Malware Analysis Report

2024-12-01 01:50

Sample ID: 241110-bv1hmsyrgk
Target: 2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye
SHA256: 8c6af0eaa3419f5ebf7eed3fc1b2749d2dd47a38a8a31e06cc2dfd73439aceff
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 8c6af0eaa3419f5ebf7eed3fc1b2749d2dd47a38a8a31e06cc2dfd73439aceff
Threat Level: Likely malicious

The file 2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:28
Reported: 2024-11-10 01:31
Platform: win7-20241023-en
Max time kernel: 144s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}\stubpath = "C:\\Windows\\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe" C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B} C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}\stubpath = "C:\\Windows\\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe" C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56} C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D405E3E0-1AA3-4918-A35B-DD6F515587ED} C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}\stubpath = "C:\\Windows\\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe" C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33AC05B9-B46E-4a25-84A8-E8444011E5A8} C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303} C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}\stubpath = "C:\\Windows\\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe" C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}\stubpath = "C:\\Windows\\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD441906-2B5A-45d1-83FE-DC9D720E2258} C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD441906-2B5A-45d1-83FE-DC9D720E2258}\stubpath = "C:\\Windows\\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe" C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}\stubpath = "C:\\Windows\\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe" C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}\stubpath = "C:\\Windows\\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe" C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD35FAAF-B71E-446c-8A42-7A684103C3D1} C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}\stubpath = "C:\\Windows\\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe" C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E3BC9D-7540-4324-BD2A-32333B3C44FE} C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}\stubpath = "C:\\Windows\\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe" C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}\stubpath = "C:\\Windows\\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe" C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2} C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63} C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7} C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe N/A
File created C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe N/A
File created C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe N/A
File created C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe N/A
File created C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
File created C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe N/A
File created C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe N/A
File created C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe N/A
File created C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe N/A
File created C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe N/A
File created C:\Windows\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 3068 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe
PID 2580 wrote to memory of 2760 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2360 (4 writes) N/A C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe
PID 3068 wrote to memory of 2828 (4 writes) N/A C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2804 (4 writes) N/A C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe
PID 2360 wrote to memory of 2912 (4 writes) N/A C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2780 (4 writes) N/A C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe
PID 2804 wrote to memory of 2852 (4 writes) N/A C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2756 (4 writes) N/A C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe
PID 2780 wrote to memory of 2156 (4 writes) N/A C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2336 (4 writes) N/A C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe
PID 2756 wrote to memory of 1992 (4 writes) N/A C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1616 (4 writes) N/A C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe
PID 2336 wrote to memory of 2328 (4 writes) N/A C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1668 (4 writes) N/A C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe
PID 1616 wrote to memory of 396 (4 writes) N/A C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Image path, followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe"

C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe
    C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe
    C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7CCBC~1.EXE > nul

C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe
    C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD441~1.EXE > nul

C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe
    C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1EC6~1.EXE > nul

C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe
    C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30D03~1.EXE > nul

C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe
    C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA47~1.EXE > nul

C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe
    C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47E3B~1.EXE > nul

C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe
    C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BC1~1.EXE > nul

C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe
    C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33AC0~1.EXE > nul

C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe
    C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A79~1.EXE > nul

C:\Windows\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe
    C:\Windows\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D405E~1.EXE > nul

