Malware Analysis Report

2024-12-07 11:35

Sample ID: 241113-vj22wawbmg
Target: 2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye
SHA256: cbf3ef0300cbe871b19b01392db4b0d9ee8db7ce8f575a4b377472920aadf427
Tags: discovery persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: cbf3ef0300cbe871b19b01392db4b0d9ee8db7ce8f575a4b377472920aadf427

Threat Level: Likely malicious

The file 2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:04

Platform

win7-20241023-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F39AADD-6439-411c-BA24-A1F22AECAB28} C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}\stubpath = "C:\\Windows\\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe" C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7} C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C} C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}\stubpath = "C:\\Windows\\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe" C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}\stubpath = "C:\\Windows\\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe" C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879A088A-9115-4745-B672-57451A41D607}\stubpath = "C:\\Windows\\{879A088A-9115-4745-B672-57451A41D607}.exe" C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE50E6-8A75-4246-A5CA-DB37A4A19837} C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F727D49E-B92E-4d75-A6C2-1B58C073C839} C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A5779-4457-4290-905C-B73D06E657F9} C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A5779-4457-4290-905C-B73D06E657F9}\stubpath = "C:\\Windows\\{F18A5779-4457-4290-905C-B73D06E657F9}.exe" C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}\stubpath = "C:\\Windows\\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe" C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397499F-A32A-4050-BEF8-59C177965A10}\stubpath = "C:\\Windows\\{9397499F-A32A-4050-BEF8-59C177965A10}.exe" C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC0E8D7-94FE-4933-913D-C5984A076B8B} C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9397499F-A32A-4050-BEF8-59C177965A10} C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}\stubpath = "C:\\Windows\\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe" C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A} C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}\stubpath = "C:\\Windows\\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879A088A-9115-4745-B672-57451A41D607} C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F39AADD-6439-411c-BA24-A1F22AECAB28}\stubpath = "C:\\Windows\\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe" C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0EC37C-62A5-4917-B56A-24C2E57A4201} C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F727D49E-B92E-4d75-A6C2-1B58C073C839}\stubpath = "C:\\Windows\\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe" C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe N/A
File created C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
File created C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe N/A
File created C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe N/A
File created C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe N/A
File created C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe N/A
File created C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe N/A
File created C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe N/A
File created C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe N/A
File created C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe N/A
File created C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe
PID 2084 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2796 N/A C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe
PID 1656 wrote to memory of 2972 N/A C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 584 N/A C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe
PID 2796 wrote to memory of 2852 N/A C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 2980 N/A C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe
PID 584 wrote to memory of 2804 N/A C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 868 N/A C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe
PID 2980 wrote to memory of 1524 N/A C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 2752 N/A C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe
PID 868 wrote to memory of 1152 N/A C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1528 N/A C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe
PID 2752 wrote to memory of 1960 N/A C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1780 N/A C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe
PID 1528 wrote to memory of 1240 N/A C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe"

