Malware Analysis Report

2025-08-05 11:21

Sample ID 241112-rxvyyaxpfk
Target 2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye
SHA256 ccf8f77b4b030d82f1069122a1687d3a2ffa6bcb607e6c997a13f13caf4ed88e
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

ccf8f77b4b030d82f1069122a1687d3a2ffa6bcb607e6c997a13f13caf4ed88e

Threat Level: Likely malicious

The file 2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 14:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 14:34

Reported

2024-11-12 14:37

Platform

win7-20240903-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7EAAEA-A234-4572-A5C5-D37C540100F1} C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807A9290-1446-4088-99A8-55D89031F654} C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86064520-5804-4dc3-AC8D-0A4A1B666C17} C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}\stubpath = "C:\\Windows\\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe" C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB10725-ABF2-4106-B158-DDB4CF803788} C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3400A2-B0D1-4529-B840-BF01BF80A627} C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}\stubpath = "C:\\Windows\\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe" C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}\stubpath = "C:\\Windows\\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe" C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0} C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807A9290-1446-4088-99A8-55D89031F654}\stubpath = "C:\\Windows\\{807A9290-1446-4088-99A8-55D89031F654}.exe" C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86064520-5804-4dc3-AC8D-0A4A1B666C17}\stubpath = "C:\\Windows\\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314} C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349} C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DB10725-ABF2-4106-B158-DDB4CF803788}\stubpath = "C:\\Windows\\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe" C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF93DC2-A110-4f85-90B1-2AD12E964634}\stubpath = "C:\\Windows\\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe" C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}\stubpath = "C:\\Windows\\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe" C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF93DC2-A110-4f85-90B1-2AD12E964634} C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}\stubpath = "C:\\Windows\\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe" C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3400A2-B0D1-4529-B840-BF01BF80A627}\stubpath = "C:\\Windows\\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe" C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998} C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}\stubpath = "C:\\Windows\\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe" C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F} C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe N/A
File created C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe N/A
File created C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe N/A
File created C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe N/A
File created C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe N/A
File created C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe N/A
File created C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe N/A
File created C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe N/A
File created C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe N/A
File created C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe N/A
File created C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
PID 2640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
PID 2640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
PID 2640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe
PID 2640 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2648 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
PID 2880 wrote to memory of 2648 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
PID 2880 wrote to memory of 2648 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
PID 2880 wrote to memory of 2648 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe
PID 2880 wrote to memory of 2244 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2244 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2244 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2244 N/A C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2576 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
PID 2648 wrote to memory of 2576 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
PID 2648 wrote to memory of 2576 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
PID 2648 wrote to memory of 2576 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1552 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
PID 2576 wrote to memory of 1552 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
PID 2576 wrote to memory of 1552 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
PID 2576 wrote to memory of 1552 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe
PID 2576 wrote to memory of 2444 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2444 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2444 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2444 N/A C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1096 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
PID 1552 wrote to memory of 1096 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
PID 1552 wrote to memory of 1096 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
PID 1552 wrote to memory of 1096 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe
PID 1552 wrote to memory of 1240 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1240 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1240 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1240 N/A C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2864 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
PID 1096 wrote to memory of 2864 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
PID 1096 wrote to memory of 2864 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
PID 1096 wrote to memory of 2864 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe
PID 1096 wrote to memory of 2908 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2908 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2908 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2908 N/A C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2748 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
PID 2864 wrote to memory of 2748 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
PID 2864 wrote to memory of 2748 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
PID 2864 wrote to memory of 2748 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe
PID 2864 wrote to memory of 2616 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2616 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2616 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2616 N/A C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 1668 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
PID 2748 wrote to memory of 1668 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
PID 2748 wrote to memory of 1668 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
PID 2748 wrote to memory of 1668 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe
PID 2748 wrote to memory of 588 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 588 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 588 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 588 N/A C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"

