Malware Analysis Report

2025-08-05 11:30

Sample ID 241111-pyvcpazcqa
Target 2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye
SHA256 c41a94fcd55fecbb3c558e9dcaa69db7e8d82475dd37653d51d36e5dce859ebb
Tags discovery persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 c41a94fcd55fecbb3c558e9dcaa69db7e8d82475dd37653d51d36e5dce859ebb

Threat Level: Likely malicious

The file 2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:44

Reported

2024-11-11 12:47

Platform

win7-20240903-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2859455D-28FF-421d-9927-C30BCA4DE292} | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2859455D-28FF-421d-9927-C30BCA4DE292}\stubpath = "C:\\Windows\\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe" | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9051735-DE32-40f4-8D47-BB83102B6CF5}\stubpath = "C:\\Windows\\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe" | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63040175-D15B-4d3f-BFFE-50CB1455D068}\stubpath = "C:\\Windows\\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe" | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}\stubpath = "C:\\Windows\\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe" | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB46A62-85CB-4726-B059-3A56EF104DA5} | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63040175-D15B-4d3f-BFFE-50CB1455D068} | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB46A62-85CB-4726-B059-3A56EF104DA5}\stubpath = "C:\\Windows\\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe" | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}\stubpath = "C:\\Windows\\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe" | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9051735-DE32-40f4-8D47-BB83102B6CF5} | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6034D52-3871-4e8f-BC37-86CACDDC27E1} | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}\stubpath = "C:\\Windows\\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe" | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739100CD-99E8-4c1a-BD13-BB725914A8E5} | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240573A9-2182-40e3-AF2F-B4100EE1B230}\stubpath = "C:\\Windows\\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe" | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}\stubpath = "C:\\Windows\\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16} | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0} | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240573A9-2182-40e3-AF2F-B4100EE1B230} | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A} | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}\stubpath = "C:\\Windows\\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe" | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739100CD-99E8-4c1a-BD13-BB725914A8E5}\stubpath = "C:\\Windows\\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe" | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A
File created | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A
File created | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
File created | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A
File created | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A
File created | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A
File created | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A
File created | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A
File created | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A
File created | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A
File created | C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2260 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
PID 2260 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
PID 2260 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
PID 2260 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe
PID 2260 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2296 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
PID 3020 wrote to memory of 2296 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
PID 3020 wrote to memory of 2296 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
PID 3020 wrote to memory of 2296 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe
PID 3020 wrote to memory of 2728 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2728 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2728 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2728 | N/A | C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2712 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
PID 2296 wrote to memory of 2712 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
PID 2296 wrote to memory of 2712 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
PID 2296 wrote to memory of 2712 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe
PID 2296 wrote to memory of 2588 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2588 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2588 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2588 | N/A | C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2880 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
PID 2712 wrote to memory of 2880 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
PID 2712 wrote to memory of 2880 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
PID 2712 wrote to memory of 2880 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe
PID 2712 wrote to memory of 2760 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2760 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2760 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2760 | N/A | C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
PID 2880 wrote to memory of 2652 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
PID 2880 wrote to memory of 2652 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
PID 2880 wrote to memory of 2652 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe
PID 2880 wrote to memory of 3040 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 3040 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 3040 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 3040 | N/A | C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2024 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
PID 2652 wrote to memory of 2024 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
PID 2652 wrote to memory of 2024 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
PID 2652 wrote to memory of 2024 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe
PID 2652 wrote to memory of 1160 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1160 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1160 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1160 | N/A | C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1560 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
PID 2024 wrote to memory of 1560 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
PID 2024 wrote to memory of 1560 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
PID 2024 wrote to memory of 1560 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe
PID 2024 wrote to memory of 2124 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2124 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2124 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2124 | N/A | C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 2368 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
PID 1560 wrote to memory of 2368 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
PID 1560 wrote to memory of 2368 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
PID 1560 wrote to memory of 2368 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe
PID 1560 wrote to memory of 840 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 840 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 840 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 840 | N/A | C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"

