Malware Analysis Report

2024-12-01 01:56

Sample ID: 241110-bv9fjswjfs
Target: 2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye
SHA256: bb2663c864ad205aa4b9cb2f4517b1d7818f6a3abd2c7a5b31e08651c83d6823
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: bb2663c864ad205aa4b9cb2f4517b1d7818f6a3abd2c7a5b31e08651c83d6823

Threat Level: Likely malicious

The file 2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}\stubpath = "C:\\Windows\\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe" C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C673F55-A10C-452c-999C-BB0D79B21AC0}\stubpath = "C:\\Windows\\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B690BC0-24BC-4c42-94B0-CCD508592322} C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC} C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}\stubpath = "C:\\Windows\\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe" C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141ACE6-22C5-4e37-8022-64E015DEED58} C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B141ACE6-22C5-4e37-8022-64E015DEED58}\stubpath = "C:\\Windows\\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe" C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2} C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D85649-6923-4e03-9FA3-12C7F19D0431} C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D85649-6923-4e03-9FA3-12C7F19D0431}\stubpath = "C:\\Windows\\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe" C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B690BC0-24BC-4c42-94B0-CCD508592322}\stubpath = "C:\\Windows\\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe" C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55} C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}\stubpath = "C:\\Windows\\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe" C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AE86A4-AC23-48be-BD07-C7320683861A} C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FC378-9F41-4069-AEA0-D64B0E7B491E} C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C673F55-A10C-452c-999C-BB0D79B21AC0} C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FC378-9F41-4069-AEA0-D64B0E7B491E}\stubpath = "C:\\Windows\\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe" C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E93455C-A6A8-483f-A296-BB381EF56195} C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E93455C-A6A8-483f-A296-BB381EF56195}\stubpath = "C:\\Windows\\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe" C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5747448B-FAF3-40a5-84BA-38E84B4A3388} C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5747448B-FAF3-40a5-84BA-38E84B4A3388}\stubpath = "C:\\Windows\\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe" C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AE86A4-AC23-48be-BD07-C7320683861A}\stubpath = "C:\\Windows\\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe" C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe N/A
File created C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe N/A
File created C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe N/A
File created C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
File created C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe N/A
File created C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe N/A
File created C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe N/A
File created C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe N/A
File created C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe N/A
File created C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe N/A
File created C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
PID 2720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
PID 2720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
PID 2720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
PID 2720 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2744 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
PID 2676 wrote to memory of 2744 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
PID 2676 wrote to memory of 2744 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
PID 2676 wrote to memory of 2744 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
PID 2676 wrote to memory of 2848 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2848 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2848 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2848 N/A C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2008 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
PID 2744 wrote to memory of 2008 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
PID 2744 wrote to memory of 2008 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
PID 2744 wrote to memory of 2008 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
PID 2744 wrote to memory of 2404 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2404 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2404 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2404 N/A C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3008 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
PID 2008 wrote to memory of 3008 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
PID 2008 wrote to memory of 3008 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
PID 2008 wrote to memory of 3008 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
PID 2008 wrote to memory of 1584 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1584 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1584 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 1584 N/A C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2932 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
PID 3008 wrote to memory of 2932 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
PID 3008 wrote to memory of 2932 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
PID 3008 wrote to memory of 2932 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
PID 3008 wrote to memory of 2916 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2916 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2916 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2916 N/A C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2892 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
PID 2932 wrote to memory of 2892 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
PID 2932 wrote to memory of 2892 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
PID 2932 wrote to memory of 2892 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
PID 2932 wrote to memory of 588 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 588 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 588 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 588 N/A C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1988 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
PID 2892 wrote to memory of 1988 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
PID 2892 wrote to memory of 1988 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
PID 2892 wrote to memory of 1988 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
PID 2892 wrote to memory of 1984 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1984 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1984 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1984 N/A C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2552 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
PID 1988 wrote to memory of 2552 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
PID 1988 wrote to memory of 2552 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
PID 1988 wrote to memory of 2552 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
PID 1988 wrote to memory of 2064 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2064 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2064 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2064 N/A C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe"

C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe
  Command line: C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe
  Command line: C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7C673~1.EXE > nul