Network

N/A

Files

C:\Windows\{7CCBC164-04C8-4b4e-A91D-3C14F05E85B2}.exe

C:\Windows\{BD441906-2B5A-45d1-83FE-DC9D720E2258}.exe

C:\Windows\{F1EC64E6-CCFA-4777-A3FF-CCBE2F4F941B}.exe

C:\Windows\{30D03B4A-6CD7-4ab0-BB19-8F17997BFE63}.exe

C:\Windows\{0DA47A35-5143-4d4a-8F4C-FE9DF05C16C7}.exe

C:\Windows\{47E3BC9D-7540-4324-BD2A-32333B3C44FE}.exe

C:\Windows\{A5BC1A03-5AC5-4e7b-BB1E-752B41100E56}.exe

C:\Windows\{33AC05B9-B46E-4a25-84A8-E8444011E5A8}.exe

C:\Windows\{D8A79EC0-C15F-4198-8E2E-ADB6950EB303}.exe

C:\Windows\{D405E3E0-1AA3-4918-A35B-DD6F515587ED}.exe

C:\Windows\{AD35FAAF-B71E-446c-8A42-7A684103C3D1}.exe


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:28
Reported: 2024-11-10 01:31
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}\stubpath = "C:\\Windows\\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe" C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BF7499-096B-453f-8B51-1C13FD459E58} C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC7CB17D-2B83-4858-8A92-6D60325E075A} C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90} C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C11F09-5FCE-443e-985C-B01DE4B752CF} C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}\stubpath = "C:\\Windows\\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe" C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096781BA-BDC5-4242-8AF2-7D8C88A3A964} C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1657E2C-A984-4a60-B2FA-577AD613F7DF} C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}\stubpath = "C:\\Windows\\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe" C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6399D64-FCD8-4211-8D1A-091118C95EBA}\stubpath = "C:\\Windows\\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe" C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6230EFDF-3042-4b26-AC49-D065A5090367}\stubpath = "C:\\Windows\\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe" C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB} C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388} C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BF7499-096B-453f-8B51-1C13FD459E58}\stubpath = "C:\\Windows\\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe" C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC7CB17D-2B83-4858-8A92-6D60325E075A}\stubpath = "C:\\Windows\\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe" C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}\stubpath = "C:\\Windows\\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4} C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}\stubpath = "C:\\Windows\\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe" C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}\stubpath = "C:\\Windows\\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe" C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6230EFDF-3042-4b26-AC49-D065A5090367} C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46} C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}\stubpath = "C:\\Windows\\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe" C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}\stubpath = "C:\\Windows\\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe" C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6399D64-FCD8-4211-8D1A-091118C95EBA} C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe N/A
File created C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
File created C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe N/A
File created C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe N/A
File created C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe N/A
File created C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe N/A
File created C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe N/A
File created C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe N/A
File created C:\Windows\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe N/A
File created C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe N/A
File created C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe N/A
File created C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe
PID 3512 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe
PID 3512 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe
PID 3512 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 456 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe
PID 3848 wrote to memory of 456 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe
PID 3848 wrote to memory of 456 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe
PID 3848 wrote to memory of 4088 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 4088 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3848 wrote to memory of 4088 N/A C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 4684 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe
PID 456 wrote to memory of 4684 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe
PID 456 wrote to memory of 4684 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe
PID 456 wrote to memory of 3308 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 3308 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 3308 N/A C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3500 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe
PID 4684 wrote to memory of 3500 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe
PID 4684 wrote to memory of 3500 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe
PID 4684 wrote to memory of 1652 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1652 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1652 N/A C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 4164 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe
PID 3500 wrote to memory of 4164 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe
PID 3500 wrote to memory of 4164 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe
PID 3500 wrote to memory of 3460 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 3460 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 3460 N/A C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 1836 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe
PID 4164 wrote to memory of 1836 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe
PID 4164 wrote to memory of 1836 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe
PID 4164 wrote to memory of 2600 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 2600 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 2600 N/A C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe
PID 1836 wrote to memory of 920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe
PID 1836 wrote to memory of 920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe
PID 1836 wrote to memory of 2920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2920 N/A C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2328 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe
PID 920 wrote to memory of 2328 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe
PID 920 wrote to memory of 2328 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe
PID 920 wrote to memory of 5036 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 5036 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 5036 N/A C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 4108 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe
PID 2328 wrote to memory of 4108 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe
PID 2328 wrote to memory of 4108 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe
PID 2328 wrote to memory of 3024 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 3024 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 3024 N/A C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4252 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe
PID 4108 wrote to memory of 4252 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe
PID 4108 wrote to memory of 4252 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe
PID 4108 wrote to memory of 4008 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4008 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4008 N/A C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 2096 N/A C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe
PID 4252 wrote to memory of 2096 N/A C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe
PID 4252 wrote to memory of 2096 N/A C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe
PID 4252 wrote to memory of 1496 N/A C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_46f1e3685e57fa9a11347bcbe5fe0f2f_goldeneye.exe"

