Malware Analysis Report

2024-12-01 02:52

Sample ID 241110-bs5pkswgna
Target 2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye
SHA256 267096d35bbf3c22791dc81f8b5f14822e51a097274da8d6cbd40557263ff0b6
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

267096d35bbf3c22791dc81f8b5f14822e51a097274da8d6cbd40557263ff0b6

Threat Level: Likely malicious

The file 2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:25

Reported

2024-11-10 01:27

Platform

win7-20240903-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C79C11-37B1-4c96-B602-61669A0FF19A}\stubpath = "C:\\Windows\\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe" C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}\stubpath = "C:\\Windows\\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019435A5-843D-401a-B567-53026A824141}\stubpath = "C:\\Windows\\{019435A5-843D-401a-B567-53026A824141}.exe" C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D723502-0E39-44af-A229-66CE79AD2600} C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D723502-0E39-44af-A229-66CE79AD2600}\stubpath = "C:\\Windows\\{5D723502-0E39-44af-A229-66CE79AD2600}.exe" C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}\stubpath = "C:\\Windows\\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe" C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2} C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C79C11-37B1-4c96-B602-61669A0FF19A} C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4771F2-3184-4694-A44E-13B9F3367BEC}\stubpath = "C:\\Windows\\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe" C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB174E0-36C4-4718-B777-5A633090AA2B}\stubpath = "C:\\Windows\\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe" C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}\stubpath = "C:\\Windows\\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe" C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5037658E-FFD7-41f9-B5C2-BA6441B59762}\stubpath = "C:\\Windows\\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe" C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AACBC01-97B7-46cc-9C67-B00B533A02B2} C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C01059-F848-478b-9234-BD620A1BCB40}\stubpath = "C:\\Windows\\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe" C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5262F2-3764-4c85-AED4-851B6DB67FA6} C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}\stubpath = "C:\\Windows\\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe" C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4771F2-3184-4694-A44E-13B9F3367BEC} C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{019435A5-843D-401a-B567-53026A824141} C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C01059-F848-478b-9234-BD620A1BCB40} C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AB174E0-36C4-4718-B777-5A633090AA2B} C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92} C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5037658E-FFD7-41f9-B5C2-BA6441B59762} C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe N/A
File created C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe N/A
File created C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe N/A
File created C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe N/A
File created C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe N/A
File created C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe N/A
File created C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe N/A
File created C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
File created C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe N/A
File created C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe N/A
File created C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe
PID 2272 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2780 N/A C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe
PID 2888 wrote to memory of 1904 N/A C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2608 N/A C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe
PID 2780 wrote to memory of 2712 N/A C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1880 N/A C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe
PID 2608 wrote to memory of 1648 N/A C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2240 N/A C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe
PID 1880 wrote to memory of 2196 N/A C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1288 N/A C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe
PID 2240 wrote to memory of 1644 N/A C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 2304 N/A C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe
PID 1288 wrote to memory of 1420 N/A C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2216 N/A C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe
PID 2304 wrote to memory of 600 N/A C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"

C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe

C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe

C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6AACB~1.EXE > nul

C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe

C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{01943~1.EXE > nul

C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe

C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C01~1.EXE > nul

C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe

C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7AB17~1.EXE > nul

C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe

C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D723~1.EXE > nul

C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe

C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FBF1B~1.EXE > nul

C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe

C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70416~1.EXE > nul

C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe

C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A526~1.EXE > nul

C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe

C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C79~1.EXE > nul

C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe

C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50376~1.EXE > nul

Network

N/A

Files

C:\Windows\{6AACBC01-97B7-46cc-9C67-B00B533A02B2}.exe

C:\Windows\{019435A5-843D-401a-B567-53026A824141}.exe

C:\Windows\{E6C01059-F848-478b-9234-BD620A1BCB40}.exe

C:\Windows\{7AB174E0-36C4-4718-B777-5A633090AA2B}.exe

C:\Windows\{5D723502-0E39-44af-A229-66CE79AD2600}.exe

C:\Windows\{FBF1B841-C0B4-41b8-8778-4D5DEBB1FA92}.exe

C:\Windows\{70416C7B-1D49-489d-B9B6-EA01CC0DC0A2}.exe

C:\Windows\{5A5262F2-3764-4c85-AED4-851B6DB67FA6}.exe

C:\Windows\{D1C79C11-37B1-4c96-B602-61669A0FF19A}.exe

C:\Windows\{5037658E-FFD7-41f9-B5C2-BA6441B59762}.exe

C:\Windows\{CB4771F2-3184-4694-A44E-13B9F3367BEC}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:25

Reported

2024-11-10 01:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81} C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}\stubpath = "C:\\Windows\\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe" C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8D1543-7099-4f94-86B9-46D2F5B65B48} C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}\stubpath = "C:\\Windows\\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe" C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4AC0A6-DD95-468a-AE56-0109345EF882} C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}\stubpath = "C:\\Windows\\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe" C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951925AA-24F0-4c61-A9DA-74637C254A75}\stubpath = "C:\\Windows\\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe" C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C797AA8-05FB-4913-B375-54389C06EF6F} C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E} C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C797AA8-05FB-4913-B375-54389C06EF6F}\stubpath = "C:\\Windows\\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe" C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A} C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35DB112-5284-4ba9-A83C-F2C7075D43EC} C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF} C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}\stubpath = "C:\\Windows\\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe" C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF095EB8-6201-4740-94AB-510C15F0C1C1} C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B} C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}\stubpath = "C:\\Windows\\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe" C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}\stubpath = "C:\\Windows\\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe" C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4AC0A6-DD95-468a-AE56-0109345EF882}\stubpath = "C:\\Windows\\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe" C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951925AA-24F0-4c61-A9DA-74637C254A75} C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF095EB8-6201-4740-94AB-510C15F0C1C1}\stubpath = "C:\\Windows\\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3} C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}\stubpath = "C:\\Windows\\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe" C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}\stubpath = "C:\\Windows\\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe" C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe N/A
File created C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe N/A
File created C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe N/A
File created C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe N/A
File created C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe N/A
File created C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe N/A
File created C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe N/A
File created C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe N/A
File created C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe N/A
File created C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
File created C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe N/A
File created C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe
PID 4728 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe
PID 4728 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe
PID 4728 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 4300 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe
PID 920 wrote to memory of 4300 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe
PID 920 wrote to memory of 4300 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe
PID 920 wrote to memory of 1004 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1004 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1004 N/A C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2600 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe
PID 4300 wrote to memory of 2600 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe
PID 4300 wrote to memory of 2600 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe
PID 4300 wrote to memory of 2236 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2236 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2236 N/A C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe
PID 2600 wrote to memory of 2324 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2324 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2324 N/A C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4368 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe
PID 2340 wrote to memory of 4368 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe
PID 2340 wrote to memory of 4368 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe
PID 2340 wrote to memory of 4400 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4400 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4400 N/A C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 216 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe
PID 4368 wrote to memory of 216 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe
PID 4368 wrote to memory of 216 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe
PID 4368 wrote to memory of 4536 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 4536 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 4536 N/A C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 1420 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe
PID 216 wrote to memory of 1420 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe
PID 216 wrote to memory of 1420 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe
PID 216 wrote to memory of 768 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 768 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 768 N/A C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 1812 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe
PID 1420 wrote to memory of 1812 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe
PID 1420 wrote to memory of 1812 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe
PID 1420 wrote to memory of 3280 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3280 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3280 N/A C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 5080 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe
PID 1812 wrote to memory of 5080 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe
PID 1812 wrote to memory of 5080 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe
PID 1812 wrote to memory of 452 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 452 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 452 N/A C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 2088 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe
PID 5080 wrote to memory of 2088 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe
PID 5080 wrote to memory of 2088 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe
PID 5080 wrote to memory of 3984 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 3984 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 3984 N/A C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 620 N/A C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe
PID 2088 wrote to memory of 620 N/A C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe
PID 2088 wrote to memory of 620 N/A C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe
PID 2088 wrote to memory of 752 N/A C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe C:\Windows\SysWOW64\cmd.exe
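
Detection logic for what the signature tables above record, as an added example that is not part of this report or of the sandbox: a StubPath value written under Active Setup\Installed Components by something other than an installer, a GUID-named .exe created directly under C:\Windows, and a cmd.exe child running `/c del <path> > nul` against its own parent's image (the pattern visible in the cmd.exe command lines under Processes). It runs over constructed Sysmon-style event records that use Sysmon's field names (EventID 13 TargetObject/Details, 11 TargetFilename, 1 CommandLine/ParentImage); the installer allowlist and the 8.3-alias matching are assumptions to tune for a real estate.

```python
"""Flag the persistence and self-deletion pattern recorded above in Sysmon-style telemetry.
Added example, not part of the sandbox report. The events are constructed to mirror the signature rows
and use Sysmon field names (EID 13 TargetObject/Details, EID 11 TargetFilename, EID 1 CommandLine/ParentImage)."""
import re
from pathlib import PureWindowsPath

GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
STUBPATH_KEY = re.compile(r"\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)\s*>\s*nul", re.I)
WINDOWS_ROOT = r"c:\windows"
# Images allowed to write StubPath values (assumption: tune per estate; an image name alone is spoofable).
INSTALLER_ALLOWLIST = {"msiexec.exe", "tiworker.exe", "setup.exe"}

def _name(p):
    return PureWindowsPath(p).name.lower()

def _parent(p):
    return str(PureWindowsPath(p).parent).lower()

def rule_active_setup(ev):
    """EID 13: StubPath written by a non-installer; high when it names a GUID .exe in the Windows root."""
    if ev.get("EventID") != 13 or not STUBPATH_KEY.search(ev["TargetObject"]):
        return None
    if _name(ev["Image"]) in INSTALLER_ALLOWLIST:
        return None
    m = re.match(r'"?([A-Za-z]:\\.+?\.exe)', ev["Details"], re.I)
    stub = m.group(1) if m else ev["Details"]
    high = bool(m) and bool(GUID_EXE.match(_name(stub))) and _parent(stub) == WINDOWS_ROOT
    return {"rule": "active_setup_stubpath_write", "severity": "high" if high else "medium",
            "image": ev["Image"], "stub": stub}

def rule_guid_drop(ev):
    """EID 11: GUID-named .exe created directly under the Windows directory."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"]
    if GUID_EXE.match(_name(target)) and _parent(target) == WINDOWS_ROOT:
        return {"rule": "guid_exe_dropped_in_windows_root", "severity": "high",
                "image": ev["Image"], "file": target}
    return None

def rule_self_delete(ev):
    """EID 1: cmd.exe /c del <path> > nul where <path> is the parent's own image (long name or 8.3 alias)."""
    if ev.get("EventID") != 1 or _name(ev["Image"]) != "cmd.exe":
        return None
    m = DEL_CMD.search(ev["CommandLine"])
    if not m:
        return None
    target, parent = PureWindowsPath(m.group(1)), PureWindowsPath(ev["ParentImage"])
    same_dir = str(target.parent).lower() == str(parent.parent).lower()
    # 8.3 alias: first six stem characters then ~N (assumption: collisions beyond ~1 are not modelled)
    alias_hit = "~" in target.stem and target.stem.split("~")[0].lower() == parent.stem[:6].lower()
    if same_dir and (alias_hit or target.name.lower() == parent.name.lower()):
        return {"rule": "parent_self_delete_via_cmd", "severity": "high",
                "image": ev["ParentImage"], "deleted": m.group(1)}
    return None

RULES = (rule_active_setup, rule_guid_drop, rule_self_delete)

def detect(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"
STAGE1 = r"C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe"
EVENTS = [  # constructed; the first three mirror the sample's first stage, the last two are benign noise
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STAGE1},
    {"EventID": 13, "Image": SAMPLE, "Details": f'"{STAGE1}"',
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF095EB8-6201-4740-94AB-510C15F0C1C1}\StubPath"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "Details": r"C:\Windows\System32\unregmp2.exe /ShowWMP",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Admin\build\old.log > nul"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Active Setup runs a component's StubPath once per user at logon whenever the per-user copy of the key is missing, so a StubPath write from any non-installer is worth an alert even without the GUID heuristic; that is what the medium severity covers. The self-delete rule keys on the parent relationship rather than on the `> nul` redirect, which is incidental.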

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"

C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe

C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe

C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF095~1.EXE > nul

C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe

C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{478C6~1.EXE > nul

C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe

C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E13~1.EXE > nul

C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe

C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8F4FB~1.EXE > nul

C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe

C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B35DB~1.EXE > nul

C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe

C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DE4AC~1.EXE > nul

C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe

C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C384~1.EXE > nul

C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe

C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35D0E~1.EXE > nul

C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe

C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95192~1.EXE > nul

C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe

C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8C797~1.EXE > nul

C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe

C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AB9B7~1.EXE > nul
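
Reconstruction of the drop chain from the rows above, as an added example that is not part of the report: the "Drops file in Windows directory" rows give one creator to created edge per stage, the stubpath rows show which process wrote each Active Setup entry, and the del targets are the paths from the cmd.exe command lines listed under Processes. The script follows the edges from the submitted sample, maps each 8.3 alias such as {AF095~1.EXE back to the long GUID filename (assuming the ~1 tail, i.e. no alias collisions in the directory), and checks that each stage's cmd.exe removes that stage's own file while its StubPath names the next stage.

```python
"""Rebuild this sample's stage-by-stage drop chain from the signature rows above and check that every
stage persists its successor through Active Setup and then deletes its own file.
Added example, not part of the sandbox report; the data lists are copied from the tables above."""

ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-11-10_08901063ae637c0e7c30cab119810df4_goldeneye.exe"

def exe(guid):
    """Every dropped stage sits directly under the Windows directory and is named after a GUID."""
    return f"C:\\Windows\\{{{guid}}}.exe"

def path_of(guid):
    return ROOT if guid is None else exe(guid)

# "Drops file in Windows directory" rows as (created GUID, creating GUID); None is the submitted sample.
DROPS = [
    ("B35DB112-5284-4ba9-A83C-F2C7075D43EC", "8F4FB94D-BB1A-4cbe-A85D-850F9952372A"),
    ("DE4AC0A6-DD95-468a-AE56-0109345EF882", "B35DB112-5284-4ba9-A83C-F2C7075D43EC"),
    ("951925AA-24F0-4c61-A9DA-74637C254A75", "35D0E098-4A05-45ff-A9D9-3C61EE765BDF"),
    ("8C797AA8-05FB-4913-B375-54389C06EF6F", "951925AA-24F0-4c61-A9DA-74637C254A75"),
    ("478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B", "AF095EB8-6201-4740-94AB-510C15F0C1C1"),
    ("F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3", "478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B"),
    ("8F4FB94D-BB1A-4cbe-A85D-850F9952372A", "F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3"),
    ("AB9B7659-B4D2-410a-A5ED-56CCD201CB81", "8C797AA8-05FB-4913-B375-54389C06EF6F"),
    ("AF8D1543-7099-4f94-86B9-46D2F5B65B48", "AB9B7659-B4D2-410a-A5ED-56CCD201CB81"),
    ("AF095EB8-6201-4740-94AB-510C15F0C1C1", None),
    ("5C3848DA-90FF-48c4-8167-B82AE0E30D6E", "DE4AC0A6-DD95-468a-AE56-0109345EF882"),
    ("35D0E098-4A05-45ff-A9D9-3C61EE765BDF", "5C3848DA-90FF-48c4-8167-B82AE0E30D6E"),
]

# Active Setup "stubpath" rows visible above as (GUID named in the value, GUID of the writing process).
STUBPATHS = [
    ("35D0E098-4A05-45ff-A9D9-3C61EE765BDF", "5C3848DA-90FF-48c4-8167-B82AE0E30D6E"),
    ("478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B", "AF095EB8-6201-4740-94AB-510C15F0C1C1"),
    ("F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3", "478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B"),
    ("DE4AC0A6-DD95-468a-AE56-0109345EF882", "B35DB112-5284-4ba9-A83C-F2C7075D43EC"),
    ("AF095EB8-6201-4740-94AB-510C15F0C1C1", None),
    ("8F4FB94D-BB1A-4cbe-A85D-850F9952372A", "F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3"),
    ("B35DB112-5284-4ba9-A83C-F2C7075D43EC", "8F4FB94D-BB1A-4cbe-A85D-850F9952372A"),
]

# Paths passed to "cmd.exe /c del <path> > nul" in the Processes list, in listing order; the
# WriteProcessMemory rows show that the i-th cmd.exe is spawned by the i-th stage of the chain.
DEL_TARGETS = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE", r"C:\Windows\{AF095~1.EXE",
    r"C:\Windows\{478C6~1.EXE", r"C:\Windows\{F7E13~1.EXE", r"C:\Windows\{8F4FB~1.EXE",
    r"C:\Windows\{B35DB~1.EXE", r"C:\Windows\{DE4AC~1.EXE", r"C:\Windows\{5C384~1.EXE",
    r"C:\Windows\{35D0E~1.EXE", r"C:\Windows\{95192~1.EXE", r"C:\Windows\{8C797~1.EXE",
    r"C:\Windows\{AB9B7~1.EXE",
]

def build_chain(drops, root=ROOT):
    """Follow creator -> created edges from the sample; each stage must drop exactly one successor."""
    children = {}
    for created, creator in drops:
        children.setdefault(path_of(creator), []).append(path_of(created))
    chain, seen = [root], {root}
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if len(nxt) != 1 or nxt[0] in seen:
            raise ValueError(f"drop graph is not a simple chain at {chain[-1]}: {nxt}")
        seen.add(nxt[0])
        chain.append(nxt[0])
    return chain

def short_name(path):
    """8.3 alias as passed to 'del': first six stem characters, '~1', three-character extension.
    Assumption: no alias collisions in the directory, so the numeric tail is always 1 (true here)."""
    directory, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return f"{directory}\\{stem[:6]}~1.{ext[:3]}".upper()

def self_deletions(chain, targets):
    """(stage index, index of the stage whose file that stage's cmd.exe deletes), matched via 8.3 alias."""
    by_alias = {short_name(p).lower(): i for i, p in enumerate(chain)}
    return [(i, by_alias[t.lower()]) for i, t in enumerate(targets)]

def stubpaths_point_forward(chain, stubpaths):
    """True when every visible StubPath is written by stage i and names stage i+1."""
    pos = {p: i for i, p in enumerate(chain)}
    return all(pos[path_of(setter)] + 1 == pos[exe(stub)] for stub, setter in stubpaths)

def summary(drops=DROPS, stubpaths=STUBPATHS, targets=DEL_TARGETS):
    chain = build_chain(drops)
    pairs = self_deletions(chain, targets)
    deleted = {j for _, j in pairs}
    return {
        "stages": len(chain),
        "every_stage_deletes_itself": all(i == j for i, j in pairs),
        "stages_not_yet_deleted": [p for i, p in enumerate(chain) if i not in deleted],
        "stubpath_points_to_next_stage": stubpaths_point_forward(chain, stubpaths),
    }

if __name__ == "__main__":
    for i, stage in enumerate(build_chain(DROPS)):
        print(f"stage {i:2d}: {stage}")
    print(summary())
```

Running it yields 13 stages ending in {AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe, the only stage with no matching del command in the listing, and every visible StubPath pointing exactly one stage forward. Because each stage removes its own file as soon as it has spawned its successor, only the StubPath that names the tail of the chain resolves to a file that still exists; the earlier Installed Components entries are dangling, which is itself a useful triage indicator on a live host.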

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\{AF095EB8-6201-4740-94AB-510C15F0C1C1}.exe

MD5 b28893fe7b2ec13f4c59e3b4938b4117
SHA1 c04d997927d592582ff2b0a18a6a50c19404af1a
SHA256 27b8854a9b257293b8ad6e18b28a016b1dd95cdf00f67aead07840e43dac92e5
SHA512 7454c0396798790c3675ea470d9f659295c74e64c8ba0ddaec5f99b20ce38ecfa8b79b2f9810057058b230645de4f43bf11deb45cd91a5dd2cda9db450de2af5

C:\Windows\{478C65AA-1D1E-400e-ABD2-AEE4E5BEE36B}.exe

MD5 0db539c6728f01cad5f7a5b5a96dedca
SHA1 bf97250bcddea367077a405f422fccf1dbb3b179
SHA256 83073dd8cf595980c6218c1291e2e851a2b628cd4c2737402134cccbbd820755
SHA512 813310fc693dca66b3c65b90a81ea8876859e67d4aa53a3ef6bc1490144e9f70ab09e05d36fa48cc4fd5809506f87ccf272092cf5c2bac226712c48ed8aaf336

C:\Windows\{F7E13B97-E5AC-4bc9-BF01-4DDD928FABA3}.exe

MD5 568f13568ef0dc496f7bc35691f20962
SHA1 dcc3b9d9614ca427c27ccbb7a153042d2ec9c06b
SHA256 eddc8044d64b9778d6182216d258809ba25195115f071cee17e80b2f20b426fb
SHA512 144363c4a48cfdd2dac56466825295ea83893816dc86886c4953c8ed67498a40848f0caf77ecc2ea23eaf05dcf6d571a67d91e13f632a1569c5691e249d8479f

C:\Windows\{8F4FB94D-BB1A-4cbe-A85D-850F9952372A}.exe

MD5 18fb039563a8ee5ad3cb2879d9e095ea
SHA1 079069d220c2e8b3328c8ef4abf116bda8a11f03
SHA256 504ead76725523cde12522903934b88a827aebfe0efa6b5027a2b46f0ecdb6d3
SHA512 bad81d18f49cdde113ede38b53a4bc1bee162815ff8fc0c2bf097dc0b686ae8c4d8b3a11d815f66718458932e3597e7988970c109874c69ff3a3c00bc5ba1d92

C:\Windows\{B35DB112-5284-4ba9-A83C-F2C7075D43EC}.exe

MD5 4e129f01c1eaa1e43737155e7c43e090
SHA1 7fcd9cfda7034c83fe3d66dc7908b8f40dc665c6
SHA256 a122877309d587474a85ee0dfe7ab28afdd2f219d358fd3eabd911a8c4b5459b
SHA512 0e5bb8b2d1a339fef7dfe3475f3eebff13306c8cc26ffd86bd71e2fb4e51583306fdcfb7f31ba962923390abae0ea727fd93b0a85bb0d7acc5dde277b50344b6

C:\Windows\{DE4AC0A6-DD95-468a-AE56-0109345EF882}.exe

MD5 ecb161da552e1cd98bba61c688efb5ad
SHA1 b5a4a2f2a54e825d78bb69902a334aeb8ce51454
SHA256 c9471709880d914529440363c85ec98375d93375013acfc62406c631264699e0
SHA512 fc55937b9b5ec2feb50cab12c4e4810264a2693f4f7d3c3235e28ee511c2007d61d92ee6b4a2bb473693120ee001a6060af9abad3ecb49aa0f7e69c3e012010b

C:\Windows\{5C3848DA-90FF-48c4-8167-B82AE0E30D6E}.exe

MD5 3f1d95e2b7cb9412f29f2c3138b63ad4
SHA1 f805c4aed8c3689e126621ba11a369d080fa5557
SHA256 5690dda085290e91bd3138fd6f2a0d900b3f61fd5bbe75ff516ad3b76e206c31
SHA512 cc1172722d3ddb12d5683d9a43182cc2731cd3c9dd68c5683a7d74bffc012e5cc1a2edbb6ece9e17214ccc6cfaa43297967ad80eebd95f98ddefb089373088b1

C:\Windows\{35D0E098-4A05-45ff-A9D9-3C61EE765BDF}.exe

MD5 987afe78802d706eeff5545046ca3dfa
SHA1 54cd0d6d4d3c9689e6572eb562c7a0d341f3785c
SHA256 8f8e8e5694aba3abcaac85c8fdf18047108ca77fbfb8a4ed4fccf7b53f7c94e6
SHA512 2ab05545c9ea737935816837f4642b7c806e2e49435912a86f49c1b996beec6738e7f09ab63084d82674fdc411cc103cfe2dc4e2228c1264ee06b2ad0571e5b1

C:\Windows\{951925AA-24F0-4c61-A9DA-74637C254A75}.exe

MD5 17f2d0cca70158714ef84bb08b81ba96
SHA1 f83922215c28f65b3772879a4b36a3617c60dbe3
SHA256 83b5b3b580213856db06ca429a1bfa26c92b5a24e21a9c86f7aea74d02ee0b94
SHA512 61e98dae647a186e4bd65f3e67d71b5ba767dc6d036d5aa57009e5406ce453bc4aa66eb6766db26b2b9f2a23f091f8d98a53baf5b19218295cd6666dc418682b

C:\Windows\{8C797AA8-05FB-4913-B375-54389C06EF6F}.exe

MD5 45441d4f29d7a3ec47abd39b759479f0
SHA1 6881f87ddd6290dd4f3e0475efb37ebfe6afa6c2
SHA256 855730d4006a4db6003fe31cd6ebe46979b29b9ccbc3f30f183af16c4d738f13
SHA512 2c577394e4e6159ca029329041be4d4cf07e340a394b1ace724a2423731538e16d7c0fa4865f2798c73afd3bd2b531807c4f91225cbc7dba13b429bd204c8f6e

C:\Windows\{AB9B7659-B4D2-410a-A5ED-56CCD201CB81}.exe

MD5 8d16bbb4aa57a8d28f596d1c921a26ec
SHA1 b567685ca0b00f0f497497bbb13ea2a7da9f1f2a
SHA256 7bcf83a7e5e50a4fe7d25506403bc782f56f4e0b7d9c8ed7903b21af32851e20
SHA512 aeafd353baffaddacc45ae71e1c467a8b22a0ddd99e9311a1c2ce63bcbb31a6081d0fe014afd48cca8cf042898e3d90ea74c1209c5dbbb490e6dae611e4b3bbc

C:\Windows\{AF8D1543-7099-4f94-86B9-46D2F5B65B48}.exe

MD5 0c328c48151a8d13c70c2d82b5b053c2
SHA1 13d8d55c86c8d8f8dde13f1c3ea3177f76ef8fd2
SHA256 6a772eb0af8e2aea49b1db6707004b6f4454a0f1173c8538907e464c445b7ec9
SHA512 ae54d80df9d5edef5817822ff0ce4564509aaf210a64103b7748c384ce7193a9596e9462070f3b8054d66e8d3c17d466128aa693e5047913c337d649ac0ab943