C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe

C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe

C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7207A~1.EXE > nul

C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe

C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{879A0~1.EXE > nul

C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe

C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40CE5~1.EXE > nul

C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe

C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8F39A~1.EXE > nul

C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe

C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0EC~1.EXE > nul

C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe

C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F727D~1.EXE > nul

C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe

C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93974~1.EXE > nul

C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe

C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC0A5~1.EXE > nul

C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe

C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9F888~1.EXE > nul

C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe

C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F18A5~1.EXE > nul

Network

N/A

Files

C:\Windows\{7207A1BB-4507-4d88-9D1A-E2EA4EFA002A}.exe


C:\Windows\{879A088A-9115-4745-B672-57451A41D607}.exe


C:\Windows\{40CE50E6-8A75-4246-A5CA-DB37A4A19837}.exe


C:\Windows\{8F39AADD-6439-411c-BA24-A1F22AECAB28}.exe


C:\Windows\{8F0EC37C-62A5-4917-B56A-24C2E57A4201}.exe


C:\Windows\{F727D49E-B92E-4d75-A6C2-1B58C073C839}.exe


C:\Windows\{9397499F-A32A-4050-BEF8-59C177965A10}.exe


C:\Windows\{EC0A50C0-C3DE-4ab4-A1F1-6C3EC28F55D7}.exe


C:\Windows\{9F888403-4E6D-4e56-9C3A-39F58AB2B47C}.exe


C:\Windows\{F18A5779-4457-4290-905C-B73D06E657F9}.exe


C:\Windows\{DCC0E8D7-94FE-4933-913D-C5984A076B8B}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747} C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0226E8A7-A838-474d-9057-6C5CDF67B586} C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF1528F-6268-4a47-990C-2D83998DA4C4}\stubpath = "C:\\Windows\\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe" C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C} C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6} C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25986D9B-870D-4494-9219-F17AFCE9FBAC} C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25986D9B-870D-4494-9219-F17AFCE9FBAC}\stubpath = "C:\\Windows\\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe" C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32509209-0672-4fe3-B958-CA07069F1CDA}\stubpath = "C:\\Windows\\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe" C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC22F8A-9C56-4408-905A-B7BECE76C39D} C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}\stubpath = "C:\\Windows\\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe" C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0226E8A7-A838-474d-9057-6C5CDF67B586}\stubpath = "C:\\Windows\\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe" C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9} C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}\stubpath = "C:\\Windows\\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe" C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF1528F-6268-4a47-990C-2D83998DA4C4} C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}\stubpath = "C:\\Windows\\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe" C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9} C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}\stubpath = "C:\\Windows\\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe" C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}\stubpath = "C:\\Windows\\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0} C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}\stubpath = "C:\\Windows\\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe" C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65} C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}\stubpath = "C:\\Windows\\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe" C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}\stubpath = "C:\\Windows\\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe" C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32509209-0672-4fe3-B958-CA07069F1CDA} C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe N/A
File created C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe N/A
File created C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe N/A
File created C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe N/A
File created C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe N/A
File created C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe N/A
File created C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe N/A
File created C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
File created C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe N/A
File created C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe N/A
File created C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe N/A
File created C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe
PID 1144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe
PID 1144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe
PID 1144 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 3796 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe
PID 2576 wrote to memory of 3796 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe
PID 2576 wrote to memory of 3796 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe
PID 2576 wrote to memory of 1972 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1972 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1972 N/A C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4420 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe
PID 3796 wrote to memory of 4420 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe
PID 3796 wrote to memory of 4420 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe
PID 3796 wrote to memory of 2612 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2612 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2612 N/A C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 4876 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe
PID 4420 wrote to memory of 4876 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe
PID 4420 wrote to memory of 4876 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe
PID 4420 wrote to memory of 760 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 760 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 760 N/A C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3976 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe
PID 4876 wrote to memory of 3976 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe
PID 4876 wrote to memory of 3976 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe
PID 4876 wrote to memory of 5116 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 5116 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 5116 N/A C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4432 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe
PID 3976 wrote to memory of 4432 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe
PID 3976 wrote to memory of 4432 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe
PID 3976 wrote to memory of 4008 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4008 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 4008 N/A C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 1320 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe
PID 4432 wrote to memory of 1320 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe
PID 4432 wrote to memory of 1320 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe
PID 4432 wrote to memory of 4368 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4368 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4368 N/A C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 5060 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe
PID 1320 wrote to memory of 5060 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe
PID 1320 wrote to memory of 5060 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe
PID 1320 wrote to memory of 4776 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 4776 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 4776 N/A C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3580 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe
PID 5060 wrote to memory of 3580 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe
PID 5060 wrote to memory of 3580 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe
PID 5060 wrote to memory of 4816 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4816 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4816 N/A C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 1448 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe
PID 3580 wrote to memory of 1448 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe
PID 3580 wrote to memory of 1448 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe
PID 3580 wrote to memory of 1704 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 1704 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 1704 N/A C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3776 N/A C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe
PID 1448 wrote to memory of 3776 N/A C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe
PID 1448 wrote to memory of 3776 N/A C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe
PID 1448 wrote to memory of 2692 N/A C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_c033187193bab4c99346baed79d42f2e_goldeneye.exe"

