Malware Analysis Report

2025-08-05 11:30

Sample ID 241111-pxbh7aspfk
Target 2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye
SHA256 4a48929724328ee8677fc684521ac46170736cc5709b8ed8c93639b63b7a3221
Tags: discovery persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 4a48929724328ee8677fc684521ac46170736cc5709b8ed8c93639b63b7a3221

Threat Level: Likely malicious

The file 2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 12:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 12:42
Reported: 2024-11-11 12:44
Platform: win7-20240708-en
Max time kernel: 144s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}\stubpath = "C:\\Windows\\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe" | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF65B684-6575-4140-9B89-F9A9BC5327A0} | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF65B684-6575-4140-9B89-F9A9BC5327A0}\stubpath = "C:\\Windows\\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe" | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}\stubpath = "C:\\Windows\\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe" | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3FF16B-1BED-41e1-AC05-E9325467928F} | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B256B3-1282-4591-90BF-DC5B25B43566}\stubpath = "C:\\Windows\\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe" | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AE92257-FA3F-4587-A077-4DABB37890C6}\stubpath = "C:\\Windows\\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}\stubpath = "C:\\Windows\\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe" | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14377D86-DB16-4a6e-AD30-65A69AB09080}\stubpath = "C:\\Windows\\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe" | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B256B3-1282-4591-90BF-DC5B25B43566} | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F290B57B-7618-47ae-8A2F-CF68503A6C5A} | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33} | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AE92257-FA3F-4587-A077-4DABB37890C6} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B} | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796C8D47-9B19-4119-924E-227694DAB253} | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606FC2D7-1A81-4339-9AD7-C86A005FACC5} | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94F053A-B870-41bd-87CE-2619A3ACF841} | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94F053A-B870-41bd-87CE-2619A3ACF841}\stubpath = "C:\\Windows\\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe" | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{796C8D47-9B19-4119-924E-227694DAB253}\stubpath = "C:\\Windows\\{796C8D47-9B19-4119-924E-227694DAB253}.exe" | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14377D86-DB16-4a6e-AD30-65A69AB09080} | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D3FF16B-1BED-41e1-AC05-E9325467928F}\stubpath = "C:\\Windows\\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe" | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}\stubpath = "C:\\Windows\\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe" | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A
File created | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A
File created | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A
File created | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A
File created | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A
File created | C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A
File created | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
File created | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A
File created | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A
File created | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A
File created | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 620 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
PID 620 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
PID 620 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
PID 620 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe
PID 620 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2820 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
PID 1240 wrote to memory of 2820 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
PID 1240 wrote to memory of 2820 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
PID 1240 wrote to memory of 2820 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe
PID 1240 wrote to memory of 2804 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2804 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2804 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2804 | N/A | C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 3012 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
PID 2820 wrote to memory of 3012 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
PID 2820 wrote to memory of 3012 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
PID 2820 wrote to memory of 3012 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe
PID 2820 wrote to memory of 2784 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2784 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2784 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2784 | N/A | C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1984 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
PID 3012 wrote to memory of 1984 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
PID 3012 wrote to memory of 1984 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
PID 3012 wrote to memory of 1984 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe
PID 3012 wrote to memory of 2600 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2600 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2600 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2600 | N/A | C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
PID 1984 wrote to memory of 2640 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe
PID 1984 wrote to memory of 2160 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2160 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2160 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2160 | N/A | C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2996 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
PID 2640 wrote to memory of 2996 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
PID 2640 wrote to memory of 2996 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
PID 2640 wrote to memory of 2996 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe
PID 2640 wrote to memory of 2840 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2840 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2840 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2840 | N/A | C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 536 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
PID 2996 wrote to memory of 536 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
PID 2996 wrote to memory of 536 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
PID 2996 wrote to memory of 536 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe
PID 2996 wrote to memory of 2988 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2988 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2988 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2988 | N/A | C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1648 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
PID 536 wrote to memory of 1648 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
PID 536 wrote to memory of 1648 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
PID 536 wrote to memory of 1648 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe
PID 536 wrote to memory of 348 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 348 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 348 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 348 | N/A | C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"

C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe

C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe

C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE92~1.EXE > nul

C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe

C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB9C~1.EXE > nul

C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe

C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{796C8~1.EXE > nul

C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe

C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14377~1.EXE > nul

C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe

C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF65B~1.EXE > nul

C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe

C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{606FC~1.EXE > nul

C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe

C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55B25~1.EXE > nul

C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe

C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3FF~1.EXE > nul

C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe

C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F290B~1.EXE > nul

C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe

C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DB9~1.EXE > nul

Network

N/A

Files

C:\Windows\{5AE92257-FA3F-4587-A077-4DABB37890C6}.exe

MD5 bca09a04488c9095bcf81346238c6448
SHA1 271b0346908efc6d7ca23484e761d9d8b2575ff6
SHA256 ae049c09ca770905c40984c3023b7a067f85d0550b0f230ee71b6b3149ae1d0e
SHA512 eefb59c21930d60408ff38531298c87118564a2a91388790e2c5a5c6439b15234745b5b2c6c4dd79ec7728d36201560e8c8cc4a906cedb10c89952717c199db0

C:\Windows\{4AB9CA72-6664-4d68-B37F-2F1736AF9F9B}.exe

MD5 5416d13828c44f8e133da27552325c5f
SHA1 4c37f35b749313aaa44eda861a9bcd9faf600dc5
SHA256 52b79c619630519a4dbeff9795ec1fc7fda9449f103e0d62bcebb07d4a27e035
SHA512 c7dd3b7f15773e780d097a4fcfe0e4edcb83d40a5cc48caa1946923ac5a9ad09bc2dd14737715df25ac1191a7f3ce5e37697286dbf17bbe7bc3848cc06fa9ef1

C:\Windows\{796C8D47-9B19-4119-924E-227694DAB253}.exe

MD5 1f93b1bf643fc8e0e96a4cec4383cbba
SHA1 78c67c388c4fd0dae076f71ad7222bc0d675006b
SHA256 5ceab7eb11e6ed19722720b68baee53684ea7f3d77fdedb013ab01b31c72bae8
SHA512 0fd2ab2a197087ba5d6d25f1fabe2612f04b63f3c4388c9e13acb2d410020dc0a16c59fa0f9c291bfca42efdc00984be21aa1a1effe82ccaf98dbd32c594f9de

C:\Windows\{14377D86-DB16-4a6e-AD30-65A69AB09080}.exe

MD5 1403d6aed1dcbac9f30862f1a970f830
SHA1 b28e3d698712a7c07b4503247b8c183d2d9cbecd
SHA256 958e51b8e4ec236976b146fbdbe346e3c10454b11b39975beda297e2487bfb7a
SHA512 2bdc9fa7ab728ed8a9c0ecf5ee2a2b24f65117d3e5469566758b654f3c93f2ff82080c0ad387d5ad4e6abb17a7579a8f05fbe8f5ab2c92dd3ffae3806d209a14

C:\Windows\{BF65B684-6575-4140-9B89-F9A9BC5327A0}.exe

MD5 49cc8444c9123809c1e883c4bc98d35f
SHA1 7598c67f632105c21448ec67d26de6cdf6e303d3
SHA256 9bb111a0f7b57139803e1f24dfe5f261237bf59be35b9ed1f76ffe9079bcd03b
SHA512 3864f3ce816d4c40bdfd09706f7047080c5e960c777b2de48caa303489d070e7f6d486f9a5c662a5aa4a6ba4b332225df0823a67a364fc432c2d713053ee8ba2

C:\Windows\{606FC2D7-1A81-4339-9AD7-C86A005FACC5}.exe

MD5 70143e7d65f3bb665b9f7846effb7465
SHA1 b308b13aed7d8bc501f9cce2ced1a631d3114ce0
SHA256 a01ad3801c7609199defce3ff2f53ae065c71a2a74896ca8eefbb1f563c4d88b
SHA512 39ad95bffdece4e90a0a3743eec6e03888df18ada4a1411010cc25aca550a5ddc854751cb3f5331c69c43adc929cf602cb6126f179537db021fd3dc4563533c0

C:\Windows\{55B256B3-1282-4591-90BF-DC5B25B43566}.exe

MD5 bcac83820bc73c1545a451ae82521b97
SHA1 7853c4c5cbd3a4f59dbc4f825ab5925f969826d9
SHA256 56e619336549d5c39ac59e36df1821d35ab35aca831c4d0f176c6c7b9c136fb2
SHA512 db9ee101bef3106289f069df86f037812bd88fedc29e661f2bb60c005e1e31cad206915e0c89721f2e7c602974c5937257df4e57906169cb02107756b0520689

C:\Windows\{8D3FF16B-1BED-41e1-AC05-E9325467928F}.exe

MD5 21d9cd09165e0349848705c8f2987b66
SHA1 b86d6047a6c05b55a68d851352f8c1812c5c54d6
SHA256 6ab0b53a95837771a3baf7b469f28bf2f71d6226f002a810f9c8456f6f4b8c89
SHA512 8191193cb939514deddaac8f08f0f66eb109cd9f4d7bffb91361c328e9bffbb9ef4df1bc2faa8d9d6f4b782448e8f400c054799b01809f0e5d51bf7da183449b

C:\Windows\{F290B57B-7618-47ae-8A2F-CF68503A6C5A}.exe

MD5 00d0bc8a0ebc4f0d36885812ad6ce852
SHA1 b7adeb5fe6b1541539710a399f470e4b1c70e8c5
SHA256 e1615d06ece6464761409bc40a1c6e719ca96324e739337d5bb56a88c45b6ea7
SHA512 7dea87ab27612d1b60c5d1b7dc9ee17f1f6e8b0eb08861b68c2342535efdb2ccb69ac404c7f0293b78f3b53300748bdbe5fff0809da4ba2228da607eed0c36b5

C:\Windows\{A7DB9A8D-BDC3-41de-B976-400D1EB40B33}.exe

MD5 fa613e81f22ca4bc250b67c8f507b170
SHA1 8869802ae36dc9a2bf5dde5bd30189d43d6d781e
SHA256 95ca8acf6622f92cfee8a20544063b7fd9c35f8cae0b84e1dd666c50bd352159
SHA512 3012f9c5e2054de169ff096ee486401f7dc5eea2ec7aa517484bb4f9bca538002b78bb055515f1c2cd20cba18dfa1bfe585c91896188b679b01f6ee36764f19c

C:\Windows\{D94F053A-B870-41bd-87CE-2619A3ACF841}.exe

MD5 c392e3a717c8d4684cad4a365112f391
SHA1 ebb558053aa1deccc2445e0df85fb55e1f1d2243
SHA256 2bc6c6c2077668db32808b77f02bfe6bacbd18870af1890fc19aa786b7478eb1
SHA512 cff7ca76ed93af6690defd2a135895470a02dc54aa2dfffa5acf44e3adc90840212d00b2225f258fde43062807bfd877d40578365d7523bc3316a64c0cedb9f0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 12:42
Reported: 2024-11-11 12:44
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7200C66A-9611-4fd4-92AC-D6F953068154} | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5FFF31-0489-4464-ABC8-14BE941605B0} | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584552A-6947-4112-9F02-51B30C3BF7F4} | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}\stubpath = "C:\\Windows\\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe" | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D584552A-6947-4112-9F02-51B30C3BF7F4}\stubpath = "C:\\Windows\\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe" | C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BF5C3-B2EE-4721-9B31-5D2F25435377} | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7200C66A-9611-4fd4-92AC-D6F953068154}\stubpath = "C:\\Windows\\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe" | C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5FFF31-0489-4464-ABC8-14BE941605B0}\stubpath = "C:\\Windows\\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe" | C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}\stubpath = "C:\\Windows\\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe" | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2386F7A9-CAE8-463e-95E4-6939A73B9B56} | C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0D8C0D5-8651-4675-A480-BA42DB925116} | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134BF5C3-B2EE-4721-9B31-5D2F25435377}\stubpath = "C:\\Windows\\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe" | C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}\stubpath = "C:\\Windows\\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe" | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1414401-1A74-4741-A46E-16BF2C9340CC} | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E8E9FA-8F87-45df-8F09-E3647D191255} | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E8E9FA-8F87-45df-8F09-E3647D191255}\stubpath = "C:\\Windows\\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe" | C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6636970E-D32D-4f62-A14C-D6AF0AF45887} | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6636970E-D32D-4f62-A14C-D6AF0AF45887}\stubpath = "C:\\Windows\\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe" | C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0D8C0D5-8651-4675-A480-BA42DB925116}\stubpath = "C:\\Windows\\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe" | C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15AED68C-706F-4642-985A-421C499C0CF0} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15AED68C-706F-4642-985A-421C499C0CF0}\stubpath = "C:\\Windows\\{15AED68C-706F-4642-985A-421C499C0CF0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D8646B-E52D-4e65-8F01-63D7B19A28AD} | C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1414401-1A74-4741-A46E-16BF2C9340CC}\stubpath = "C:\\Windows\\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe" | C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3} | C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe N/A
File created C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe N/A
File created C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe N/A
File created C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe N/A
File created C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe N/A
File created C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe N/A
File created C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe N/A
File created C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe N/A
File created C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe N/A
File created C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe N/A
File created C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe N/A
File created C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe N/A
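The two tables above (Active Setup StubPath values and files created in C:\Windows) are printed in the order the sandbox flushed them, not in execution order, and the Active Setup table on this page begins mid-list. The following Python, added here as an editorial example and not part of the sandbox report or its tooling, reorders the "File created" rows into the actual drop chain and cross-checks which stages also received an Active Setup StubPath in the rows visible on this page. The row data is copied from the tables; the function names are the example's own. The security point it makes explicit: every StubPath seen points at a GUID-named binary that this same run dropped, and the Installed Components subkey GUID equals the file's GUID. Active Setup runs a component's StubPath at the next interactive logon of any user whose HKCU Installed Components lacks that GUID, so one HKLM write persists for every account on the host.

```python
"""Reorder the 'File created' rows into the drop chain and cross-check them
against the Active Setup StubPath rows.

Row data is copied from the two signature tables on this page (the report's
own observations); the code is an added example, not sandbox tooling.
"""
from collections import defaultdict

SAMPLE = "2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"

# (file created, creating process), file names only; every dropped file
# lands in C:\Windows and the sample runs from the user's Temp directory.
DROPS = [
    ("{15AED68C-706F-4642-985A-421C499C0CF0}.exe", SAMPLE),
    ("{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe", "{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe"),
    ("{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe", "{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe"),
    ("{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe", "{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe"),
    ("{7200C66A-9611-4fd4-92AC-D6F953068154}.exe", "{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe"),
    ("{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe", "{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe"),
    ("{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe", "{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe"),
    ("{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe", "{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe"),
    ("{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe", "{15AED68C-706F-4642-985A-421C499C0CF0}.exe"),
    ("{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe", "{7200C66A-9611-4fd4-92AC-D6F953068154}.exe"),
    ("{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe", "{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe"),
    ("{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe", "{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe"),
]

# (Installed Components subkey, stubpath value as the report prints it,
# with the report's doubled backslashes). Only the "Set value" rows visible
# in this section of the report are included; the table starts mid-list.
STUBPATHS = [
    ("{134BF5C3-B2EE-4721-9B31-5D2F25435377}", r"C:\\Windows\\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe"),
    ("{04D8646B-E52D-4e65-8F01-63D7B19A28AD}", r"C:\\Windows\\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe"),
    ("{B8E8E9FA-8F87-45df-8F09-E3647D191255}", r"C:\\Windows\\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe"),
    ("{6636970E-D32D-4f62-A14C-D6AF0AF45887}", r"C:\\Windows\\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe"),
    ("{E0D8C0D5-8651-4675-A480-BA42DB925116}", r"C:\\Windows\\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe"),
    ("{15AED68C-706F-4642-985A-421C499C0CF0}", r"C:\\Windows\\{15AED68C-706F-4642-985A-421C499C0CF0}.exe"),
    ("{A1414401-1A74-4741-A46E-16BF2C9340CC}", r"C:\\Windows\\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe"),
]


def drop_chain(drops, root):
    """Follow creator -> created edges outward from the submitted sample.

    The sandbox lists rows in the order it emitted them; following the
    edges recovers the execution order. A stage that drops more than one
    file or a cycle would mean the chain is not linear, so both are
    reported instead of guessed around.
    """
    created_by = defaultdict(list)
    for created, creator in drops:
        created_by[creator].append(created)
    chain, cur = [], root
    while cur in created_by:
        if len(created_by[cur]) != 1:
            raise ValueError(f"{cur} dropped {len(created_by[cur])} files")
        cur = created_by[cur][0]
        if cur in chain:
            raise ValueError(f"cycle at {cur}")
        chain.append(cur)
    return chain


def stubpath_files(stubpaths):
    """Component subkey -> file name its StubPath points at (unescaped)."""
    out = {}
    for subkey, value in stubpaths:
        path = value.replace("\\\\", "\\")      # undo the report's escaping
        out[subkey] = path.rpartition("\\")[2]
    return out


def persistence_report(chain, stubpaths):
    """Dropped stages with a visible StubPath, stages without one, and
    whether every component GUID equals the GUID of the file it launches."""
    files = stubpath_files(stubpaths)
    persisted = [s for s in chain if s in files.values()]
    unlisted = [s for s in chain if s not in files.values()]
    guid_matches = all(name == subkey + ".exe" for subkey, name in files.items())
    return persisted, unlisted, guid_matches


if __name__ == "__main__":
    chain = drop_chain(DROPS, SAMPLE)
    persisted, unlisted, same_guid = persistence_report(chain, STUBPATHS)
    print("drop order:", " -> ".join(s[:9] for s in chain))
    print("StubPath seen for", len(persisted), "of", len(chain), "stages")
    print("no StubPath row in this section:", [s[:9] for s in unlisted])
    print("component GUID == file GUID for every row:", same_guid)
```

Run on the page's rows it yields a twelve-stage chain from {15AED68C…} to {BB9DB78D…}; seven stages have a StubPath row in this section and five do not, which reflects where the table was cut rather than a lack of persistence for those stages. When hunting on live hosts, the same comparison (StubPath target created in the same session by a non-installer process, subkey GUID equal to the file name) is the signal to alert on; legitimate Active Setup components are registered by installers and point at long-lived, signed binaries.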

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
PID 4072 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
PID 4072 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe
PID 4072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 3288 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
PID 3212 wrote to memory of 3288 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
PID 3212 wrote to memory of 3288 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe
PID 3212 wrote to memory of 516 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 516 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 516 N/A C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 4304 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
PID 3288 wrote to memory of 4304 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
PID 3288 wrote to memory of 4304 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe
PID 3288 wrote to memory of 4396 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 4396 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 4396 N/A C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 4312 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
PID 4304 wrote to memory of 4312 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
PID 4304 wrote to memory of 4312 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe
PID 4304 wrote to memory of 1196 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 1196 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 1196 N/A C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 1844 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
PID 4312 wrote to memory of 1844 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
PID 4312 wrote to memory of 1844 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe
PID 4312 wrote to memory of 3580 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 3580 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 3580 N/A C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 4420 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
PID 1844 wrote to memory of 4420 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
PID 1844 wrote to memory of 4420 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe
PID 1844 wrote to memory of 3160 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3160 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3160 N/A C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2040 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
PID 4420 wrote to memory of 2040 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
PID 4420 wrote to memory of 2040 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe
PID 4420 wrote to memory of 664 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 664 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 664 N/A C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3388 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
PID 2040 wrote to memory of 3388 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
PID 2040 wrote to memory of 3388 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe
PID 2040 wrote to memory of 3104 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3104 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3104 N/A C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 5028 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
PID 3388 wrote to memory of 5028 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
PID 3388 wrote to memory of 5028 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe
PID 3388 wrote to memory of 3184 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 3184 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 3184 N/A C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 2940 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
PID 5028 wrote to memory of 2940 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
PID 5028 wrote to memory of 2940 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe
PID 5028 wrote to memory of 1924 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 1924 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 1924 N/A C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3232 N/A C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
PID 2940 wrote to memory of 3232 N/A C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
PID 2940 wrote to memory of 3232 N/A C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe
PID 2940 wrote to memory of 1556 N/A C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"

C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe

C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe

C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15AED~1.EXE > nul

C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe

C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{134BF~1.EXE > nul

C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe

C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04D86~1.EXE > nul

C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe

C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1414~1.EXE > nul

C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe

C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E8E~1.EXE > nul

C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe

C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7200C~1.EXE > nul

C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe

C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F5FF~1.EXE > nul

C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe

C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2386F~1.EXE > nul

C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe

C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{66369~1.EXE > nul

C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe

C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D5845~1.EXE > nul

C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe

C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D8C~1.EXE > nul
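Read as a process tree, the listing above alternates between a GUID-named stage and a cmd.exe child, and the WriteProcessMemory rows show each stage writing into exactly two child processes: the next stage and that cmd.exe. The cmd.exe's only job is to delete the stage that launched it once it has exited (Windows refuses to delete a running image, which is why the deletion is delegated to a child that outlives its parent). The del targets are 8.3 short names, which obscure which GUID file is being removed. The following Python, added here as an example and not part of the report or its tooling, derives the first-candidate short name Windows assigns to each long file name and maps every del command back to the binary it removes; paths and command lines are copied from the listing, the helper names are the example's own. One reading caveat: the process column shows C:\Windows\SysWOW64\cmd.exe while the command line names system32\cmd.exe. The 32-bit stage asks for system32\cmd.exe and WoW64 file-system redirection serves the SysWOW64 copy, consistent with the Wow6432Node registry view in the Active Setup table.

```python
"""Resolve the 8.3 short names in the 'cmd.exe /c del' lines above.

Paths and command lines are copied from the process listing on this page;
the code is an added example, not sandbox tooling.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_2e30881cec45805dd847a371a3fd962d_goldeneye.exe"
STAGES = [
    r"C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe",
    r"C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe",
    r"C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe",
    r"C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe",
    r"C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe",
    r"C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe",
    r"C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe",
    r"C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe",
    r"C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe",
    r"C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe",
    r"C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe",
    r"C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe",
]
DEL_COMMANDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{15AED~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{134BF~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{04D86~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A1414~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E8E~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7200C~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4F5FF~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2386F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{66369~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D5845~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D8C~1.EXE > nul",
]


def short_name(filename):
    """First-candidate 8.3 name for a long file name.

    Base: drop spaces and embedded periods, upper-case, keep the first 6
    characters and append '~1'. Extension: first 3 characters of the last
    extension, upper-case. NTFS tries ~1..~4 and then a hashed form when
    the candidate collides, so this is only the first candidate; the
    listing above shows every file in this run received ~1.
    """
    base, dot, ext = filename.rpartition(".")
    if not dot:                      # no extension at all
        base, ext = filename, ""
    base_sfn = base.replace(" ", "").replace(".", "").upper()
    ext_sfn = ext.replace(" ", "").upper()[:3]
    needs_tilde = len(base_sfn) > 8 or len(ext) > 3 or base_sfn != base.upper()
    if needs_tilde:
        base_sfn = base_sfn[:6] + "~1"
    return base_sfn + (f".{ext_sfn}" if ext_sfn else "")


def del_target(cmdline):
    """Path named by 'cmd.exe /c del <path> > nul'; None if not a del."""
    m = re.search(r"/c del (\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def resolve_deletions(binaries, commands):
    """Map each del command's 8.3 target to the long-name binary it removes."""
    by_sfn = {}
    for path in binaries:
        folder, _, name = path.rpartition("\\")
        by_sfn[(folder.lower(), short_name(name))] = path
    resolved = []
    for cmd in commands:
        target = del_target(cmd)
        folder, _, name = target.rpartition("\\")
        resolved.append(by_sfn.get((folder.lower(), name.upper())))
    return resolved


def survivors(binaries, commands):
    """Binaries never named by a del command, i.e. what the run leaves on disk."""
    removed = set(resolve_deletions(binaries, commands))
    return [b for b in binaries if b not in removed]


if __name__ == "__main__":
    everything = [SAMPLE] + STAGES
    for cmd, path in zip(DEL_COMMANDS, resolve_deletions(everything, DEL_COMMANDS)):
        print(del_target(cmd), "->", path)
    print("left in place:", survivors(everything, DEL_COMMANDS))
```

Resolving the twelve del commands shows each one naming the binary that spawned the cmd.exe, in chain order from the submitted sample through {E0D8C0D5…}; only the last dropped stage, {BB9DB78D…}, is never targeted within the captured run. The Active Setup StubPath values above point at exactly these deleted files, so if the del commands succeed (the listing shows them issued, not their result) the persistence entries are left referencing binaries that no longer exist, which is itself a useful forensic artifact on a cleaned host.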

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Windows\{15AED68C-706F-4642-985A-421C499C0CF0}.exe

MD5 dc2f6595c2db3711dfe7159849a7a754
SHA1 618ed178fddd7969e4b14e2490975ee12719b426
SHA256 265f13d29e3012ea815f8921f252801687f95cf5d5664c2ad2460ac66e6b310b
SHA512 62233032d06916d889b7fd503f52616e4e753575714f94b79e93354bae3f4b99c1e84b2cde176b2c658de0173b2f045fefc941b405612f406823c8a2d99336c5

C:\Windows\{134BF5C3-B2EE-4721-9B31-5D2F25435377}.exe

MD5 6ca3b3bfaaad3e73dabfaed83026ce8d
SHA1 cc15943fcbc79d6beb7919278053eaf6fbe27ad5
SHA256 ebb92a7e60d47bef14f18def7736bc45072e694ce815f3b065af1da4dc5f265e
SHA512 c44fb0a6d5c56e8bcb6a5eb0c0ad2f75236a7ffc44f994eb91fb5f83805897091e6044aff84bf0345d410c9f6b85288aa9c1ba561642984bc3ad6f0706df63c2

C:\Windows\{04D8646B-E52D-4e65-8F01-63D7B19A28AD}.exe

MD5 9e7bc48d5b4e9326cea37f6d9a7998b2
SHA1 bf00098ca4a11f8d86a9c6a38602fa389cea0154
SHA256 9fcd1baa419fb21dd393525b6210bbf18eb729b9f0bd90a574737a7ad164218b
SHA512 1a5f5e60d6ba411117924257b3f28bb415f4750c154fa87678eda77cf0f2de0421bbe37d669f1a3887c653a87ddf9a6bc15e5bc1b33e44a0e59c0ca34902d909

C:\Windows\{A1414401-1A74-4741-A46E-16BF2C9340CC}.exe

MD5 d698fbf3eaf027dc30843f3078255ad4
SHA1 04475b6edfd9b5ad32828a6f98a6139ea9160ffb
SHA256 8a1b5569276a4f0d4b90b6e68e80694271a53ace54a366206cdf0dd4652a8bb9
SHA512 1e04f2d5ac704b43ecb671e5ea4823a1fbfb10d364aec3da7ecff7c52b5e8c8999cad2ee4c675b461694ecf4a9152e61256f60021236b470cf20e2e25cfeb2f4

C:\Windows\{B8E8E9FA-8F87-45df-8F09-E3647D191255}.exe

MD5 0b42727e029e3888bbdcf7c65439a4cd
SHA1 6001d901b4ad1c457fb9f9e2c87f93198704b130
SHA256 0a6e8233ba8ef9af3fc0c0efda3b93398bde67c44351d08415cf745d1a0c2157
SHA512 b026aa3c6a9cc33bc185bcf0bcf79bcc92e9c261e8aa1e74b1b1e7966bf155393b4a9ceb973a5cd1d871235863d1333268987f715f3383ef65844f7a04997107

C:\Windows\{7200C66A-9611-4fd4-92AC-D6F953068154}.exe

MD5 f68802c0bf898ae3b5eca5c4d7602036
SHA1 d6187d452f8c6bec091800977527dc97f89051f0
SHA256 c8108e29d1311a0c4d775a11c56a05761e2fad62da748eb94a1a3b2c571c986e
SHA512 5a1c20b547827cba7ad3ed0d01162edfd5992574a64b0833079fb0ab4c45e1d0ed0b9fe85e1299de51019656cc289a44ecd13069cf6e115fefaf1d39a7b1e1cb

C:\Windows\{4F5FFF31-0489-4464-ABC8-14BE941605B0}.exe

MD5 ac52a568817dc0817f5037759ffd159e
SHA1 669645029ce83d79f2ed82bc1bf93a94cc34f651
SHA256 a3a31b55bf8a9dc5a55fca61aa54e2d5645246adeb38e1e3e13321b75a093687
SHA512 9e7f7d56df5c2ad4a7bf1e5011727f7b0ddcb4e11cc5ec6b22cc264af2c0b2a6c6ca307079662bad3cfc1ff6bca7d7850226fe14647333a1e5b52ad30daf654e

C:\Windows\{2386F7A9-CAE8-463e-95E4-6939A73B9B56}.exe

MD5 ed2cec9513b1511dab66ae979f9f0a23
SHA1 7629b25baef5a5c6d226a77b0a5d568884341f99
SHA256 ee816043538cd03107e0f535db19c8f7cb460cea4da186cd224508471ee7d9bc
SHA512 d9f4cfafadc7a99c16a61bfd751c48c8de2f13995414139ea2bf173f7e7ca1f863a3c1577608458c2371b846b1f7e252c0235bdb40647f5a055a29c789b5a6eb

C:\Windows\{6636970E-D32D-4f62-A14C-D6AF0AF45887}.exe

MD5 432c886ca8fdd602325536a7d9bd84fc
SHA1 977ac8303a4a3c8c760f27ebd8d5882c4be50f9d
SHA256 a982ff23066622738ce662b73cfa60987823001e79de77969c26110f00f06684
SHA512 882bebbef8092111ec748bf1e79974aeb4084b0a3434d429e2659fd53eff7986f43aae8656ee3d13cd6e99e1dc6493c143627a05a52f0a83c41473a0768b4b57

C:\Windows\{D584552A-6947-4112-9F02-51B30C3BF7F4}.exe

MD5 74cbddc0780f773c694bbbdacb525710
SHA1 c5003e2da13bd864e93ac324e9a3c412f0148033
SHA256 6b78723dacff327c897aa908197265e72f445bd39d4cbf21cfc3c2abf8327e84
SHA512 631acb516bb201ab81290f8a23149f550082057d779ade3512d7783cf645387e83c86bc048fc3474a15724f30a2bd7b495391dbfb3de3eaec282e50d769abfad

C:\Windows\{E0D8C0D5-8651-4675-A480-BA42DB925116}.exe

MD5 263228e1ca7d0bffb609e0c9921011f4
SHA1 81795f93f18914c460169e08d816ef1e3ba41259
SHA256 ee52174130f713f18afe0a05fa317cb59bad4cdba80a8a7bd299b33b578e19e0
SHA512 1403830a6583a5d18731c3b179625972c09d79c754a2f41983df1113dded1917dafadaae65e9d40abadfec94ca5fe6d41a7184ee38c70d8330da88e0f830a2ee

C:\Windows\{BB9DB78D-732E-4890-97C7-21D6FD8B4CA3}.exe

MD5 9a96e31d57bd6166b88ef0435d13405f
SHA1 57e67f318a315ef24196ab353a17a471483723d4
SHA256 ee7a0d4e6e03fbbd8979ebfbb50c0e85451de5b0fe7f383b7a7e49ec9bde74d3
SHA512 7d9d44414eb469f09b32971c3ef395a7c5d2ac59cdc05cdb2da0c39747e138be7ffd462d9b9d813673a989d67f05cd8285a87c9b718728f3d8562ca0e2faeda5