Windows\\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe" C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}\stubpath = "C:\\Windows\\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe" C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F85938-7164-4ae9-A37A-C82540547E42} C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246} C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597F29D3-EF43-4d22-B83D-11559DF9BC53}\stubpath = "C:\\Windows\\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe" C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17AE1A9-2669-4d3e-845B-107822CBF469} C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3} C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088EC908-8403-4564-A575-241F2F4A6A89}\stubpath = "C:\\Windows\\{088EC908-8403-4564-A575-241F2F4A6A89}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597F29D3-EF43-4d22-B83D-11559DF9BC53} C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8} C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}\stubpath = "C:\\Windows\\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe" C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F85938-7164-4ae9-A37A-C82540547E42}\stubpath = "C:\\Windows\\{53F85938-7164-4ae9-A37A-C82540547E42}.exe" C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088EC908-8403-4564-A575-241F2F4A6A89} C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17AE1A9-2669-4d3e-845B-107822CBF469}\stubpath = "C:\\Windows\\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe" C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B564B57-56F5-4b78-94F8-B7E44063413E}\stubpath = "C:\\Windows\\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe" C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}\stubpath = "C:\\Windows\\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe" C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
File created C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe N/A
File created C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe N/A
File created C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe N/A
File created C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe N/A
File created C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe N/A
File created C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe N/A
File created C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe N/A
File created C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe N/A
File created C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe N/A
File created C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
PID 564 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
PID 564 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
PID 564 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe
PID 564 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2712 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
PID 2168 wrote to memory of 2712 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
PID 2168 wrote to memory of 2712 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
PID 2168 wrote to memory of 2712 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe
PID 2168 wrote to memory of 2764 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2764 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2764 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2764 N/A C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2676 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
PID 2712 wrote to memory of 2676 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
PID 2712 wrote to memory of 2676 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
PID 2712 wrote to memory of 2676 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe
PID 2712 wrote to memory of 2708 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2708 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2708 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2708 N/A C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2508 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
PID 2676 wrote to memory of 2508 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
PID 2676 wrote to memory of 2508 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
PID 2676 wrote to memory of 2508 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe
PID 2676 wrote to memory of 2020 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2020 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2020 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2020 N/A C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
PID 2508 wrote to memory of 2612 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe
PID 2508 wrote to memory of 1468 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1468 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1468 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1468 N/A C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe
PID 2612 wrote to memory of 3008 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3008 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3008 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3008 N/A C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
PID 2736 wrote to memory of 2776 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe
PID 2736 wrote to memory of 1280 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1280 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1280 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1280 N/A C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2948 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
PID 2776 wrote to memory of 2948 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
PID 2776 wrote to memory of 2948 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
PID 2776 wrote to memory of 2948 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe
PID 2776 wrote to memory of 588 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 588 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 588 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 588 N/A C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"

C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe

C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe

C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{088EC~1.EXE > nul

C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe

C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2FD~1.EXE > nul

C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe

C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{597F2~1.EXE > nul

C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe

C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E17AE~1.EXE > nul

C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe

C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B564~1.EXE > nul

C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe

C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1FB~1.EXE > nul

C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe

C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25D07~1.EXE > nul

C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe

C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31887~1.EXE > nul

C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe

C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DDC2~1.EXE > nul

C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe

C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53F85~1.EXE > nul

Network

N/A

Files

C:\Windows\{088EC908-8403-4564-A575-241F2F4A6A89}.exe

MD5 dc91a56093c7044adf0c70fb12a2a154
SHA1 0db3333bed8ee6dfe67f0c540bd1b53adeb97a3f
SHA256 6f7c8fa3da3889a4779b2527756ff7f117709e5e866eab1c6f35d34d90c6588c
SHA512 8734d3cac7ecfa0aeb4b5b889ab0a78de0dad41b2fe729e532870a1a5b47bf00bb0f5b303244dbdeff69909d64a025d320e4db081e1e5c0be3612647014277f6

