Malware Analysis Report

2024-12-07 12:01

Sample ID 241113-vjnjgswdlk
Target 2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye
SHA256 f6cb08b1b962653e519b0c00359779f923105999334b45e5e1eff001cb447a8d
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f6cb08b1b962653e519b0c00359779f923105999334b45e5e1eff001cb447a8d

Threat Level: Likely malicious

The file 2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:03

Platform

win7-20241010-en

Max time kernel

144s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973E1756-05B4-44be-BD1B-99BD59EE1E11} C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6C9A84-311A-4c6b-9870-B6714100BBC2} C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6265BA-5C34-4116-93D1-619ED791E476} C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}\stubpath = "C:\\Windows\\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe" C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933D4D93-9CF9-486d-85AF-5EE54BBB341E} C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E452A98-9E37-41ed-872C-112B610E86FB} C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}\stubpath = "C:\\Windows\\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe" C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E452A98-9E37-41ed-872C-112B610E86FB}\stubpath = "C:\\Windows\\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe" C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}\stubpath = "C:\\Windows\\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe" C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}\stubpath = "C:\\Windows\\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe" C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}\stubpath = "C:\\Windows\\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5} C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53} C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973E1756-05B4-44be-BD1B-99BD59EE1E11}\stubpath = "C:\\Windows\\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe" C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5} C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609C0694-2563-4cd7-B21A-7C988DF0BE5D} C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}\stubpath = "C:\\Windows\\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe" C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}\stubpath = "C:\\Windows\\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe" C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6265BA-5C34-4116-93D1-619ED791E476}\stubpath = "C:\\Windows\\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe" C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C} C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD} C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}\stubpath = "C:\\Windows\\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe" C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
File created C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe N/A
File created C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe N/A
File created C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe N/A
File created C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe N/A
File created C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe N/A
File created C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe N/A
File created C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe N/A
File created C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe N/A
File created C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe N/A
File created C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe
PID 1840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe
PID 1840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe
PID 1840 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe
PID 1840 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2856 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe
PID 1948 wrote to memory of 2856 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe
PID 1948 wrote to memory of 2856 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe
PID 1948 wrote to memory of 2856 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe
PID 1948 wrote to memory of 2752 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2752 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2752 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2752 N/A C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2848 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe
PID 2856 wrote to memory of 2848 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe
PID 2856 wrote to memory of 2848 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe
PID 2856 wrote to memory of 2848 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2892 N/A C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe
PID 2848 wrote to memory of 2612 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2612 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2612 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2612 N/A C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1928 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe
PID 2592 wrote to memory of 1928 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe
PID 2592 wrote to memory of 1928 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe
PID 2592 wrote to memory of 1928 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe
PID 2592 wrote to memory of 1244 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1244 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1244 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1244 N/A C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 3000 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe
PID 1928 wrote to memory of 3000 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe
PID 1928 wrote to memory of 3000 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe
PID 1928 wrote to memory of 3000 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe
PID 1928 wrote to memory of 2784 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2784 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2784 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2784 N/A C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 520 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe
PID 3000 wrote to memory of 520 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe
PID 3000 wrote to memory of 520 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe
PID 3000 wrote to memory of 520 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe
PID 3000 wrote to memory of 2932 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2932 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2932 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2932 N/A C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 520 wrote to memory of 896 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe
PID 520 wrote to memory of 896 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe
PID 520 wrote to memory of 896 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe
PID 520 wrote to memory of 896 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe
PID 520 wrote to memory of 2020 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\SysWOW64\cmd.exe
PID 520 wrote to memory of 2020 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\SysWOW64\cmd.exe
PID 520 wrote to memory of 2020 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\SysWOW64\cmd.exe
PID 520 wrote to memory of 2020 N/A C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe"

C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe

C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe

C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{609C0~1.EXE > nul

C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe

C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F20C6~1.EXE > nul

C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe

C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{261C4~1.EXE > nul

C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe

C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D1CE7~1.EXE > nul

C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe

C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{933D4~1.EXE > nul

C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe

C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8E452~1.EXE > nul

C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe

C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{973E1~1.EXE > nul

C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe

C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AE2~1.EXE > nul

C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe

C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0C6C9~1.EXE > nul

C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe

C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5758E~1.EXE > nul

Network

N/A

Files

C:\Windows\{609C0694-2563-4cd7-B21A-7C988DF0BE5D}.exe

MD5 eb2ea0418bd121f6625242e838088212
SHA1 31b6ccf60e0589415ef2c92b432f18fe18d3bcaa
SHA256 13884e146695ae55e82e8b9618810b914342a88be0138fd3b0e799565f958184
SHA512 1a75222c6cd242a322075257eafc9c4f0dd30051dc0ad3039d480c92f652ae72240ae7933343b810a944c9588f46db930e57c92b82fef2687b8d2a5e69904cbe

