Malware Analysis Report

2025-08-05 11:31

Sample ID: 241111-pxwt5aspfq
Target: 2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye
SHA256: f711cdf4fc3db9a50331351e83f1d438c3b079b9c760b8dc6519e864ec46b336
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: f711cdf4fc3db9a50331351e83f1d438c3b079b9c760b8dc6519e864ec46b336
Threat Level: Likely malicious

The file 2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 techniques matched by the signatures above: T1547.014 Boot or Logon Autostart Execution: Active Setup (persistence) and T1614.001 System Location Discovery: System Language Discovery (discovery).

Analysis: static1

Detonation Overview

Reported: 2024-11-11 12:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 12:43
Reported: 2024-11-11 12:45
Platform: win7-20241023-en
Max time kernel: 144s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}\stubpath = "C:\\Windows\\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe" | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39} | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}\stubpath = "C:\\Windows\\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe" | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B} | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C95BE21-6B74-4fc8-A591-927B7F7E9689} | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}\stubpath = "C:\\Windows\\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe" | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}\stubpath = "C:\\Windows\\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe" | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}\stubpath = "C:\\Windows\\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe" | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F21DD83-522C-4ac2-B750-A1787D7FC107}\stubpath = "C:\\Windows\\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe" | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}\stubpath = "C:\\Windows\\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe" | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58} | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}\stubpath = "C:\\Windows\\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}\stubpath = "C:\\Windows\\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe" | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA} | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EBDF79-BA35-4253-B978-BC8ADBF552E9} | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B} | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}\stubpath = "C:\\Windows\\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe" | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}\stubpath = "C:\\Windows\\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe" | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F21DD83-522C-4ac2-B750-A1787D7FC107} | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F} | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03} | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A
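Active Setup executes the StubPath command of every component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (the Wow6432Node view when the writer is a 32-bit process, as in every row above) once per user, at that user's next interactive logon, whenever the user's HKCU copy of the component is missing. Writing there needs administrative rights, which the sandbox account "Admin" has; on a standard-user host the persistence write fails and the chain below stops at the first stage. Because every stage in this run is a different file with a different hash, a detection has to key on the registry write rather than on file hashes. The following script is an added example for this page, not output of the sandbox and not code from the sample: it scores Sysmon-style registry value-set records (EventID 13 with Image, TargetObject and Details fields) and flags a StubPath whose executable sits directly in the Windows directory, is named as a GUID, lives in a user-writable location, or was written by a process running from a user profile. The events are constructed for the example: two mirror the StubPath writes recorded for the Win7 and Win10 runs in this report, one is a key-creation event that the rule must ignore, one is a benign-looking control in the shape of a stock System32 stub, and one is a hypothetical user-writable stub with a made-up GUID. The environment-variable expansions are an assumption for a default install.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Native and Wow6432Node views, any letter case: the report shows "Wow6432Node"
# on Win7 and "WOW6432Node" on Win10 for the same kind of write.
STUBPATH_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(" + GUID + r")\\StubPath$",
    re.IGNORECASE)
GUID_EXE_RE = re.compile("^" + GUID + r"\.exe$", re.IGNORECASE)
# Assumed expansions for variables that shipped StubPath values commonly use.
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}

# Constructed Sysmon-style records (not taken from a real log). The first two
# mirror the StubPath writes in this report; the remaining three are controls.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}\StubPath",
     "Details": r"C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618}\StubPath",
     "Details": r"C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe"},
    # Key creation (EventID 12) for the same component: not a value write, ignored.
    {"EventID": 12,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}",
     "Details": ""},
    # Benign-looking control in the shape of a stock Windows entry (constructed).
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath",
     "Details": r"%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI"},
    # Hypothetical stub in a user-writable directory written via reg.exe (made-up GUID).
    {"EventID": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}\StubPath",
     "Details": r'"C:\Users\Public\update.exe" /silent'},
]


def stub_executable(details: str) -> str:
    """Extract the executable from a StubPath command line (quoted, or first token)."""
    cmd = details.strip()
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m, v=value: v, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def assess(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious StubPath write, or None."""
    if event.get("EventID") != 13:
        return None
    m = STUBPATH_RE.search(event["TargetObject"])
    if not m:
        return None
    exe = PureWindowsPath(stub_executable(event["Details"]))
    parts = [p.lower() for p in exe.parts]                       # parts[0] is the drive
    writer = [p.lower() for p in PureWindowsPath(event["Image"]).parts]
    reasons = []
    if len(parts) == 3 and parts[1] == "windows":                # C:\Windows\<file>, as in this report
        reasons.append("stub executable directly under the Windows directory")
    if GUID_EXE_RE.match(exe.name):
        reasons.append("stub executable named as a GUID")
    if {"users", "programdata", "temp"} & set(parts[1:-1]):
        reasons.append("stub executable in a user-writable location")
    if {"users", "temp"} & set(writer[1:-1]):
        reasons.append("StubPath written by a process running from a user profile")
    if not reasons:
        return None
    return {"guid": m.group(1), "stub_exe": str(exe), "image": event["Image"], "reasons": reasons}


def scan(events):
    """Apply assess() to a list of events and keep the findings."""
    return [f for f in map(assess, events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["guid"], f["stub_exe"], "<-", f["image"], "|", "; ".join(f["reasons"]))
```

The same four checks can be run against a live host by enumerating both registry views (the native Installed Components key and its Wow6432Node counterpart) instead of a Sysmon feed. They remain useful after the run has finished: every stage in this report deletes its own file, but the StubPath values stay behind, so the GUID-name and Windows-root tests still fire on the registry alone.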

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
File created | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A
File created | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A
File created | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A
File created | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A
File created | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A
File created | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A
File created | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A
File created | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A
File created | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A
File created | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | N/A

Suspicious use of WriteProcessMemory

Each row below stood for four identical entries in the original listing; the count is kept in the Description column.

Description | Indicator | Process | Target
PID 2412 wrote to memory of 2372 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
PID 2412 wrote to memory of 2004 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2908 (4 writes) | N/A | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
PID 2372 wrote to memory of 2940 (4 writes) | N/A | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2904 (4 writes) | N/A | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
PID 2908 wrote to memory of 3060 (4 writes) | N/A | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 1276 (4 writes) | N/A | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
PID 2904 wrote to memory of 2684 (4 writes) | N/A | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 2328 (4 writes) | N/A | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
PID 1276 wrote to memory of 1720 (4 writes) | N/A | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 3016 (4 writes) | N/A | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
PID 2328 wrote to memory of 3044 (4 writes) | N/A | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2952 (4 writes) | N/A | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
PID 3016 wrote to memory of 1704 (4 writes) | N/A | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 588 (4 writes) | N/A | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
PID 2952 wrote to memory of 1628 (4 writes) | N/A | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"
C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe | C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe | C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF38D~1.EXE > nul
C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe | C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{31ECB~1.EXE > nul
C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe | C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4CC~1.EXE > nul
C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe | C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2C95B~1.EXE > nul
C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe | C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{510C9~1.EXE > nul
C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe | C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{38EBD~1.EXE > nul
C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe | C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4F21D~1.EXE > nul
C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe | C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EC68C~1.EXE > nul
C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe | C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF7~1.EXE > nul
C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe | C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AFA~1.EXE > nul
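Read together, the Active Setup table, the "Drops file in Windows directory" table and the process list describe one relay: each stage writes the next GUID-named executable into C:\Windows, registers that child's Active Setup StubPath, launches it, and spawns cmd.exe to delete its own image, addressed by its 8.3 short name (`{AF38D~1.EXE`, `2024-1~1.EXE`). The script below is an added example written for this page, not part of the sandbox output or of the sample. It feeds the report's own rows, copied verbatim from the two tables and from the cmd.exe command lines above, through a small parser, orders the stages, resolves the short names back to the long file names, and checks the invariant that every stage registers exactly the file it dropped. Short-name resolution assumes the NTFS default of the first characters plus `~1` with no collision, which holds for these names but should be confirmed with `dir /x` on a real host.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# Constructed input: rows copied verbatim from the behavioral1 tables above.
FILE_CREATED_ROWS = r"""
File created C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe N/A
File created C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe N/A
File created C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe N/A
File created C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe N/A
File created C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe N/A
File created C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe N/A
File created C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe N/A
File created C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe N/A
File created C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe N/A
File created C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe N/A
File created C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe N/A
"""
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}\stubpath = "C:\\Windows\\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe" C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}\stubpath = "C:\\Windows\\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe" C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}\stubpath = "C:\\Windows\\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe" C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}\stubpath = "C:\\Windows\\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe" C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}\stubpath = "C:\\Windows\\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe" C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F21DD83-522C-4ac2-B750-A1787D7FC107}\stubpath = "C:\\Windows\\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe" C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}\stubpath = "C:\\Windows\\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe" C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}\stubpath = "C:\\Windows\\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}\stubpath = "C:\\Windows\\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe" C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}\stubpath = "C:\\Windows\\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe" C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}\stubpath = "C:\\Windows\\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe" C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe N/A
"""
# The cmd.exe command lines from the process list above, one per self-deleting stage.
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF38D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{31ECB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4CC~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{2C95B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{510C9~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{38EBD~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F21D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC68C~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF7~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AFA~1.EXE > nul
"""

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
STUB_RE = re.compile(r"Installed Components\\(" + GUID + r')\\stubpath = "([^"]+)" (\S+) N/A$')
DEL_RE = re.compile(r"cmd\.exe /c del (\S+) > nul$")


def resolve_short(short, candidates):
    r"""Map an 8.3 path such as C:\Windows\{AF38D~1.EXE to the single candidate in the
    same directory, with the same extension, whose name starts with the characters
    before the tilde. Assumption: default NTFS short names with no collision (~1)."""
    sdir, sname = short.rsplit("\\", 1)
    stem, ext = sname.split("~", 1)[0], sname.rsplit(".", 1)[1]
    hits = [c for c in candidates
            if c.rsplit("\\", 1)[0].lower() == sdir.lower()
            and c.rsplit("\\", 1)[1].upper().startswith(stem.upper())
            and c.upper().endswith("." + ext.upper())]
    if len(hits) != 1:
        raise ValueError(f"cannot resolve {short}: {hits}")
    return hits[0]


def reconstruct():
    """Order the stages and check that each one registers exactly the file it dropped."""
    drops, registered, anomalies = {}, {}, []
    for row in FILE_CREATED_ROWS.strip().splitlines():
        created, proc = FILE_RE.match(row).groups()
        if proc in drops:
            anomalies.append(f"{proc} dropped more than one file")
        drops[proc] = created
    for row in STUBPATH_ROWS.strip().splitlines():
        guid, target, proc = STUB_RE.search(row).groups()
        registered[proc] = (guid, target.replace("\\\\", "\\"))  # undo the report's escaping
    (start,) = set(drops) - set(drops.values())  # the submitted sample: a dropper nobody dropped
    chain = [start]
    while chain[-1] in drops:
        stage, child = chain[-1], drops[chain[-1]]
        guid, target = registered.get(stage, (None, None))
        if target != child or child.rsplit("\\", 1)[1] != f"{guid}.exe":
            anomalies.append(f"{stage} dropped {child} but registered {guid} -> {target}")
        chain.append(child)
    deleted = {resolve_short(DEL_RE.search(cmd).group(1), chain)
               for cmd in DEL_COMMANDS.strip().splitlines()}
    live = [t for _, t in registered.values() if t not in deleted]
    return {"chain": chain, "deleted": deleted, "live_stubs": live, "anomalies": anomalies}


if __name__ == "__main__":
    r = reconstruct()
    for i, p in enumerate(r["chain"]):
        print(f"stage {i:2d} {'deleted' if p in r['deleted'] else 'on disk'} {p}")
    print("StubPath targets still present:", r["live_stubs"], "| anomalies:", r["anomalies"] or "none")
```

Run as-is, the script lists twelve stages (the submitted sample plus eleven drops), reports no anomalies, and shows that the first eleven deleted themselves while C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe was still on disk when the run ended; whether it would have continued the relay is not shown in this report. The net state after the observed 144 s is therefore eleven StubPath values in HKLM, ten of them pointing at files that no longer exist and one at a live binary. Two other readings follow from the same tables. Every "wrote to memory" row pairs a stage with a process it itself launched (the next stage or its own cmd.exe), four writes apiece, and no row shows a write into a process the stage did not create, so that signature here records process creation rather than injection into a foreign process. The NLS\Language rows include every cmd.exe instance, so that signature fires on ordinary process start-up and adds little on its own. Finally, the Files section below gives a different hash for every stage, so hashes from this run are poor indicators; the StubPath pattern and the C:\Windows\{GUID}.exe naming are the stable ones.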

Network

N/A

Files

C:\Windows\{AF38DAC2-DEAE-425f-9810-9DE38AA3CE20}.exe

MD5 c85a3dada99e8921b643a5ca449b3340
SHA1 5427425ebebe617a5f42c18802bc3fd0c72fc1b9
SHA256 d9694d46aa896ca12fb864dfff0cdbf2c81c7f7a7b2a4197c11e935feaedf559
SHA512 3464c7115a5a84205417628c62567af542c9475a3afb75b008143eeb84d48dab8f35ae10cb7a3042f49424bb1cdb3e1f90e4c8d874705368f547ebd8920ec426

C:\Windows\{31ECB143-D330-49a9-9FBB-BE3F696A4C39}.exe

MD5 4c727bcbbc47dbdc39dfae9da51424db
SHA1 24466598da4748424d5a04a9978b00291c41140a
SHA256 96ba8da68a9f04552323403b1237b478cf46709ecd6e03725c740829f3727fba
SHA512 b3c843dd303b860c195da2930e737750dde768ffea79c0ea8cdaa21c1c608b2dabf3b1e56d598be89d0c5202aeb538c2bce19c858bb3c460c4f8335467062e31

C:\Windows\{AA4CC5C2-077C-4fb2-BFFB-2E5E8FEB948B}.exe

MD5 ea6231bcd3dd0a9f04ffe953533adf6d
SHA1 eb70bee521f0159a92c2d1d10d9c7f85a83d394b
SHA256 d86fe5ad44fc1f1ad01f46d8ffa4ab11a0a5e52022ec9b5cc9ad4075632d669b
SHA512 f519a213908b3fea8655a11bcd8013c8e1bf4d55ea56d3fc5ad9a9eedcc4875ae93dac119a592e7408ac25b68d73ecb8ab0924c238909b413da78c8f5e4fe654

C:\Windows\{2C95BE21-6B74-4fc8-A591-927B7F7E9689}.exe

MD5 7fe08b46dc5cacc221e3f9153bd61a12
SHA1 97a8d409a0be3801149235de3a0e695cc55e3c2c
SHA256 42138d716456810ba12e926376ad0dd9eda9c388528b7b11822056ab9faa0f07
SHA512 dc05d3e41c23aa30cb787e89c3d99cdbe6a451f11f77249df04ca12eb23ea2b271ada26e206e9d1d9f342aa2eda56ed40eb7ba1213095e9dc990e7a84a2aa1f6

C:\Windows\{510C96FC-A7FD-45bd-BC66-1B4C476FEFFA}.exe

MD5 4396980222310da34f3413edd0a3c4db
SHA1 f504a201f36375bbb993086e611021bfc588c897
SHA256 e77b7c8f5d6ecb8e6f5db5dd3ccc8069b62cbf19eeff03f3e47f1634a378ecb2
SHA512 fbf26afaffc9f6d3fae0150f733191cf098984f5da4ee4070e835bc11e277f8d5c59221a88fcf30023fc456bb1b1f8c07890a3193266ab22167f60f46003d9d9

C:\Windows\{38EBDF79-BA35-4253-B978-BC8ADBF552E9}.exe

MD5 597baf289fdd68cfa93afe905520979a
SHA1 19636d1be5a1def8b8bfb0f30343fd32e36d4201
SHA256 1a2f70f5ecc08f6bcf3b9ff3968c3839f47f026c45b59b91800fef01dc038dfe
SHA512 76e5e49c4d7d241b7fa18d679f122b595cf82b0bf78f6362883b43824fca3e9edb9d64eb6e903bd024e0bde9a6ed08fc8612c085855428ebe57b77ae60b8df7b

C:\Windows\{4F21DD83-522C-4ac2-B750-A1787D7FC107}.exe

MD5 7aaeee498c07a4aa7a9dfdd6d5c19e80
SHA1 33442c4052b2d9e19af2987d2658c5831f1881da
SHA256 2d590f2b629c0abea1908bb441b90645d78260d38114fa1194e8299fd674550a
SHA512 9e28f296c52b3958aaacf2c84c0f999710017c27e81d3975a89d3d02e835f3a05c834a9f9a9c2e3dc35c685dfae4bfab443bf4de64cbe6d76de514d6a56010ed

C:\Windows\{EC68CA5A-744A-4711-BCCF-2B2C8C531A6F}.exe

MD5 801647ec5470f469ecb3a96a3c544054
SHA1 0e13f809e2b73d8589013fa3f74f134ca1d7ee53
SHA256 c5ea27b1dc37cc09ec573b44fdef3e19e11149601ad6906f9bb063b984c764ca
SHA512 691580307a25667c163e2ea8e01bec09538758e6fad7e6f9f79b84155d2c2438c23c8d716ee3a4d62187c6d8b016a67fe970c71e93775e63de5dc305c153d99f

C:\Windows\{5CFF7A29-8BA3-4e00-88EB-8FAF6D22DB58}.exe

MD5 1ec4227e3b6ec722e163f904c27f0254
SHA1 21d8887c5b20698853939c07c8a00211b2c17217
SHA256 e56a5247df994a8569d7df62fc55220cbf71ebeab2e5ece863b8c98fb314a392
SHA512 7c6626087f2065ebdec34e35c7fc95d2fd3ec6735459af13121e20c06c3fb2d72f7fe6327b70051583e8530cc40f5642a0785f1324327931347e759b6d03244d

C:\Windows\{D1AFA6B3-CF08-404f-A2EA-D0AEDC87CD03}.exe

MD5 6cf95bd69ca99003c1295a67f390075a
SHA1 16baa9dc0f4ee96bb1d1c4866da319c6b791e69b
SHA256 f9aaafe72d2d6eff64ebf057922e715d54a2c326046d682114f08d364a7ae865
SHA512 c21085b2b1f283f45824555b3e9b41bc9d6daa0e6aef4be072673cff82a4816f15d35dff3f0455c9b51c162d9b83f6e1e8abcfca179b7ccd289385afb5dd1d8a

C:\Windows\{F713455B-0F1D-4a29-BD1B-AFB897EFDD7B}.exe

MD5 81addc9035ca5064815a28f5a31b0098
SHA1 e27182d53f3c0fea9e0053ca91542118985d9039
SHA256 60de1f97429ae8d214be6fe4ec2e484da3c20e1f7cfdc9b955761659a3006f8d
SHA512 1faa5dccf511f91f7f974a6e34c18f24b919a51dd108887f3a12d184236c42c367011dc5af991888aeea950bd98e56e7b2db0011ce0f7c8ffedb5372675f4f21

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 12:43
Reported: 2024-11-11 12:45
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4} | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B435D10-597F-41de-808F-737E03450630} | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC319AB4-3585-4d24-A17A-29A4043B283D}\stubpath = "C:\\Windows\\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe" | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE} | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}\stubpath = "C:\\Windows\\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe" | C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977} | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}\stubpath = "C:\\Windows\\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe" | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EA515-D7B7-4306-9E84-167A57BEFCEC} | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}\stubpath = "C:\\Windows\\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe" | C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6111A5C8-C18E-4b18-93EB-CCB8509E2420} | C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{402B78B7-13E2-4e1f-8484-2AB388AC4618}\stubpath = "C:\\Windows\\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC539198-109A-47dd-B4B2-05062F4E33BB} | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC539198-109A-47dd-B4B2-05062F4E33BB}\stubpath = "C:\\Windows\\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe" | C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}\stubpath = "C:\\Windows\\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe" | C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B435D10-597F-41de-808F-737E03450630}\stubpath = "C:\\Windows\\{3B435D10-597F-41de-808F-737E03450630}.exe" | C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC319AB4-3585-4d24-A17A-29A4043B283D} | C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}\stubpath = "C:\\Windows\\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe" | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{344804A8-35F5-4360-9A01-9FD696AA0CBC} | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}\stubpath = "C:\\Windows\\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe" | C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8} | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}\stubpath = "C:\\Windows\\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe" | C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8} | C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{344804A8-35F5-4360-9A01-9FD696AA0CBC}\stubpath = "C:\\Windows\\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe" | C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe N/A
File created C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe N/A
File created C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe N/A
File created C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe N/A
File created C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe N/A
File created C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe N/A
File created C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe N/A
File created C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe N/A
File created C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe N/A
File created C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe N/A
File created C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe N/A
File created C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
PID 2980 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
PID 2980 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe
PID 2980 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3132 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
PID 3580 wrote to memory of 3132 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
PID 3580 wrote to memory of 3132 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe
PID 3580 wrote to memory of 2760 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2760 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2760 N/A C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 1400 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
PID 3132 wrote to memory of 1400 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
PID 3132 wrote to memory of 1400 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe
PID 3132 wrote to memory of 4576 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4576 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4576 N/A C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1264 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
PID 1400 wrote to memory of 1264 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
PID 1400 wrote to memory of 1264 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe
PID 1400 wrote to memory of 5088 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 5088 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 5088 N/A C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 3264 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
PID 1264 wrote to memory of 3264 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
PID 1264 wrote to memory of 3264 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe
PID 1264 wrote to memory of 4672 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 4672 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 4672 N/A C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 1716 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
PID 3264 wrote to memory of 1716 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
PID 3264 wrote to memory of 1716 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe
PID 3264 wrote to memory of 4984 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 4984 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 4984 N/A C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 4568 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
PID 1716 wrote to memory of 4568 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
PID 1716 wrote to memory of 4568 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe
PID 1716 wrote to memory of 3816 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 3816 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 3816 N/A C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2332 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
PID 4568 wrote to memory of 2332 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
PID 4568 wrote to memory of 2332 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe
PID 4568 wrote to memory of 4680 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4680 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4680 N/A C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2092 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
PID 2332 wrote to memory of 2092 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
PID 2332 wrote to memory of 2092 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe
PID 2332 wrote to memory of 4476 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4476 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 4476 N/A C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 3836 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
PID 2092 wrote to memory of 3836 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
PID 2092 wrote to memory of 3836 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe
PID 2092 wrote to memory of 744 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 744 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 744 N/A C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 2452 N/A C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
PID 3836 wrote to memory of 2452 N/A C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
PID 3836 wrote to memory of 2452 N/A C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe
PID 3836 wrote to memory of 3336 N/A C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_3f7db079a3996bc0c8526cae4d6497fa_goldeneye.exe"

C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe

C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe

C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{402B7~1.EXE > nul

C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe

C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC539~1.EXE > nul

C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe

C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2538~1.EXE > nul

C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe

C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4877~1.EXE > nul

C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe

C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D15EA~1.EXE > nul

C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe

C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6111A~1.EXE > nul

C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe

C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B435~1.EXE > nul

C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe

C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC319~1.EXE > nul

C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe

C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC72~1.EXE > nul

C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe

C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC34~1.EXE > nul

C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe

C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85285~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\{402B78B7-13E2-4e1f-8484-2AB388AC4618}.exe

C:\Windows\{CC539198-109A-47dd-B4B2-05062F4E33BB}.exe

C:\Windows\{B2538BAE-C7FE-4b6c-B183-A0A0A515E977}.exe

C:\Windows\{D487729C-BA0A-41c7-8DBD-0B781DDACBD4}.exe

C:\Windows\{D15EA515-D7B7-4306-9E84-167A57BEFCEC}.exe

C:\Windows\{6111A5C8-C18E-4b18-93EB-CCB8509E2420}.exe

C:\Windows\{3B435D10-597F-41de-808F-737E03450630}.exe

C:\Windows\{AC319AB4-3585-4d24-A17A-29A4043B283D}.exe

C:\Windows\{1AC72429-0A28-44d9-9C93-AA345C7DA6EE}.exe

C:\Windows\{4AC34A98-C7E9-4e56-8D2A-5A5808C6F1B8}.exe

C:\Windows\{85285F8E-DFF3-4c8e-9D98-9A9FCE1924D8}.exe

C:\Windows\{344804A8-35F5-4360-9A01-9FD696AA0CBC}.exe