C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe

C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe

C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E64D~1.EXE > nul

C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe

C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{13DB6~1.EXE > nul

C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe

C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0226E~1.EXE > nul

C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe

C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{815DE~1.EXE > nul

C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe

C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF15~1.EXE > nul

C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe

C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{47221~1.EXE > nul

C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe

C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14DF9~1.EXE > nul

C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe

C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD8B~1.EXE > nul

C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe

C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D0B8~1.EXE > nul

C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe

C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25986~1.EXE > nul

C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe

C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{32509~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Windows\{4E64DBFB-05D2-49f7-81E8-9D1F08EB2747}.exe

MD5 4b63291b1771c9ec77b1937844a2691a
SHA1 c5bbc49432912df6a62b7ad22f101fefaf50c882
SHA256 b31fe7ee705733f295e18df82e01de8d053ec5ff9268ee9a18925bd1216d51ac
SHA512 f87912a953e7ba4b19c0b921395fb802986186046948451511c6dfffa52245674ea2f9307c3fb92f1cd76978ba8df5fecdbe77e9952ed9d5ea8e88a933afbb3b

C:\Windows\{13DB626F-AF41-4836-AD6C-43AC7F6B81F0}.exe

MD5 119bf51375247b208e6c8703ccec8e02
SHA1 f009cece460320c31f930c320081741d0cd684c9
SHA256 c46a3a6a75b52ef315410ac6a6da80132a4b060d20ad07650b91ac00c1f1309f
SHA512 3ae651e6383620e8c3a84c97ebc9309c3b3a7dfdb1f51a60dcb5c78a1c612668d7e2749839a2a250401f15553e0982baf43a49d10e7964ec8f740997ed92e822

C:\Windows\{0226E8A7-A838-474d-9057-6C5CDF67B586}.exe

MD5 a6d7b539d4a6b42b58c7f079485890c8
SHA1 28fb3aab5e34985061414301db726072a1f116e5
SHA256 8a753a3cc52d34cdd3f913866f3801e5f292c89aa74c96f98bc0cf661e602b56
SHA512 dfc086f0b344c374cfdb5a70f91d4421c493f4cbd03748f6c8394e4503725d1875312d6cd808045badf7f8a0e0b38603795d30878655a8495f4b59d8980c64c3

C:\Windows\{815DE4A8-DD28-4644-B4F1-182ACBFE4F65}.exe

MD5 08db86adf955bc9b72f9f819a45bb1e4
SHA1 44098101e563d53f61f8a14eb3635d702f4088ab
SHA256 4e5638c7119a4a03168d5703711834aac5f5b6afebf53b9876d3f9dfb9193738
SHA512 8d1b466759849565dd468ee50d7a1961e3f30dc769353278e602f8ef5ad01eef28626718e7c4a3007aca49e81e1b64a9a6f220f6d6a9ca507c4fcaa5c040d7e0

C:\Windows\{DBF1528F-6268-4a47-990C-2D83998DA4C4}.exe

MD5 f603094b50df52af1bc7a01f79727cde
SHA1 26cf803d5f40093400d9e72ee5ae8a4de03f0a5d
SHA256 2531a30ddde8645bf7ae9ee4df38a90e9edb62edc7e56352f0e53e0045810879
SHA512 701a3a0ffa9ad526ef0ff3cdd29af41fce6c36a76ace32b0abf89ab78245a2cf4a901d83360de81c9ce3c13a4552f68848bd940750e2469c00db707b0ef88481