C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe

C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe

C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86064~1.EXE > nul

C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe

C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CEC98~1.EXE > nul

C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe

C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC0F~1.EXE > nul

C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe

C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB10~1.EXE > nul

C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe

C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF93~1.EXE > nul

C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe

C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE340~1.EXE > nul

C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe

C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{364EF~1.EXE > nul

C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe

C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6765C~1.EXE > nul

C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe

C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B1C~1.EXE > nul

C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe

C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC7EA~1.EXE > nul

Network

N/A

Files

C:\Windows\{86064520-5804-4dc3-AC8D-0A4A1B666C17}.exe

MD5 143717fde94a137faccef92702eb7706
SHA1 8b336d970fdf5b8da84d62ed90744e503cc9f519
SHA256 8439892242946fe58b81b16fe75ff593313f0b6d29bc4953cf6d1ee0b4fe91c9
SHA512 d55879d6c1952d5c0f4a853563c16ca269ebd982d5c5aa094e549d8c5e141732affd874e6114f650c51b65203803f0259001730631ce8f364e322ab11019f7b7

C:\Windows\{CEC988F6-A3DF-46fd-8F9D-93CFCDD89314}.exe

MD5 99feacaa4a209bff5b8a146afde46f4f
SHA1 35508f0079f8cae9296c363a1b8b5ec0ec0ac5ab
SHA256 001bd885c16b2d48ecf94de1aa3df7434d275d8526f39a5649ec831434302ba3
SHA512 538457ba746d6c30e7165f6d5199d883ec45b1daefebe606e963cc8a1027af177fd393bb0f495280235c22d526fc4cdef35124f044f7cb3ac107eddef6379472

C:\Windows\{7AC0FBEF-A3F5-4827-9999-669B5E7AE349}.exe

MD5 58a552cdc36a173bb3e2a4216ef11990
SHA1 d9395fef41f4372768d1e1baeb25e919ab565137
SHA256 f8ff7a2060df0c5ed14284022d9073eb3db9e4bcdf9279d566ffd843ce20cdca
SHA512 69cf2d7d7d3d029c8b917a32e9f6233a3a483846ba9efc78167fe55ab12e2ac8dbdfd40a7afe78aaf02c20a5061dcdae74440b58a4d512589e6928d1fcccf021

C:\Windows\{0DB10725-ABF2-4106-B158-DDB4CF803788}.exe

MD5 a6a0e102ae5e38df813aa59d507e5e70
SHA1 b1f611f9f0108bba789e0a4b71c9979688ca291d
SHA256 58d374cce6e1de95de659a75cbb2a00b1ec4900b3297030f9793a3606bdaa01b
SHA512 7edf2b119b11fd9203ba965ec55d8264dde47d7cd50f3f72c0c56e05b5aa06686328a268f38ad803e87a8836e2c63c1caf94b9ef6dbd1920e4de33ff6cf54982

C:\Windows\{EFF93DC2-A110-4f85-90B1-2AD12E964634}.exe

MD5 66947ef07c6acb67a25e607d8b0299a5
SHA1 53b0a337838f49ab655581ecea4c9bf3edc3d2ba
SHA256 3d514837ec904b9c0514277be2836bc11cf6952d144302a28087e489f9d335c8
SHA512 618c9c57e3850ebdb0d46832db17d80bd51e135046fd27e1202512b626c2b866dc579cc4abc5803e3c2001174776f6ede426ccd5d691369792a3afd123cad9b1

C:\Windows\{AE3400A2-B0D1-4529-B840-BF01BF80A627}.exe

MD5 052075ff91d2a2a083bc9bc9e9405658
SHA1 fcc9a83a7efbbaf7c68e57bb53633e1b577e43a0
SHA256 f920c376382142c8b84a3ab193f1625aba8a576943b5452a450df51c7b8caeea
SHA512 4d0370772fbfd1ab2c4c756e8f4c6b9e5765f27c1508daad1f65dad84e4dcfd18d42dd6999bc660632c9dd562452c0d87688d19517098acd45408b18c8da5188

C:\Windows\{364EF7A1-C9F5-4d62-B1EF-7CC35A7CC998}.exe

MD5 2b3594d95c8d1dda577daeb190100789
SHA1 ba80ac5d5d68dd786d5938fae0f13db88e4295c6
SHA256 7620dbdc6eeb837ff45ec02ba92b0bf463c047b2ed4f049b1d87095e71bff829
SHA512 3dbbaa1923c28f00cb612fae3bb65b8129f6e65c4b76e37b5a0c6fe46e766b0edb4c176c5c998c07bee763a887e3dc726d4ff51986fc3a7ee1b816a23e4ab089