C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe

C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe

C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36F5B~1.EXE > nul

C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe

C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFC9~1.EXE > nul

C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe

C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB46~1.EXE > nul

C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe

C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0919E~1.EXE > nul

C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe

C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28594~1.EXE > nul

C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe

C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6034~1.EXE > nul

C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe

C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AB04C~1.EXE > nul

C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe

C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E9051~1.EXE > nul

C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe

C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{73910~1.EXE > nul

C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe

C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{24057~1.EXE > nul

Network

N/A

Files

C:\Windows\{36F5B0A9-2CFB-4687-9552-C7E8E1D576FF}.exe

MD5 105102fcc1f91f1e0464ab5d73831240
SHA1 ad4e72dfe03310da82cb03f15e07caa9092f9026
SHA256 cb159df8db98cb5e8d80a19ec69518b4c2d3248e2621f6aa6b3a35e87b1b07c6
SHA512 07ab76a9c335e26a0b68dfc63b6cbf2f2dbaeafc8b08275ca7fe9bad1b98eb265a74eaceb2d52c18ae65e680d2db65a6bb9c0482c7c715719bcb129b94664932

C:\Windows\{9DFC94EE-6CC6-4121-A2DD-EDE405B09F16}.exe

MD5 05af0b39ce57b85866b27e0982f9eaf8
SHA1 501967b479dfd5ccb6727a9497bbaf5e42b531db
SHA256 9a2186aa39e5b11ca4cfde0570ee47bd7ff1f95b24e11c77442e710dd4be6ec1
SHA512 d559063ae92106ff8711f5e001dea132a8ce8cb1ee1e20d969bbd6134cc899f9e6659cdf214934c4bbc31eae6de52022cfe488ee467af44cb6337338b30e52a9

C:\Windows\{4FB46A62-85CB-4726-B059-3A56EF104DA5}.exe

MD5 20e096e2f50b58fa5a19ee2e30a1b9f3
SHA1 b1ba1ed242a0994801685baec4b69d9bd6a4c747
SHA256 5f213d74cb748e0e3dc6476f2b7b79d6b49db0319575d2ee5e1d87e3eedb1b12
SHA512 4607675f1890b983a395d61d0741185e650feb5bad4c2a4fadce603236cc1a2c3167966ec49c32ab0a09c2e781a2807a6de6955a65de34390b7171d906c6f94a

C:\Windows\{0919E7EB-F21C-4f18-9826-DCF9F7B99FA0}.exe

MD5 28415c048f472e2b56c1b80eb499da8e
SHA1 1129c68094f4f98cfab479c08fec1861d48edd8a
SHA256 7d62274a1f66eed6a4ec24a46785ad3abe194a1183facef3d6d074f4e7d4a5d4
SHA512 f373cf9ee65b0bf89d52717495bd1473841f8c67e25619e66b483aa6a2ee195c825e2b07a35b8e3cd87d1b3cae071cc377aaa4ea8f2c7116ba26b923a43905e5

C:\Windows\{2859455D-28FF-421d-9927-C30BCA4DE292}.exe

MD5 c87a83dadb776c1f116f4e5c58c2b715
SHA1 0ea2c88e0e2f3fcd0223ee97a5e08d2b8d9bd52b
SHA256 0b09570a651f939e61a70cc2717d7c3437b9a5c1caea6fd2b02e9371a06ad828
SHA512 5913c9d91b387302011baac68c699edf243394c2aeff7f438da20e229720d0b2e7bef66362100172bfb336cc97c4ab3c43e3aa1618efb8d36a7dd635a630703d

C:\Windows\{F6034D52-3871-4e8f-BC37-86CACDDC27E1}.exe

MD5 b57455f4a77c524d2b52851d54845d28
SHA1 64ff393f53b5238bfe6adeb8ce5ba97035f78515
SHA256 7e976ef97568eac84bf9ebac5eb0ac186a8aeaccc79645df7e35739de59ce547
SHA512 636bb020719084283307be4161fa1b25a853c41d9f15d67fb9c2592f0a1ee160d744597d50c9d1b3cb4464fad1a783bff6565b25e0570492c13e6412149bff69

C:\Windows\{AB04C9B0-E68D-41f7-A0D3-2685E652AC7A}.exe

MD5 b99f2eab8d4972b2cdf4170790c17126
SHA1 e737ca8062a7e85d6d801067447b7caf11d55057
SHA256 ca1c0838563861ad4ceb2448e3a301deeca33b011148f8f7db9f8c026eecb4d0
SHA512 ba69a49653efae050ab9d4842de735728114ca3e3c354adcc2aba781549b7b1d788d9060a0de28e1efaaa5a694ed04d61271ccc32bc72de56e9cead2ef1cafab

C:\Windows\{E9051735-DE32-40f4-8D47-BB83102B6CF5}.exe

MD5 5a5ad383ca91ec2b0db5e591ba7c3edb
SHA1 6dcf6aaf0d59d9b2db7f4250e8c1a276f3b8bd2a
SHA256 a7b5f180a1dac13dc40ad3f8d5967d2dcd03333625096015ab19ebd61aef1861
SHA512 9e0bda4b9c08bfd802f341832978dba6249c9f5411d531d52e85bece15a8fdf473bc36332a429b9303dabb99fd940ba800b1b2386676d8224c218e0c5489454a

