Malware Analysis Report

2025-08-05 11:31

Sample ID 241111-px1s3sspgk
Target 2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye
SHA256 40507eb7b0a1f356c0ec6ba2c1f929a532372056521de7225b2a15492b345954
Tags
discovery persistence
score
8/10

Analysis Overview

score
8/10

SHA256

40507eb7b0a1f356c0ec6ba2c1f929a532372056521de7225b2a15492b345954

Threat Level: Likely malicious

The file 2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:43

Reported

2024-11-11 12:45

Platform

win7-20241010-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0331152C-DC56-4c09-A85D-F529CE6208C6}\stubpath = "C:\\Windows\\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe" C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58919C5-A991-4ae5-AE4B-6A43954DAC36} C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}\stubpath = "C:\\Windows\\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe" C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA346E0A-5652-475c-9E65-8742861CB8EE}\stubpath = "C:\\Windows\\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe" C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497E3998-64CD-4587-9AA8-EC72A6BEB98B} C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B91B28F-F964-49d4-8404-B1F323EB372C}\stubpath = "C:\\Windows\\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0331152C-DC56-4c09-A85D-F529CE6208C6} C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446} C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}\stubpath = "C:\\Windows\\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe" C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90} C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}\stubpath = "C:\\Windows\\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe" C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B91B28F-F964-49d4-8404-B1F323EB372C} C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EC927-37ED-41df-9878-CB2B79422A7F}\stubpath = "C:\\Windows\\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe" C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA346E0A-5652-475c-9E65-8742861CB8EE} C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}\stubpath = "C:\\Windows\\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe" C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25} C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}\stubpath = "C:\\Windows\\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe" C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EC927-37ED-41df-9878-CB2B79422A7F} C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}\stubpath = "C:\\Windows\\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe" C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321} C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}\stubpath = "C:\\Windows\\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe" C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6} C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe N/A
File created C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe N/A
File created C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe N/A
File created C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe N/A
File created C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe N/A
File created C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe N/A
File created C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe N/A
File created C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe N/A
File created C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe N/A
File created C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe N/A
File created C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
PID 1996 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
PID 1996 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
PID 1996 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe
PID 1996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 3044 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
PID 320 wrote to memory of 3044 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
PID 320 wrote to memory of 3044 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
PID 320 wrote to memory of 3044 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe
PID 320 wrote to memory of 1908 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1908 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1908 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1908 N/A C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2356 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
PID 3044 wrote to memory of 2356 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
PID 3044 wrote to memory of 2356 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
PID 3044 wrote to memory of 2356 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe
PID 3044 wrote to memory of 2880 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2880 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2880 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2880 N/A C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2876 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
PID 2356 wrote to memory of 2876 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
PID 2356 wrote to memory of 2876 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
PID 2356 wrote to memory of 2876 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe
PID 2356 wrote to memory of 2724 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2724 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2724 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2724 N/A C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe
PID 2876 wrote to memory of 2916 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2916 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2916 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2916 N/A C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2352 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
PID 2144 wrote to memory of 2352 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
PID 2144 wrote to memory of 2352 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
PID 2144 wrote to memory of 2352 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe
PID 2144 wrote to memory of 1112 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 1112 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 1112 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 1112 N/A C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 3032 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
PID 2352 wrote to memory of 3032 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
PID 2352 wrote to memory of 3032 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
PID 2352 wrote to memory of 3032 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe
PID 2352 wrote to memory of 2176 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2176 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2176 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2176 N/A C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1500 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
PID 3032 wrote to memory of 1500 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
PID 3032 wrote to memory of 1500 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
PID 3032 wrote to memory of 1500 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe
PID 3032 wrote to memory of 1028 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1028 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1028 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1028 N/A C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"

C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe

C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe

C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7B91B~1.EXE > nul

C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe

C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F66AF~1.EXE > nul

C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe

C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{572EC~1.EXE > nul

C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe

C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{03311~1.EXE > nul

C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe

C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40DA1~1.EXE > nul

C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe

C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C5891~1.EXE > nul

C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe

C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FA346~1.EXE > nul

C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe

C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE5E2~1.EXE > nul

C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe

C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F13~1.EXE > nul

C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe

C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D55~1.EXE > nul

Network

N/A

Files

C:\Windows\{7B91B28F-F964-49d4-8404-B1F323EB372C}.exe

C:\Windows\{F66AF006-DA2F-4ed5-AC3A-25E4ADD065F6}.exe

C:\Windows\{572EC927-37ED-41df-9878-CB2B79422A7F}.exe

C:\Windows\{0331152C-DC56-4c09-A85D-F529CE6208C6}.exe

C:\Windows\{40DA1A3C-7F54-4dca-8B18-0EA14F3E0446}.exe

C:\Windows\{C58919C5-A991-4ae5-AE4B-6A43954DAC36}.exe

C:\Windows\{FA346E0A-5652-475c-9E65-8742861CB8EE}.exe

C:\Windows\{AE5E2C16-568E-4735-BC3E-81ECDCB7A321}.exe

C:\Windows\{B5F13B15-8A1B-4946-97C2-E03AA9F56E25}.exe

C:\Windows\{B9D55E3B-520B-4507-B4CE-8C6D0B053B90}.exe

C:\Windows\{497E3998-64CD-4587-9AA8-EC72A6BEB98B}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:43

