Malware Analysis Report

2024-12-07 12:54

Sample ID: 241113-vkazsawdmp
Target: 2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye
SHA256: 04abb388ddb92df04718484ce2bef2d85715f564a37685851f799d3395d49951
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 04abb388ddb92df04718484ce2bef2d85715f564a37685851f799d3395d49951

Threat Level: Likely malicious

The file 2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:02

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}\stubpath = "C:\\Windows\\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A} | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116C90BE-628D-4e73-9D97-8998D9A8131F} | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E6A912-E222-4736-8593-E34B7EF07694} | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA37C69-3738-4024-B633-BC5D91F5A0F6} | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A31DDB-4779-45b8-8747-CE508CD457F5} | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF} | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}\stubpath = "C:\\Windows\\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe" | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC} | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}\stubpath = "C:\\Windows\\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe" | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}\stubpath = "C:\\Windows\\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe" | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55924DAD-C30F-4563-A09D-892BA5F34B49}\stubpath = "C:\\Windows\\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe" | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}\stubpath = "C:\\Windows\\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe" | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}\stubpath = "C:\\Windows\\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe" | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B} | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E6A912-E222-4736-8593-E34B7EF07694}\stubpath = "C:\\Windows\\{46E6A912-E222-4736-8593-E34B7EF07694}.exe" | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387F95F2-D435-49f3-A48E-13A3F21B0BBD} | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}\stubpath = "C:\\Windows\\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe" | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{116C90BE-628D-4e73-9D97-8998D9A8131F}\stubpath = "C:\\Windows\\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe" | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55924DAD-C30F-4563-A09D-892BA5F34B49} | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A31DDB-4779-45b8-8747-CE508CD457F5}\stubpath = "C:\\Windows\\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe" | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| File created | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| File created | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| File created | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| File created | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| File created | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| File created | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| File created | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| File created | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| File created | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| File created | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |

System Location Discovery: System Language Discovery

Tags: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe |
| PID 1876 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe |
| PID 1876 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe |
| PID 1876 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe |
| PID 1876 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1876 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1876 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1876 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2804 wrote to memory of 2856 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe |
| PID 2804 wrote to memory of 2856 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe |
| PID 2804 wrote to memory of 2856 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe |
| PID 2804 wrote to memory of 2856 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe |
| PID 2804 wrote to memory of 2724 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2804 wrote to memory of 2724 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2804 wrote to memory of 2724 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2804 wrote to memory of 2724 | N/A | C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2856 wrote to memory of 2612 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe |
| PID 2856 wrote to memory of 2612 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe |
| PID 2856 wrote to memory of 2612 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe |
| PID 2856 wrote to memory of 2612 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe |
| PID 2856 wrote to memory of 1516 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2856 wrote to memory of 1516 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2856 wrote to memory of 1516 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2856 wrote to memory of 1516 | N/A | C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2612 wrote to memory of 1368 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe |
| PID 2612 wrote to memory of 1368 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe |
| PID 2612 wrote to memory of 1368 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe |
| PID 2612 wrote to memory of 1368 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe |
| PID 2612 wrote to memory of 2880 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2612 wrote to memory of 2880 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2612 wrote to memory of 2880 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2612 wrote to memory of 2880 | N/A | C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1368 wrote to memory of 1172 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe |
| PID 1368 wrote to memory of 1172 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe |
| PID 1368 wrote to memory of 1172 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe |
| PID 1368 wrote to memory of 1172 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe |
| PID 1368 wrote to memory of 884 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1368 wrote to memory of 884 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1368 wrote to memory of 884 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1368 wrote to memory of 884 | N/A | C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1172 wrote to memory of 1488 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe |
| PID 1172 wrote to memory of 1488 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe |
| PID 1172 wrote to memory of 1488 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe |
| PID 1172 wrote to memory of 1488 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe |
| PID 1172 wrote to memory of 2752 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1172 wrote to memory of 2752 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1172 wrote to memory of 2752 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1172 wrote to memory of 2752 | N/A | C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1488 wrote to memory of 1212 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe |
| PID 1488 wrote to memory of 1212 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe |
| PID 1488 wrote to memory of 1212 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe |
| PID 1488 wrote to memory of 1212 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe |
| PID 1488 wrote to memory of 584 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1488 wrote to memory of 584 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1488 wrote to memory of 584 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1488 wrote to memory of 584 | N/A | C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1212 wrote to memory of 2932 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe |
| PID 1212 wrote to memory of 2932 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe |
| PID 1212 wrote to memory of 2932 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe |
| PID 1212 wrote to memory of 2932 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe |
| PID 1212 wrote to memory of 1568 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1212 wrote to memory of 1568 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1212 wrote to memory of 1568 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1212 wrote to memory of 1568 | N/A | C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"