C:\Windows\{739100CD-99E8-4c1a-BD13-BB725914A8E5}.exe

MD5 6a7cbe89b75dd42ddf8256d0906c10c4
SHA1 160ab0e20fe75808687e1ad955ea0ae54503dbd4
SHA256 96f157635f1895cd84177ea672fd91caa97e7f8c49131b96a7496df29c1c0429
SHA512 f4d7398c8017a1686c57d5d132ff1c201568968272841218dfcb5294b3cc55122f4aaf097756f3ab96f3e23e34b4a826b067b0b00443e25c23e50607922b8192

C:\Windows\{240573A9-2182-40e3-AF2F-B4100EE1B230}.exe

MD5 a9c71135e934d4f24d8293fbf272f963
SHA1 a3647ee9a57713e08d0cc97afad039c83b8e8073
SHA256 f2b691c45a2b9b53689c5efa5de584c929bdbbafa7faaf42813d81fe5acfd920
SHA512 d54d5b564c15379dc412a7031c2def9ddcaefea63af7670247951bea839aac14d66a2add5397021e38842c1c1282f929c184dba41dd9080a26c923ed823623e6

C:\Windows\{63040175-D15B-4d3f-BFFE-50CB1455D068}.exe

MD5 50b66c31b42a75aadbf3ab6fa6bb27e5
SHA1 425019f3375c705ee958b59d2078db60941ec27b
SHA256 95b9c60ec32404123202749199b50724d51127db38340f717bbe7bcd80a5577f
SHA512 740206d1c0e127645f82c51c48d70723a7e27c70d05e5563d1ddf403f2c1d50458231aee0ac0736fa9677f2a08837f55128072995c2f7f77a67e70a89e00dc4c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:44

Reported

2024-11-11 12:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}\stubpath = "C:\\Windows\\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe" | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF} | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}\stubpath = "C:\\Windows\\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe" | C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C028EB-5439-474d-9450-52A69AB4D710}\stubpath = "C:\\Windows\\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe" | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1600B7-678F-4133-92D3-F60615B92B5B} | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}\stubpath = "C:\\Windows\\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe" | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58463E48-89AC-4904-BE45-E3E3912E8E84}\stubpath = "C:\\Windows\\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe" | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC061E6D-8FD3-42af-9547-AFACB1A6F840} | C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}\stubpath = "C:\\Windows\\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe" | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3718F11-EEF4-4ac2-9958-A50383FEF543} | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21} | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1600B7-678F-4133-92D3-F60615B92B5B}\stubpath = "C:\\Windows\\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe" | C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58463E48-89AC-4904-BE45-E3E3912E8E84} | C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C028EB-5439-474d-9450-52A69AB4D710} | C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}\stubpath = "C:\\Windows\\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe" | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0} | C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3718F11-EEF4-4ac2-9958-A50383FEF543}\stubpath = "C:\\Windows\\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe" | C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9174A466-2CD1-4ef6-81EC-434E5748015D} | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9174A466-2CD1-4ef6-81EC-434E5748015D}\stubpath = "C:\\Windows\\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe" | C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49689193-4991-4d07-A803-D6E303D6081D} | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}\stubpath = "C:\\Windows\\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D} | C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD} | C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49689193-4991-4d07-A803-D6E303D6081D}\stubpath = "C:\\Windows\\{49689193-4991-4d07-A803-D6E303D6081D}.exe" | C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe N/A
File created C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe N/A
File created C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe N/A
File created C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe N/A
File created C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe N/A
File created C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe N/A
File created C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe N/A
File created C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe N/A
File created C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe N/A
File created C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe N/A
File created C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe N/A
File created C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
PID 812 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
PID 812 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe
PID 812 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1824 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
PID 2900 wrote to memory of 1824 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
PID 2900 wrote to memory of 1824 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe
PID 2900 wrote to memory of 624 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 624 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 624 N/A C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 3352 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
PID 1824 wrote to memory of 3352 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
PID 1824 wrote to memory of 3352 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe
PID 1824 wrote to memory of 1036 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 1036 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 1036 N/A C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 4716 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
PID 3352 wrote to memory of 4716 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
PID 3352 wrote to memory of 4716 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe
PID 3352 wrote to memory of 2704 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 2704 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 2704 N/A C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 2756 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
PID 4716 wrote to memory of 2756 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
PID 4716 wrote to memory of 2756 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe
PID 4716 wrote to memory of 4384 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 4384 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 4384 N/A C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4440 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
PID 2756 wrote to memory of 4440 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
PID 2756 wrote to memory of 4440 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe
PID 2756 wrote to memory of 5060 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5060 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5060 N/A C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 456 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
PID 4440 wrote to memory of 456 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
PID 4440 wrote to memory of 456 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe
PID 4440 wrote to memory of 3444 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3444 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3444 N/A C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 4428 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
PID 456 wrote to memory of 4428 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
PID 456 wrote to memory of 4428 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe
PID 456 wrote to memory of 1132 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 1132 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 1132 N/A C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4056 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
PID 4428 wrote to memory of 4056 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
PID 4428 wrote to memory of 4056 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe
PID 4428 wrote to memory of 3132 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 3132 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 3132 N/A C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 4636 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
PID 4056 wrote to memory of 4636 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
PID 4056 wrote to memory of 4636 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe
PID 4056 wrote to memory of 1600 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1600 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1600 N/A C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 1592 N/A C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
PID 4636 wrote to memory of 1592 N/A C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
PID 4636 wrote to memory of 1592 N/A C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe
PID 4636 wrote to memory of 4124 N/A C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-11_a9814e9f37ce3de7fc5003d08703a386_goldeneye.exe"