C:\Windows\{6765CE43-E607-4b4e-8EA1-47DA85F6CE5F}.exe

MD5 ce7e9a5e0b8310ede63cec6d0db009ef
SHA1 ac25211495d31849015463ee1e4540cba452a7b0
SHA256 f7269026de6cd0067edaf565e38084bca93173b73188f3a575e7332406afdfc7
SHA512 53346b54b1dd2e5e083463f6d3323f89950e26a8201b4ddb17908b89023424b790349b14f25c2d45633a13ac3a759c9965e51b07f09ebb1adabfdbe29a31cb6e

C:\Windows\{D6B1C63F-447F-4b30-B7F1-7E8AF252ACA0}.exe

MD5 632762fbd2eb3bc9bca474666c6df722
SHA1 51c527235d9e48ef3166413105929a1e4daff3f9
SHA256 eea5825f41820ac298426ee57dc46ed17521070d2b7cf021c6c28f3ede351663
SHA512 6efc978acadc18fcb27d66f23fd4b2df66a44e3d870996cf8ef4a7ca66d7f99f24648f2f95bf59c4804e754e4b1f4834fb1cf7dd97db835c6a1aded98c5e98c2

C:\Windows\{AC7EAAEA-A234-4572-A5C5-D37C540100F1}.exe

MD5 9fef1aa3bec869a5bc8a96bf5a8d88b7
SHA1 156bb13780136e127fa030e57a309652af1f4007
SHA256 516481fbe53c0c09f373fc0e556810b994ef532ee026422e65538b5bfcfd0574
SHA512 458c40908157ff0e1ce00f63dec394021bc1c72292155c34b0cb94eb0deccebaf08bc3fd384ada1a5b75453865da95f1a852a061e3cbfeabe184b045c9ef9c57

C:\Windows\{807A9290-1446-4088-99A8-55D89031F654}.exe

MD5 3e9699a387339f487844770e13c266bf
SHA1 a4f898e177a464ebbc8aaecd3df6eac30b8f824f
SHA256 5effd5c7740df457efb3c1aee1d2e1fb0406dbf7c9a81022674c6564f7f8f2b5
SHA512 6edc34dd39c736cb4438dc672c1cdc7e3c9cc34d7c9001853c7cf4d2458047ba2068fa8c1e6784cf6ab84fd346283ec217a00a59f0acd5f8e27af4281dab130f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 14:34