C:\Windows\{F20C6DC4-B79E-440e-ACFA-EE871E4B10D5}.exe

MD5 1a5efad944dd2e2dd58ee29ce91c105a
SHA1 d517c6547f463cec9becf8e22a9c719f5fa3f114
SHA256 589923d70829b72fedf406efec6d1e506f7cbab1c414dccbc23f1e0f13b19a19
SHA512 22c97e671849d5fc3805ce6cdf1c4ac475fcbf2006d0f9b53c66577b054b16c7b466838eb083603b16baea1d84239923a37416c6a6d9655297ec9506e06645da

C:\Windows\{261C44D1-9FAB-4bcf-A322-7D2EFA9F443C}.exe

MD5 c7775e16d5375821d3609691ed9165fa
SHA1 50c05a7a319606d6b0a2606d266fb4f16af764cb
SHA256 276b0d523bee667095e49569258d16d567fd2b4e3f6527de30689dc760117028
SHA512 2a5daa267916afd3a1b129d8aabf5e7e8b5dce719b500ca824933fb0b3ccdfc942a506f8ff34ca3832a589f3c419601dbd34e3bb7f4cfa642505f9d691c7c7f9

C:\Windows\{D1CE7350-3F37-4060-B099-8BE7CF9DBE53}.exe

MD5 8d16c2d119f5c56587da75fe8278aa1c
SHA1 0c78b14492f678d2dfb441b0d246276186629468
SHA256 89d9fd280eaf518008de82df2e98996fc411668bcc2391c7aabb0c77588afb21
SHA512 35a8af73ac17bd2a32f637d5d94c49d2be4097f8a41a587bdffdc1b367edcc507de9a9d46f65fa4e86f0c0f45249aaa0dfe1351059b0ff5124d2bebc6ab619a5

C:\Windows\{933D4D93-9CF9-486d-85AF-5EE54BBB341E}.exe

MD5 4b4c60dc5684dc8f785dc7e13e900a90
SHA1 5a0c0447b3fa71cfbde6a658e3c8a06b5cfb6d45
SHA256 32f81b5fa6877534a9f6eff6c0c74c9c5e5040793a142fcfff056eead261049c
SHA512 71f7901746dc04f079378dacc26d3bf8181a9146ed5c7b6041306ff7bb75fbd05e235b3c0db52f933a2b2db78fcfed0cf97259d8bde206aa09151d4c5b156b96

C:\Windows\{8E452A98-9E37-41ed-872C-112B610E86FB}.exe

MD5 1afe872026dc006d366d6b5bfc8b5b0a
SHA1 9133a181a1ee409a49ef30e72b00748175149dc6
SHA256 de348b75369314c050578925785b44ebd760ac67dc316c67c11b46f69230a33f
SHA512 add108e797e91aa49b13c7d229f5ccf0da9714381163bbeb0493bd54acd51dfc2e21c46461cfda691798f9a35be37c2aaefad16800af6a28dedc53743664d2de

C:\Windows\{973E1756-05B4-44be-BD1B-99BD59EE1E11}.exe

MD5 0694b40b7790cd2b7ef0dc2e41f880df
SHA1 e8b08549ff84f4645905cc059b103e57c1e208b6
SHA256 74014c99e2bae913424bd13ed92e040262911f1c98c8a19f51a32381f23ed9f4
SHA512 ada8f3e9e583a2a9c5f202c0a556d92bc04dda1ad1cf8ebdce4fdcafce6cd06378009e0f3417152acc752467bbf35f213dd18e2117116bd7f57ea742a0faf220

C:\Windows\{E7AE2B9D-3D15-4a26-97E4-0A97754CB8CD}.exe

MD5 88bf2bc78d840bbda79fe89c563d6dce
SHA1 67ff7b3eb6863691180a2e7fc33c62eba61b5444
SHA256 a80720e770107a3e59b9fccc4458e3ac086516dec6bd0d28288e7bbcaa8d2da7
SHA512 111a44993e6b41678c96ce1d4991e7d26ef894d994df46a0892d43c443cd8c30870b04d31101fadcf249f2fd85ff73fbe07be7ff80ea15387bd0506b4d10d110

C:\Windows\{0C6C9A84-311A-4c6b-9870-B6714100BBC2}.exe

MD5 1ad7e83025282e967465a719b52680c8
SHA1 90fd44e68da6563796f5a96b969a8b29ea4bfd38
SHA256 6d5beac7c5b9d986811b8da505a48eaee13c85219afa8d24c5d5a26b4c0cb3e8
SHA512 264d839cfbd9ddf15c2102a1b8c239cc10708705120c9d839b2383930349b78c4424ad7a0c94a35368fb6c3f415e15d1d5b9274f8d56567c5ac914ef65de0106

C:\Windows\{5758E1BC-E378-4de9-B661-8BD00EA7AEF5}.exe

MD5 6f602232b0490736e3b935be0f234d4f
SHA1 74487507fa7181f48885b931f6a38a05c54f1e13
SHA256 ca20731f91fbdc7e33c717761ea82bb1a1d87b0b2513bef086602e89feafdca8
SHA512 ab1ce372452edf7ba0f3bf47b758e45beb168cf4aeeb8bfd475b4f119b9647157ac6ae8eb0a62d3a5ea5188d1a5e7550a6212350282aaa9fbe7b1ee16d96355b

