Malware Analysis Report

2024-12-07 12:22

Sample ID 241113-vjhy1avnhs
Target 2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye
SHA256 72b2a84b660df86b6e255558666f6c81ae42eb8981d30bd90cc2d414fd37cdd2
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

72b2a84b660df86b6e255558666f6c81ae42eb8981d30bd90cc2d414fd37cdd2

Threat Level: Likely malicious

The file 2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Persistence: Boot or Logon Autostart Execution: Active Setup (T1547.014)

Discovery: System Location Discovery: System Language Discovery (T1614.001)

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:03

Platform

win7-20240903-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}\stubpath = "C:\\Windows\\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe" C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}\stubpath = "C:\\Windows\\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe" C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}\stubpath = "C:\\Windows\\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe" C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94F6014-2FD8-437e-85F5-EE9496EAEECD} C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1893E4-98DA-411b-8803-FDA4A2823A22}\stubpath = "C:\\Windows\\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe" C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}\stubpath = "C:\\Windows\\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe" C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}\stubpath = "C:\\Windows\\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe" C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4} C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}\stubpath = "C:\\Windows\\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe" C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918} C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE} C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E} C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9} C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}\stubpath = "C:\\Windows\\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85062772-B07A-4fc5-94CC-D4949C2ED1F8} C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980} C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}\stubpath = "C:\\Windows\\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe" C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}\stubpath = "C:\\Windows\\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe" C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}\stubpath = "C:\\Windows\\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe" C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1893E4-98DA-411b-8803-FDA4A2823A22} C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC} C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAFD2AAD-EECA-4eb7-8025-21CD93752061} C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe N/A
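What the table above records is the registration step of Active Setup persistence: each stage creates HKLM\SOFTWARE\...\Active Setup\Installed Components\{GUID} and sets StubPath to the exe it has just dropped. Active Setup runs a component's StubPath once per user at logon, whenever the HKLM component has no matching entry (or a lower Version) under the user's HKCU hive; no logon happens inside the two-minute detonation, so this report shows the registration only, never the StubPath firing. Because the sample is a 32-bit image (note the SysWOW64 cmd.exe in the process list), the registry redirector places its writes under the Wow6432Node view, so a hunt has to read both the native and the Wow6432Node keys. The added detection logic below is not part of this report; it parses rows in the table's own "Set value (str)" layout, takes three rows copied from the table plus one constructed benign row that stands in for an ordinary component install (its GUID, command and writer are made up), and flags a StubPath write only when it carries at least one extra trait seen here: the StubPath names a GUID-named exe sitting directly in the Windows root, the component GUID is reused as that exe's name, or the writer itself is a GUID-named exe in the Windows root or runs from a user's Temp directory. The regex and function names are this example's own.

```python
import re
from typing import List, NamedTuple

# "C:\Windows\{GUID}.exe" sitting directly in the Windows root, the naming
# every stage of this sample uses for the next one.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# StubPath under Active Setup in either the native or the Wow6432Node view.
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(\{[0-9A-F-]+\})\\StubPath$",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Row layout of the report table:  Set value (str) <key> = "<value>" <process> N/A
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<proc>\S+) N/A$')

# Three rows copied from the report table above.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}\stubpath = "C:\\Windows\\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}\stubpath = "C:\\Windows\\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe" C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}\stubpath = "C:\\Windows\\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe" C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A',
]
# Constructed benign row: an installer registering a per-user setup stub
# (GUID, command and writer are illustrative, not taken from any real product).
BENIGN_ROW = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = "C:\\Program Files\\ExampleVendor\\peruser.exe /install" C:\Windows\System32\msiexec.exe N/A'
)


class StubPathWrite(NamedTuple):
    key: str
    stub: str     # StubPath value with the report's doubled backslashes undone
    writer: str   # process that performed the write


def parse_row(row: str) -> StubPathWrite:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a 'Set value (str)' row: {row!r}")
    return StubPathWrite(m["key"], m["value"].replace("\\\\", "\\"), m["proc"])


def reasons_for(w: StubPathWrite) -> List[str]:
    """Traits that make a StubPath write look like this sample's persistence.
    Empty list: the write is not an Active Setup StubPath at all."""
    m = ACTIVE_SETUP_RE.search(w.key)
    if not m:
        return []
    reasons = ["Active Setup StubPath written"]
    if GUID_EXE_RE.match(w.stub):
        reasons.append("StubPath is a GUID-named exe in the Windows root")
        # Every stage here names its exe after the component GUID it registers.
        if w.stub.lower().endswith("\\" + m.group(1).lower() + ".exe"):
            reasons.append("component GUID reused as the exe name")
    if GUID_EXE_RE.match(w.writer) or USER_TEMP_RE.match(w.writer):
        reasons.append("writer is itself a GUID-named exe in the Windows root or runs from user Temp")
    return reasons


def is_suspicious(w: StubPathWrite) -> bool:
    # Legitimate component installs also write StubPath, so demand at least
    # one trait beyond the write itself before alerting.
    return len(reasons_for(w)) >= 2


def suspicious_writes(rows: List[str]) -> List[StubPathWrite]:
    return [w for w in map(parse_row, rows) if is_suspicious(w)]


if __name__ == "__main__":
    for row in SAMPLE_ROWS + [BENIGN_ROW]:
        w = parse_row(row)
        verdict = "ALERT" if is_suspicious(w) else "ok   "
        print(f"{verdict} {w.writer} -> {w.stub}: {reasons_for(w)}")
```

Two caveats when turning this into a live rule: the per-run GUIDs (compare this table with the behavioral2 table further down, where every GUID differs) make the key names useless as indicators, so match on the traits rather than on GUIDs; and on a live host the registry keys outlast the files, since by the end of this run only {6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe is still on disk and ten of the eleven registered StubPaths already point at files the chain deleted, so a StubPath whose target no longer exists is itself worth surfacing.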

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe N/A
File created C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe N/A
File created C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe N/A
File created C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe N/A
File created C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
File created C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe N/A
File created C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe N/A
File created C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe N/A
File created C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A
File created C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A
File created C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Every source/target pair below appears four times in succession in the sandbox output; the repeats are collapsed here. Each target is a process the source had just started, either the exe it dropped or the cmd.exe it used for cleanup. The rows stop at PID 1800; the three later stages listed under Processes have no rows in this table.)
PID 2012 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe
PID 2012 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2860 N/A C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe
PID 2284 wrote to memory of 2912 N/A C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2988 N/A C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe
PID 2860 wrote to memory of 2640 N/A C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2660 N/A C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe
PID 2988 wrote to memory of 2600 N/A C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2656 N/A C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe
PID 2660 wrote to memory of 2180 N/A C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2816 N/A C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe
PID 2656 wrote to memory of 536 N/A C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1800 N/A C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe
PID 2816 wrote to memory of 844 N/A C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 628 N/A C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe
PID 1800 wrote to memory of 2692 N/A C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"

C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe

C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe

C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE1C~1.EXE > nul

C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe

C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61538~1.EXE > nul

C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe

C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{85062~1.EXE > nul

C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe

C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE98~1.EXE > nul

C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe

C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F94F6~1.EXE > nul

C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe

C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{42E4F~1.EXE > nul

C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe

C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CF189~1.EXE > nul

C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe

C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8ED~1.EXE > nul

C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe

C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BAFD2~1.EXE > nul

C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe

C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC86C~1.EXE > nul
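The "Drops file in Windows directory" table and the Processes list above describe one linear chain: each stage writes the next stage as a fresh GUID-named exe in C:\Windows, starts it, and the new stage then runs cmd.exe /c del against the 8.3 short-name alias of the stage that created it (2024-1~1.EXE for the original sample, {4CE1C~1.EXE for {4CE1CEAD-...}.exe, and so on). The sandbox prints the drop rows in no particular order, and the Files section shows that every one of the twelve stage binaries has a different hash, so neither the hashes nor the GUIDs carry over between runs; the shape of the chain is the stable signal. The added script below is not part of this report: it takes the eleven drop rows and the eleven cmd.exe command lines copied from the tables above, reconstructs the stage order from the unordered drop events, derives the 8.3 alias each stage should have deleted, and checks that every stage but the last was removed by its own child. Function names are this example's own, and the 8.3 derivation is a simplification that assumes no stripped characters and no ~1 collisions, as noted in the code.

```python
import re
from typing import Dict, List, Tuple

# (created file, creating process), copied from the "Drops file in Windows
# directory" table above in the order the sandbox listed them.
DROP_ROWS: List[Tuple[str, str]] = [
    (r"C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe", r"C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe"),
    (r"C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe", r"C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe"),
    (r"C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe", r"C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe"),
    (r"C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe", r"C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe"),
    (r"C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe", r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"),
    (r"C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe", r"C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe"),
    (r"C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe", r"C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe"),
    (r"C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe", r"C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe"),
    (r"C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe", r"C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe"),
    (r"C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe", r"C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe"),
    (r"C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe", r"C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe"),
]

# The eleven cmd.exe command lines from the Processes list above, in order.
DEL_CMDLINES: List[str] = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE1C~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{61538~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{85062~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE98~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F94F6~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{42E4F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CF189~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8ED~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BAFD2~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EC86C~1.EXE > nul",
]

# The self-delete shape used by every stage: cmd.exe /c del <path> > nul
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)


def drop_chain(rows: List[Tuple[str, str]]) -> List[str]:
    """Order unordered (child, parent) drop events into the linear stage chain.
    The root is the one creator that is never itself a dropped file."""
    child_of: Dict[str, str] = {}
    for child, parent in rows:
        if parent in child_of:
            raise ValueError(f"{parent} dropped more than one file; not a linear chain")
        child_of[parent] = child
    dropped = {child for child, _ in rows}
    roots = [p for p in child_of if p not in dropped]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in child_of:
        nxt = child_of[chain[-1]]
        if nxt in seen:
            raise ValueError("cycle in drop events")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def expected_short_name(path: str) -> str:
    """8.3 alias Windows generates for a long name: first six characters of the
    stem, '~1', and the upper-cased extension, in the same directory.
    Simplification: assumes the stem has no characters 8.3 generation strips
    or replaces, and that no earlier file already took the '~1' alias."""
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return f"{directory}\\{stem[:6].upper()}~1.{ext.upper()}"


def del_targets(cmdlines: List[str]) -> List[str]:
    return [m["target"] for m in map(DEL_RE.search, cmdlines) if m]


def check_self_delete(chain: List[str], cmdlines: List[str]) -> bool:
    """True when the k-th del removes exactly stage k, i.e. every stage but
    the last is deleted by the child it dropped."""
    return del_targets(cmdlines) == [expected_short_name(p) for p in chain[:-1]]


def surviving_files(chain: List[str], cmdlines: List[str]) -> List[str]:
    deleted = set(del_targets(cmdlines))
    return [p for p in chain if expected_short_name(p) not in deleted]


if __name__ == "__main__":
    chain = drop_chain(DROP_ROWS)
    for depth, p in enumerate(chain):
        print(f"{depth:2d} {p}")
    print("each stage deleted by its child:", check_self_delete(chain, DEL_CMDLINES))
    print("still on disk after the run:", surviving_files(chain, DEL_CMDLINES))
```

Run against the rows from this report, the reconstructed order is the sample, then {4CE1CEAD-...}, {615380AF-...}, {85062772-...}, {6EE984CE-...}, {F94F6014-...}, {42E4F5F5-...}, {CF1893E4-...}, {5E8EDE35-...}, {BAFD2AAD-...}, {EC86CCBE-...}, {6441CF8E-...}, matching the Processes list, and the only stage left on disk is the last one. The same two shapes, a GUID-named exe created in the Windows root and a cmd.exe /c del of a ~1.EXE alias a few seconds later from a process whose own image lives in the Windows root, are what to look for in endpoint telemetry, since the chain in behavioral2 uses entirely different GUIDs.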

Network

N/A

Files

C:\Windows\{4CE1CEAD-7A11-4d43-BBDD-335EC0753918}.exe

MD5 8d557af35f29fb604f2afc788d0f620e
SHA1 e9d3685d9339e3e107bc5f2673571e65af0209ac
SHA256 fd093278512f105cac7b3f5688de69e18b227113818d7aab6551cbc0fbabdb6e
SHA512 e335c98310ac2802dbc5d004e64b991430a0c0eec6f9f3620512ade8847b57539b41148b6e7aecec9535a420d637185b4dc3aa5e5d48a4371ccec909f0f714eb

C:\Windows\{615380AF-3D1B-4a1a-B2E5-92AA838B73BE}.exe

MD5 e4aa70f9c457e13b98f80e900afaf4d0
SHA1 0f40d8b9d21be18af17f2260d19557fc2ebc43d3
SHA256 709b5ac229ea0d0455c6799a6adb4242f46ad6a25cfa627bce89a263ac46b0bd
SHA512 d76016002d4438360ac9533b37a42ba277d41e17ae4644e1cbe3bf776d6828682682622c1975d4367af20af11c3349915c7d01ef90dd6379a2e312693251baf6

C:\Windows\{85062772-B07A-4fc5-94CC-D4949C2ED1F8}.exe

MD5 18855c72f6aa22127d7b95c676d98467
SHA1 e2109f7e6268104014cd00cdcbf31b0aac2aea22
SHA256 dbe4f769cdcdafc4d928e5aa0b8b68d459f6a637ffc32d251388bbc639948def
SHA512 7c83b4edc2f6ae21f6e04912db16528082bdbfb56cede88ff014c5acfa055a40624b393a5b05ee28220afb5d2dbbba04d22c524275cf3422f2f51c9644eb1f8e

C:\Windows\{6EE984CE-8D2D-4eaa-B552-02EE7F5D1980}.exe

MD5 04bf8b8ee62f020845a5603ebfcc325d
SHA1 d9c6b2196bda1b7125c59b11e685d4dca8307c43
SHA256 c8c7ef32ac784467d177e124d2df687a7946fb3c4b8b67516163ce2074324463
SHA512 b49f74146fe3daeeea92bf0182323a13bd6f2efed0eb30e83396da280d05369b9adae4c5c5bcc481a68514952e4f8a56a8e891d1230e3650b5daff7ee3d14245

C:\Windows\{F94F6014-2FD8-437e-85F5-EE9496EAEECD}.exe

MD5 fc9e40b7d75aeaaf88761ba908e8089b
SHA1 2dd5babe15af7ab207f5d0a76a260df157b61046
SHA256 ad42f62bc3b2ad8b1493b922ddcbe8912d691ca67ff3f1f363e57207fbfe5683
SHA512 8d524c9134901df2db30bab4333ed2b1cbdbc1157e825fa39e60d376eb7954416e19f053092a8018bfe71d74b22897b8425f76c1bb0ee3dc48f369e2b292ef46

C:\Windows\{42E4F5F5-E169-4280-BC9B-D65D78FFC21E}.exe

MD5 1824302ba637df1e9ef44e85da7a586f
SHA1 6ced469c051cbba5b018a13db686bf00936e9195
SHA256 a4780f2d45bfd6b230b1f92774499504d00635d57fc1367a0387936eb45620bc
SHA512 296ba0f89205553f80d2dbe7c968404bfed25f375bb8e3d99479a500579fa755acac90a5007d781c0717e2000f61562bedc6a527ad81f19299b76eda94501980

C:\Windows\{CF1893E4-98DA-411b-8803-FDA4A2823A22}.exe

MD5 ecd78515688c086b51312e9c2005c4d9
SHA1 80edd90066dd5940a8fb38166d57efd7b3cecf0f
SHA256 6fae171ff46a799656a0430041d415f7b0e841afef5103e0facad1a98d8b11a2
SHA512 8dccc58018fcd6633b9f35af1adff4f17919756ca02c44e390800101441208f90ddcf657d22d43594e132e9dedb056beedaecd852a2ccf3a3d4bae5f5d29b24b

C:\Windows\{5E8EDE35-429E-43e9-93B7-E5ABA2F06BEC}.exe

MD5 096af8f4459c4fef6e576d51bfa46c0a
SHA1 8b5a81d16f189baac83ec22cefc1ad7a8221cfd8
SHA256 1850a119515f01777885705c80a40bd45cdf4784f7b9d6347173e387e011f17a
SHA512 4cb35ee5b3b510b2d089db99918e181d2b283ccb7961bf555e40081e4d185edc0e59e7408fedf62d7a0aa6946f5890627b1fc7facf84a507ab35b7d8d806326b

C:\Windows\{BAFD2AAD-EECA-4eb7-8025-21CD93752061}.exe

MD5 497fcb46f36c5e8502ae87ad6037ec3b
SHA1 36c895c50b66691dd9dcce04a0c8d1f004dea2ac
SHA256 bb22dcb7e14f57d8df959e2578d597774b811d8beb08936ab7a8987e4ec16714
SHA512 430b95573cbf5671af15b0399d9a36bec7be940192185fb4f3d39031c9cdfef6926c5604f7c66f116e98e94abf786b70f25789298d8818fdedad7e56d0cecb39

C:\Windows\{EC86CCBE-13F6-44d7-9841-7E8E5DD87BE9}.exe

MD5 18126ec24e895b5df79579ae4657e969
SHA1 8834ecb8cd8747ffd089a6d23a205b6f0800f88b
SHA256 9d31fded6d5b1c85fda7743f3b6fc1fd8ebb0f84f0d82bd17a359bd17f2cf27b
SHA512 a08c4edac0dd45a765dda14946adbb3dd8caaae15333eb841e20d476d57c9d9963a3e9b38cf913354bf0386d5013f840d2c99e06039901ff51e9e11007a94e89

C:\Windows\{6441CF8E-4C57-4dd2-96C9-CFCD0490D7F4}.exe

MD5 501d89e1cac2c6bdafb308b72c4b4627
SHA1 4f743c5e3b445c83f52eb84b610918ef162eb24e
SHA256 12613f4e7eeb433288b494ad0495010e8e1a825711b8687aeb5b9b5484caf129
SHA512 027d30581714c1bacc8eb280755b2cded2d896f509c90001164b7000b98106a2bae461bf227392e8c45d5b5453f9e8ebb79ddb76dd9dc124407a1a07c3d934cf

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}\stubpath = "C:\\Windows\\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe" C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}\stubpath = "C:\\Windows\\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe" C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC0306C-F35B-467e-B0EE-232F9D268A2D} C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3178A2-B2F8-428a-BC74-D65D4986895D} C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3178A2-B2F8-428a-BC74-D65D4986895D}\stubpath = "C:\\Windows\\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe" C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62E58AE-7019-4709-8CEA-34E37492BE17}\stubpath = "C:\\Windows\\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe" C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}\stubpath = "C:\\Windows\\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe" C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F46C35-DEF0-4e93-AC46-594F684E264B}\stubpath = "C:\\Windows\\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe" C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DD17C6E-30C6-43a8-99E4-5816C6841B75} C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}\stubpath = "C:\\Windows\\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe" C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24264C4E-4CEF-41ab-B321-BF4A0415D38B} C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F46C35-DEF0-4e93-AC46-594F684E264B} C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BBC482-5272-4328-8346-BDE4F82DB919}\stubpath = "C:\\Windows\\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe" C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010DD0E7-CD97-4bc7-A47C-95330BFC6870} C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}\stubpath = "C:\\Windows\\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe" C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1} C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}\stubpath = "C:\\Windows\\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe" C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB48FFA-93D9-4767-B37A-93998DF7C18F} C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4BBC482-5272-4328-8346-BDE4F82DB919} C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62E58AE-7019-4709-8CEA-34E37492BE17} C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A} C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}\stubpath = "C:\\Windows\\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe" C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E25C532-7B7D-4db0-8810-6FA50B89D028} C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E25C532-7B7D-4db0-8810-6FA50B89D028}\stubpath = "C:\\Windows\\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe N/A
File created C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe N/A
File created C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe N/A
File created C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe N/A
File created C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe N/A
File created C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe N/A
File created C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe N/A
File created C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe N/A
File created C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe N/A
File created C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
File created C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe N/A
File created C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe
PID 3728 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe
PID 3728 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe
PID 3728 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2060 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe
PID 5064 wrote to memory of 2060 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe
PID 5064 wrote to memory of 2060 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe
PID 5064 wrote to memory of 3964 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 3964 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 3964 N/A C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2488 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe
PID 2060 wrote to memory of 2488 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe
PID 2060 wrote to memory of 2488 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe
PID 2060 wrote to memory of 2160 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2160 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2160 N/A C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 4988 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe
PID 2488 wrote to memory of 4988 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe
PID 2488 wrote to memory of 4988 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe
PID 2488 wrote to memory of 1304 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1304 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1304 N/A C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4964 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe
PID 4988 wrote to memory of 4964 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe
PID 4988 wrote to memory of 4964 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe
PID 4988 wrote to memory of 4376 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4376 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4376 N/A C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 2808 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe
PID 4964 wrote to memory of 2808 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe
PID 4964 wrote to memory of 2808 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe
PID 4964 wrote to memory of 1384 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 1384 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 1384 N/A C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4724 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe
PID 2808 wrote to memory of 4724 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe
PID 2808 wrote to memory of 4724 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe
PID 2808 wrote to memory of 4516 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4516 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4516 N/A C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1404 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe
PID 4724 wrote to memory of 1404 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe
PID 4724 wrote to memory of 1404 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe
PID 4724 wrote to memory of 4588 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4588 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4588 N/A C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4468 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe
PID 1404 wrote to memory of 4468 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe
PID 1404 wrote to memory of 4468 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe
PID 1404 wrote to memory of 2936 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2936 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2936 N/A C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 1880 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe
PID 4468 wrote to memory of 1880 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe
PID 4468 wrote to memory of 1880 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe
PID 4468 wrote to memory of 4240 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 4240 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 4240 N/A C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 5096 N/A C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe
PID 1880 wrote to memory of 5096 N/A C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe
PID 1880 wrote to memory of 5096 N/A C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe
PID 1880 wrote to memory of 2196 N/A C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_147420674be0316e9b58a92b4e5b1008_goldeneye.exe"

C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe

C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe

C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8E25C~1.EXE > nul

C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe

C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D62E5~1.EXE > nul

C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe

C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{24264~1.EXE > nul

C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe

C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB48~1.EXE > nul

C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe

C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BBC~1.EXE > nul

C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe

C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{010DD~1.EXE > nul

C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe

C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD4B~1.EXE > nul

C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe

C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07F46~1.EXE > nul

C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe

C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DD17~1.EXE > nul

C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe

C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC03~1.EXE > nul

C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe

C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1BE~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Windows\{8E25C532-7B7D-4db0-8810-6FA50B89D028}.exe

MD5 82472e526a8d788e6b495be916bab0b2
SHA1 a6e5b39815d7a73ce9b7dd5b4ca31a4e865a5d9f
SHA256 a16ee6d7dd24ca49d5aad65fca20a5384532b61d2b86a807da953e08579eafaa
SHA512 f12386fb167d44ec197d9676b779b38d7d7d66a5605ecc22bcbc6b8c2bf5127bb97894623cc33ae89d8c7c2b99862d5e06db53833f6606dbeedff564dce70d22

C:\Windows\{D62E58AE-7019-4709-8CEA-34E37492BE17}.exe

MD5 7db6df032c7004bdda5858d66606fa8f
SHA1 c14538f25221de846fb8049a1779e7f5be76872e
SHA256 ffca67f84bb292c4416102ea9293ec8fc093c61cd8b7768cd2f76c0bdb07d029
SHA512 38b015dc9e32729b4f23ce094cdce4f1387f3c84a5449c2a9537c39329c87fcf010352b5f80bc42ebeaf1a7beacc84046bcefd9af4893becfae1e3365cf534a5

C:\Windows\{24264C4E-4CEF-41ab-B321-BF4A0415D38B}.exe

MD5 55f9be7458e47d50134135a26fc65c0d
SHA1 b0746d1df5e3caec1f7016b8e7c49bbd00e39ab2
SHA256 57115ae3e26ab12b0605128bad380634a359130c0c373002a899910f0e19ae0c
SHA512 bfdb52f4ab4ac033ade9ddb31de6d56c470739e1eeb4e557110a203ff2d3239b8eb7719d73f3d6fc550c2f18a7a4ffb420320c040b5c854040d3512b89ed370e

C:\Windows\{2AB48FFA-93D9-4767-B37A-93998DF7C18F}.exe

MD5 df1bdaee5b8071eb1778828ce139d6be
SHA1 0169987fc2ecb7e36a35d6b43162ffc54a3586b8
SHA256 cc0521a328e62c1f081f578a73add41dd40edf10ef02f56dabf3a8f394d5c111
SHA512 bf3874651c04ce5de113a3ba132d92f371fcc9e6da50c42a1ee25aa65c7975004546d8e1927d4d8b1ac4cbd327d64dabd97501beca2357537117277fc11d9728

C:\Windows\{C4BBC482-5272-4328-8346-BDE4F82DB919}.exe

MD5 b9a142713e2461656a1d51db4292bf8c
SHA1 1b45d8dd54e94b577f7332c4b646236110ba4c44
SHA256 df3869da2165447a112efce64e9ca87209b9e82a27babc2ae2b3b911fd628cf8
SHA512 ee2837a890e4e0425e2798b1c82702f28aa68e662583de7b4115b1498114970d5e83b994d5c1e195a80b948256a97dcf6231c58d03f0c909e848a3c2cd438656

C:\Windows\{010DD0E7-CD97-4bc7-A47C-95330BFC6870}.exe

MD5 5f52ccd46e44a1a9421181ed84d84935
SHA1 be1f3ccf43efcb926e243ada02c0fe8d378c367a
SHA256 86b522e9335a818389e2f5eb7936c12fde0828cec6b981c5cc4acb27856df465
SHA512 382b55c2e861d27e8d03922776eeb60087fba557f3b2b2a2316a7b1ac7e4015a711a2fc12d67c8e4c699b92bb20df8280b55f29b393e69602e62a172e1721d9a

C:\Windows\{4BD4B631-6CC4-47e9-AFA3-1667826B0FD1}.exe

MD5 dff9221b67990a2ab3222821083ad751
SHA1 7d4b687d852d02cd236f11caf3bd27927965fb4a
SHA256 5e108754eff515b3ab40fa998d0f146bad05b8ba2d976ce56855a0c4f2e7fcaf
SHA512 72519924239e23522551fd5ab79724a723fede60ac20374ac789f8472e6178e4d5c776bbda33ac16dbc8ad47e6c5625b5269814032916752774f3a8e8fd4f389

C:\Windows\{07F46C35-DEF0-4e93-AC46-594F684E264B}.exe

MD5 883d4ee4acce2fb01bbe0f5e0dd89d93
SHA1 b64c1fc8f1a21878388673070b59df0c944b5f37
SHA256 1f34213209a4c93fc9c87d2dd08ecdadfeb3c61a6edd591ee1a01cef19689dda
SHA512 0a123163fc2610f407a1c417f92933ae3e17b3594e8983bb77db833ceacf78ad299ece7ed7134ca3d3ea4dde56c813c427930e6313cc0d7f277a0f25ad4e908b

C:\Windows\{3DD17C6E-30C6-43a8-99E4-5816C6841B75}.exe

MD5 c4dee37caf85b43d0d97d38c2eddba6b
SHA1 41aed659f189284cf861b1277deec6bb6eedc325
SHA256 a7ae1eac045e3bb678bee3ea537f59b8f1142f212b2689326b37de0aacc6f4d1
SHA512 9644c9acb1c021b32923a6aa3562a74f494dc9e3fc866b4e2d5a954f59e29a6c3d0ce3ea77bdc11eac6582e00aa88ead239382ea4b7e8beb44edf600fce127b8

C:\Windows\{EDC0306C-F35B-467e-B0EE-232F9D268A2D}.exe

MD5 b8520f416a6138cc6d680b3b9cc0f378
SHA1 c3ec898d7bdfd4cf681283f1fa8b62c1d8b5ea00
SHA256 4b166cd214bb099982572e72bd6c450da4c0c79cc2675b00de7f671b4f0d710d
SHA512 4ceac8097792bf76a3051726ade86d18b7c56a702fbc4385019f74083efbfb8668b1306f58a4bb95c2341466521ddc8a0d8b12123fc015ce5ff707f29af1b016

C:\Windows\{DE1BE9A0-73CB-4c2e-93A8-C47AA3267E4A}.exe

MD5 ffe3748d31768bef0b08edcb5bacb7c6
SHA1 e72c37677f5af1d4be1b4c170ca2e83cdd68e89f
SHA256 138030c51441a8459cea23920c52e3881080f57b5898dbbc371fe5a27e3961d8
SHA512 6462ff626ba18dd208c34582b7282bbfd2180fff9b178d1cf03a23de805c44e669694d8b2a013e0d868ae8141af4e31d54a29b9a0afdeba4d4eb4875b137d6fc

C:\Windows\{8B3178A2-B2F8-428a-BC74-D65D4986895D}.exe

MD5 24a03f635e7e3ac94174dd7f1142becd
SHA1 bbf778066317ca200267c4437f281c62cc740762
SHA256 b5fcba7b6277f0fd08879168f7e53fb54eb02dfdca0026dce13caca4c2784f31
SHA512 5abc80e9dcefaa15f22e6616fa5905391859fffc7f3e0e830250572cb874a5e35bcafa472505bdf3115ea9863ea4344f1829cb6a47638ec3000f5f7a5ff91574