C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe
  Command line: C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{71D85~1.EXE > nul

C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe
  Command line: C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6B690~1.EXE > nul

C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe
  Command line: C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0548E~1.EXE > nul

C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe
  Command line: C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8E934~1.EXE > nul

C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe
  Command line: C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C571D~1.EXE > nul

C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe
  Command line: C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57474~1.EXE > nul

C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe
  Command line: C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B141A~1.EXE > nul

C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe
  Command line: C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{22AE8~1.EXE > nul

C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe
  Command line: C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C5DDC~1.EXE > nul

Network

N/A

Files

C:\Windows\{7C673F55-A10C-452c-999C-BB0D79B21AC0}.exe

MD5 00cae272425f4dbda931db6c99febaa9
SHA1 0ed6ef4eda0f87ae60444430189918c1d27b21fc
SHA256 6415c5a1508b3c1a849fcb99b6fa9f45e1563da4b670fe0f2d125c1515e6a1d9
SHA512 5fc18b6cf03271bb4f0ceb1256b7441e9ff74ea8b49c1cf56eecf995aa85d0b9f213a8a976490124714c084007f9c1793380d38855982a05ddc5833994bcca0b

C:\Windows\{71D85649-6923-4e03-9FA3-12C7F19D0431}.exe

MD5 98b0cec363f55793aa4a4ad42f92616b
SHA1 2c7e77c551dbf65a9141bb47706140603958e3d4
SHA256 9809d842ecfe8f36d96cb0da69317335242cd835af5e13e6210dbc7f62a234a8
SHA512 13bc37ecc03cd30cf802311eccfa515e56b8fd847dda4eae0aaf591255d0c2e98e224438d3ce8982e2a777f0c7af6a47d62bed33336ff2664b8286bd0a3c3266

C:\Windows\{6B690BC0-24BC-4c42-94B0-CCD508592322}.exe

MD5 5bc032009c1df9ddfdc7bed604b23eeb
SHA1 d2004cbbd35dba46050e7dd418db0c423b7263f9
SHA256 b68e04682bb84fb01ae2e0143e952449067a8c32ccfa1668a53573b8cf87e1f8
SHA512 56b99a787892b38ec3a5d8be53858dcbf64777935692433f88558f1bf7fa7a9557bfa0cf85f1f5d88ca9f645520946a0604ef512326cbebaa837815be5a1e735

C:\Windows\{0548EC3A-1AED-4f76-8E5B-9F67A38C6C55}.exe

MD5 b6fd6764af9057f5822fd4d91468c7a5
SHA1 6661172a25c410f2748dd1954a6401b7945ad73c
SHA256 9ab87bbaae0da0294ef7da5da2581f1ab8f14f7fd50336a81810a7d6c9e79a71
SHA512 3be502897279139a416f1c9d52ac268e6b9cea586f0983bd8e8bf11db5cdb8110a2e4cd1fd4f8bfc320093ff34dcde863a618e898c98d41224577b7ff1d462c1

C:\Windows\{8E93455C-A6A8-483f-A296-BB381EF56195}.exe

MD5 6d5babf88a03496af1e93ae0bc87a4e4
SHA1 73a4a42d948e489571834e124048a2ecf7eb157b
SHA256 b515b80cf1f31140aa46a16681de1b79107b7755fdcf1427a84ad9e3ae3adde3
SHA512 cdcd0f552a67855f745b49362f6b898256ed4f1f774172d824d7228accee86f923169b931fcc9c0fd2169aa7cd492074a4c996446607dbcdc7459b4bc697b49c

C:\Windows\{C571D5F6-4F31-4986-AC8A-9B7E24B312FC}.exe

MD5 ea440d13f88388d5f767c8afed57b00d
SHA1 32840340e1030744fe59a7fea3028f8e43e87b51
SHA256 2f498c76bf62b5922debd370aa5bed9ff4d9a1ce7e96d0e01dc80b856fe1108a
SHA512 5d16777a5f240406677fc544bb4f5a653aed143520e5e2baeafd6a6c89aa82e27b6599d60f8e5b727da4fe67651d5daa9170092e6c41f9b800a9849d42f35a5e