C:\Windows\{8C6265BA-5C34-4116-93D1-619ED791E476}.exe

MD5 69fc628fb773c91357163f943295e7b7
SHA1 100fd54b5daaddf243e632258d781d95b208a303
SHA256 0b5426c2cc1ca719000d7bfeabf07b37048c6db93a5ceaa4c4db0a97f331d8de
SHA512 90847c641b7dc1678e0781380038c00da9c634bb7add00d71e65c6502bc42d8851abee548bd159463544e259a7fd8e47737aa305c6d33b8da63fd4e82680e0c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:01

Reported

2024-11-13 17:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}\stubpath = "C:\\Windows\\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe" C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5} C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}\stubpath = "C:\\Windows\\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe" C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}\stubpath = "C:\\Windows\\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe" C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A447D4-5F84-49cb-9777-4C800DD53B1D}\stubpath = "C:\\Windows\\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe" C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF} C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}\stubpath = "C:\\Windows\\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe" C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF0480D-606F-453c-8DBB-F5113E1BE326} C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E144AC-EB33-402d-9494-2AC9727FBBD5} C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}\stubpath = "C:\\Windows\\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe" C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E} C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B8F8D7-819F-495d-99FF-1AF8C025846E} C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B8F8D7-819F-495d-99FF-1AF8C025846E}\stubpath = "C:\\Windows\\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe" C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E144AC-EB33-402d-9494-2AC9727FBBD5}\stubpath = "C:\\Windows\\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe" C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267} C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14} C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5} C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF0480D-606F-453c-8DBB-F5113E1BE326}\stubpath = "C:\\Windows\\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}\stubpath = "C:\\Windows\\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe" C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}\stubpath = "C:\\Windows\\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe" C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F} C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}\stubpath = "C:\\Windows\\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe" C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A447D4-5F84-49cb-9777-4C800DD53B1D} C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69} C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe N/A
File created C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe N/A
File created C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe N/A
File created C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe N/A
File created C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe N/A
File created C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe N/A
File created C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe N/A
File created C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe N/A
File created C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe N/A
File created C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe N/A
File created C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe N/A
File created C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe
PID 1036 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 3532 N/A C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe
PID 2172 wrote to memory of 2768 N/A C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 5100 N/A C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe
PID 3532 wrote to memory of 3008 N/A C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 5080 N/A C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe
PID 5100 wrote to memory of 5092 N/A C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 1612 N/A C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe
PID 5080 wrote to memory of 2512 N/A C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 2012 N/A C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe
PID 1612 wrote to memory of 468 N/A C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 4612 N/A C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe
PID 2012 wrote to memory of 4052 N/A C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 1616 N/A C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe
PID 4612 wrote to memory of 4144 N/A C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1316 N/A C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe
PID 1616 wrote to memory of 4068 N/A C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 528 N/A C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe
PID 1316 wrote to memory of 2520 N/A C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1140 N/A C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe
PID 528 wrote to memory of 2428 N/A C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_80a45e5b3e01f81685d7f696b20e9f40_goldeneye.exe"

C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe

C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe

C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF04~1.EXE > nul

C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe

C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{54D9B~1.EXE > nul

C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe

C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{61B8F~1.EXE > nul

C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe

C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DB202~1.EXE > nul

C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe

C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{90E14~1.EXE > nul

C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe

C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BCA~1.EXE > nul

C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe

C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC479~1.EXE > nul

C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe

C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{47F3D~1.EXE > nul

C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe

C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7D1~1.EXE > nul

C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe

C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51A44~1.EXE > nul

C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe

C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D58E1~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\{3EF0480D-606F-453c-8DBB-F5113E1BE326}.exe

C:\Windows\{54D9BA14-2DBE-49bb-A1B4-1C4FDF784D69}.exe

C:\Windows\{61B8F8D7-819F-495d-99FF-1AF8C025846E}.exe

C:\Windows\{DB202BDD-3C1D-4c6a-B8D7-AE106D36850E}.exe

C:\Windows\{90E144AC-EB33-402d-9494-2AC9727FBBD5}.exe

C:\Windows\{E6BCA7B1-C9EB-476b-8C1D-8E6EDCA5EAD5}.exe

C:\Windows\{FC479457-6DC9-42fa-9D5D-EE9D0704F91F}.exe

C:\Windows\{47F3DC0D-A1E6-416b-9EFC-6AA76E000267}.exe

C:\Windows\{8D7D1AB0-60FC-4645-AEC8-C758FD459F14}.exe

C:\Windows\{51A447D4-5F84-49cb-9777-4C800DD53B1D}.exe

C:\Windows\{D58E12F8-BEAE-40eb-8146-3FB269ADB3FF}.exe

C:\Windows\{B981E8D5-E5CC-4aa2-A825-E0D9EEFF34C5}.exe