C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe

C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe

C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D08B0~1.EXE > nul

C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe

C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55924~1.EXE > nul

C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe

C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{84A31~1.EXE > nul

C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe

C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F8F~1.EXE > nul

C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe

C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AB4CD~1.EXE > nul

C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe

C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A8984~1.EXE > nul

C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe

C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46E6A~1.EXE > nul

C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe

C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A01C6~1.EXE > nul

C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe

C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CDA37~1.EXE > nul

C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe

C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{387F9~1.EXE > nul

Network

N/A

Files

C:\Windows\{D08B06E3-AE7E-4e8a-B4E6-69F2602C98A4}.exe

MD5 a176bdce1b51e1a5181002b0f996323d
SHA1 c72d68f374b0c16a341844c80ee512b17541a504
SHA256 f6d08f3a8c945a8b19ecf6e2707907ff45c6dbcb9e5f05682b56e64d538e459f
SHA512 8ff70d0c21f135e4ea62d693b27e1745eb20769b40d87e84232014e68063f181ebfe72df4f6ead653231a4f8e713733081cf546823f902bfde664ac1d5aba778

C:\Windows\{55924DAD-C30F-4563-A09D-892BA5F34B49}.exe

MD5 6a668301735c29228bb350914ca82b3e
SHA1 3f8ee5a0565c4557e600414c96a245f93d65a320
SHA256 05a31d67f355f25bd68d65ef0dbbfaef3828886012164f31cdbb2b3301f63d7b
SHA512 7bd0c978f17ca2c347041172763735247135d3da67dfb4aa7be7839e2355c210e57ac358031b4edf7dce8fe9b42b0f9ce79b1e8cd939df52ba1620d7a504affb

C:\Windows\{84A31DDB-4779-45b8-8747-CE508CD457F5}.exe

MD5 4fb0e4de1b2308d1294d0651b9d4c901
SHA1 af1c6348a29cdebdbe1f878100637b4f4bd07ae7
SHA256 54131341ac1d799320e6df05be5205faf6ed857ddac9cacff452b59d820e5f8e
SHA512 e9b99e7c9ca4b5600031818f0ca51384aea524ad5d63a210ca259ad168f849db7ef26ca8832082fbdaf5c9a811e374777336d085807419b974c42274c1560a45

C:\Windows\{C5F8F344-7AB6-4113-8B5F-B6E2A508BDAF}.exe

MD5 efff616091f10bc7f9f54a761ad5a1a5
SHA1 0a416ee52d9330b28eabed7af5dd4d8d15c0d20d
SHA256 11eef9f55aef17d75884e6af74ea53e01aa5582514222392a41f86156be5a5fa
SHA512 422b179f7344fd15724e5729b0115968dfb3d432208377b4dc4228dafe0f6afdf8e82285ffd5b6685f295d5917fd0dbdbb0635ce694763c68190054b02712a3a

