3ecad09fb334c9a95ce6fbf4c546e5cd43c1b203ca54d2dae423f08ba7143307

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
Size

168KB
MD5

c19608277fd53c0f798d2f57f2d86be8
SHA1

272d783edc17a5e456e4d0ab4f096620805c41e2
SHA256

3ecad09fb334c9a95ce6fbf4c546e5cd43c1b203ca54d2dae423f08ba7143307
SHA512

0bb6d89b5c4ebb84d3709e3804ad1431f5da32c54c5ff1e6a836351fb79cb52215e9446df1dd0da99a735b4d887cf7be3139ddda002074a62517c05d9cb79bab
SSDEEP

1536:1EGh0o5lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o5lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}\stubpath = "C:\\Windows\\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe"	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}\stubpath = "C:\\Windows\\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe"	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93955819-F9C6-4390-96B6-E1260132F00C}	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC855923-650E-49a3-916F-9C4AB5D2AD19}	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11E849E-D910-4161-9752-418ACDB3302B}	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D79D101-0E30-412b-AB39-F8604607D425}\stubpath = "C:\\Windows\\{1D79D101-0E30-412b-AB39-F8604607D425}.exe"	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}\stubpath = "C:\\Windows\\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe"	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{348B0556-BFA7-4e71-A75E-87C6534E71E1}\stubpath = "C:\\Windows\\{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe"	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B146B315-7F48-4058-AE4B-D17145D766D6}\stubpath = "C:\\Windows\\{B146B315-7F48-4058-AE4B-D17145D766D6}.exe"	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}\stubpath = "C:\\Windows\\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe"	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11E849E-D910-4161-9752-418ACDB3302B}\stubpath = "C:\\Windows\\{E11E849E-D910-4161-9752-418ACDB3302B}.exe"	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D79D101-0E30-412b-AB39-F8604607D425}	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}\stubpath = "C:\\Windows\\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe"	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93955819-F9C6-4390-96B6-E1260132F00C}\stubpath = "C:\\Windows\\{93955819-F9C6-4390-96B6-E1260132F00C}.exe"	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{348B0556-BFA7-4e71-A75E-87C6534E71E1}	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC855923-650E-49a3-916F-9C4AB5D2AD19}\stubpath = "C:\\Windows\\{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe"	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B146B315-7F48-4058-AE4B-D17145D766D6}	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A10D84-3558-43f1-985B-66E325D0B891}	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A10D84-3558-43f1-985B-66E325D0B891}\stubpath = "C:\\Windows\\{D0A10D84-3558-43f1-985B-66E325D0B891}.exe"	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe

Executes dropped EXE 12 IoCs

pid	Process
324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
3516	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
3284	{1D79D101-0E30-412b-AB39-F8604607D425}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
File created	C:\Windows\{E11E849E-D910-4161-9752-418ACDB3302B}.exe	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
File created	C:\Windows\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
File created	C:\Windows\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
File created	C:\Windows\{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
File created	C:\Windows\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
File created	C:\Windows\{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
File created	C:\Windows\{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
File created	C:\Windows\{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
File created	C:\Windows\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
File created	C:\Windows\{1D79D101-0E30-412b-AB39-F8604607D425}.exe	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
File created	C:\Windows\{93955819-F9C6-4390-96B6-E1260132F00C}.exe	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D79D101-0E30-412b-AB39-F8604607D425}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe
Token: SeIncBasePriorityPrivilege	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
Token: SeIncBasePriorityPrivilege	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
Token: SeIncBasePriorityPrivilege	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
Token: SeIncBasePriorityPrivilege	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
Token: SeIncBasePriorityPrivilege	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
Token: SeIncBasePriorityPrivilege	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
Token: SeIncBasePriorityPrivilege	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
Token: SeIncBasePriorityPrivilege	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe
Token: SeIncBasePriorityPrivilege	2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
Token: SeIncBasePriorityPrivilege	3516	{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 324	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	86
PID 636 wrote to memory of 324	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	86
PID 636 wrote to memory of 324	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	86
PID 636 wrote to memory of 4936	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	87
PID 636 wrote to memory of 4936	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	87
PID 636 wrote to memory of 4936	636	2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe	87
PID 324 wrote to memory of 2740	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	88
PID 324 wrote to memory of 2740	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	88
PID 324 wrote to memory of 2740	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	88
PID 324 wrote to memory of 5064	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	89
PID 324 wrote to memory of 5064	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	89
PID 324 wrote to memory of 5064	324	{93955819-F9C6-4390-96B6-E1260132F00C}.exe	89
PID 2740 wrote to memory of 4352	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	93
PID 2740 wrote to memory of 4352	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	93
PID 2740 wrote to memory of 4352	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	93
PID 2740 wrote to memory of 4376	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	94
PID 2740 wrote to memory of 4376	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	94
PID 2740 wrote to memory of 4376	2740	{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe	94
PID 4352 wrote to memory of 4892	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	96
PID 4352 wrote to memory of 4892	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	96
PID 4352 wrote to memory of 4892	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	96
PID 4352 wrote to memory of 3900	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	97
PID 4352 wrote to memory of 3900	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	97
PID 4352 wrote to memory of 3900	4352	{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe	97
PID 4892 wrote to memory of 888	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	98
PID 4892 wrote to memory of 888	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	98
PID 4892 wrote to memory of 888	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	98
PID 4892 wrote to memory of 4808	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	99
PID 4892 wrote to memory of 4808	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	99
PID 4892 wrote to memory of 4808	4892	{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe	99
PID 888 wrote to memory of 5052	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	100
PID 888 wrote to memory of 5052	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	100
PID 888 wrote to memory of 5052	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	100
PID 888 wrote to memory of 3776	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	101
PID 888 wrote to memory of 3776	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	101
PID 888 wrote to memory of 3776	888	{B146B315-7F48-4058-AE4B-D17145D766D6}.exe	101
PID 5052 wrote to memory of 1384	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	102
PID 5052 wrote to memory of 1384	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	102
PID 5052 wrote to memory of 1384	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	102
PID 5052 wrote to memory of 4368	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	103
PID 5052 wrote to memory of 4368	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	103
PID 5052 wrote to memory of 4368	5052	{D0A10D84-3558-43f1-985B-66E325D0B891}.exe	103
PID 1384 wrote to memory of 2956	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	104
PID 1384 wrote to memory of 2956	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	104
PID 1384 wrote to memory of 2956	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	104
PID 1384 wrote to memory of 3440	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	105
PID 1384 wrote to memory of 3440	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	105
PID 1384 wrote to memory of 3440	1384	{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe	105
PID 2956 wrote to memory of 2300	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	106
PID 2956 wrote to memory of 2300	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	106
PID 2956 wrote to memory of 2300	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	106
PID 2956 wrote to memory of 1312	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	107
PID 2956 wrote to memory of 1312	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	107
PID 2956 wrote to memory of 1312	2956	{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe	107
PID 2300 wrote to memory of 2200	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	108
PID 2300 wrote to memory of 2200	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	108
PID 2300 wrote to memory of 2200	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	108
PID 2300 wrote to memory of 1104	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	109
PID 2300 wrote to memory of 1104	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	109
PID 2300 wrote to memory of 1104	2300	{E11E849E-D910-4161-9752-418ACDB3302B}.exe	109
PID 2200 wrote to memory of 3516	2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe	110
PID 2200 wrote to memory of 3516	2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe	110
PID 2200 wrote to memory of 3516	2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe	110
PID 2200 wrote to memory of 940	2200	{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_c19608277fd53c0f798d2f57f2d86be8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\{93955819-F9C6-4390-96B6-E1260132F00C}.exe
  C:\Windows\{93955819-F9C6-4390-96B6-E1260132F00C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
    C:\Windows\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
      C:\Windows\{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
        
