Malware Analysis Report

2025-08-05 11:31

Sample ID 241111-pymmvaylfs
Target 2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye
SHA256 0a7fd7d4db8d19b08a916c56f7755c038326b81a36bd3d57c4820eab7290152e
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0a7fd7d4db8d19b08a916c56f7755c038326b81a36bd3d57c4820eab7290152e

Threat Level: Likely malicious

The file 2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye was found to be: Likely malicious.

Analyst summary of the two detonations below: the sample is a dropper that runs as a 32-bit process under WOW64 (its cmd.exe children run from C:\Windows\SysWOW64 and its registry writes land under Wow6432Node). Each stage writes a new executable named C:\Windows\{GUID}.exe (every dropped file has a different hash), registers that path as an Active Setup StubPath under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}, launches it, and then deletes its own image through a cmd.exe helper. The Windows 7 run produced 11 such stages; the Windows 10 run shows at least 12 before the report is cut off. Writing to C:\Windows and to HKLM requires administrative rights, which the sandbox user had. No network activity was recorded in the Windows 7 run, and the binary carries no code signature.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:44

Reported

2024-11-11 12:46

Platform

win7-20241023-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
How this works: at each interactive logon Windows walks HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (and, on 64-bit systems, the Wow6432Node view used here, which is processed as well); if the user has no HKCU copy of a component, or the HKCU copy carries an older Version, the component's StubPath command is run once for that user. Writing these keys requires administrative rights. The sample is a 32-bit process, so its writes are placed under Wow6432Node. Note that each stage registers the next stage's file, not its own, and every stage except the last deleted its image before any logon could occur (see the process list), so at the end of the run only the final entry, {CB2745CC-7A75-447e-A4E5-F15AB808A1ED}, still pointed at a file on disk.

Rows below are regrouped by stage in the order the chain executed. Target is N/A for every row, and every key is under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\.

Description | Indicator | Process
Key created | {28E24E8C-1DB2-486c-98AE-AAE03845AF0E} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
Set value (str) | {28E24E8C-1DB2-486c-98AE-AAE03845AF0E}\stubpath = "C:\\Windows\\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
Key created | {4219FC8E-0FA2-403c-975A-F031DE8B1850} | C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
Set value (str) | {4219FC8E-0FA2-403c-975A-F031DE8B1850}\stubpath = "C:\\Windows\\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe" | C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
Key created | {BA2630E3-38CA-408e-A710-8A58E6D4A609} | C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
Set value (str) | {BA2630E3-38CA-408e-A710-8A58E6D4A609}\stubpath = "C:\\Windows\\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe" | C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
Key created | {DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA} | C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
Set value (str) | {DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}\stubpath = "C:\\Windows\\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe" | C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
Key created | {9EFB9901-4DD5-48a9-96D7-9E14CAB9476F} | C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
Set value (str) | {9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}\stubpath = "C:\\Windows\\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe" | C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
Key created | {D44F4381-E16F-429d-954B-EFACD477F163} | C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
Set value (str) | {D44F4381-E16F-429d-954B-EFACD477F163}\stubpath = "C:\\Windows\\{D44F4381-E16F-429d-954B-EFACD477F163}.exe" | C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
Key created | {127A214D-EAAC-4c7f-9109-06196004527A} | C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
Set value (str) | {127A214D-EAAC-4c7f-9109-06196004527A}\stubpath = "C:\\Windows\\{127A214D-EAAC-4c7f-9109-06196004527A}.exe" | C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
Key created | {36F201B4-631C-4073-B395-51D2F8BE7B3C} | C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
Set value (str) | {36F201B4-631C-4073-B395-51D2F8BE7B3C}\stubpath = "C:\\Windows\\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe" | C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
Key created | {3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF} | C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
Set value (str) | {3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}\stubpath = "C:\\Windows\\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe" | C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
Key created | {D18BC6E1-3961-483f-9F7F-9EFC61EA6889} | C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe
Set value (str) | {D18BC6E1-3961-483f-9F7F-9EFC61EA6889}\stubpath = "C:\\Windows\\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe" | C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe
Key created | {CB2745CC-7A75-447e-A4E5-F15AB808A1ED} | C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe
Set value (str) | {CB2745CC-7A75-447e-A4E5-F15AB808A1ED}\stubpath = "C:\\Windows\\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe" | C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe

Deletes itself

The deletion is delegated to a cmd.exe child ("cmd.exe /c del <8.3 short name> > nul", see the process list), which is why the signature is attributed to cmd.exe rather than to the dropper; each stage deletes its own image after launching the next one, since a running executable cannot unlink itself. The 8.3 names in those command lines ({28E24~1.EXE and so on) are a usable command-line detection hook.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Writing directly into C:\Windows requires administrative rights; the run was performed as the Admin user, and the same applies to the HKLM Active Setup keys above. On a standard-user account these writes would be denied (or, for an unmanifested 32-bit binary under UAC virtualization, silently redirected into the user's VirtualStore), and the Active Setup entry would never be created under HKLM. Each row records a stage creating the next stage's file.

Description Indicator Process Target
File created C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe N/A
File created C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
File created C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe N/A
File created C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe N/A
File created C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe N/A
File created C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe N/A
File created C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe N/A
File created C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe N/A
File created C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe N/A
File created C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe N/A
File created C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe N/A

System Location Discovery: System Language Discovery

discovery
Every row is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language" with Target N/A; the 23 rows differ only in the opening process, listed here with counts. This key is read by ordinary Windows runtime code (the eleven cmd.exe deletion helpers read it too), so on its own it is a weak indicator; the report shows the key being opened, not the value being acted on.

Process | Events
C:\Windows\SysWOW64\cmd.exe | 11
C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe | 1
C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe | 1
C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe | 1
C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe | 1
C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe | 1
C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe | 1
C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe | 1
C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe | 1
C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe | 1
C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe | 1
C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe | 1
C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe | 1

Suspicious use of AdjustPrivilegeToken

SeIncBasePriorityPrivilege is the privilege required to raise a process's base scheduling priority; enabling it through AdjustTokenPrivileges is common in benign software and is a weak indicator by itself. Only the dropper stages (the original and the next ten) appear here, not the cmd.exe helpers.

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe N/A

Suspicious use of WriteProcessMemory

Every target below is either the next stage or a cmd.exe deletion helper, i.e. a process the writer itself launched; this is the pattern of a parent writing into a child it has just created, not injection into a foreign process. The report lists each writer/target pair four times; the count is given here instead. The table stops at the children of PID 1656, so stages from {36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe onward have no PID attribution in this report.

Description | Process | Target (Indicator is N/A for every row)
PID 2344 wrote to memory of 2368 (x4) | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe | C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
PID 2344 wrote to memory of 2564 (x4) | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2808 (x4) | C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe | C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
PID 2368 wrote to memory of 2884 (x4) | C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2820 (x4) | C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe | C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
PID 2808 wrote to memory of 2896 (x4) | C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2828 (x4) | C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe | C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
PID 2820 wrote to memory of 2660 (x4) | C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2204 (x4) | C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe | C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
PID 2828 wrote to memory of 2148 (x4) | C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1992 (x4) | C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe | C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
PID 2204 wrote to memory of 2728 (x4) | C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1656 (x4) | C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe | C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
PID 1992 wrote to memory of 2556 (x4) | C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 620 (x4) | C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe | C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
PID 1656 wrote to memory of 1172 (x4) | C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Reconstructed as a stage list from the process entries and the PID pairs in the WriteProcessMemory table above. Each stage launches the next stage and then a cmd.exe that deletes the stage's own image by its 8.3 short name. The cmd.exe command lines name C:\Windows\system32\cmd.exe, but the image that ran is C:\Windows\SysWOW64\cmd.exe: the droppers are 32-bit processes and WOW64 file-system redirection applies. Stage executables are started with their bare path as the command line; PIDs for the last stages are not given in the report.

Stage 0   PID 2344   C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"
          child PID 2564   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

Stage 1   PID 2368   C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe
          child PID 2884   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{28E24~1.EXE > nul

Stage 2   PID 2808   C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe
          child PID 2896   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4219F~1.EXE > nul

Stage 3   PID 2820   C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe
          child PID 2660   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA263~1.EXE > nul

Stage 4   PID 2828   C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe
          child PID 2148   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9DC~1.EXE > nul

Stage 5   PID 2204   C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe
          child PID 2728   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9EFB9~1.EXE > nul

Stage 6   PID 1992   C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe
          child PID 2556   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D44F4~1.EXE > nul

Stage 7   PID 1656   C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe
          child PID 1172   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{127A2~1.EXE > nul

Stage 8   PID 620    C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe
          child (PID not in report)   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{36F20~1.EXE > nul

Stage 9   (PID not in report)   C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe
          child (PID not in report)   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3FEBC~1.EXE > nul

Stage 10  (PID not in report)   C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe
          child (PID not in report)   C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D18BC~1.EXE > nul

Stage 11  (PID not in report)   C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe
          no child process recorded before the run ended
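As an added example for readers of this report (not part of the sandbox output), the script below parses the Active Setup stubpath rows and the cmd.exe /c del command lines from behavioral1, reconstructs the stage order, resolves the 8.3 short names in the del commands back to the dropped files, and reports which StubPath entries still point at a file on disk. The row text is copied verbatim from the tables above; the short-name resolution is a heuristic assumption (first six name characters plus "~1", no collision suffixes) rather than anything the report states, and a live investigation would confirm it against the file system.

```python
"""Reconstruct the dropper chain from Triage-style rows (added example, not sandbox output).

Input: the 11 "Set value (str) ... stubpath" rows and the 11 "cmd.exe /c del" command lines
from behavioral1, copied verbatim. Output: stage order, which images were deleted, and which
Active Setup StubPath entries still point at a file. The 8.3 short-name match is an
assumption (first 6 name characters + "~1"), not something the report states.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"

# Constructed input: rows copied from the report (Triage prints the REG_SZ value with doubled backslashes).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}\stubpath = "C:\\Windows\\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4219FC8E-0FA2-403c-975A-F031DE8B1850}\stubpath = "C:\\Windows\\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe" C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA2630E3-38CA-408e-A710-8A58E6D4A609}\stubpath = "C:\\Windows\\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe" C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}\stubpath = "C:\\Windows\\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe" C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}\stubpath = "C:\\Windows\\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe" C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44F4381-E16F-429d-954B-EFACD477F163}\stubpath = "C:\\Windows\\{D44F4381-E16F-429d-954B-EFACD477F163}.exe" C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{127A214D-EAAC-4c7f-9109-06196004527A}\stubpath = "C:\\Windows\\{127A214D-EAAC-4c7f-9109-06196004527A}.exe" C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F201B4-631C-4073-B395-51D2F8BE7B3C}\stubpath = "C:\\Windows\\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe" C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}\stubpath = "C:\\Windows\\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe" C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}\stubpath = "C:\\Windows\\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe" C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}\stubpath = "C:\\Windows\\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe" C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe N/A
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{28E24~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4219F~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{BA263~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9DC~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{9EFB9~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D44F4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{127A2~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{36F20~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3FEBC~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{D18BC~1.EXE > nul
"""

STUBPATH_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\SOFTWARE\\\S*Microsoft\\Active Setup'
    r'\\Installed Components\\\{[0-9A-Fa-f-]+\})\\stubpath = "(?P<value>[^"]+)" (?P<proc>\S+) N/A$'
)
DEL_RE = re.compile(r'cmd\.exe /c del (?P<target>\S+) > nul$', re.IGNORECASE)


def parse_rows(text):
    """Return ([(key, stubpath_target, writing_process)], [short_path_given_to_del])."""
    stubpaths, deletions = [], []
    for line in text.strip().splitlines():
        if m := STUBPATH_RE.match(line):
            stubpaths.append((m["key"], m["value"].replace("\\\\", "\\"), m["proc"]))
        elif m := DEL_RE.search(line):
            deletions.append(m["target"])
    return stubpaths, deletions


def build_chain(sample, stubpaths):
    """Stage order: process P registering StubPath X means P dropped and launched X."""
    next_stage = {}
    for _key, target, proc in stubpaths:
        if proc.lower() in next_stage:
            raise ValueError(f"{proc} registered two stubpaths; chain is not linear")
        next_stage[proc.lower()] = target
    chain = [sample]
    while chain[-1].lower() in next_stage:
        nxt = next_stage[chain[-1].lower()]
        if nxt.lower() in (p.lower() for p in chain):
            raise ValueError(f"cycle at {nxt}")
        chain.append(nxt)
    return chain


def matches_short_name(short_path, long_path):
    """Heuristic 8.3 match: NAME~1.EXT <-> long stem starting with NAME, same 3-char extension."""
    sdir, sname = ntpath.split(short_path)
    ldir, lname = ntpath.split(long_path)
    if sdir.lower() != ldir.lower():
        return False
    sstem, sext = ntpath.splitext(sname)
    lstem, lext = ntpath.splitext(lname)
    if "~" not in sstem:  # not a short name at all: exact match only
        return sname.lower() == lname.lower()
    prefix = sstem.split("~", 1)[0]
    return lstem[:len(prefix)].upper() == prefix.upper() and lext[:4].upper() == sext.upper()


def resolve_deletions(deletions, candidates):
    """Map each del target to exactly one known long path; None if unknown or ambiguous."""
    out = {}
    for short in deletions:
        hits = [p for p in candidates if matches_short_name(short, p)]
        out[short] = hits[0] if len(hits) == 1 else None
    return out


def analyze(text=REPORT_ROWS, sample=SAMPLE):
    stubpaths, deletions = parse_rows(text)
    chain = build_chain(sample, stubpaths)
    deleted = {p for p in resolve_deletions(deletions, chain).values() if p}
    return {"chain": chain, "stubpaths": stubpaths, "deleted": deleted,
            # target gone: registry residue, nothing runs at logon
            "dangling": [(k, t) for k, t, _ in stubpaths if t in deleted],
            # target still on disk: the entry that actually persists
            "live": [(k, t) for k, t, _ in stubpaths if t not in deleted]}


if __name__ == "__main__":
    r = analyze()
    for i, p in enumerate(r["chain"]):
        print(f"stage {i:2d}  {'deleted' if p in r['deleted'] else 'on disk'}  {p}")
    print(f"{len(r['dangling'])} dangling StubPath entries; live: {[t for _, t in r['live']]}")
```

Run as a script it lists the twelve stages (the submitted sample plus eleven drops), marks the first eleven as deleted, and leaves one live StubPath entry, {CB2745CC-7A75-447e-A4E5-F15AB808A1ED}. On a host the same logic applied to Sysmon registry value-set events (Event ID 13) and process-creation events (Event ID 1) narrows a long chain like this one down to the single Active Setup entry worth pulling.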

Network

N/A

Files

All eleven dropped files have different hashes, so no single file hash covers the chain; the stable indicators are the C:\Windows\{GUID}.exe naming, the Active Setup keys above and the 8.3-name del commands in the process list.

C:\Windows\{28E24E8C-1DB2-486c-98AE-AAE03845AF0E}.exe

MD5 0f1fd8e96e2092f63f7c0c5bf4031146
SHA1 2c5866bb594734ca6ba1108b5be18fa4c20a383f
SHA256 b5ea92793230d457ff383bfb23c35d168ddd080b207bd04bfb0fb981868a8180
SHA512 021e6dfe1531918484414bab2273e8e8c1349ed093a0214d8fc176cb49f5d7e4dbf80542cca22f7af4c2ed8f5e8d401de2aa4fd06e1922b059be3055de7a7e2d

C:\Windows\{4219FC8E-0FA2-403c-975A-F031DE8B1850}.exe

MD5 9c8f120f112088d2c4bee6d8a13a0b88
SHA1 6b1f7b771e8c9324d23dcaebc1c381c3f895ff2e
SHA256 55bf4d30b76aeca2d5c02805fb0249a1c244f075ba48f3ae132ade1e2a89bed2
SHA512 0f95cc7086289a6cf697c38bc664fb1b99b5abe37ccad7a12506a45d957cdab59de2346775bd5de756d2adea0bf4ed3eec8b2e4a1dd23de7ae9b58f85940220f

C:\Windows\{BA2630E3-38CA-408e-A710-8A58E6D4A609}.exe

MD5 613283e55c518e4f22a995a0e3160368
SHA1 398db62de7d7189f494aecc581274c2a0218e5cd
SHA256 c7a3debc68b8eebe8d64f93cc9c4fd73545bc56a86116d7ec619ae6bf9a3c28d
SHA512 48c169db66c2cb66792bc5d0b56ec1d6c42557d08f5a81e6e14b228fb7428d60ef94c3dbf3249360a51bb8add7b49a4375a0a80e5593400ae5e1ffbf984b368e

C:\Windows\{DF9DC7CB-97E6-4ad3-8CF2-42B33511E0CA}.exe

MD5 34f54cfc4fc52b7a31c248d25a16b729
SHA1 e7a31aeeb4afb90ca5f9c285420fb1734a2f8d75
SHA256 472004f75d9de4a090e405c83dbbd2d34fedf17326b82590cf2fd72c0869831a
SHA512 c28683e905c7bb5dfe123ad987f885cb4d30be0aaf20e1704540f652de94e5110ba2ea553a8263f4d21084aea009bd3e3fab41108c4d4a0a0463783113adf3f8

C:\Windows\{9EFB9901-4DD5-48a9-96D7-9E14CAB9476F}.exe

MD5 2b93e28ea5fe463c17af243fdf1b9204
SHA1 d1dfaaf8da3377b515c5a6fc74994aa96ae1b194
SHA256 f8f83bb47bfb64982b95eb77f91ef566a45f2695b887c459d6c7cdd20643f397
SHA512 c47038b74b4be1e3619e2058c06c7f7b59783e56a5284c97548f70999642fcc9e12705a17a3696d15bcb7e579bd1d76e14cb35f31c0e5c528452ff8edafd81d2

C:\Windows\{D44F4381-E16F-429d-954B-EFACD477F163}.exe

MD5 7eea045f8a8b21bb2fa0536d94fddb08
SHA1 94c1fa5e779cc2572702fa899941344a54417cca
SHA256 f9b9bd7b6ea886f5e5b0d94c332210af29948a61f47cc9e215cd3fd2cd40763c
SHA512 315d38b2c65a9efef8185f7f78c0723c2f4205e77c78599052f9fe59ce6f8b838b80b1dc99a603c9ce613a97f5ffb45deb9ed4d6a41b85517cd5c646336d50ec

C:\Windows\{127A214D-EAAC-4c7f-9109-06196004527A}.exe

MD5 02e84f0f2c5567fe72695c78675379f3
SHA1 d0759e4a4024766e570460f0c2820141bfcdb3d5
SHA256 ee80558a2f451730d0c93fcc166b31c56ef4f0a85246545c4e02e61eacc56031
SHA512 2cb554f378c8c1c86c8ed5d790a6927230e8cf7d618f2eb2bca2a0602c4b86b2578fc6d7ed9ca6cf392cf8b630206ca5ef93a083dc6902e2e76be66fbd4ec26e

C:\Windows\{36F201B4-631C-4073-B395-51D2F8BE7B3C}.exe

MD5 dc5179fa1a205991bd615e9427e8ca70
SHA1 135380e755dd8d4e259336581bd19f0e773e8546
SHA256 f029c65db2ec9c9a6d37314926f683936ec73eea151d675e5da6b6d73977c984
SHA512 89b5bcfe00792ccac44a39c917a062f9a26ca9e00d50bd25a4daf01b533a1477cd6722f06971e66b85321c5960a39c292593d816e192bf5b1b7ae7be5c06af42

C:\Windows\{3FEBC73D-3E06-4644-BCC2-10FEA06DB8AF}.exe

MD5 1f55822d91b8326711e60677228e2a56
SHA1 8d7984c83705dee346d89025e9896e33a79ae413
SHA256 fae440155b3d739574c153d51d8390278856b17945396faf2212add26ae7f634
SHA512 aa92baa8c47f1f494479e6c14bddc97e26c9a2cfcf46afc621f377df7b6f3fdba0a9bbd9068cdd74f4309c7b1a3ac3a3e480657143c6238141719cf4bee8e82b

C:\Windows\{D18BC6E1-3961-483f-9F7F-9EFC61EA6889}.exe

MD5 e60ec8414268feeb9dc4b4262faf8c1d
SHA1 5df145633a45f99ff60a1b268e7412bfd538e404
SHA256 64d364a240f03405c3161b8ab632f5135904eacbe8700de098178a39d50933d3
SHA512 8dd1ab4cf8703eec0bf01b7ce958c89978767e51e389c70493afe87b07f4a5776eea64502fb6a9dd11bcd4a795bcf101ab54cec32787d22a2291899e23643fe1

C:\Windows\{CB2745CC-7A75-447e-A4E5-F15AB808A1ED}.exe

MD5 b5044def7b7185604f8b14badeba610b
SHA1 46dbcb886df117f46ddacb2a8acc3e4125b4a216
SHA256 99505938388336d8dcd1140e7c18a5270f0b34bc804d6d6766ed269a58b9ea46
SHA512 8693aa1ab4efa22307a73d323294b9815b0ac4a19adb409340a4d503c275c01ac8857eec4765e98fd10fcd844b17fb18ea40b7bcbe879cfa11cd90b99c73fa7a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:44

Reported

2024-11-11 12:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Same mechanism as in behavioral1 (a StubPath under HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} is run once per user at logon); on this Windows 10 run the chain reached twelve registered stages before the report is cut off. Rows are regrouped by stage in execution order. Target is N/A for every row, and every key is under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\.

Description | Indicator | Process
Key created | {D6422C7E-D845-4f29-9B77-7C3036E91134} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
Set value (str) | {D6422C7E-D845-4f29-9B77-7C3036E91134}\stubpath = "C:\\Windows\\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe
Key created | {BDEF0400-A825-4c50-8301-2DF83E4E77B0} | C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
Set value (str) | {BDEF0400-A825-4c50-8301-2DF83E4E77B0}\stubpath = "C:\\Windows\\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe" | C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
Key created | {26ACEAA3-9330-43ab-A19E-A413363C1C38} | C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
Set value (str) | {26ACEAA3-9330-43ab-A19E-A413363C1C38}\stubpath = "C:\\Windows\\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe" | C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
Key created | {215B48D5-70A1-4445-97B8-A9D82CCD6612} | C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
Set value (str) | {215B48D5-70A1-4445-97B8-A9D82CCD6612}\stubpath = "C:\\Windows\\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe" | C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
Key created | {B4D6325A-1C26-4b1a-A702-47F21348F87C} | C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
Set value (str) | {B4D6325A-1C26-4b1a-A702-47F21348F87C}\stubpath = "C:\\Windows\\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe" | C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
Key created | {5A75B699-D789-4bcf-AFC8-0D4196ECD069} | C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
Set value (str) | {5A75B699-D789-4bcf-AFC8-0D4196ECD069}\stubpath = "C:\\Windows\\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe" | C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
Key created | {3026C878-2D0F-497b-87CB-3142AEB1075C} | C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
Set value (str) | {3026C878-2D0F-497b-87CB-3142AEB1075C}\stubpath = "C:\\Windows\\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe" | C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
Key created | {8A8D3353-D033-4e4b-95FF-9379B77007A9} | C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
Set value (str) | {8A8D3353-D033-4e4b-95FF-9379B77007A9}\stubpath = "C:\\Windows\\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe" | C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
Key created | {41FBE632-405C-4eda-9BF6-C1D1EFACBF1B} | C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
Set value (str) | {41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}\stubpath = "C:\\Windows\\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe" | C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
Key created | {CC0059C2-18CB-4f30-B09F-EA16B0C70C4F} | C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
Set value (str) | {CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}\stubpath = "C:\\Windows\\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe" | C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
Key created | {6AA52106-E65D-41ba-B581-4C74B1F1A120} | C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
Set value (str) | {6AA52106-E65D-41ba-B581-4C74B1F1A120}\stubpath = "C:\\Windows\\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe" | C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
Key created | {38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2} | C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
Set value (str) | {38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}\stubpath = "C:\\Windows\\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe" | C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe N/A
File created C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe N/A
File created C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe N/A
File created C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe N/A
File created C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe N/A
File created C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe N/A
File created C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe N/A
File created C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
File created C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe N/A
File created C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe N/A
File created C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe N/A
File created C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
PID 924 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
PID 924 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe
PID 924 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 3204 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
PID 920 wrote to memory of 3204 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
PID 920 wrote to memory of 3204 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe
PID 920 wrote to memory of 1740 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1740 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1740 N/A C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3296 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
PID 3204 wrote to memory of 3296 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
PID 3204 wrote to memory of 3296 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe
PID 3204 wrote to memory of 3660 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3660 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3660 N/A C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 396 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
PID 3296 wrote to memory of 396 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
PID 3296 wrote to memory of 396 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe
PID 3296 wrote to memory of 2724 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 2724 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 2724 N/A C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 5056 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
PID 396 wrote to memory of 5056 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
PID 396 wrote to memory of 5056 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe
PID 396 wrote to memory of 3156 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3156 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3156 N/A C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4404 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
PID 5056 wrote to memory of 4404 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
PID 5056 wrote to memory of 4404 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe
PID 5056 wrote to memory of 4384 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4384 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4384 N/A C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 3536 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
PID 4404 wrote to memory of 3536 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
PID 4404 wrote to memory of 3536 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe
PID 4404 wrote to memory of 3188 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 3188 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 3188 N/A C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4124 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
PID 3536 wrote to memory of 4124 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
PID 3536 wrote to memory of 4124 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe
PID 3536 wrote to memory of 1416 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 1416 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 1416 N/A C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2448 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
PID 4124 wrote to memory of 2448 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
PID 4124 wrote to memory of 2448 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe
PID 4124 wrote to memory of 2908 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2908 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 2908 N/A C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4304 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
PID 2448 wrote to memory of 4304 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
PID 2448 wrote to memory of 4304 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe
PID 2448 wrote to memory of 4988 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4988 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4988 N/A C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3096 N/A C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
PID 4304 wrote to memory of 3096 N/A C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
PID 4304 wrote to memory of 3096 N/A C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe
PID 4304 wrote to memory of 4760 N/A C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9664f913b60ac3ddebaf133e19dfce2_goldeneye.exe"

C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe

C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe

C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D6422~1.EXE > nul

C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe

C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BDEF0~1.EXE > nul

C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe

C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{26ACE~1.EXE > nul

C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe

C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{215B4~1.EXE > nul

C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe

C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D63~1.EXE > nul

C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe

C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5A75B~1.EXE > nul

C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe

C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3026C~1.EXE > nul

C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe

C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8A8D3~1.EXE > nul

C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe

C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41FBE~1.EXE > nul

C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe

C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC005~1.EXE > nul

C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe

C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6AA52~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\{D6422C7E-D845-4f29-9B77-7C3036E91134}.exe

MD5 7833043a824129cb07e340e7a591a954
SHA1 ed49e276dd71c171f450ab0a0084cfe8e679169d
SHA256 19372ae4508929ba9c1775274c9b8e122bd16990d8cb1d7b30c5874007d2cf35
SHA512 b0eae4bbee12d4dd7c4805d7e80c38f37ff1851df6964df1260172d978001764843e99b424e2b6a4cdd6879db880f71ab3f985d2c3e384634db4af1e52998fbf

C:\Windows\{BDEF0400-A825-4c50-8301-2DF83E4E77B0}.exe

MD5 cd163e89db4ef581075dd5974b086b40
SHA1 3de79d0c70f0e83c97ceb3e05ac7eba1c5d657ca
SHA256 b9d251771392426cf8e817a519ccd4b1d06448725777bdc87405266195b54d86
SHA512 cb591ecff79f4e029d4a55ddbdd2daf3ee5ca321e25c724d57db2402e005f0818a0827f610f3f5cc72cdbba44d02a4f3cc67b138b837cefb44218c8cbbf76196

C:\Windows\{26ACEAA3-9330-43ab-A19E-A413363C1C38}.exe

MD5 dd1a9a951404d652ae548b85c58de3d2
SHA1 abbb06f11fc22e7fb0bbec65bc4a0fe0cb875087
SHA256 449386cfeee787acd83f7f7dd54e35a5b4cfe0e44950f3945d1680cff05b8b27
SHA512 781fe157d389740951687e259a0093b9df9d9e13aedd5e6eb06ad220fbb988e94ce6ffaca245290a9b77488ac12be4931ed7d173ad565595cd6676089842f57b

C:\Windows\{215B48D5-70A1-4445-97B8-A9D82CCD6612}.exe

MD5 aa0253988390563036f51660b2987566
SHA1 9a45dd405ebafc76e7dbb0a7fd6b71914780cbb1
SHA256 51051a8331fd1b35162a274ef49edf8d6da3a23afa4913641845f32a20e482bf
SHA512 9bb72b45f2070bf778993a30bd9e0a7f372ec97d32b3e5eeb3f1a6f6ebf7b63cdec6929f23128b26d3aca47d8a0f4b42ee11340bf585f7e40e7fa735e04facc0

C:\Windows\{B4D6325A-1C26-4b1a-A702-47F21348F87C}.exe

MD5 372032475bc6c857abbbaf93c56189ba
SHA1 c82e53769bf9647dfabbbc3954cd22d72f42162c
SHA256 482dc341f8e80256b2f1e86537ca9b2708fe865b8a7308259cc3be308e4e9ca4
SHA512 b823479c0e2891fdbb44634ae8870ef207e3d3e9158dfd0c27c5369901ae84e9afb076fbe9d4e3c873c1025610ef06f97ccc1af459e4c21f5e9681b15a13e188

C:\Windows\{5A75B699-D789-4bcf-AFC8-0D4196ECD069}.exe

MD5 ffd95fabd5d0237124a7e7ed8bfadc7f
SHA1 e3f8987bebd81aeb0c06256d0cf3d8eb8e7d0926
SHA256 dacfd0fea71c33e1bbcb160a8d35ad6ec49fc74465da427b9161adc098d9d0c4
SHA512 19705a69b608027bcfa630a01574b4bea82b48292172c8c688358c14b4dd91b2ce635f304337c68aa3fbd0696048f018a07031505fe2e4ef1ce1ed4d01db0532

C:\Windows\{3026C878-2D0F-497b-87CB-3142AEB1075C}.exe

MD5 e6279add8029e545a224787c64089917
SHA1 6ae87dccbd53896311fad2a5a64c0371a53be286
SHA256 7afc43342a191dab7ea08996dcc087f316aeaa70a3e1df756423fd6f7feceec3
SHA512 b078b1723e4b8017f5f4eb1e73a33ef9a17187204ce56dc053e7584572c70133045cfbc868ad4bdbf2feb528d756a5da2e3aa21c254113fe493707fa75e6f758

C:\Windows\{8A8D3353-D033-4e4b-95FF-9379B77007A9}.exe

MD5 624f14411bba992b71e3c84e5ea60af2
SHA1 f7e713e41e07889d91629b22df17453071fbe530
SHA256 dc544b9a48e8b81e37e87ad98ca414b146ce7134a267c61800b49e6f3c8ac643
SHA512 ddea9211551596b6c3f79d3b6508e58b54ea3b17b3a57b622f95f7060040df936bf9f92070775ab7632618957ec3eab6ccd42c53cd2569da76fe3b820d05c144

C:\Windows\{41FBE632-405C-4eda-9BF6-C1D1EFACBF1B}.exe

MD5 1aa49f5e250a984f6dbc135dc1193696
SHA1 401731eff5b7ef26a0932e7678f35f3e72d278b2
SHA256 180f0072932f89135ea4bd33bf5363e2bbef7bf6d93d4e1b36b95f478a4a1911
SHA512 59612fb8b6d09afe6dd2c1580eb7cedd3de401e8cd2da8862a448bcce5d4b2b5c8bc858036fd2ae62847dd8394477145a232685e4e6f1a9f5b52a5c570757140

C:\Windows\{CC0059C2-18CB-4f30-B09F-EA16B0C70C4F}.exe

MD5 2ab1f6baf2752cedfda677125fb69fb6
SHA1 9c8c217277a1c8693311292ca041705b107b00f7
SHA256 0fb4632e115fac44dfe689004e580e487b8358b0e435355a236211c8cd0ddb6e
SHA512 da0e52847e44ee74ca5ec4feb72d93673d69fa5cb0a1ecea2b05b1514b38442da5ece4bf2cb7168731f7c1acee9497f2396bb21375c4876570d374d622395425

C:\Windows\{6AA52106-E65D-41ba-B581-4C74B1F1A120}.exe

MD5 d15543d3f0bd7844ac4bf2b0cf60409b
SHA1 b9e7568c323a899a48f2619666aa94857b98aa0f
SHA256 709d3345f6f232611404cc5ee94ce47cb79cf752fbb820d8cdc08531092aad95
SHA512 a36ff727a68d570e5472be6e5f6f06aad8c8e7016509b586aab30aa059e48457a0bc16e628e489d5df9ee4f5557b028d7252d2f52325e103c3efbc8245d5e1ff

C:\Windows\{38ACD593-6666-4dd8-8B86-2B4FDD9BD6E2}.exe

MD5 f272cbf1a312ad960abb0d154056c7a3
SHA1 1fc2aa8e5620d838c39a8b73e90b208e926888a2
SHA256 8cf579524fe947feb7dacbe6b7f39d317df1800354da86cbe3e99341c41347c4
SHA512 4a1a6fd24b16f5f8e4765ef07b169a47d777987003161d0b00831340073d758ada9c64cd6c095e6a1d443bdc560cd95a2a3f7f54c495cbda32f189f325ee5d95