C:\Windows\{5747448B-FAF3-40a5-84BA-38E84B4A3388}.exe

MD5 2d81bc928a7bdf3a8a5216304f676fc3
SHA1 213c79c3d6e79972029ad1996d3f83f655200062
SHA256 273f226a6d345c1ab2130df9e49f14f9e440ff843166df34e1914eb4ea262eea
SHA512 afae4fd24dd350e1a8f6519498021f22c06f71b7cf6f7db2aecaa235ab253120b391ef8c1f1fdd8f42f531781fc868830165f0a842db969a5c2316294f841f4f

C:\Windows\{B141ACE6-22C5-4e37-8022-64E015DEED58}.exe

MD5 93530488918ac92833a6f1a834e1ecfb
SHA1 cc4bb45a13336c82b11f78bf0b49834d7332f079
SHA256 cb9a5b74db9d363ad54590b474829c194e5421b298a019024ee7215c6bb52d80
SHA512 552399ca72a7677668520987cbd7c5d1e1d42f409e1a8e43c607af1c05c04092bb42d1ee4065b0e0c5146bc0d085f4f97605da2c6cc567b33421a2469debee85

C:\Windows\{22AE86A4-AC23-48be-BD07-C7320683861A}.exe

MD5 8616375bbfd23545ee4e0b1e8d4fe3a8
SHA1 4089170b88e57f1ff318b651dd1ac476d73eeefa
SHA256 ee0e7b9bb7d68ed7088e6dda8aac443bf782a1c38a2ca8a41d3f42914fb4433b
SHA512 035877b81c9bb48f50f3e483843cbb2b93606d479ae4a953063481b43afbef4e2e9dca8e088b42839809af52455f559f825319dd4f7a70b02bd1647625bc5e97

C:\Windows\{C5DDCD9D-558D-40d0-AB67-A5B1B9493BF2}.exe

MD5 b6908335492a3c0d02cd629b8474e33d
SHA1 363d87ce820b8c631ac267f3c4a38f0005496653
SHA256 09439842876595c3d55bffcc16bf0f9ad7b29146c89e895b13898b2c12e7737b
SHA512 d9d70428367e88204ff53060aa81ddd0f5cb12886f7f3e8f0280707ae45954d58f1df767f601f0f6610340ca48872cb72e80c3f2cbfdbfcdb1899640c5cec2a5