Reported

2024-11-12 14:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}\stubpath = "C:\\Windows\\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe" C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C} C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A0C504-E52B-49bc-818C-CF1407CAD46D} C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87832885-91B8-46c5-B7E9-B1184F6088BA} C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76732DE2-B150-4f86-A783-F25B7D73E53E}\stubpath = "C:\\Windows\\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe" C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA604791-1269-4682-8D67-1336E1B2432A} C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA604791-1269-4682-8D67-1336E1B2432A}\stubpath = "C:\\Windows\\{FA604791-1269-4682-8D67-1336E1B2432A}.exe" C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4} C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4B66A-7631-4b29-8F71-2C85B7DC0292} C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF7A370-0A34-4051-B174-A805676D52E6} C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}\stubpath = "C:\\Windows\\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe" C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}\stubpath = "C:\\Windows\\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe" C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A0C504-E52B-49bc-818C-CF1407CAD46D}\stubpath = "C:\\Windows\\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe" C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87832885-91B8-46c5-B7E9-B1184F6088BA}\stubpath = "C:\\Windows\\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe" C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395BDADE-7766-4bfa-94D5-8F934C88D9B6} C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}\stubpath = "C:\\Windows\\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe" C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}\stubpath = "C:\\Windows\\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D6711C5-AE09-4d7e-89F9-9193AAB28958} C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430} C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}\stubpath = "C:\\Windows\\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe" C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76732DE2-B150-4f86-A783-F25B7D73E53E} C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}\stubpath = "C:\\Windows\\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe" C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF7A370-0A34-4051-B174-A805676D52E6}\stubpath = "C:\\Windows\\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe" C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681} C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe N/A
File created C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe N/A
File created C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe N/A
File created C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
File created C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe N/A
File created C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe N/A
File created C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe N/A
File created C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe N/A
File created C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe N/A
File created C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe N/A
File created C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe N/A
File created C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
PID 1216 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
PID 1216 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe
PID 1216 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3172 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
PID 2900 wrote to memory of 3172 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
PID 2900 wrote to memory of 3172 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe
PID 2900 wrote to memory of 1848 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1848 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1848 N/A C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 3916 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
PID 3172 wrote to memory of 3916 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
PID 3172 wrote to memory of 3916 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe
PID 3172 wrote to memory of 3516 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 3516 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 3516 N/A C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1420 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
PID 3916 wrote to memory of 1420 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
PID 3916 wrote to memory of 1420 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe
PID 3916 wrote to memory of 1664 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1664 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 1664 N/A C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 732 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
PID 1420 wrote to memory of 732 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
PID 1420 wrote to memory of 732 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe
PID 1420 wrote to memory of 3512 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3512 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3512 N/A C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1528 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
PID 732 wrote to memory of 1528 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
PID 732 wrote to memory of 1528 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe
PID 732 wrote to memory of 4356 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 4356 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 4356 N/A C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2904 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
PID 1528 wrote to memory of 2904 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
PID 1528 wrote to memory of 2904 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe
PID 1528 wrote to memory of 3868 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 3868 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 3868 N/A C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 5056 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
PID 2904 wrote to memory of 5056 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
PID 2904 wrote to memory of 5056 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe
PID 2904 wrote to memory of 1152 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 1152 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 1152 N/A C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 3496 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
PID 5056 wrote to memory of 3496 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
PID 5056 wrote to memory of 3496 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe
PID 5056 wrote to memory of 2520 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 2520 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 2520 N/A C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2260 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
PID 3496 wrote to memory of 2260 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
PID 3496 wrote to memory of 2260 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe
PID 3496 wrote to memory of 4716 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4716 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4716 N/A C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 4844 N/A C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
PID 2260 wrote to memory of 4844 N/A C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
PID 2260 wrote to memory of 4844 N/A C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe
PID 2260 wrote to memory of 2064 N/A C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-12_fca281afcdabc0e6d3185745fd858df6_goldeneye.exe"

C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe

C:\Windows\{DCBF0336-2F7A-4a59-B4E1-6A213F8FE430}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe

C:\Windows\{55A0C504-E52B-49bc-818C-CF1407CAD46D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBF0~1.EXE > nul

C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe

C:\Windows\{87832885-91B8-46c5-B7E9-B1184F6088BA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55A0C~1.EXE > nul

C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe

C:\Windows\{395BDADE-7766-4bfa-94D5-8F934C88D9B6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{87832~1.EXE > nul

C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe

C:\Windows\{76732DE2-B150-4f86-A783-F25B7D73E53E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{395BD~1.EXE > nul

C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe

C:\Windows\{FA604791-1269-4682-8D67-1336E1B2432A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76732~1.EXE > nul

C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe

C:\Windows\{49E37F96-4DB2-46f1-9561-EDF29BA57DB4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FA604~1.EXE > nul

C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe

C:\Windows\{CD9FE2DC-77BB-4b80-AAA8-F97EC0B49E5C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49E37~1.EXE > nul

C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe

C:\Windows\{49F4B66A-7631-4b29-8F71-2C85B7DC0292}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9FE~1.EXE > nul

C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe

C:\Windows\{1EF7A370-0A34-4051-B174-A805676D52E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49F4B~1.EXE > nul

C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe

C:\Windows\{E9D5EEFC-5CFC-4d46-AF8D-A27417CE2681}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF7A~1.EXE > nul

C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe

C:\Windows\{7D6711C5-AE09-4d7e-89F9-9193AAB28958}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D5E~1.EXE > nul

Network


Files