C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe

C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe

C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC48~1.EXE > nul

C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe

C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C02~1.EXE > nul

C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe

C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9604E~1.EXE > nul

C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe

C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F160~1.EXE > nul

C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe

C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58463~1.EXE > nul

C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe

C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3868~1.EXE > nul

C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe

C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC061~1.EXE > nul

C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe

C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A9F14~1.EXE > nul

C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe

C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B0A~1.EXE > nul

C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe

C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A3718~1.EXE > nul

C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe

C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9174A~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\{BCC48AF3-CBD8-4e12-89B7-F7AFA213AC21}.exe

MD5 d7ea58dffaf6983cdded39b53a10b21c
SHA1 6d33d59a6975028d05836d2d1405f725d34f52d4
SHA256 00e95111e1be0206e618d252fd983dfcd5a62fd71d978aa8aa1d1e0e2c598b46
SHA512 c20a96cb5a79a10ed603839dc6172f0fd27b8aa4477ca6325bf9176f69e0a02e63b8eab452b210cacc4151764858e371a5259b6fd62034fe451e14f3b8fbb17d

C:\Windows\{A5C028EB-5439-474d-9450-52A69AB4D710}.exe

MD5 a80882a152514bd3df5f7173546096f3
SHA1 bc4d39b35e29e6285d973a2667b374cdd345c112
SHA256 5e221ab29cc19648c224d16745c0f91fc4a48bd04e63fd8c0c39f17b35653b5a
SHA512 e76c0d4cd6bea4d25bdc4ca857b77a9b46c4070e316bba388dbe16a94b57e352110ead7e957cd17a6e8782cea16636cc3d22f0b13f7bc71be522dd27de93684c

C:\Windows\{9604E04F-4C02-412a-B09C-8D46AFD4CE0D}.exe

MD5 067cfe6bd38a04df0cc1e4030e28b4ac
SHA1 303051b5d428afb08e8bd0c9941edded78c87f3b
SHA256 22d0788cd1a888a41ed66b74b3d1afaa8bd8ead921f08086b11643db7d82be44
SHA512 2dd4fda627a8b9ee305394c1f8e61141ecf77b7711b57cb5f8ccc7841fe859cbe9d3634fa295bd2cb56596049311e02ecc497cd31c775f2ef42ea416543def66

C:\Windows\{0F1600B7-678F-4133-92D3-F60615B92B5B}.exe

MD5 9121f0716542ca25a48cfd46925df29b
SHA1 92516e728553202e6936b54d5325f25e50cb15f0
SHA256 304403a041bfabb4b898f20ab531b50ae0ae96bc4e469bcd7cc47c1cebae831b
SHA512 eb58d4b3645f0881e2476b605227fda0f495e9b17c7f561ae643afef260aa12252ac6304b098bf0708c552b8f19ef30f7d96c2246848e20a4c816888df9d7cac