C:\Windows\{AB4CD8AC-F1C8-493b-9B8B-985D6F724ECC}.exe

MD5 4a22de5f8fa1ab085773e5706352c5da
SHA1 c28a049b844857c2a315c1496fc058c9d59796f7
SHA256 924b1b494d4cc5e01b8b23593714fc851493cf374ccd4387ce62e4d7c2b44bbc
SHA512 252dc65c583ebf102942f091a4b0ef231ec229dafd874a237fb3958b0208dec94e545a6acde496e79b5561add9742921f4269a0e01237881ef41b4882cf5d960

C:\Windows\{A8984C5F-C3A2-40bb-A2BB-BE399975F27B}.exe

MD5 46f51f0f91d8c4049993ae058f9034f8
SHA1 2ba25a572014ac5093f6d81cc1d374c15ebe3dc0
SHA256 ab12435d3929fbe9ad22a75e65dea43fdd05f29b4eec0f1666efbed99239ed57
SHA512 74dadb941bc1b04bed250816c13357fc7ca62bb6bb70d9d176258ac93d328a46fd8b96ecdac5aca2eae00f6727241dccc419a7af987658a68e2c3a7a072fe83d

C:\Windows\{46E6A912-E222-4736-8593-E34B7EF07694}.exe

MD5 cd49b9bcc998402d9cb7ffac38bee788
SHA1 e2bfbc511176a1c24043e48a75bc480ca2c7d5a4
SHA256 24e074ec1b17a3873404270467e2d84a010102d56a9bf1f0b62ca6870317bec7
SHA512 36508cea4dd0146cda86dd851927551a27eabddd88d12e0e2c92dbf43a392b827971edeaa270e1038b5f6245f649651346555695bfa8d35c1af1767303d74d1a

C:\Windows\{A01C6C9F-0F16-4d36-B1BB-C3C852A6E45A}.exe

MD5 1508f9566854451cba21da23dbf46a5a
SHA1 7e4c4135e3243a3713b60d5b84156290eb14b2af
SHA256 62a900c6368341a9592c8fd0670619457d4fd5cec0e17ea9e31e7574f2c9646a
SHA512 4fc576c3d61c339217db885595ab0325d4371a7947cdb9ca3c2166e68cd8c89aa443928adce57be0a94b3d4d9cd2764179338f08cb0bfe00bb4c8d2ddef842e1

C:\Windows\{CDA37C69-3738-4024-B633-BC5D91F5A0F6}.exe

MD5 963d6e83e487a2fc7c9694760f7c3f18
SHA1 e2e2e906613aaeba7f3dd3331564a528d2fff389
SHA256 aa46a4e2e814163b93562ae5b50d98a25556af72366d8796dce37aab3643c0e7
SHA512 f15d9edb480397a093d985aa235c69aec98ce0b64edd28ae9cec1b0e88561eb5db885b0e4077048e15165592fc8f2c57d4676506c5c8ca9103fb278a1c3174b3

C:\Windows\{387F95F2-D435-49f3-A48E-13A3F21B0BBD}.exe

MD5 8a64be999c2d03a865cc2b509351a12f
SHA1 6f640d8deb9f834271e282adc635c8968638e019
SHA256 d60c4afbc4cf0ec16d01757d3ef3cb39d899d744adc4e1f5c58a9d329d7f4884
SHA512 bce869da82243faebc3253460fc7d6e61179d606b3f32861d959e5d7dc731ed36c9d6e78566ae96c831a71f88499fabb4a7ad1699b8cd54022342ed911042b84