C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe

C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe

C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1657~1.EXE > nul

C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe

C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF42~1.EXE > nul

C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe

C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC9F~1.EXE > nul

C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe

C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49308~1.EXE > nul

C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe

C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5A9~1.EXE > nul

C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe

C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C8EB~1.EXE > nul

C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe

C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C11~1.EXE > nul

C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe

C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09678~1.EXE > nul

C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe

C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6399~1.EXE > nul

C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe

C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6230E~1.EXE > nul

C:\Windows\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe

C:\Windows\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50BF7~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\{B1657E2C-A984-4a60-B2FA-577AD613F7DF}.exe

MD5 de50cf3c9c4a1c0592f84086d05c835e
SHA1 9a1fc1d973c7f5dd3b715b559d7fa8bddbb19634
SHA256 d77bee1a322d23e6d1accb7b87b3684fbddb1d3a24862ec5ffd4d8dd65db4abf
SHA512 dc04d85216f6dc250454b1bdd9cfe2b11b36001a7ec475b240f2f0fb041b98af302b4592606e315f2a047880f3aca56a26f0d1d2613ad9eb7c372c0a685db2d4

C:\Windows\{9DF429BB-56D1-41e4-8268-E1E68DEF1AF4}.exe

MD5 a0984e57c657b30de8d87ac2ad2ddc0b
SHA1 2fa5b816ef2f6abdcb7aab0bee0d7118bfd2431a
SHA256 f2202d4d0f8f0f6540d8ee855231ff21c7044ae7b279c16552d86394f144d894
SHA512 88ad0edf06f900735c106ad9f674b49ce30991c6e6c18002048766bb8edfc0551200a46f836a5322ffe66272129db583784c13792761d94ad85bc484c707f482

C:\Windows\{5CC9FF0B-AD78-45e4-A757-7E526C5F6D46}.exe

MD5 7b48051bc20d51492951c5642a55468f
SHA1 27ed3b1deed07d8d904e82562f67da5983c36a63
SHA256 cdc98e761ab3bc2a4f8a54a7e27d7fe3a71fee547a91c21f98973f8abc497b59
SHA512 04cfc73948134be1a71e50db3da269f502a3da7134517acc196952f2af497c4efabe4b376a56e25aa29c09929f8c25cd6903a96025406a2a71451b945292b2cd

C:\Windows\{49308CC4-4F83-4d41-A0C5-4BB6AA048F90}.exe

MD5 44f8e1fc5054e0e5d5b5ba1157efb12d
SHA1 49062d1897ec1ee97651af349e9dcdfb20c46fab
SHA256 1acc068db4a6bc36076c8f905c97e981257cc7ae309a131e843d66e02be868de
SHA512 cfdf8db45fa4142126f1283563a3a0e268584584ad2986d9d9203f5c3dcfe4ad581dd77c99a65b8464062bbfa5c9cfbbb98323ed5a5ab4b9d53ecca73351da97

C:\Windows\{AD5A95F3-D497-458b-AFCD-27ECD6E390CB}.exe

MD5 42056108cb0e8f5021b466792fb0ddda
SHA1 73ee483e4b54a3a910691b74ec273b36a1f26480
SHA256 971c0d4b379ff295cdfa308ee2096574abaed4e339c65dd33976ca8e28dcc305
SHA512 800898a9c48ce33a456a227d63700555c8d5b6d008d421e83e0f2d718b1097784f27556a8257036de1d15e5f358a7c8ffe58d0480ea716840a982f4a7f67c25c