C:\Windows\{58463E48-89AC-4904-BE45-E3E3912E8E84}.exe

MD5 00465131ce920b0569849f103d9affb6
SHA1 d484fa5ff6dd65ba3097c8ea23eb57c16fc60cda
SHA256 6e30ba6b8c90a1c3629f45e33bd46326f2a11443f9403e4745c2f58de7b48b3a
SHA512 c6b38e33e6b7b5cba2d0d490dd64d3bd6ebd261f64d9268b919389e9cedd5ebd87b4bbf2e6436aa23ee78ffeb685ecf3eea59b5a28d7b8d775cf939539d38442

C:\Windows\{C38687ED-F3B4-47d8-B0D6-92BD99EB17AD}.exe

MD5 98d8a7626f05c2f3122beb08ddc19958
SHA1 a78f5e904a34ebd3544c9f5bf460a717208b0129
SHA256 af971f03f89af9342936df21e40ae2731508c87f0bafcdf1bcc3471c6ac63f62
SHA512 4338834e968ca786f210d7a54b65cb2513da592c2e62fcf3589c8d04637533c18f7727cccc90425633f369c1adaa76ae18ec8e76e9522437e08fbd348bee4f78

C:\Windows\{BC061E6D-8FD3-42af-9547-AFACB1A6F840}.exe

MD5 2e6696e847587f014f051b277f6cde3d
SHA1 1fbc888cbcb52d01e55792dfc483f93617d6ac8d
SHA256 0ab46f60b164b429f890c7a0711aecfe132529f80cf75173cdc8b5091eaa32f7
SHA512 cfdff24dd25a604a7f06dcdafee85a68fa0bd9b1a4e5716c35b2f4dbb024479626278238da8592f9e5f73eb9042aaa76bb287eeb689d369869f84a14d330f49f

C:\Windows\{A9F14873-F5BA-4b57-99A2-4D64C91D27E0}.exe

MD5 d7228e36e4393d5bc4c496829a0b8d60
SHA1 dde50dd360c8337a404bf01aa24cb013801e00e9
SHA256 2e91683bce5dd7ffdf533266ff5cc930b2f28a1aa9249aafa94d9b52c3301f84
SHA512 c74f8f5104fa9ab5b02a7e49106fe9a5124e243a474228190822fdd937bc3d40367870448e38ad5185e96645516d902e8f4bea22bfdf867563c81edf4d5278a4

C:\Windows\{B2B0ADCE-60E4-474b-9681-9EACD8E449EF}.exe

MD5 fac460d2d9d374d21b40f90e0b9a8f53
SHA1 9abfd88280645a6a564d826a0717b9c8e0dada60
SHA256 c31f4ed30efc97af427dec194ab10d939b64d40b064219b9f74b8c84d546798e
SHA512 bdddc58e626d793aa24f808a22748641f271957706664bdd3c47262dbf0649180af6fce5a0a49e9d1d55d07d5a3ab53c15b87e5f43248663c192ce3922e1627a

C:\Windows\{A3718F11-EEF4-4ac2-9958-A50383FEF543}.exe

MD5 fd22b08ccabfef08fdc7705279aa254b
SHA1 ae59a469630ef9dad9d8b7977036a5a327f6b62c
SHA256 4ff72f19c1ef901eb7ff188637de73f9fbb0eb54871a1716d72bc02eee6b821e
SHA512 8a04cae55c09e0fa5dde9d10aecaae06ca693dcbfda1e64895db1124d7ad559aa0fb436bb07987a281b47123d4b6865008b738b6a64beed05dce67101bb88ea6

C:\Windows\{9174A466-2CD1-4ef6-81EC-434E5748015D}.exe

MD5 fe588dbd9783795bfe1c104f95369ff6
SHA1 f2200415fd3842573157e13ea6315e90f2c98e2c
SHA256 688b720e3d506b04bc5a4f8765c063be2592920beee23db98607bf18f1809529
SHA512 f0b4e14c2b4a35579f01ec6555598352421e1adb991cd5ae7668584fc470df39017c6ce1d1ef7acc887f9e0b4fe580bcce81e2c73e63ebdfcaf3c47819802550

C:\Windows\{49689193-4991-4d07-A803-D6E303D6081D}.exe

MD5 44c1150d61741a416330cd28ce8028f1
SHA1 6885237b0b84cdcabf2b5de56a2aae6c0d4f7a94
SHA256 a962cd4fe36a301d92be29306fa4b8972da78677ef609b7db75c0a72b352ead0
SHA512 3d3110c2c7d20464812a9bbb268082c4663f1e85c676fa5528b801c583e75314134ac806014b43012367bccc46536852ef1cd9307d80eabd4ef0bd22a668a2e8