C:\Windows\{116C90BE-628D-4e73-9D97-8998D9A8131F}.exe

MD5 3cf0ac174204b315624772047af133c3
SHA1 5c72a19416a41d98f0248f1e6bff5ae165dc6a0a
SHA256 8e76a22d50fd48eca01c6bd283bc04548b6ef5b57308e06b72159107459d45eb
SHA512 fa5d030b832422cf531019a0f7ffc9c70a1325f930f7fc59146f96d66e2975f08f5cd18d5f908b24f84bbc71e65ec3ba641cd591d492003c3d9af69b5f60349f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:02
Reported: 2024-11-13 17:04
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}\stubpath = "C:\\Windows\\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe" | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FE400EC-45C4-495f-892E-D2E7A91AC676}\stubpath = "C:\\Windows\\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe" | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}\stubpath = "C:\\Windows\\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe" | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FE400EC-45C4-495f-892E-D2E7A91AC676} | C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654} | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F0801D1-0E0D-4966-BBF9-107D84BD0966} | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}\stubpath = "C:\\Windows\\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe" | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}\stubpath = "C:\\Windows\\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe" | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}\stubpath = "C:\\Windows\\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe" | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A716678B-DFC5-47c6-8675-B2EEC262DB04}\stubpath = "C:\\Windows\\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe" | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067CCD3-3153-4fd3-B89E-0FA0B315E947} | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}\stubpath = "C:\\Windows\\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD73D465-2CF8-42d6-B61B-35E94E9422D9} | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}\stubpath = "C:\\Windows\\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe" | C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD4EFA3-015D-49a4-973A-D2809EEF1539} | C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}\stubpath = "C:\\Windows\\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe" | C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A716678B-DFC5-47c6-8675-B2EEC262DB04} | C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A} | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}\stubpath = "C:\\Windows\\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe" | C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}\stubpath = "C:\\Windows\\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe" | C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D} | C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A} | C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E} | C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A2357-E740-4b06-9DE9-F50E05A4DC6A} | C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe | N/A |

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe N/A
File created C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe N/A
File created C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe N/A
File created C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe N/A
File created C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe N/A
File created C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe N/A
File created C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe N/A
File created C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe N/A
File created C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe N/A
File created C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe N/A
File created C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe N/A
File created C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
PID 4244 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
PID 4244 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe
PID 4244 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 5116 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
PID 4080 wrote to memory of 5116 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
PID 4080 wrote to memory of 5116 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe
PID 4080 wrote to memory of 4184 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 4184 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 4184 N/A C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1260 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
PID 5116 wrote to memory of 1260 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
PID 5116 wrote to memory of 1260 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe
PID 5116 wrote to memory of 1940 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1940 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1940 N/A C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2816 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
PID 1260 wrote to memory of 2816 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
PID 1260 wrote to memory of 2816 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe
PID 1260 wrote to memory of 4712 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 4712 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 4712 N/A C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3880 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
PID 2816 wrote to memory of 3880 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
PID 2816 wrote to memory of 3880 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe
PID 2816 wrote to memory of 320 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 320 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 320 N/A C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 3592 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe
PID 3880 wrote to memory of 3592 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe
PID 3880 wrote to memory of 3592 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe
PID 3880 wrote to memory of 4132 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 4132 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 4132 N/A C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 2076 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe
PID 3592 wrote to memory of 2076 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe
PID 3592 wrote to memory of 2076 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe
PID 3592 wrote to memory of 2544 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 2544 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 2544 N/A C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 3320 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe
PID 2076 wrote to memory of 3320 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe
PID 2076 wrote to memory of 3320 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe
PID 2076 wrote to memory of 760 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 760 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 760 N/A C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4964 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe
PID 3320 wrote to memory of 4964 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe
PID 3320 wrote to memory of 4964 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe
PID 3320 wrote to memory of 4032 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4032 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4032 N/A C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4376 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe
PID 4964 wrote to memory of 4376 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe
PID 4964 wrote to memory of 4376 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe
PID 4964 wrote to memory of 4248 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4248 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4248 N/A C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 3604 N/A C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe
PID 4376 wrote to memory of 3604 N/A C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe
PID 4376 wrote to memory of 3604 N/A C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe
PID 4376 wrote to memory of 4548 N/A C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_f31fcbf9bf1a0b48f7a04cb917076bf6_goldeneye.exe"

