Malware Analysis Report

2024-12-07 12:26

Sample ID: 241113-vj61tswbnc
Target: 2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye
SHA256: f602d9101b4da30ca8066315414c22a3390a65e61a7b34702897c8fef123a6b6
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: f602d9101b4da30ca8066315414c22a3390a65e61a7b34702897c8fef123a6b6

Threat Level: Likely malicious

The file 2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye was found to be: Likely malicious.

Observed behaviour (both detonations): the sample writes a fresh copy of itself to C:\Windows\{GUID}.exe under a newly generated GUID, registers that GUID under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (logged via Wow6432Node, because the 32-bit sample's HKLM\SOFTWARE writes are redirected on 64-bit Windows) with StubPath pointing at the dropped file, starts the dropped copy, and then removes its own image with cmd.exe /c del <8.3 short name> > nul. Every dropped stage repeats the sequence, so one detonation leaves a chain of Active Setup components (11 on win7, 12 on win10 within the recording window) and, since each stage deletes itself after launching its successor, only the most recently dropped stage should remain on disk while every earlier StubPath dangles. The GUIDs differ between the two runs and every dropped file has a different hash (see Files), so neither the GUIDs nor the file hashes are durable indicators; the C:\Windows\{GUID}.exe naming pattern, the Active Setup keys and the cmd.exe self-delete command line are. No network activity was recorded in the win7 run.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Persistence: T1547.014 Boot or Logon Autostart Execution: Active Setup (Installed Components key with StubPath; see Signatures)
Discovery: T1614.001 System Location Discovery: System Language Discovery (read of the NLS\Language key)
Defense Evasion: T1070.004 Indicator Removal: File Deletion (the "Deletes itself" signature; each stage removes its own image through cmd.exe)

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:02

Signatures

Unsigned PE: the sample carries no Authenticode signature. No indicator, process or target is associated with this signature (N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Every key below lives under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (the 32-bit sample's writes to HKLM\SOFTWARE are redirected to Wow6432Node on 64-bit Windows). For each component the log holds two rows, "Key created" and "Set value (str) ...\stubpath", and in every case the stubpath value is "C:\\Windows\\{GUID}.exe" for the same GUID as the key, so the 22 rows are collapsed to one line per component and reordered into drop order. Each process registers the GUID of the stage it is about to drop, not its own. Only the key and the stubpath value appear in the log (no Version or IsInstalled value); that is enough for Active Setup to run the stub once for every user at that user's next interactive logon, provided the file still exists. When hunting, the HKCU mirror key Software\Microsoft\Active Setup\Installed Components\{GUID} marks the users for whom a stub has already run.

Process (registers) -> component GUID, stubpath "C:\\Windows\\{GUID}.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe -> {6FF47C1C-F189-4657-A2E4-D70AE3191ACA}
C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe -> {CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}
C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe -> {F6122809-F618-446b-A74D-2744D7E14CE7}
C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe -> {98CC593E-78D4-4e64-9804-5AD49650E279}
C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe -> {093FCDE6-2445-45f5-A9F8-D3AF77B37787}
C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe -> {3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}
C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe -> {640981C6-D5B3-4da0-93B3-BB51297F6595}
C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe -> {B74E8798-0275-44fb-BBB3-3B35CE799324}
C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe -> {D3EF8456-B075-4738-8F18-19BC875C88B2}
C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe -> {3001DEAB-CB10-4835-9651-04B98BF02E48}
C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe -> {267AE581-375C-42cf-8004-E29FBADC6508}

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Each stage spawns cmd.exe with "/c del <its own image, written as an 8.3 short name> > nul" after starting its successor; the exact command lines are listed under Processes.

Drops file in Windows directory

File created, in drop order (each file name is the GUID the same process registered in Active Setup):
C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe (created by C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe)
C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe (created by C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe)
C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe (created by C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe)
C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe (created by C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe)
C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe (created by C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe)
C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe (created by C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe)
C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe (created by C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe)
C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe (created by C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe)
C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe (created by C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe)
C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe (created by C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe)
C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe (created by C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe)

System Location Discovery: System Language Discovery

discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 23 times in total: once by the submitted sample, once by each of the 11 dropped stages and once by each of the 11 cmd.exe instances. cmd.exe performs the same read, which shows how generic this indicator is; treat it as noise here rather than as evidence of locale-based targeting unless the sample is shown to act on the value.

Suspicious use of AdjustPrivilegeToken

Token: SeIncBasePriorityPrivilege, enabled by each of the following processes (no entry was recorded for the last stage, {267AE581-375C-42cf-8004-E29FBADC6508}.exe). This privilege only allows a process to raise scheduling priority; enabling it is not an elevation of rights and is a weak indicator on its own.
C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe
C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe
C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe
C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe
C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe
C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe
C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe
C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe
C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe
C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe
C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe

Suspicious use of WriteProcessMemory

All 64 logged writes go from a process into a child it has just started (four writes per child, the same parent/child pairs as the process tree under Processes). That is consistent with the writes a parent performs while setting up a child it creates; nothing here shows a write into a pre-existing or unrelated process, so this signature adds no evidence of injection. Parent PID (image) -> child PID (image), identical rows collapsed:
2536 C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe -> 1788 C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe (x4); 2064 C:\Windows\SysWOW64\cmd.exe (x4)
1788 C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe -> 2716 C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe (x4); 2820 C:\Windows\SysWOW64\cmd.exe (x4)
2716 C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe -> 1968 C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe (x4); 2772 C:\Windows\SysWOW64\cmd.exe (x4)
1968 C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe -> 2776 C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe (x4); 2652 C:\Windows\SysWOW64\cmd.exe (x4)
2776 C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe -> 2732 C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe (x4); 2200 C:\Windows\SysWOW64\cmd.exe (x4)
2732 C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe -> 2900 C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe (x4); 2924 C:\Windows\SysWOW64\cmd.exe (x4)
2900 C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe -> 2360 C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe (x4); 704 C:\Windows\SysWOW64\cmd.exe (x4)
2360 C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe -> 832 C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe (x4); 1652 C:\Windows\SysWOW64\cmd.exe (x4)

Processes

Process tree reconstructed from the WriteProcessMemory parent/child pairs (PIDs are given where the sandbox recorded them). Each stage starts the next dropped stage and then a cmd.exe that deletes the stage's own image. The cmd.exe command line names C:\Windows\system32\cmd.exe, but the process that actually runs is C:\Windows\SysWOW64\cmd.exe because the 32-bit stages are subject to file-system redirection; the del target is the 8.3 short name of the stage's own file. Dropped stages are launched with the bare image path as their command line (C:\Windows\{GUID}.exe), so no separate command line is shown for them.

Stage 0, PID 2536: C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe"
    self-delete child, PID 2064: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
Stage 1, PID 1788: C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe
    self-delete child, PID 2820: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF47~1.EXE > nul
Stage 2, PID 2716: C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe
    self-delete child, PID 2772: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6AB~1.EXE > nul
Stage 3, PID 1968: C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe
    self-delete child, PID 2652: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6122~1.EXE > nul
Stage 4, PID 2776: C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe
    self-delete child, PID 2200: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98CC5~1.EXE > nul
Stage 5, PID 2732: C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe
    self-delete child, PID 2924: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{093FC~1.EXE > nul
Stage 6, PID 2900: C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe
    self-delete child, PID 704: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C56E~1.EXE > nul
Stage 7, PID 2360: C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe
    self-delete child, PID 1652: C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64098~1.EXE > nul
Stage 8, PID 832: C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe
    self-delete child (PID not recorded): C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B74E8~1.EXE > nul
Stage 9 (PID not recorded): C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe
    self-delete child (PID not recorded): C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EF8~1.EXE > nul
Stage 10 (PID not recorded): C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe
    self-delete child (PID not recorded): C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3001D~1.EXE > nul
Stage 11 (PID not recorded): C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe
    no child process recorded before the run ended
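The self-deletion step is the most reliably detectable part of this chain in endpoint telemetry: a process starts a cmd.exe child whose command line is "/c del <path> > nul", and the deleted path is the parent's own image spelled as an 8.3 short name ({6FF47~1.EXE for {6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe), which defeats naive string matching on the long file name. The Python below is an added example written for this report, not sandbox output or tooling: it approximates the Windows 8.3 alias of the parent image (a simplified model of the NTFS short-name rule; the "~1" suffix assumes no name collision in the directory, which the report does not state but which the logged names are consistent with), parses the del target out of the child command line, and flags parent/child pairs where they match. The first two events are taken from the process list above; the other two are constructed controls.

```python
import ntpath
import re

# Characters Windows replaces with '_' when it derives an 8.3 alias; spaces and extra
# dots are dropped outright. Simplified model of the NTFS short-name rule; it assumes
# the first alias slot ("~1") is free (an assumption, consistent with the logged names).
_ILLEGAL_83 = set("+,;=[]")


def short_name_83(path):
    """Approximate the 8.3 alias of a file name.

    '{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe' -> '{6FF47~1.EXE'
    'cmd.exe' -> 'CMD.EXE' (already 8.3-conformant, so Windows makes no tilde alias)
    """
    name = ntpath.basename(path)
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    cleaned = "".join("_" if c in _ILLEGAL_83 else c for c in stem if c not in " .")
    short_ext = "".join(c for c in ext if c not in " .")[:3]
    if cleaned == stem and len(stem) <= 8 and short_ext == ext:
        return name.upper()
    alias = cleaned[:6].upper() + "~1"
    return alias + ("." + short_ext.upper() if short_ext else "")


# "cmd[.exe] /c del [/switches] <target>"; the target ends at whitespace, a quote or '>'.
DEL_CMD = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?:/[a-z]\s+)*"?(?P<target>[^"\s>]+)', re.IGNORECASE
)


def is_self_delete(parent_image, child_cmdline):
    """True when the child is a cmd.exe that deletes the parent's own image,
    whether the target is spelled with the long name or the 8.3 alias."""
    m = DEL_CMD.search(child_cmdline)
    if not m:
        return False
    target = m["target"]
    target_dir = ntpath.dirname(target).lower()
    # A relative target (no directory) is accepted too: cmd.exe inherits the parent's
    # working directory, so it would resolve against the same folder.
    same_dir = not target_dir or target_dir == ntpath.dirname(parent_image).lower()
    own_names = {ntpath.basename(parent_image).lower(), short_name_83(parent_image).lower()}
    return same_dir and ntpath.basename(target).lower() in own_names


# Parent image / child command line pairs. The first two come from the win7 process
# list in this report; the last two are constructed controls that must not be flagged.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    (r"C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF47~1.EXE > nul"),
    (r"C:\Tools\Example\updater.exe",  # constructed: deletes a different file in its folder
     r"C:\Windows\system32\cmd.exe /c del C:\Tools\Example\update.tmp > nul"),
    (r"C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe",  # next-stage launch, not cmd.exe
     r"C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe"),
]


def flag_self_deletes(events):
    """Return the parent images whose child deleted them."""
    return [parent for parent, cmdline in events if is_self_delete(parent, cmdline)]


if __name__ == "__main__":
    for parent in flag_self_deletes(EVENTS):
        print("self-delete:", parent, "(8.3 alias", short_name_83(parent) + ")")
```

In production telemetry the same check runs over process-creation events joined to their parent's image path; the 8.3 comparison is what keeps the rule from being bypassed by the short-name spelling the sample uses.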

Network

No network activity was recorded during the 121s network window.

Files

Eleven dropped stages, each with a different hash set; none matches the submitted sample (SHA256 f602d9101b4da30ca8066315414c22a3390a65e61a7b34702897c8fef123a6b6). Each generation therefore differs from its parent, so hash-based blocking will not catch later stages; pivot on the C:\Windows\{GUID}.exe naming pattern and the Active Setup keys instead.

C:\Windows\{6FF47C1C-F189-4657-A2E4-D70AE3191ACA}.exe

MD5 ebd515114a0957c9dfb8b49e01060280
SHA1 5a9d704bdff8322349e879ba191c27e17193cfb8
SHA256 5f2fad15144730b1dbe2698cd9123021b9714734d01bf3f7bb237b3469cd7593
SHA512 b31508b10c803d3c46baf184c459410f11bd2408abe34724f8e355a7283e27d4bbd1c5adb5330a56b9ce44d3ef9fffae658d3318c93fb87b23968e2596be13b7

C:\Windows\{CC6AB27A-73C3-4911-857B-5D9F27C9C0E7}.exe

MD5 40dd50e6bc88e37dc41243c710dcd818
SHA1 5a180deb5c67df65e825210b4970d4204eeb7880
SHA256 405a344eb040d79c8c3274c4f48a67e105e399b537a423888137ae626ebcb4a7
SHA512 4dfc55391ad6c30caf22c63c6344e97f84b3df89a876bedc6c97e52d51f2ba9f7841582763c5ba505c50863c121eaadedf0ae902eae71f69eac2bc4085bac307

C:\Windows\{F6122809-F618-446b-A74D-2744D7E14CE7}.exe

MD5 ead24fda618b7ccfabfcd7485441869d
SHA1 cc5850cf4194e569602a06356f5dfff4326e39ce
SHA256 826fab8c069339959082bfaa0ceadfa5440e018e3e37aef7b292576740749048
SHA512 311e7e14d8b7be37d1e7d0e8aa01de058ea62737b499a00d9bfb15a56bdbe3f15246e335efb9c9cf681d4a98c4482001217c846e7b899dcaeb6f5897a1e19814

C:\Windows\{98CC593E-78D4-4e64-9804-5AD49650E279}.exe

MD5 fe802a036bf328f7febfea297bedb949
SHA1 ccf7dbdfcc5aebc8f17242ae1e819b4d3ff76e72
SHA256 b9d50f7be2b2451839357f77e3326f1f6ef995c1170da37a03207e55bbdfce84
SHA512 435ff1e7b81a9d767f3e4c720ed815a3badbd37944a1e271162ac2af4f17805426eeb53c02b0d45ae67f7b60f7133960f4c5226bbaba0a7592d73204963ad434

C:\Windows\{093FCDE6-2445-45f5-A9F8-D3AF77B37787}.exe

MD5 166136072b4bd1f070316a2cef171575
SHA1 687622300bdd718f3bb1d2a2d3e6335fbc5b3ab1
SHA256 7dc4b898fce134ba04630854f2a2cdf329ced6c0cdaf6cfc312ee838f42a5872
SHA512 cd9e8c94fb09a41411af21cae99983d83a4c70c1c74f6578ae9d776c3a794b4861c0804806d83ca54157193bbde70dc98da1e6d30a988745b2aafd31f56687d0

C:\Windows\{3C56E2D8-AF72-40f7-BCFB-D95F751DD4F5}.exe

MD5 ecfb34f9285c3c71dc88fea921f4a564
SHA1 ddeb3d2ef6acafa753c43539a3dbeed7d7d42500
SHA256 8e903e79b0db962b7bdb079e512371673c63db4fdacabba2d8c4887f5839c8c9
SHA512 80c860ef0df1858b980b70c3ceb23cbbe628ca4232e3c59077fd30623506f72749f099e6cc1bc0d811b1423f4b9a371b33a714cb79728991954573768ff24d84

C:\Windows\{640981C6-D5B3-4da0-93B3-BB51297F6595}.exe

MD5 dd07f60e70f053ad84f4158a2e3e0cd6
SHA1 30c37000520f50600c2b54d4e7cf1121258423ec
SHA256 2203ce3bdaa9bae004791643466aa851963a4d47dd94ed30590883293ac5731f
SHA512 ffa33c29dc4730250444dd5c3a1f2cee612df2c69219bab795941a4ccedf9f5f08eb4c987f97285b8b6746e81bd7a99449ae26b83fe82e9427fd400cdca4ff73

C:\Windows\{B74E8798-0275-44fb-BBB3-3B35CE799324}.exe

MD5 84525e9e2519b1db4f08658c8a87453f
SHA1 f0f5683800b519d51c7d37895d468156d5137e45
SHA256 eb8daf740e3a88a72c49236cbb282587f2b1bd854beab537699c77905408a9ad
SHA512 5df819a9c13cf19e3290dca7f17708a7c4c477e92b45a9d324ffcf0ad8ec35eb1f5918974434e83cca1bbfd015f90b70f4ea9816917d976a8602b7202b567083

C:\Windows\{D3EF8456-B075-4738-8F18-19BC875C88B2}.exe

MD5 80a34a23cb1e3d85083024100d519628
SHA1 901a6c75d8c1ed042ef1272aad5715f0c26e82ee
SHA256 180a6b02d1236f2aafa07a48ed108f4f2714d34079579f2f07feac06eeeca5d6
SHA512 26e9efdf56185e207eb31ccef5410a6e935955cf1fb072020e7bb9b96d64f4bdc50d66e2822aab5d20d9b9f67a8f47037ce6d7b4a7c4f49093b252fb0919190f

C:\Windows\{3001DEAB-CB10-4835-9651-04B98BF02E48}.exe

MD5 683b126a232a9fced854ba9e6c77777c
SHA1 60afadea58ab41def6fb9e9d1776e31f392a2989
SHA256 fcf451bf3f2903dbba1311e8544326fc12acc128077be42ce0f33fd1ed43cff9
SHA512 5e038786c3f405fdcd7cf0b3875294fc83fd7a0215fdaa2b0fc93dbac4fea409e53b263ee1aad31e0888e05f64492b8d17830fcf4e6f06264e4e39a7b7dbc6a8

C:\Windows\{267AE581-375C-42cf-8004-E29FBADC6508}.exe

MD5 b31c67d2f2737eb7f97988b509546417
SHA1 13d9b9d6d639f978a42d59be9b2f1bbf5db2b91f
SHA256 efbf380a93ef05077fb5b41c8d96b77ea54eb197dbde3afd390043a38ca97809
SHA512 4b5bc9c56b2d209fb8b8e0a991e56ee8c7eb006d0d3b815963a14e10d9da0d7be36193894edfef97a6a485d3f02e4cd3e3c09dc537bc7c7e9b3f215fe07d4285

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Same layout as the win7 run: every key is under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\, each component has a "Key created" row and a stubpath row whose value is "C:\\Windows\\{GUID}.exe" for the same GUID, and each process registers the GUID of the stage it is about to drop. The 24 rows are collapsed to one line per component in drop order. None of these GUIDs appears in the win7 run, so the GUIDs are generated at run time and are not usable as static indicators; the C:\Windows\{GUID}.exe naming pattern and the Active Setup key itself are.

Process (registers) -> component GUID, stubpath "C:\\Windows\\{GUID}.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe -> {199A4197-54B8-45ed-B748-9FCA1E81E9DC}
C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe -> {27692E41-CA5A-4161-9A9A-25701F044C48}
C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe -> {68464B4B-958E-414a-8743-01950BBC1CBC}
C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe -> {D861F7AD-DA23-44bb-BB93-81CB07C529BF}
C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe -> {8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}
C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe -> {DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}
C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe -> {383235A2-85CB-4379-B1FA-C92783097B0F}
C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe -> {8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}
C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe -> {4BD9FA70-20F5-4845-9758-8B32523756E3}
C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe -> {EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}
C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe -> {B1575E72-A304-45f0-8258-4A0F1797092D}
C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe -> {CEF8EF88-9C47-429a-936B-E72EC8B154EC}

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe N/A
File created C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe N/A
File created C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe N/A
File created C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe N/A
File created C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe N/A
File created C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe N/A
File created C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe N/A
File created C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe N/A
File created C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe N/A
File created C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe N/A
File created C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe N/A
File created C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe
PID 4340 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe
PID 4340 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe
PID 4340 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 3784 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe
PID 4764 wrote to memory of 3784 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe
PID 4764 wrote to memory of 3784 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe
PID 4764 wrote to memory of 1176 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 1176 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 1176 N/A C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 1084 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe
PID 3784 wrote to memory of 1084 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe
PID 3784 wrote to memory of 1084 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe
PID 3784 wrote to memory of 3888 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 3888 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 3888 N/A C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 2112 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe
PID 1084 wrote to memory of 2112 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe
PID 1084 wrote to memory of 2112 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe
PID 1084 wrote to memory of 3052 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 3052 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 3052 N/A C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1780 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe
PID 2112 wrote to memory of 1780 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe
PID 2112 wrote to memory of 1780 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe
PID 2112 wrote to memory of 2868 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2868 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2868 N/A C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 4360 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe
PID 1780 wrote to memory of 4360 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe
PID 1780 wrote to memory of 4360 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe
PID 1780 wrote to memory of 4364 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 4364 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 4364 N/A C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 4844 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe
PID 4360 wrote to memory of 4844 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe
PID 4360 wrote to memory of 4844 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe
PID 4360 wrote to memory of 1316 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 1316 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 1316 N/A C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2192 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe
PID 4844 wrote to memory of 2192 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe
PID 4844 wrote to memory of 2192 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe
PID 4844 wrote to memory of 2740 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2740 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2740 N/A C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 3520 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe
PID 2192 wrote to memory of 3520 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe
PID 2192 wrote to memory of 3520 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe
PID 2192 wrote to memory of 4388 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4388 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4388 N/A C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 4620 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe
PID 3520 wrote to memory of 4620 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe
PID 3520 wrote to memory of 4620 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe
PID 3520 wrote to memory of 116 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 116 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 116 N/A C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe
PID 4620 wrote to memory of 1548 N/A C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f0e9c96166df89b12ed5c5d3dab1c13f_goldeneye.exe"

C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe

C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe

C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{199A4~1.EXE > nul

C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe

C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27692~1.EXE > nul

C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe

C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68464~1.EXE > nul

C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe

C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D861F~1.EXE > nul

C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe

C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7F5~1.EXE > nul

C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe

C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6E3~1.EXE > nul

C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe

C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38323~1.EXE > nul

C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe

C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8A86C~1.EXE > nul

C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe

C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD9F~1.EXE > nul

C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe

C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EE8F4~1.EXE > nul

C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe

C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1575~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\{199A4197-54B8-45ed-B748-9FCA1E81E9DC}.exe

C:\Windows\{27692E41-CA5A-4161-9A9A-25701F044C48}.exe

C:\Windows\{68464B4B-958E-414a-8743-01950BBC1CBC}.exe

C:\Windows\{D861F7AD-DA23-44bb-BB93-81CB07C529BF}.exe

C:\Windows\{8B7F5CDD-DEE4-46a0-89BE-F109E45BF523}.exe

C:\Windows\{DA6E35A2-F97A-4cb2-B9C6-68303EA8CBC0}.exe

C:\Windows\{383235A2-85CB-4379-B1FA-C92783097B0F}.exe

C:\Windows\{8A86CE2B-7F2A-43d4-B17C-476CCC6217B9}.exe

C:\Windows\{4BD9FA70-20F5-4845-9758-8B32523756E3}.exe

C:\Windows\{EE8F4118-0FE8-4019-8DEE-44FE5F35BA1E}.exe

C:\Windows\{B1575E72-A304-45f0-8258-4A0F1797092D}.exe

C:\Windows\{CEF8EF88-9C47-429a-936B-E72EC8B154EC}.exe