Reported

2024-11-11 12:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291} C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879} C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868374E0-B72B-46f6-AD1A-6EE92E2F1576} C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}\stubpath = "C:\\Windows\\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe" C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039} C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0046C1-BF71-4c5e-A3C9-628C2D945324} C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}\stubpath = "C:\\Windows\\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe" C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD} C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}\stubpath = "C:\\Windows\\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe" C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}\stubpath = "C:\\Windows\\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe" C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878BE408-F760-4d67-8C0F-3A330BCECFF4} C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}\stubpath = "C:\\Windows\\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe" C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9311B3F2-18B6-47f3-BCE6-BC77702D1474} C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F10C79F-D8B0-4766-9908-F422407669E0} C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}\stubpath = "C:\\Windows\\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe" C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C42456DF-92E3-43d5-82A2-4A566729012E}\stubpath = "C:\\Windows\\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe" C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8} C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}\stubpath = "C:\\Windows\\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe" C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49FA3E5-76FB-43e1-A484-926FAE2654C4} C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}\stubpath = "C:\\Windows\\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe" C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}\stubpath = "C:\\Windows\\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C42456DF-92E3-43d5-82A2-4A566729012E} C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878BE408-F760-4d67-8C0F-3A330BCECFF4}\stubpath = "C:\\Windows\\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe" C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F10C79F-D8B0-4766-9908-F422407669E0}\stubpath = "C:\\Windows\\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe" C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe N/A
File created C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe N/A
File created C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe N/A
File created C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe N/A
File created C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe N/A
File created C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe N/A
File created C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe N/A
File created C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe N/A
File created C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe N/A
File created C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe N/A
File created C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe N/A
File created C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe
PID 4820 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 4728 N/A C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe
PID 2892 wrote to memory of 4964 N/A C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3816 N/A C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe
PID 4728 wrote to memory of 4868 N/A C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 448 N/A C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe
PID 3816 wrote to memory of 2968 N/A C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 4412 N/A C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe
PID 448 wrote to memory of 3848 N/A C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 1816 N/A C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe
PID 4412 wrote to memory of 808 N/A C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 4332 N/A C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe
PID 1816 wrote to memory of 464 N/A C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2136 N/A C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe
PID 4332 wrote to memory of 3548 N/A C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2428 N/A C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe
PID 2136 wrote to memory of 2328 N/A C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1352 N/A C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe
PID 2428 wrote to memory of 4800 N/A C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4616 N/A C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe
PID 1352 wrote to memory of 3492 N/A C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_5d79744cf98e0a9972a7a8e32debbde3_goldeneye.exe"

C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe

C:\Windows\{53A255CA-F35E-456f-B6E7-2ED2BEE8D879}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe

C:\Windows\{868374E0-B72B-46f6-AD1A-6EE92E2F1576}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53A25~1.EXE > nul

C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe

C:\Windows\{244F57CF-B4FD-41aa-9CA1-0E600FFA9039}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86837~1.EXE > nul

C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe

C:\Windows\{CF0046C1-BF71-4c5e-A3C9-628C2D945324}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{244F5~1.EXE > nul

C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe

C:\Windows\{C42456DF-92E3-43d5-82A2-4A566729012E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CF004~1.EXE > nul

C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe

C:\Windows\{13D14F0F-A120-4f1d-8D6D-8F904523D1D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4245~1.EXE > nul

C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe

C:\Windows\{EA97671B-6CC0-4f93-9DA9-9698BDFE67CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{13D14~1.EXE > nul

C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe

C:\Windows\{EA9FC8AF-BEBE-482d-AFDA-97EA82492291}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA976~1.EXE > nul

C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe

C:\Windows\{878BE408-F760-4d67-8C0F-3A330BCECFF4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EA9FC~1.EXE > nul

C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe

C:\Windows\{E49FA3E5-76FB-43e1-A484-926FAE2654C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{878BE~1.EXE > nul

C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe

C:\Windows\{9311B3F2-18B6-47f3-BCE6-BC77702D1474}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E49FA~1.EXE > nul

C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe

C:\Windows\{0F10C79F-D8B0-4766-9908-F422407669E0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9311B~1.EXE > nul

Network


Files