C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe

C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul

C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe

C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E067C~1.EXE > nul

C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe

C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD73D~1.EXE > nul

C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe

C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86C97~1.EXE > nul

C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe

C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE40~1.EXE > nul

C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe

C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED1DF~1.EXE > nul

C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe

C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD4E~1.EXE > nul

C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe

C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3F080~1.EXE > nul

C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe

C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A4EEE~1.EXE > nul

C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe

C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C1A5~1.EXE > nul

C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe

C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A7166~1.EXE > nul

C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe

C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{907A2~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\{E067CCD3-3153-4fd3-B89E-0FA0B315E947}.exe

MD5 466a5fbb9b5adfd5e0f3d748531ff261
SHA1 79ffc81d7c9cf6ae7ae9e7154f83225ef554d574
SHA256 17da1a56a609b91fded76e2cb3b78320425e062cef658c410e93d3ded64d2644
SHA512 b47b7f2c77e051216f6767bd5cfa08d9013af16ba5f0c65ac6ad2f872711b5878e3e4debcda6ecf8d889cfb1f753f744f734a5afd91a3102a9e60b9a55703aaf

C:\Windows\{CD73D465-2CF8-42d6-B61B-35E94E9422D9}.exe

MD5 b5eb79389c4056a0d7d1089a0ff73134
SHA1 858428b1bcba7711e871d6592e8f834e708378b7
SHA256 4e102aba47cde4cc0b12f5f28e7a4da5496b636d239f05b7a099e7c25474d67d
SHA512 065874b11f8f2668d883f75179fc72c1216d42aa9c482ce6fc9d6d77446aaf36913e5baad86c67881282f08024c53d24b82a0baba6abbdbd0dfa41350e1548f9

C:\Windows\{86C97FD8-E64B-4af4-B94B-D7ED2883DC5D}.exe

MD5 16bcf7f00928421ab6820b61bc74f60d
SHA1 eb11f27ab6e52769d08935aa22527cc48eae4de3
SHA256 b5770dcb17483943995b147babd0ca68eeb343691e2b96aff138af85bc5eb867
SHA512 5cc352470d5d466c334f1b8d7b1bfcd6a84c3ded42d95bd517a339d3aaf4a73c2509a5053659dc1e02f351e0cab2a9451246fa6da68dab5d5cf3ece4856f175e

C:\Windows\{3FE400EC-45C4-495f-892E-D2E7A91AC676}.exe

MD5 641b819480c8380d6e313610660e31b5
SHA1 c1ac627a1c830c5f4c9f5149afbce483e49eb1a8
SHA256 48e2aee58e93c0669a96e0373a293b30cf3440575122139f5d1d25b51d124efc
SHA512 515105de978d2f4a2372bf40976e44d3710eb70fff1e7e83cd7b5ab2ed9ddd1de356c8ec2ee62b6414b9636b7500c4d1dd88935c69df9b4b5b926e0dc626a6bc

C:\Windows\{ED1DF4DA-8DDF-4ad8-9A92-1E3E8E048654}.exe

MD5 4a2dec28904b423d3d3b842bc0ab374f
SHA1 c2cc430a81a533d900da6e01df98ae780b4318e7
SHA256 ce737a20b8d70980f4688e7f1b4ea81e5e16f43dce3c2654e07c1a596d58b586
SHA512 d41af33aa5fa282801e4fc87e0c840ec1766c882952f04e58f89d43892409f1fa23d602fe90689f8ee5a9c48ed49e742ba129a05f81f9fbca57882201d302b1a