C:\Windows\{EC2FDAE3-0FB8-401f-99D1-4FDD14316246}.exe

MD5 bef4be638cf5166619f2fecf61ddb9cf
SHA1 ce0c32fc1e0ba88ed0b149ca0b90a4ba066a8162
SHA256 b43435cff57afdd371d8270af2152d86a825ad16aae8b585c427855303a2a16a
SHA512 720a53321cd0875f1ee52b004a2d17fa7dd797eb4394bfce20c6c4a9dc0130d66e844db7c0fde588c963e6a5dc1429c1f780418bd0fe42b1f3c59499b29061d9

C:\Windows\{597F29D3-EF43-4d22-B83D-11559DF9BC53}.exe

MD5 f09b6b26fa3e4068fd39ae700a9da571
SHA1 ff6d314ba68859ffea6b4e015834be15e570f72e
SHA256 94d16dd7f37c3e1ce68c6d300c1f0537e61498a18417d0cc471c654c578cf999
SHA512 85f0d2f284362630e18ce95a383a17c2f33b05007dceb0b54cf9ba0741bcaf6d4322244220396a12e765a8d151861b2d0b224927a6a27d88951d73178a9e6bdb

C:\Windows\{E17AE1A9-2669-4d3e-845B-107822CBF469}.exe

MD5 23aa6cf252f32aa2a8bcfe777c4b8f8a
SHA1 28639a1dc42b0e966a8583648854a8620d04ec9d
SHA256 120a44a83d08a77dc645d11ec90c8de3df9baaad894f01d12a9d6d3aa298e196
SHA512 481e64698f653aaaa4c9dd49213447111f60e4761358a974a9e519920b15f04c2fe7b891aa050b4b30a37388d36844de41e93ef787531b9e0e4f9b6a5099653b

C:\Windows\{0B564B57-56F5-4b78-94F8-B7E44063413E}.exe

MD5 e9c57b18070e1ecd6dd2d3af171d6ce9
SHA1 a7499740cb4940ef685e4c84381f93ea11ab8946
SHA256 04cc951543ab165b810b7a35d2567b43af9796668f5adbcf3613d300cebac78c
SHA512 219323564fb19f0a15333f38d5c2848855f13d6c98b8611924859badcfb811cf78a4bb6150875e9e9f42db520351ce0e1eeb2fc49818909b1ac2253ab3c26fba

C:\Windows\{5A1FB7A6-CD66-4f27-8375-5DC6CDD939B8}.exe

MD5 547539455f68f280e01e1afaf9b47b41
SHA1 5df9439af792623b4e2bebbbf890c48524450e48
SHA256 3a95e9b7716039658c0e3b25605894f8ffd1729507ae9b338c17dda5734eccaa
SHA512 c6596ddfaf01307a2de48896d1766c1232f64b42636f477e6fe94dc3e0ed5688926b0a5b2a26401bdd2de0d1ae60f75295f2784e676e05ebebf0ccb4990431eb

C:\Windows\{25D07BD7-84D3-49f5-AA5D-9AB79352DFC3}.exe

MD5 769463f559ae664a14b68ba8305fc0ee
SHA1 ef620d9e489f7346bd7a08fc555da8414fa32e60
SHA256 95047ae16e478208d11eef2a833f953c5014f9f859b224ceccf4c360dbfdea8d
SHA512 6ab415ca6d38167d279741f6ba574be2633fc226494a244ca686aa242f5f8b87b73b40b8469004291bd3d830a3b3ee1d79c49810e743a63fd8767e47d01c12b1

C:\Windows\{31887FCF-AA91-4039-BF04-CC833B36711E}.exe

MD5 58b3e58227d6d9fcbb5150945b453de5
SHA1 5b0e6fed311bdd8fd1358907655a91266ad25100
SHA256 32504b27fc5aba1d906d0ed6dcf7626800b89de513d8b0ddbe5c86c359e02584
SHA512 e42cfd307beabc48a0eaa88edf166c276d34c9b58c9919d352992070236d06635ef3d8a3b03064771f71341adda42d40dbb5c3f634ae1fc09c0ffdf53e114f46