C:\Windows\{5C8EB76B-DC2A-4fed-98BA-06E9F88BA388}.exe

MD5 3e3fa06168bb1d97d63f1aaa500a74c0
SHA1 f20be7bc2da9cf20b6240d194f96138d3a1a1404
SHA256 aa551c95a181dc048efd525551ef3c72b325cc7f1e773920203606a772e8a521
SHA512 3ad6894be83a14d3f43535a1e86ade41cb0c1d009c8e5ee8e3f808700cf2b452b775f530f7b72ef2772460a98391d7d1e7c6af79450c6fd46b12c402ba2ce6b3

C:\Windows\{A6C11F09-5FCE-443e-985C-B01DE4B752CF}.exe

MD5 06a5cd8c911ed402e68bdbab953c3c27
SHA1 a2527d2a05d504334925ae1e18a65489f45030d9
SHA256 e3e22415102c8fae705eb4dc014f028cd39d2905b83110090acc2616ffd53e62
SHA512 c5bd11231f7df64e4508749cb92102c309c6e00fc618ae4188b24f4f6fda52eaa6ad1f2c1f4fa7a1f29d7e99ae04e1f129df2474d2ac8bc21e6b3067bcb1b27e

C:\Windows\{096781BA-BDC5-4242-8AF2-7D8C88A3A964}.exe

MD5 c069ffa13fba211f548e5191960d49d9
SHA1 0f138401857e5aeca05ed0b325b2bc8f1a20473f
SHA256 7efb43f003e483c1128f0d8e8de19276bc5e535f577eec95c5ecaefc6d6b4d9c
SHA512 9653c61daf1dc6761143d22367b1e7406dc852290c9b9e6b8ef28783319fe0a800710bfdadde8747d10a162ea4649ea363606b1ce7712106c8b9625468d81f07

C:\Windows\{F6399D64-FCD8-4211-8D1A-091118C95EBA}.exe

MD5 f93f134f9bfbffbdfd530fcac7023ec2
SHA1 e5ad59198d82a6e76230773eccf9decdfb5c4627
SHA256 14086022c671e05e2d3a66fe4e2603a1d9db4dec754fb736b1127b06859a718e
SHA512 511b6dc42b0aae7fd85bd96eb5e37d5c0fc5429838ff5dae3bb2245d92e0a7a0207581c4b9394a44a298da0d1b4518381b52e1026afbddf3d322c3a9648d889a

C:\Windows\{6230EFDF-3042-4b26-AC49-D065A5090367}.exe

MD5 752afa15225cce1c6ef3dc4a4e4d6a2a
SHA1 58a983ac5eb30333ec9ea1afa458d5ca9c0a2487
SHA256 a7c9639a25fb5a79f2181fd30db005b9966ddb85e2b11e76ef7c6f5ee4a798f5
SHA512 c4f62f42333858f29672175dbd1a4d828196567e35c0cf449c1849fbff8ac8ba67f3f7c16cc82127dba2c1c0adbdaa0a07e5c8fd8f908b0f14a01da8ce927fd5

C:\Windows\{50BF7499-096B-453f-8B51-1C13FD459E58}.exe

MD5 7e314fd7336c4c81431a6e7c2ad4a5ba
SHA1 30f996e7211aa84b643fb67bd2fdce51060c9981
SHA256 74faf44c77df8c629eed3cf149373873ef82d92e65750f64ff1a229005e1d245
SHA512 e3b9e31f8ad249d6d675e2b62a9c3116d9c19a06dcd714b26794dce2c4ab1068120181041eeea43ab7f1fadc2cb609e580c8f97f8c5158e80723b8c7b9205da9

C:\Windows\{EC7CB17D-2B83-4858-8A92-6D60325E075A}.exe

MD5 947c22c044681aed05bc545a7c6c2dd5
SHA1 8eb1b5abce862468b04fc72c4b880d90f525c54b
SHA256 9d0fb8333e3abe07807e102675f260f1a4faac4598c4934425039226301075a7
SHA512 48c9c30c80ad28f1b4e2d18a1bfa1f03634ab01683cea080febf22a050f110222175d9e2eea866034b14369c67940105a3b47c600e56ecc369d545ed0af0b943