C:\Windows\{973FC378-9F41-4069-AEA0-D64B0E7B491E}.exe

MD5 6d6cb59bbdd0310016093fca711fea37
SHA1 84073941e97161d024661adcd4645e964a92d87a
SHA256 107b07e6e49f9160be74165224973876729efe0a31830bf3ab5cc198ab8763f8
SHA512 d2a54c44c6805e8f241b352267db738edc5bd5cc1ccc051bec370b78d439fb7cb0e34cce2fb19fa9e2dfb0a6118acd5ff307bf98440bcfcf4fedc852486d525c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EE300B-EE47-4806-B675-BC62536611E3} C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD} C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}\stubpath = "C:\\Windows\\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe" C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57} C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}\stubpath = "C:\\Windows\\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe" C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56} C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}\stubpath = "C:\\Windows\\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe" C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C} C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}\stubpath = "C:\\Windows\\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe" C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E38E5F1-FAEC-495b-A902-16C335962968} C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B8BBAB-3102-4a12-B60F-157655ABC020} C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6} C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3} C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E38E5F1-FAEC-495b-A902-16C335962968}\stubpath = "C:\\Windows\\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe" C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B8BBAB-3102-4a12-B60F-157655ABC020}\stubpath = "C:\\Windows\\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe" C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEDE93B9-9359-4263-A4F1-D415D3544B78} C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}\stubpath = "C:\\Windows\\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe" C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEDE93B9-9359-4263-A4F1-D415D3544B78}\stubpath = "C:\\Windows\\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe" C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}\stubpath = "C:\\Windows\\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe" C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EE300B-EE47-4806-B675-BC62536611E3}\stubpath = "C:\\Windows\\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}\stubpath = "C:\\Windows\\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe" C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}\stubpath = "C:\\Windows\\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe" C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2} C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C891E89B-3B6E-4acd-BB98-3141AEA7346C} C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe N/A
File created C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe N/A
File created C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
File created C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe N/A
File created C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe N/A
File created C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe N/A
File created C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe N/A
File created C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe N/A
File created C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe N/A
File created C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe N/A
File created C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe N/A
File created C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
PID 4188 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
PID 4188 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe
PID 4188 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 4036 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
PID 924 wrote to memory of 4036 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
PID 924 wrote to memory of 4036 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe
PID 924 wrote to memory of 3548 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 3548 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 3548 N/A C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 3416 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
PID 4036 wrote to memory of 3416 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
PID 4036 wrote to memory of 3416 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe
PID 4036 wrote to memory of 4940 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4940 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4940 N/A C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 1748 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
PID 3416 wrote to memory of 1748 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
PID 3416 wrote to memory of 1748 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe
PID 3416 wrote to memory of 3808 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3808 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3808 N/A C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4828 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe
PID 1748 wrote to memory of 4828 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe
PID 1748 wrote to memory of 4828 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe
PID 1748 wrote to memory of 4368 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4368 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4368 N/A C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 4540 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe
PID 4828 wrote to memory of 4540 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe
PID 4828 wrote to memory of 4540 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe
PID 4828 wrote to memory of 1528 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 1528 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 1528 N/A C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 4844 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe
PID 4540 wrote to memory of 4844 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe
PID 4540 wrote to memory of 4844 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe
PID 4540 wrote to memory of 1472 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 1472 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 1472 N/A C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 5024 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe
PID 4844 wrote to memory of 5024 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe
PID 4844 wrote to memory of 5024 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe
PID 4844 wrote to memory of 2156 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2156 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2156 N/A C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 2160 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe
PID 5024 wrote to memory of 2160 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe
PID 5024 wrote to memory of 2160 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe
PID 5024 wrote to memory of 1400 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1400 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1400 N/A C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 5088 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe
PID 2160 wrote to memory of 5088 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe
PID 2160 wrote to memory of 5088 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe
PID 2160 wrote to memory of 2908 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2908 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2908 N/A C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 880 N/A C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe
PID 5088 wrote to memory of 880 N/A C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe
PID 5088 wrote to memory of 880 N/A C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe
PID 5088 wrote to memory of 1460 N/A C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e4f29c359c889ef43910378523c444d_goldeneye.exe"

C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe

C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe

C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EE3~1.EXE > nul

C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe

C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA81~1.EXE > nul

C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe

C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16561~1.EXE > nul

C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe

C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{81BAF~1.EXE > nul

C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe

C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23B7E~1.EXE > nul

C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe

C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6DE~1.EXE > nul

C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe

C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CA83C~1.EXE > nul

C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe

C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1E38E~1.EXE > nul

C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe

C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C891E~1.EXE > nul

C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe

C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85B8B~1.EXE > nul

C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe

C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EEDE9~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\{A1EE300B-EE47-4806-B675-BC62536611E3}.exe

C:\Windows\{DAA815BC-1CA2-491e-A567-4CC82BEF7BA6}.exe

C:\Windows\{16561BAF-21DC-4f44-A4E7-2B959F5DDDFD}.exe

C:\Windows\{81BAFEA5-90A9-42fa-94EA-2C86ABF80DF2}.exe

C:\Windows\{23B7EF71-330D-43ec-80D1-25DCB95B8BE3}.exe

C:\Windows\{9E6DE8AC-D12A-4105-BAFF-12C5E03BCC57}.exe

C:\Windows\{CA83C4F7-B8F4-48b2-9498-0AD51908B28C}.exe

C:\Windows\{1E38E5F1-FAEC-495b-A902-16C335962968}.exe

C:\Windows\{C891E89B-3B6E-4acd-BB98-3141AEA7346C}.exe

C:\Windows\{85B8BBAB-3102-4a12-B60F-157655ABC020}.exe

C:\Windows\{EEDE93B9-9359-4263-A4F1-D415D3544B78}.exe

C:\Windows\{3D4113ED-9B81-4aa3-BCDA-9ED8C4FEFA56}.exe
