Malware Analysis Report

2024-12-07 12:26

Sample ID 241113-vjshfawdll
Target 2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye
SHA256 017afeeb4ce6789eb3ce1f048e09a8f579627e73e43157b2d7653ac448082126
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 017afeeb4ce6789eb3ce1f048e09a8f579627e73e43157b2d7653ac448082126
Threat Level: Likely malicious

The file 2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye was found to be: Likely malicious.

Both detonations show the same loop. The sample writes a new executable named {GUID}.exe directly into C:\Windows, creates an Active Setup component with the same GUID under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components with its stubpath set to that file, starts it, and then runs cmd.exe /c del against its own image. Every dropped stage repeats the cycle with a fresh GUID (11 stages in the Windows 7 run, 12 registered in the Windows 10 run), and every dropped file has a different hash. Windows runs a component's stubpath once per user at logon, whenever that user's HKCU copy of the Installed Components key lacks the component, which is what turns the chain into persistence; the hash and file-name indicators, by contrast, change from run to run. No network activity was recorded in the Windows 7 run; the Windows 10 run's Processes, Network and Files sections are not part of the captured report.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Persistence: T1547.014 Boot or Logon Autostart Execution: Active Setup
Discovery: T1614.001 System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:01

Signatures

Unsigned PE

The submitted PE carries no Authenticode signature. This is a property of the file itself rather than of any process, so the per-process Description, Indicator, Process and Target fields are all N/A.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:04
Platform: win7-20241010-en
Max time kernel: 144s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Every row lives under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\, abbreviated <AS> below; the Wow6432Node view is where registry redirection sends a 32-bit process that writes to HKLM\SOFTWARE. Each stage registers the stage it is about to drop: it creates <AS>\{child} and sets <AS>\{child}\stubpath to the child's path, so the component GUID and the file name are always the same GUID. Target was N/A in every row and is omitted; rows are ordered by stage.

Description | Indicator | Process
Key created | <AS>\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
Set value (str) | <AS>\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}\stubpath = "C:\\Windows\\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
Key created | <AS>\{2BE36818-BDE5-4dc1-9879-29048ACB2545} | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
Set value (str) | <AS>\{2BE36818-BDE5-4dc1-9879-29048ACB2545}\stubpath = "C:\\Windows\\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe" | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
Key created | <AS>\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD} | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
Set value (str) | <AS>\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}\stubpath = "C:\\Windows\\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe" | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
Key created | <AS>\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315} | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
Set value (str) | <AS>\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}\stubpath = "C:\\Windows\\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe" | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
Key created | <AS>\{873BDB15-F50B-4d86-8E81-13979B67472D} | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
Set value (str) | <AS>\{873BDB15-F50B-4d86-8E81-13979B67472D}\stubpath = "C:\\Windows\\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe" | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
Key created | <AS>\{FDDE664C-865C-49a8-BDF5-50B930A402B9} | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
Set value (str) | <AS>\{FDDE664C-865C-49a8-BDF5-50B930A402B9}\stubpath = "C:\\Windows\\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe" | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
Key created | <AS>\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D} | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
Set value (str) | <AS>\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}\stubpath = "C:\\Windows\\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe" | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
Key created | <AS>\{2803213E-7283-43e6-90C4-FA0418D7699F} | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
Set value (str) | <AS>\{2803213E-7283-43e6-90C4-FA0418D7699F}\stubpath = "C:\\Windows\\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe" | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
Key created | <AS>\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D} | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
Set value (str) | <AS>\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}\stubpath = "C:\\Windows\\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe" | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
Key created | <AS>\{00DF3AF2-91A6-4fbd-812B-14C81693E812} | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
Set value (str) | <AS>\{00DF3AF2-91A6-4fbd-812B-14C81693E812}\stubpath = "C:\\Windows\\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe" | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
Key created | <AS>\{889D4BB4-5A2F-441c-9808-C3AA69EF604E} | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
Set value (str) | <AS>\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}\stubpath = "C:\\Windows\\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe" | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
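
Hunting for this persistence on a live host comes down to inspecting the Installed Components key for stubs that look like the rows above. The script below is an added example for this report, not code from the sandbox or from the sample: it parses the text of a `reg export` of that key and flags components whose stubpath is a GUID-named executable sitting directly in the Windows directory under a component of the same GUID. Offline it runs on a constructed dump built from two of the rows above plus one made-up benign entry (the zero-filled GUID, `example.exe` and the file name `out.reg` are all hypothetical).

```python
"""Flag Active Setup components registered the way this sample registers
its stages. Added example for this report, not sandbox or sample code.
Input is the text of a `reg export` of the Installed Components key
(reg export writes a UTF-16 file; it is decoded with encoding="utf-16").
Without a file argument the constructed SAMPLE_REG below is analysed."""
import re
import sys
from pathlib import PureWindowsPath

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)+")=(.*)$')

# Constructed .reg dump: two stages copied from the rows above plus one benign
# entry whose GUID and stub are made up for contrast. A real dump comes from:
#   reg export "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" out.reg
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}]
"stubpath"="C:\\Windows\\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE36818-BDE5-4dc1-9879-29048ACB2545}]
"stubpath"="C:\\Windows\\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
@="Example component (constructed, benign)"
"StubPath"="C:\\Windows\\System32\\example.exe /setup"
"IsInstalled"=dword:00000001
'''


def _unescape(s):
    """Undo .reg string escaping: a doubled backslash and a backslash-quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} keeping only string ("...") values;
    dword:/hex: data is skipped because StubPath is always REG_SZ."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def suspicious_components(keys):
    """Report components whose stub (a) sits directly in the Windows directory,
    (b) is a GUID-named executable, (c) carries the same name as the component
    key. Two of the three is enough to report; the sample's entries hit all three.
    Value names are compared case-insensitively, as the registry does."""
    hits = []
    for key, values in keys.items():
        component = key.rsplit("\\", 1)[-1]
        stub = next((v for n, v in values.items() if n.lower() == "stubpath"), None)
        if not stub:
            continue
        # strip arguments: a quoted program path, or everything after the first space
        exe = stub[1:].split('"', 1)[0] if stub.startswith('"') else stub.split(" ", 1)[0]
        p = PureWindowsPath(exe)
        reasons = []
        if p.anchor and p.parent.name.lower() == "windows" and p.parent.parent == PureWindowsPath(p.anchor):
            reasons.append("stub directly in the Windows directory")
        if GUID_RE.match(p.stem):
            reasons.append("GUID-named executable")
        if p.stem.lower() == component.lower():
            reasons.append("component name equals stub file name")
        if len(reasons) >= 2:
            hits.append((component, exe, reasons))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for component, exe, reasons in suspicious_components(parse_reg_export(text)):
        print(f"{component} -> {exe} [{'; '.join(reasons)}]")
```

On a host, export both registry views (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the Wow6432Node path) and run the script on each file. A hit is a lead rather than a verdict, but legitimate components normally point their StubPath into System32 or an application directory, not at a bare GUID in C:\Windows. Removing the component key stops the stubpath from being run at future logons; users who have already logged on also carry a copy of the component under their HKCU Installed Components key.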

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

The deletion is carried out by the cmd.exe /c del ... > nul commands listed under Processes. Each stage, the submitted sample included, starts the next stage and then starts cmd.exe to delete its own image, referring to it by its 8.3 short name (2024-1~1.EXE for the sample, {9ADA5~1.EXE for {9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe, and so on). The WriteProcessMemory table confirms the parentage for the first eight stages: each stage writes into exactly one next-stage process and one cmd.exe.

Drops file in Windows directory

Target was N/A in every row and is omitted. Each stage writes exactly one file, the next stage, straight into C:\Windows; rows are ordered by stage.

Description | Indicator | Process
File created | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
File created | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
File created | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
File created | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
File created | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
File created | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
File created | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
File created | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
File created | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
File created | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
File created | C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe

System Location Discovery: System Language Discovery

discovery

Every process in the chain, cmd.exe included, opened the same key; the Indicator in each row is \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language and Target was N/A. Because the eleven cmd.exe instances trigger the signature as well, it most likely reflects locale initialisation at process start rather than a deliberate language check, and should not be read on its own as evidence of geofencing. Rows are ordered by stage; the identical cmd.exe rows are collapsed with a count.

Description | Process | Rows
Key opened | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe | 1
Key opened | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | 1
Key opened | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | 1
Key opened | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | 1
Key opened | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | 1
Key opened | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | 1
Key opened | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | 1
Key opened | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | 1
Key opened | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe | 1
Key opened | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe | 1
Key opened | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe | 1
Key opened | C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe | 1
Key opened | C:\Windows\SysWOW64\cmd.exe | 11 (one instance per stage)

Suspicious use of AdjustPrivilegeToken

Every stage except the last, {889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe, enabled the same privilege; Indicator and Target were N/A in every row. SeIncBasePriorityPrivilege ("Increase scheduling priority") only permits raising process or thread priority; it is granted to Administrators by default and does not by itself widen access, so this is a behavioural fingerprint of the sample rather than privilege escalation.

Description | Process
Token: SeIncBasePriorityPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
Token: SeIncBasePriorityPrivilege | C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe

Suspicious use of WriteProcessMemory

The Indicator was N/A in every row and is omitted. Each parent made four writes into each child it started; the four identical rows per parent/child pair are collapsed below with a count. Every target is a process the writer had just created (the next stage or its own cmd.exe deleter) and no write goes into a pre-existing or unrelated process, which is consistent with ordinary process start-up rather than with injection into another program. The report's listing stops after the {4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D} stage; the Processes list shows the chain continued. <sample> stands for C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe.

Description | Process | Target
PID 2860 wrote to memory of 3020 (4 writes) | <sample> | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
PID 2860 wrote to memory of 2844 (4 writes) | <sample> | C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2800 (4 writes) | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
PID 3020 wrote to memory of 1780 (4 writes) | C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2112 (4 writes) | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
PID 2800 wrote to memory of 2168 (4 writes) | C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2676 (4 writes) | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
PID 2112 wrote to memory of 2336 (4 writes) | C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 772 (4 writes) | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
PID 2676 wrote to memory of 2268 (4 writes) | C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe | C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 2920 (4 writes) | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
PID 772 wrote to memory of 1664 (4 writes) | C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1632 (4 writes) | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
PID 2920 wrote to memory of 576 (4 writes) | C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2464 (4 writes) | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
PID 1632 wrote to memory of 832 (4 writes) | C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

One entry per process: image path, then command line, in the report's original order. PIDs are taken from the WriteProcessMemory table (parent and child); cmd.exe PIDs are matched to del targets on the basis, visible in that table, that each stage starts exactly one cmd.exe. Processes after the {2803213E-7283-43e6-90C4-FA0418D7699F} stage have no PID in the report. The 32-bit stages ask for C:\Windows\system32\cmd.exe and WOW64 file-system redirection starts C:\Windows\SysWOW64\cmd.exe instead, which is why image and command line differ. Stage 11 has no deleter and no registry or file activity of its own in the report.

PID 2860 (submitted sample)
C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"

PID 3020, parent 2860 (stage 1)
C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe
C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe

PID 2844, parent 2860 (deletes the submitted sample)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

PID 2800, parent 3020 (stage 2)
C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe
C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe

PID 1780, parent 3020 (deletes stage 1)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9ADA5~1.EXE > nul

PID 2112, parent 2800 (stage 3)
C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe
C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe

PID 2168, parent 2800 (deletes stage 2)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE36~1.EXE > nul

PID 2676, parent 2112 (stage 4)
C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe
C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe

PID 2336, parent 2112 (deletes stage 3)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CAC~1.EXE > nul

PID 772, parent 2676 (stage 5)
C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe
C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe

PID 2268, parent 2676 (deletes stage 4)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B68~1.EXE > nul

PID 2920, parent 772 (stage 6)
C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe
C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe

PID 1664, parent 772 (deletes stage 5)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{873BD~1.EXE > nul

PID 1632, parent 2920 (stage 7)
C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe
C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe

PID 576, parent 2920 (deletes stage 6)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FDDE6~1.EXE > nul

PID 2464, parent 1632 (stage 8)
C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe
C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe

PID 832, parent 1632 (deletes stage 7)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C85C~1.EXE > nul

Stage 9 (PID not listed)
C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe
C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe

Deletes stage 8 (PID not listed)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28032~1.EXE > nul

Stage 10 (PID not listed)
C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe
C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe

Deletes stage 9 (PID not listed)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E98D~1.EXE > nul

Stage 11 (PID not listed)
C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe
C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe

Deletes stage 10 (PID not listed)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00DF3~1.EXE > nul
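
The Processes list above is what a process-creation log (Sysmon Event ID 1 or an EDR's equivalent) would contain on a victim host, so the pattern can be turned into detection logic. The script below is an added example for this report, not sandbox or sample code: over a constructed set of events shaped like Sysmon fields (ProcessId, ParentProcessId, Image, CommandLine) and populated with the PIDs and paths of the first three stages, it flags every cmd.exe whose `/c del ... > nul` target resolves to its own parent's image, and rebuilds the stage order by following each stage's non-cmd child. The 8.3 match is a heuristic: the `~1` counter depends on what else is in the directory, so only the six-character prefix, the extension and the directory are compared. The parent PID 1000 of the first event is a placeholder.

```python
"""Detect the per-stage pattern from the Processes list: a stage starts the
next stage, then starts cmd.exe to delete the stage's own image through an
8.3 short name. Added example for this report, not sandbox or sample code."""
import re
from pathlib import PureWindowsPath

# cmd.exe /c del <path> > nul ; the path is quoted when it contains spaces
DEL_RE = re.compile(r'/c\s+del\s+("[^"]+"|\S+)\s*>\s*nul', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"
S1 = r"C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe"
S2 = r"C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe"
S3 = r"C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events: (ProcessId, ParentProcessId, Image, CommandLine).
# PIDs and paths follow behavioral1; parent 1000 of the sample is a placeholder.
EVENTS = [
    (2860, 1000, SAMPLE, '"' + SAMPLE + '"'),
    (3020, 2860, S1, S1),
    (2844, 2860, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    (2800, 3020, S2, S2),
    (1780, 3020, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9ADA5~1.EXE > nul"),
    (2112, 2800, S3, S3),
    (2168, 2800, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE36~1.EXE > nul"),
]


def short_name_matches(short, long_name):
    """Heuristic 8.3 match. A DOS short name keeps the first six characters of
    the long stem (spaces and embedded dots dropped, upper-cased), adds a ~N
    counter that depends on the other files in the directory, and keeps the
    first three characters of the extension, so only prefix and extension are
    compared. Names without '~' are compared case-insensitively as a whole."""
    sp, lp = PureWindowsPath(short), PureWindowsPath(long_name)
    if "~" not in sp.stem:
        return sp.name.lower() == lp.name.lower()
    prefix = sp.stem.split("~", 1)[0].upper()
    long_stem = lp.stem.replace(" ", "").replace(".", "").upper()
    return long_stem.startswith(prefix) and sp.suffix.upper() == lp.suffix.upper()[:4]


def find_self_deletions(events):
    """Return (cmd_pid, parent_pid, parent_image) for each cmd.exe whose
    '/c del X > nul' target is its own parent's image."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    hits = []
    for pid, (ppid, image, cmdline) in by_pid.items():
        if PureWindowsPath(image).name.lower() != "cmd.exe" or ppid not in by_pid:
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target = PureWindowsPath(m.group(1).strip('"'))
        parent_image = by_pid[ppid][1]
        parent_path = PureWindowsPath(parent_image)
        # same directory (PureWindowsPath compares case-insensitively) and an 8.3-compatible name
        if target.parent == parent_path.parent and short_name_matches(target.name, parent_path.name):
            hits.append((pid, ppid, parent_image))
    return hits


def dropper_chain(events, root_pid):
    """Rebuild the stage order from the root by following the single non-cmd
    child that each stage starts."""
    by_pid = {pid: (ppid, image) for pid, ppid, image, _ in events}
    chain, pid = [by_pid[root_pid][1]], root_pid
    while True:
        nxt = [p for p, (pp, img) in by_pid.items()
               if pp == pid and PureWindowsPath(img).name.lower() != "cmd.exe"]
        if not nxt:
            return chain
        pid = nxt[0]
        chain.append(by_pid[pid][1])


if __name__ == "__main__":
    for cmd_pid, ppid, image in find_self_deletions(EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removes the image of its parent {ppid}: {image}")
    print("stage order:", " -> ".join(PureWindowsPath(p).name for p in dropper_chain(EVENTS, 2860)))
```

Matching on the short-name prefix alone would collide if two long names in the same directory shared their first six characters, which is why the directory must match as well and why a real deployment should resolve the short name against the file system when the file still exists. The three cmd.exe events are reported as self-deletions and the chain comes back as sample, stage 1, stage 2, stage 3, matching the first entries of the Processes list.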

Network

No network activity was recorded in this detonation.

Files

Eleven executables were dropped into C:\Windows, one per stage, listed below in chain order. All eleven hashes differ from one another and from the submitted sample's SHA256, so hash indicators taken from one run will not match the files of another (behavioral2 below used an entirely different set of GUID file names).

C:\Windows\{9ADA5A42-DEA8-410e-86B6-39EE4CFF33FE}.exe

MD5 2e81fb1cede10971a71554bb0fca908b
SHA1 b170c5d29c828dce9afbbe714d50b88c6ecdd81f
SHA256 4ba59cce29d4d1fc191f23d9ab00f5a0a7df173888eff4f2e6f2724545d2abd5
SHA512 dd40aed501355f2b98fa3ca62fab40bb4622edbe91ea9dd1cc9475109a6004aa51036aa3342781b36f2b1db3a697535a5467a170c1a4cc9f976dae1efecefd6e

C:\Windows\{2BE36818-BDE5-4dc1-9879-29048ACB2545}.exe

MD5 218c7ad6d2dcdda99465f48996e5d0aa
SHA1 8f96c22a79f9e751b73f7dfaa8b3c34f41302e41
SHA256 5e4eb086f5635bbf810ecdbf06a3ef70582c0b65d665f01a98cba27ab4de21c0
SHA512 25671602dd63378812ba09ff4e3891977dfea1593c12055fe6de19e6778013bd6d843cd13c763bab8d2137f4ce612bfe4bafb4398573ed3e8fe9f312ef3b978f

C:\Windows\{C3CACCE5-A5AE-4523-B099-2C60D99E1CAD}.exe

MD5 e3a98463e800d82e50e468d457c8e965
SHA1 5e6666429bf10c6ea64d716cfa31200497029827
SHA256 d88edbde799a33955ef128b591812f58f278a32b736efb6034c46c9715a17f72
SHA512 4591843004f0054d9fa3686dcaaa45f73ac19f1b3bb99ea3a99702e2d47ee470d7ca7b78c13470dd9ce39567c05d2bacc5dd70237fec291b644b1dcfbee0ce0a

C:\Windows\{C9B68731-E426-4a7b-81FD-DE9EBD8B0315}.exe

MD5 a1e9fea736308b146c3b6ba877253275
SHA1 ceb6285378f9725ab94f555facd044c133e36d3c
SHA256 eeab5b8a6cf4002e1046b915999dcf882031fbb3b90317157e66e9a301769545
SHA512 df4ddae25dd23f0c3ca29236de50b2f21e702fb15160853ebb83ee926175643c718c9706ae8cfb61b43c252622f7780e11ec54589830491828f676692ef05631

C:\Windows\{873BDB15-F50B-4d86-8E81-13979B67472D}.exe

MD5 2c3e1e0e594ad0e23272d07720a91c96
SHA1 22a65c368b91e1d0f66f478cd77cd0c81570aa85
SHA256 9725bd0d472604c64add437523b10c7bd4a39349b0a1e24eecc04bf3528db95b
SHA512 ea1acc7652be6dd79c543a7b2821ac2c1a36993e8ad3c90a86462c1a3ce32634f60c12a0d22ab3c6f62f8de5a42b857271d2376286b41be5cf59ad6507cf3c05

C:\Windows\{FDDE664C-865C-49a8-BDF5-50B930A402B9}.exe

MD5 09bc217bb98eabe273c3fae9b4d81124
SHA1 d6c08515cfe42812209d1c169e198cf353df70a5
SHA256 8f74ba907f43ffc83304f7d9ce5cb958bcaea50a2a616569bd764e890388c233
SHA512 5634516af1cd2faa75c45a9fcda03f3434523835c695900483409b4879b876b01c089d17a34d483b60574c11dd39cd40e7b7e7c428981f50255445e2dfa9f99b

C:\Windows\{4C85C3C1-AF5F-4ab3-BCDE-2BF8BC057C1D}.exe

MD5 86e4e6e163f46b52281e8c5e31b3525d
SHA1 99abc8919c2f4b3057fa30f77d9feb5ede7005e7
SHA256 9acdf9f6904e3344445511a8747077f8769b582d2bf5318c739c6f3897e46d0f
SHA512 8dd242f36de261aca8540f774b77a1445304da2150590517db843a91478a8d3c215caa8310aa6da7a631e656ab0d44eae36bf5c2500a792b07efe336c032d894

C:\Windows\{2803213E-7283-43e6-90C4-FA0418D7699F}.exe

MD5 55c897369733a099687b426d77dc2872
SHA1 a7c5b38d30ef01ec6bdb3b36d1ef09cfd8778c7a
SHA256 7dec19d4f4b901140f36c6f7356146e4b6cbd0d99cdc0d87d874f285060b047f
SHA512 78b1c0c3033e6c9c9f4b3aec933017f719b8c7af23cdd7342c50b13343b512d3cfaa7a56b5d9fad991c6dd9679cf536f49ae90adbdc1b97a25008ee497fd7f02

C:\Windows\{2E98D1B8-AD88-48f9-A19A-A4FDD4B32C8D}.exe

MD5 19d7da41ff327cfa4a4526ea10280595
SHA1 79e3f47b9cdcade4b4742a69f31a4ea90cd69111
SHA256 a3ec303ada08c6a178e3b603bf0896a929557932c62e572de41a19a6064d8113
SHA512 dc63f05304e595cac0825400441a3aefeb983643c7a953085deca2abbf20ae2bab279710e052a657218c46104ad349e8654076de7490e172bfc991060e8b20c9

C:\Windows\{00DF3AF2-91A6-4fbd-812B-14C81693E812}.exe

MD5 1c71235eb9795a6109c81e450f2b9057
SHA1 92e9d8e425d815f37e703458c59109761e2a1b58
SHA256 4eb30b26b604d87937e72787096441e5f84b709ca65933443eb1368700e7d41d
SHA512 69ef935a3b0835891b9b680cbe182e2f91a8c3771ed3cafdfb6747d44ea8095c3f7361730a1acb696363b8220351b984d017d7ff2a5b0897b5ee7ffd9ae24e90

C:\Windows\{889D4BB4-5A2F-441c-9808-C3AA69EF604E}.exe

MD5 62032f60c68c6655dcc243b1a58b2ab7
SHA1 df975affef1a78ea50b556ac840df70f104f8e07
SHA256 2902109d66d4c5c7f700f58897bdbcf00b7d01ef6109ad7491199184fc47c33c
SHA512 ad17551bd7e6576e8410b196a92cd9950b42ee8dd051f5874c36d13d5d40d6e6f36ffd049c395776775b57c6493778a7b2a149820b30ff4930dd02886ccdb47f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:01
Reported: 2024-11-13 17:04
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Every row lives under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\, abbreviated <AS> below. As in behavioral1, each stage creates <AS>\{child} and sets <AS>\{child}\stubpath to the child's path in C:\Windows; the GUIDs are a completely different set from the Windows 7 run. Target was N/A in every row and is omitted; rows are ordered by stage.

Description | Indicator | Process
Key created | <AS>\{9F3D7404-F4FA-4c12-A605-BCF712E04F51} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
Set value (str) | <AS>\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}\stubpath = "C:\\Windows\\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe
Key created | <AS>\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9} | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe
Set value (str) | <AS>\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}\stubpath = "C:\\Windows\\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe" | C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe
Key created | <AS>\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C} | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe
Set value (str) | <AS>\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}\stubpath = "C:\\Windows\\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe" | C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe
Key created | <AS>\{D401AB4D-E983-4b60-9308-27DA092FB280} | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe
Set value (str) | <AS>\{D401AB4D-E983-4b60-9308-27DA092FB280}\stubpath = "C:\\Windows\\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe" | C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe
Key created | <AS>\{457A8537-A150-48ac-85AB-552983641D20} | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe
Set value (str) | <AS>\{457A8537-A150-48ac-85AB-552983641D20}\stubpath = "C:\\Windows\\{457A8537-A150-48ac-85AB-552983641D20}.exe" | C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe
Key created | <AS>\{25F1E73F-F79F-4b51-873A-60D34B31AA28} | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe
Set value (str) | <AS>\{25F1E73F-F79F-4b51-873A-60D34B31AA28}\stubpath = "C:\\Windows\\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe" | C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe
Key created | <AS>\{316D9C2E-E408-4015-B85E-88F60F79FC2C} | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe
Set value (str) | <AS>\{316D9C2E-E408-4015-B85E-88F60F79FC2C}\stubpath = "C:\\Windows\\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe" | C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe
Key created | <AS>\{DA1535D9-2068-4e4f-978C-7FD88EA061C3} | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe
Set value (str) | <AS>\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}\stubpath = "C:\\Windows\\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe" | C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe
Key created | <AS>\{28EED0F2-3774-4646-95CB-04EB9688B30E} | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe
Set value (str) | <AS>\{28EED0F2-3774-4646-95CB-04EB9688B30E}\stubpath = "C:\\Windows\\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe" | C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe
Key created | <AS>\{AF6CD116-4A97-479f-BD1C-9D345097A74B} | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe
Set value (str) | <AS>\{AF6CD116-4A97-479f-BD1C-9D345097A74B}\stubpath = "C:\\Windows\\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe" | C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe
Key created | <AS>\{EFF8995B-C731-4166-8439-2FE9B27C0A6E} | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe
Set value (str) | <AS>\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}\stubpath = "C:\\Windows\\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe" | C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe
Key created | <AS>\{4AACEFC6-E40B-4134-BF51-AC673D79E71A} | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe
Set value (str) | <AS>\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}\stubpath = "C:\\Windows\\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe" | C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe N/A
File created C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe N/A
File created C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe N/A
File created C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe N/A
File created C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe N/A
File created C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe N/A
File created C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe N/A
File created C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe N/A
File created C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe N/A
File created C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe N/A
File created C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe N/A
File created C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe N/A
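The two tables above are flattened and out of order, which hides the one thing an analyst wants from them: each stage writes exactly one new GUID-named executable into C:\Windows and registers that same GUID under Active Setup\Installed Components with a stubpath pointing at the file, so the binary runs again at the next interactive logon. The script below is an added example, not part of the report or of the sandbox's own tooling. It re-parses the "File created" and "stubpath" rows copied from this report, rebuilds the dropper chain from the original sample forward, and flags the Active Setup entries on three heuristics that are this example's own (GUID-named exe directly under C:\Windows, component GUID reused as the file name, key written by another GUID-named dropper rather than an installer).

```python
"""Rebuild the dropper chain and audit Active Setup entries from flattened
sandbox signature rows.  Added example; the row text is copied from the
report, the flagging rules are heuristics of this example only."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"

# "Drops file in Windows directory" rows from the report: File created <file> <process> N/A.
# No path in this report contains a space, so whitespace tokenising is safe here.
FILE_CREATED_ROWS = r"""
File created C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe N/A
File created C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe N/A
File created C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe N/A
File created C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe N/A
File created C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe N/A
File created C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe N/A
File created C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe N/A
File created C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe N/A
File created C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe N/A
File created C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe N/A
File created C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe N/A
File created C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe N/A
"""

# Four of the report's "Set value (str) ... stubpath" rows (registry-export style, doubled backslashes).
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316D9C2E-E408-4015-B85E-88F60F79FC2C}\stubpath = "C:\\Windows\\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe" C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F1E73F-F79F-4b51-873A-60D34B31AA28}\stubpath = "C:\\Windows\\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe" C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}\stubpath = "C:\\Windows\\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe" C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457A8537-A150-48ac-85AB-552983641D20}\stubpath = "C:\\Windows\\{457A8537-A150-48ac-85AB-552983641D20}.exe" C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe N/A
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$", re.M)
STUB_RE = re.compile(r'^Set value \(str\) (.+?)\\stubpath = "([^"]+)" (\S+) N/A$', re.M)
# A {GUID}.exe sitting directly in C:\Windows (not in a subdirectory).
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def parse_drops(rows):
    """Map each dropping process (lower-cased path) to the file it created."""
    return {proc.lower(): path for path, proc in DROP_RE.findall(rows)}


def drop_chain(drops, root):
    """Follow dropper -> dropped file from `root` until a stage drops nothing."""
    chain, cur = [root], root
    while cur.lower() in drops:
        nxt = drops[cur.lower()]
        if nxt.lower() in (p.lower() for p in chain):
            break  # guard against a stage re-dropping an earlier file
        chain.append(nxt)
        cur = nxt
    return chain


def audit_stubpaths(rows):
    """Return (component_guid, stubpath, writer, reasons) for each suspicious entry."""
    findings = []
    for key, stub, writer in STUB_RE.findall(rows):
        component = key.rsplit("\\", 1)[-1]
        stub = stub.replace("\\\\", "\\")  # undo registry-export escaping
        reasons = []
        if GUID_EXE.match(stub):
            reasons.append("stubpath is a GUID-named exe directly under C:\\Windows")
        if stub.rsplit("\\", 1)[-1].lower() == (component + ".exe").lower():
            reasons.append("component GUID reused as the stub file name")
        if GUID_EXE.match(writer):
            reasons.append("key written by another GUID-named dropper, not an installer")
        if reasons:
            findings.append((component, stub, writer, reasons))
    return findings


if __name__ == "__main__":
    for depth, path in enumerate(drop_chain(parse_drops(FILE_CREATED_ROWS), SAMPLE_EXE)):
        print(f"stage {depth:2d}: {path}")
    for component, stub, writer, reasons in audit_stubpaths(STUBPATH_ROWS):
        print(f"{component} -> {stub} (set by {writer}): {'; '.join(reasons)}")
```

Run against the twelve "File created" rows the chain comes back as thirteen stages, original sample first and {4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe last, and every stubpath row trips all three heuristics. On a live host the same heuristics can be applied to the output of a registry export of both the native and the Wow6432Node Installed Components keys; legitimate Active Setup components normally point into subdirectories or system32 and are written by setup programs, not by a sibling GUID-named binary.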

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe
PID 4384 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe
PID 4384 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe
PID 4384 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 3212 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe
PID 836 wrote to memory of 3212 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe
PID 836 wrote to memory of 3212 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe
PID 836 wrote to memory of 3964 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 3964 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 3964 N/A C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 1756 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe
PID 3212 wrote to memory of 1756 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe
PID 3212 wrote to memory of 1756 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe
PID 3212 wrote to memory of 4752 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 4752 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 4752 N/A C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3144 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe
PID 1756 wrote to memory of 3144 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe
PID 1756 wrote to memory of 3144 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe
PID 1756 wrote to memory of 1392 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1392 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1392 N/A C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 3988 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe
PID 3144 wrote to memory of 3988 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe
PID 3144 wrote to memory of 3988 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe
PID 3144 wrote to memory of 4200 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4200 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4200 N/A C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 3460 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe
PID 3988 wrote to memory of 3460 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe
PID 3988 wrote to memory of 3460 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe
PID 3988 wrote to memory of 5028 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 5028 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 5028 N/A C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 2200 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe
PID 3460 wrote to memory of 2200 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe
PID 3460 wrote to memory of 2200 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe
PID 3460 wrote to memory of 3584 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 3584 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 3584 N/A C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4420 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe
PID 2200 wrote to memory of 4420 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe
PID 2200 wrote to memory of 4420 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe
PID 2200 wrote to memory of 4256 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4256 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 4256 N/A C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 1020 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe
PID 4420 wrote to memory of 1020 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe
PID 4420 wrote to memory of 1020 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe
PID 4420 wrote to memory of 2996 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2996 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 2996 N/A C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 4140 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe
PID 1020 wrote to memory of 4140 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe
PID 1020 wrote to memory of 4140 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe
PID 1020 wrote to memory of 2464 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 2464 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 2464 N/A C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 4384 N/A C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe
PID 4140 wrote to memory of 4384 N/A C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe
PID 4140 wrote to memory of 4384 N/A C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe
PID 4140 wrote to memory of 2704 N/A C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"

C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe

C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe

C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3D7~1.EXE > nul

C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe

C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2F6E~1.EXE > nul

C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe

C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA34~1.EXE > nul

C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe

C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D401A~1.EXE > nul

C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe

C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{457A8~1.EXE > nul

C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe

C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25F1E~1.EXE > nul

C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe

C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{316D9~1.EXE > nul

C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe

C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA153~1.EXE > nul

C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe

C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28EED~1.EXE > nul

C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe

C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6CD~1.EXE > nul

C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe

C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF89~1.EXE > nul
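The process list above shows the "Deletes itself" behaviour behind the report's tag: every stage launches the next stage and a cmd.exe whose only job is `del <own file> > nul`, and the file is named by its 8.3 short name (`2024-1~1.EXE`, `{9F3D7~1.EXE`), so a naive string match on the parent's image path never fires. The detection below is an added example, not part of the report or of any sandbox or EDR product. It runs over process-creation events constructed from this report's Processes and WriteProcessMemory tables (PIDs and parent PIDs taken from the "wrote to memory" rows, plus one made-up benign cleanup command as a control) and flags a cmd.exe deletion whose target resolves, by a simplified 8.3 rule, to the parent process's own executable.

```python
"""Flag cmd.exe /c del commands that remove the parent process's own binary,
matching 8.3 short names against the parent's long image path.
Added example; the event list is constructed from the report's tables."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-13_9b932bfb6b541a425b4504acc4ddb447_goldeneye.exe"
S1 = r"C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe"
S2 = r"C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe"
S3 = r"C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe"
S4 = r"C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DEL = r"C:\Windows\system32\cmd.exe /c del "

# Constructed from the report: first four stages only.  ppid None = sandbox launcher (not in report).
EVENTS = [
    {"pid": 4384, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 836,  "ppid": 4384, "image": S1,  "cmdline": S1},
    {"pid": 2912, "ppid": 4384, "image": CMD, "cmdline": DEL + r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"},
    {"pid": 3212, "ppid": 836,  "image": S2,  "cmdline": S2},
    {"pid": 3964, "ppid": 836,  "image": CMD, "cmdline": DEL + r"C:\Windows\{9F3D7~1.EXE > nul"},
    {"pid": 1756, "ppid": 3212, "image": S3,  "cmdline": S3},
    {"pid": 4752, "ppid": 3212, "image": CMD, "cmdline": DEL + r"C:\Windows\{A2F6E~1.EXE > nul"},
    {"pid": 3144, "ppid": 1756, "image": S4,  "cmdline": S4},
    {"pid": 1392, "ppid": 1756, "image": CMD, "cmdline": DEL + r"C:\Windows\{BCA34~1.EXE > nul"},
    # Made-up benign control: a cleanup of an unrelated file must not fire.
    {"pid": 9001, "ppid": 1756, "image": CMD, "cmdline": DEL + r"C:\Users\Admin\AppData\Local\Temp\build.log > nul"},
]

# cmd[.exe] /c del [/switches] <target>; the target ends at whitespace, a quote or a redirect.
DEL_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?', re.I)


def matches_short_name(long_path, candidate):
    """True if `candidate` names `long_path` exactly or as its 8.3 short name.
    Simplified 8.3 rule: stem = first six characters of the long stem (spaces
    removed, upper-cased) + '~N'; extension cut to three characters.  The
    directory is compared literally, so a short-named directory (PROGRA~1)
    would need the same treatment; this report uses long directory names."""
    ldir, lbase = ntpath.split(long_path)
    cdir, cbase = ntpath.split(candidate)
    if ldir and cdir and ldir.lower() != cdir.lower():
        return False
    if lbase.lower() == cbase.lower():
        return True
    lstem, lext = ntpath.splitext(lbase)
    cstem, cext = ntpath.splitext(cbase)
    if cext.lower() != lext[:4].lower() or "~" not in cstem:
        return False
    prefix = cstem.split("~", 1)[0]
    return 1 <= len(prefix) <= 6 and lstem.replace(" ", "").upper().startswith(prefix.upper())


def find_self_deletion(events):
    """Return (parent_pid, parent_image, deleted_target) for each cmd.exe that
    deletes its parent's own executable.  Keyed on PID only for this short
    window; on a real host key on (pid, process start time) or a process GUID,
    because PIDs are reused once a process exits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and matches_short_name(parent["image"], m.group(1)):
            hits.append((parent["pid"], parent["image"], m.group(1)))
    return hits


if __name__ == "__main__":
    for ppid, image, target in find_self_deletion(EVENTS):
        print(f"PID {ppid} ({image}) deleted itself via: del {target}")
```

The four staged deletions are flagged and the control is not. The report itself shows why PID alone is a weak join key: 4384 is the original sample in the first "wrote to memory" rows, and later, after that sample had deleted itself, 4384 is the PID of {EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe being written to by {AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe. Events from the full run would need the start time or a process GUID alongside the PID before the parent lookup is trustworthy.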

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Windows\{9F3D7404-F4FA-4c12-A605-BCF712E04F51}.exe

MD5 8dab19a3e4e1aa44fb975f525f656fed
SHA1 e323c11f66ef32eafe4be3e446b0707a4caae99a
SHA256 f96317304b8b95023e743ca6b4374feb934f7a21e426fdee028141eacd74af7f
SHA512 9625e63182905916f4b06b288cf004ce11bd5b619d0e57666621dddf777cf827feedc0e960b0debd7260f41889211674d83007f0389f22e46a6b423ed2a4156b

C:\Windows\{A2F6E79F-5171-4ee3-968A-1A51F7EBEEA9}.exe

MD5 fe2fdab7aaabb883ada2be13b0650b9b
SHA1 73e33163f9083d2fa6d1dec36df5932c0cba729f
SHA256 d08e9c54677ef42545e7282369ad262bb152e0edfe8a679f91196893bf3fcb03
SHA512 d2fcac605b4986e5d10f577ae2049a8bf8d111b46174ad0afada435b94430065718d0c46e2c06c9906da2e9540ba2f33c997e3e703a2b77396cafa73f51df93e

C:\Windows\{BCA3444B-F7AD-40b5-8A0F-B2F6304EBB1C}.exe

MD5 957ec8d6b9cd2bfd3f5da119206a8fef
SHA1 ec9c38eb407dd32e15f41edc4477fcc82f181159
SHA256 0c96cbb72924fa08644ac6a7f5a0c2921b98af7f78a9ae3d3d9ff1cb51dcaaae
SHA512 c2f802e1fab197b0868842e24672f3f8d9a9ac495e93d9868fc1d601ff21f5cf423480b3dcd01bb9c5f6e3289432fdc2249ba9474aa3fb3898ef8dc18dabb638

C:\Windows\{D401AB4D-E983-4b60-9308-27DA092FB280}.exe

MD5 3ecd5e68d9d7893478571b23f6ea6794
SHA1 42d64ca749c37ca257efd75696267a4dcfe83337
SHA256 21d321f2741f8568acfb7641f0eefa056b59979e9a790508fb9a68d188dd2cc9
SHA512 27c943b67cd8ea109e4aa246e047eccd8fdd7b7c45cf2e03c2dbc891318037b420a533ca69b8f12c5fa6044b6d05afdc7395c22020d099684607f630e2b4bf74

C:\Windows\{457A8537-A150-48ac-85AB-552983641D20}.exe

MD5 1476790f37a5e2037fcdc322ef4ecca8
SHA1 63e5adc9f335d64c768d31c9e64d41fe8ad24677
SHA256 fadd71879e967261b809d47927531c9754e405bec1f7d4d366060102052867f5
SHA512 b70321da3ed60442ef125bfa644216399947b2c274ce81a46910ffb635f2d66a03810e660353a51f580d4e58c16a7c6a4e217fd84738d906dad3efc3bdff71c1

C:\Windows\{25F1E73F-F79F-4b51-873A-60D34B31AA28}.exe

MD5 1f960d55bfe318dcd30a1f8af35e25a5
SHA1 a5edb21461426431802c718212c25a3784e21c33
SHA256 fc47890e7c1a1e64e785b772881dad2fd397ac21a066b8bd23ed208f0e942836
SHA512 6ecb18e543c55a8d687cc11f94119da453dd4c16c2c4fde5b7ea7624b21c4a9c69d89cd8ff26180104cb053d011b0a016bf0470ef462d1c5630071d4c635b6ea

C:\Windows\{316D9C2E-E408-4015-B85E-88F60F79FC2C}.exe

MD5 6dd9a51138167a558c44b4b600e6d3de
SHA1 96de0afa5758aa8d814ffdebd5a20dd50ac70f08
SHA256 4200368d17e6e616fea413d44deb28ef7f91c35d8ee145cd59fa52c8ffb5c03a
SHA512 0f50e24175dfeee9d310a476942e73d7aceb800ea59c49c8083755982026070ee0846aeb42fbc5a24b05e48644cffbce21e0b0bc07603fcedc46cfa8281552ca

C:\Windows\{DA1535D9-2068-4e4f-978C-7FD88EA061C3}.exe

MD5 27e3215cf5762f3c9b120f3d429cd906
SHA1 da4feef843d98c89d0249f072bfb6da73658c5e5
SHA256 77e3d36a0575ef96df5ef2fbf13774b0304a59a59830a83fd73fa88dd87b2c5a
SHA512 bbe87d367d564f133521ae1159639cab11c3cb959d57afbe1ba400a77c5fe058755d54d31997f38f99ccc2499268f290c34323013b01b10b3e8af94ef721cc91

C:\Windows\{28EED0F2-3774-4646-95CB-04EB9688B30E}.exe

MD5 d89081b102a4c224eaef10acadfa1312
SHA1 58ef7ad03d7de69a7ebbc64da7dcdda03fcde0e8
SHA256 6a6a484a2bdab0204cedfadf9fab6499bfdb53fed27922bb732ff0f228ad6de8
SHA512 e973f37fc9a41828813518f5896018c85da279539752a9dea0a873ff47140e0850c874cd6e4feb58edf97c6841ce5072588809f1111286cf3e0e49e1f95cfdbe

C:\Windows\{AF6CD116-4A97-479f-BD1C-9D345097A74B}.exe

MD5 ccb7dbfe8856eea1b23eb90d8d0669b8
SHA1 8317226784587e35df5dabb5b7e714dc5e778db3
SHA256 c9da40c457ddbd8d5a8a2469e1ade6bbacedb56b7af3bc61283eee4418159723
SHA512 69830b29c6be57dcf23a61f0f0401f040b54617c5f86dfdc9825f5393ee4c2750d0458a5690dbba8aa7921c0a5305e44422f32005a657686e2fa87f485bb1aaa

C:\Windows\{EFF8995B-C731-4166-8439-2FE9B27C0A6E}.exe

MD5 a695a04796be3f0993c4cffa0de2efa8
SHA1 9a5c06132aa6a8ccd27ef0e538574f47e57f0864
SHA256 ad4c6b8e8a2265fbdde27ae3db2225933601e887f560d36db9bc12f1b35c69ca
SHA512 11e13f76b98c71e6a363a4bce44d6dff3c0bec6806b3b565aade846059d649d1a7c4868e5c28c688a9cbf0c319f5faf4d442459fec4aeec92013647cbf485e6e

C:\Windows\{4AACEFC6-E40B-4134-BF51-AC673D79E71A}.exe

MD5 eb967b830eefab7c7f481b0219d95566
SHA1 8bb2a5c4ba5ff031178b3127d72d04c124140bf4
SHA256 83b530cbfa79a4acc149b53322fadbc20dbb62c52392e70815b20eb9aeea20e6
SHA512 c58bda1d28e2a00caeac577f52287bc5cd4b186dc010bb63afb6e86327c39d0d82e452900eaee690c3fc677d316e9930804c72a0038c805a104e6f91bd435008