C:\Windows\{8AD4EFA3-015D-49a4-973A-D2809EEF1539}.exe

MD5 b415f5fecf5f15c4efd13fbe645ca81f
SHA1 9e61bde605569dbd52e63a5b5fe0468032619ac3
SHA256 61343e81bdd1cfdb27d59e4c353932b9339373448ccff8f66f5e13a15819b042
SHA512 d42b665f4730ba8ae943a49d1a06ff8868ab93b57af51c157de10de1653d4ea94ddd8fdd33ad3a3626a76279a4ef7025cfcdb1419de8972ca70e5453d6b3be55

C:\Windows\{3F0801D1-0E0D-4966-BBF9-107D84BD0966}.exe

MD5 283400b4ff48479526ad3fb99dcfd96d
SHA1 1a24a013cc881b9df2348081ef759c85accbd082
SHA256 916b68e042fb014a3059df1f6667459c5900b20a23637d9359d6c209d6954e8e
SHA512 c514bc190658952de69903b358da1673db9204da4b13cdcc593d1b31ef31146c4e4201b8cf7cffdee8c69c14fe2fce4006fb673a2f34575d1957f7c7f703ad81

C:\Windows\{A4EEEA44-93F6-4707-BADF-258A71BFEA1A}.exe

MD5 1885e73072c209baf4e580883714404b
SHA1 47aa632bb4d3334f8a57b919a1f1f3825d1efe62
SHA256 f839ec9040dbeee0dd0dd6bc30eb47cfa6f08dc6bb04befd4686eb9995ddf2c8
SHA512 767cd6bea90f3d3a5946a9997d3e66dd619120478e4698639c0194900bfd3b11b081ee3687135591badb1fbed9f188d2692e3bcda1ff21412bb1f41d90ad4fca

C:\Windows\{5C1A5B11-3C86-40f2-A1BB-4CCFF618FD2E}.exe

MD5 84087e0eab586a3f492151ea5b4d4004
SHA1 a88f1b028bda51921ddb7b06be941fc2a6088997
SHA256 2b7fe8331d12d37fa1a98ac70a43ecc40a05da1a91b28aa9c2fffab8cfca2cec
SHA512 b33514f37e4e167904f64895c29e99b449bfe010b93b8fd56159fb403c3e79d3d1b37e78c00c2ae7d71810b6fb1572533d3d81ce91c3c4941cf330cadfb5cd1d

C:\Windows\{A716678B-DFC5-47c6-8675-B2EEC262DB04}.exe

MD5 30ba7bf58d8bc17614fb9302d93881dc
SHA1 06340ed48a7e6f3f7de8543165d794f3df205c3e
SHA256 014e606cf26d25583768d84585e97c6a47553506861c6c51ddc3e91fdaeb93c4
SHA512 71aa8e11171fd2f460bb12a7202e44051b38454427e27bf7d0c970291ff76a050b81cc453f526f137c0f049e58b9356491f4bf54b7e5a675331432783a9cd50a

C:\Windows\{907A2357-E740-4b06-9DE9-F50E05A4DC6A}.exe

MD5 4e6e30572fc4fbd75b400bead734190d
SHA1 eb754cf67f8f208f6b603344b0ab5f68e14bf7f1
SHA256 d4af430c93044fd054e6f0fff9ef915560463619f16b58cf31c2365e869354a6
SHA512 2bba1772a5d5fcfeaf32c0bcb26e6a79bd318fb59e75cda3d9132a18ec364c997428f3bc94188e220c8eb5c0cbdb88f60aa2382e971e92c8d3c37779af49fd8e

C:\Windows\{2B398A3C-60AE-4c3f-B54B-6836FA77B36A}.exe

MD5 68e901df972c472c171f6ee3db247682
SHA1 db5c076d3b22496cf1bb087effe12dba70b386c5
SHA256 8702e4dc5880e7bea29cf36a1fa05f67f8ea68e8233a41de1b00c32b7023e849
SHA512 1efc22cc7d5d40742e6d1aaafd870d94889df1d2ee8c43647da21e7f12abc8a0a33157e5ea15ddec65eda93129a1e5e17b9ffffe38cc552b48c35883434175e5