C:\Windows\{47221E9D-AF32-4907-A0D9-18E4BE6BDB4C}.exe

MD5 6ea1174c1b0e4de0dcfbd34468a66b0d
SHA1 e3a9e1d02945ae71389bc97032bae040d4ac5308
SHA256 e2f9ae742931d8b937e3136c5d067301a1a0a1aa25e044291dfbfbc4bf846c48
SHA512 e55586cc8b9f4879495958bc858feae84633abbd2ab917a6d9b3fd04a902c68e6fdb53c1d9daefa4d8ac81aa24f92b9f3cfc97dee54e41cf2616b2d921755e09

C:\Windows\{14DF98E0-93D3-4a18-8982-5E7BF9D5E7A6}.exe

MD5 cf2581314dee4c4962b6d0f1cd717587
SHA1 384ffe110b94310efed6c91063bc589e26a596ec
SHA256 b6f6744f62bea004823e47b083e17732ec6c69486aaa2bd7a826eee86b61de97
SHA512 7ef45c373d04dc0ae44dac092d0349e3eb50cab060680d524c7b8f18e1250db7eeefb35a4005327b468c3a8256714753b44f4fe920e7b3fa10a70275bad20509

C:\Windows\{CDD8B03A-AFA5-4d3c-9DD6-B4E0754B51A9}.exe

MD5 bd6b427d8410649d95705a1b40f667a6
SHA1 e4d255ec8137de78a0a59b68023d4aaade55f363
SHA256 388d3ee9e917b0f95791db85a395f2ef9b6c26069412ffcf6756d6a0fe082c54
SHA512 0685d69015a037a1d41b8e0728b04f1de497a4aae32c21544f8dad32e80b4bebc86ba09d755c2705c0c7fadb98dbf13d3c79e2f762d747372bf8587548a3aed6

C:\Windows\{0D0B8CCE-16A3-4cb8-A0DC-84BE9AF689B9}.exe

MD5 e454929d666d15f897050bce50f714e9
SHA1 2fe644dd8fe27851c0d7c9e9fa31f6e2f3ea7003
SHA256 f362406f0f86188767968e8618717d8ad47d15661697f5fffea2e9f1c81c36a2
SHA512 80e0ad90f5ff63363d5c6597d0132cd7de3a630ddacdcaafef174dfc76a1fbb9c374a53b5393e261ae4f7a1078bd9513f434fdfdf31768f4d6985f36366e727b

C:\Windows\{25986D9B-870D-4494-9219-F17AFCE9FBAC}.exe

MD5 fbee3de06c1d453719c5f89d0ee6300a
SHA1 5e5b0f6a2ba9146c38603b1165dd65ea72cd10b4
SHA256 59e1a532ecada95b358e1b7ea3be252026302f72058f15f443b8ba7b65ec65c3
SHA512 4f53223204080f0815e7ce14049ed8d5f59f4f4afa2fad8f198b77096a0fafb6ee625cd8d5afeda3c3f38410ed6e8b265530fc73684316f38c0d3eabe59377ab

C:\Windows\{32509209-0672-4fe3-B958-CA07069F1CDA}.exe

MD5 e7502cdc099ddb34ce32cf5996c0b8e6
SHA1 6e3f5de3751dbc6125b8c051c9854d1d5ca7b561
SHA256 b66bf9bcace7aa7fce7c4c21ff0b8700afdc466c54ae219d6bbfc3c4eafbf5a1
SHA512 d1478d526bbc4ff20426f0ca0a239f9b15427f615112623e154ce2b27ec78bc76d5985cc98d19f1a7511aa8f38b55785ddcde199a84245fb22488d9bc73a698c

C:\Windows\{ABC22F8A-9C56-4408-905A-B7BECE76C39D}.exe

MD5 45a03b2b123f9ad8a2917021130d627f
SHA1 11d75c29ed71b7b488a96d28bc1d4f97423ea45a
SHA256 5435f7914ab11ee6af5316631707cc5618d4623fcf42e2c232ac2f290cf5e201
SHA512 cd4e87e5a8cb2fb5c9da526495447ef9665e48bacf0f087cacd61c61213d7c6fe2409b4814ba08b0847a18d4a4b6542316b09118381a910e5ed217cd29abc652