C:\Windows\{3DDC27AF-40CE-4643-BFDA-48A17E134B96}.exe

MD5 e008a950d4e88a19ceb91b5f8e6443a2
SHA1 68c5a58faf73c6d90a34954d1d9fd802e3a026fc
SHA256 2b3855a0c8d952d8b01a6c585f68108353e80283919491d5d8edeabce95a643d
SHA512 c4157fe586e37553a61bdc8661e34290056ddf7dbf1bb7ca5f370ef37de025dc6ff9316fb22549d18f9fa5e555b7b8fc066b607c88d6139f4db2490d791243cf

C:\Windows\{53F85938-7164-4ae9-A37A-C82540547E42}.exe

MD5 feaf22510d91d6a7d86a9af72054f1e1
SHA1 9b61058b55276b8c80ae061f02c303f57651ba24
SHA256 75443d4fe4d50cf2b69b10d62251397fb195c87027443ce51c688403ba739de1
SHA512 ab72c7e615d9372385946b0ca23c3b96f17bf55e533f59b4ff1394981c267bfe800ae02c4d9383fb9a2e89d27ccef4de95b3c30cd76569a76dd9e5912f693dea

C:\Windows\{4EDFC703-8B93-4a34-B68B-7C589C53E89E}.exe

MD5 ce3bac0013f415eaf320ca7094358e65
SHA1 62b68a652ab3170d47d423b95e7aa17f281dbe9c
SHA256 8da81880332a5641063be05395d6322b4b61ffdebc5bda92ea364335f088d68a
SHA512 62d8847a64cdb45307298b954ac565ded5d859272313436adb4d3d76cf3a3fd792cee5266beb56bd01c83191ad2a693dbf8f59e0b90322f9b7afcb5822681072

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:36

Reported

2024-11-10 01:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EB1228-5A73-4404-BDAC-55483150AE2D} C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67} C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996CB105-957C-4650-9F52-DB5E9480F381} C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E584E0AA-9DD2-47b7-94EF-C06521884945} C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E584E0AA-9DD2-47b7-94EF-C06521884945}\stubpath = "C:\\Windows\\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe" C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3470D9EA-A5FB-456f-95C2-6924277C4A32} C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE5105E-3922-4174-9ED1-23E568DDC139} C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE5105E-3922-4174-9ED1-23E568DDC139}\stubpath = "C:\\Windows\\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe" C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926B61EC-77DF-48d7-AEAF-1F6F173A841C} C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}\stubpath = "C:\\Windows\\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe" C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6} C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FA080B-0E8E-43f5-9031-9FC153E5AD25} C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}\stubpath = "C:\\Windows\\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe" C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}\stubpath = "C:\\Windows\\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe" C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3470D9EA-A5FB-456f-95C2-6924277C4A32}\stubpath = "C:\\Windows\\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe" C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}\stubpath = "C:\\Windows\\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe" C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4} C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EB1228-5A73-4404-BDAC-55483150AE2D}\stubpath = "C:\\Windows\\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe" C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E8A749-E635-41a3-A9F6-56043D1FCBD5} C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}\stubpath = "C:\\Windows\\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E40A9B04-A923-4921-87AF-CFF9753419CB} C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E40A9B04-A923-4921-87AF-CFF9753419CB}\stubpath = "C:\\Windows\\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe" C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}\stubpath = "C:\\Windows\\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe" C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996CB105-957C-4650-9F52-DB5E9480F381}\stubpath = "C:\\Windows\\{996CB105-957C-4650-9F52-DB5E9480F381}.exe" C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe N/A
File created C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe N/A
File created C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
File created C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe N/A
File created C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe N/A
File created C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe N/A
File created C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe N/A
File created C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe N/A
File created C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe N/A
File created C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe N/A
File created C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe N/A
File created C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe
PID 2292 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe
PID 2292 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe
PID 2292 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 876 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe
PID 388 wrote to memory of 876 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe
PID 388 wrote to memory of 876 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe
PID 388 wrote to memory of 1020 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 1020 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 1020 N/A C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 4512 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe
PID 876 wrote to memory of 4512 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe
PID 876 wrote to memory of 4512 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe
PID 876 wrote to memory of 1892 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 1892 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 1892 N/A C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4724 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe
PID 4512 wrote to memory of 4724 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe
PID 4512 wrote to memory of 4724 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe
PID 4512 wrote to memory of 4564 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4564 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4564 N/A C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4356 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe
PID 4724 wrote to memory of 4356 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe
PID 4724 wrote to memory of 4356 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe
PID 4724 wrote to memory of 1300 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1300 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1300 N/A C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 2064 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe
PID 4356 wrote to memory of 2064 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe
PID 4356 wrote to memory of 2064 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe
PID 4356 wrote to memory of 4424 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 4424 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 4424 N/A C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4784 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe
PID 2064 wrote to memory of 4784 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe
PID 2064 wrote to memory of 4784 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe
PID 2064 wrote to memory of 1716 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1716 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1716 N/A C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1820 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe
PID 4784 wrote to memory of 1820 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe
PID 4784 wrote to memory of 1820 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe
PID 4784 wrote to memory of 1856 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1856 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1856 N/A C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2224 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe
PID 1820 wrote to memory of 2224 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe
PID 1820 wrote to memory of 2224 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe
PID 1820 wrote to memory of 2512 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2512 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2512 N/A C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3984 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe
PID 2224 wrote to memory of 3984 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe
PID 2224 wrote to memory of 3984 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe
PID 2224 wrote to memory of 3672 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3672 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 3672 N/A C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4300 N/A C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe
PID 3984 wrote to memory of 4300 N/A C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe
PID 3984 wrote to memory of 4300 N/A C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe
PID 3984 wrote to memory of 3964 N/A C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_a7ab35bc6393eecffb150a940a443906_goldeneye.exe"

C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe

C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe

C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul

C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe

C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E40A9~1.EXE > nul

C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe

C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3470D~1.EXE > nul

C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe

C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A0C6C~1.EXE > nul

C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe

C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE51~1.EXE > nul

C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe

C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17FA0~1.EXE > nul

C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe

C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF24C~1.EXE > nul

C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe

C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02EB1~1.EXE > nul

C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe

C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{926B6~1.EXE > nul

C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe

C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9B2~1.EXE > nul

C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe

C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{996CB~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp

Files

C:\Windows\{52E8A749-E635-41a3-A9F6-56043D1FCBD5}.exe


C:\Windows\{E40A9B04-A923-4921-87AF-CFF9753419CB}.exe


C:\Windows\{3470D9EA-A5FB-456f-95C2-6924277C4A32}.exe


C:\Windows\{A0C6CFF9-0F91-4b1a-A20E-52641F1EBCD6}.exe


C:\Windows\{7DE5105E-3922-4174-9ED1-23E568DDC139}.exe


C:\Windows\{17FA080B-0E8E-43f5-9031-9FC153E5AD25}.exe


C:\Windows\{AF24C07E-89E4-4f2a-B2CC-11A4671769E4}.exe


C:\Windows\{02EB1228-5A73-4404-BDAC-55483150AE2D}.exe


C:\Windows\{926B61EC-77DF-48d7-AEAF-1F6F173A841C}.exe


C:\Windows\{6E9B2B3A-9A38-40e6-96C3-B510AC34DF67}.exe


C:\Windows\{996CB105-957C-4650-9F52-DB5E9480F381}.exe


C:\Windows\{E584E0AA-9DD2-47b7-94EF-C06521884945}.exe