        C:\Windows\{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
        
        C:\Windows\{B146B315-7F48-4058-AE4B-D17145D766D6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
        
        C:\Windows\{D0A10D84-3558-43f1-985B-66E325D0B891}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
        
        C:\Windows\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
        
        C:\Windows\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{E11E849E-D910-4161-9752-418ACDB3302B}.exe
        
        C:\Windows\{E11E849E-D910-4161-9752-418ACDB3302B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
        
        C:\Windows\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
        
        C:\Windows\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\{1D79D101-0E30-412b-AB39-F8604607D425}.exe
        
        C:\Windows\{1D79D101-0E30-412b-AB39-F8604607D425}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E7C7~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8A9B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E11E8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D2B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B02BD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0A10~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B146B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC855~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{348B0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02EA5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93955~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02EA59B3-EFC0-48d2-8FDE-CAFD8DDD3193}.exe

Filesize
168KB

MD5
bb2113e7b43e9d07a2cb00e26657be14

SHA1
43a49b84ab5596f7ab49341d0b72f3838527a0e4

SHA256
1dbdad1fdfbae93a031b6c6a9c378836f25fcf3592883b1f8bef5e9b7fcc53aa

SHA512
f8585fcb67262cb4fa2f47912f5c1ebf8d809a90c22664956e12361beb492f3edc0f414aec9b51d8a890e56e02712dd71482c515a85e00e295a599439a27fa13

Download Submit
C:\Windows\{1D79D101-0E30-412b-AB39-F8604607D425}.exe

Filesize
168KB

MD5
9afac8b29d69857718b76d9620c00477

SHA1
873d594ac0cd3a22432cb748f40c2e67e662edb4

SHA256
1a976ec393833439db020707f461df40495eda4ce3c4ecd215ab7a3b64f174cc

SHA512
74ce247317b1b621bca24cfe9d363d3abd683f08cfee1f5442f55db38e470f58cd1e038fddd9ee39bc31bd5751a214cae3dbee4f0b800d4cf82fd4330d4d453c

Download Submit
C:\Windows\{1E7C795E-6D8C-4822-BEC7-E2DC44B77A82}.exe

Filesize
168KB

MD5
41a6e76430028fce26145c039e4165d9

SHA1
0c48f25db5c099292fae4792349384fbbd1384bb

SHA256
1b7458cb1d8ee927cb009157bae1acfd1d43f94e52852c07ceba626b8b2d245c

SHA512
6066bcd8090ec5bdb876cceff818c2e26f0f7cb56b1dd6222e1237694cfb856e670997fba513776600137f86155b147a14878933e94e84770fe36b235d995096

Download Submit
C:\Windows\{348B0556-BFA7-4e71-A75E-87C6534E71E1}.exe

Filesize
168KB

MD5
437118f00807aa846a7e37cef7f781a2

SHA1
3920f157173ae6d17d225cb4eb947daca032ed77

SHA256
7f671c8ee87abf9ce0416e088619aac6bb2010bc4e6b3f4d762021258a86073f

SHA512
08d494923f898072a25e658adff00c0be109b36807db2e7d402b1253806a968ff57a389a3554fbc4e780c6e6638ee95482c1a1e8e2a4663db7b9dc32f5179d30

Download Submit
C:\Windows\{93955819-F9C6-4390-96B6-E1260132F00C}.exe

Filesize
168KB

MD5
dbbf32c9470ac956b0d0de9b1feb8e5c

SHA1
d0e6b132a55f1a34db36b64f9803f20245cc8256

SHA256
575a4b7bc67a1880ac32cf48a305a8f02dd597b21b0067e5f2aa6ad62d15241b

SHA512
99e53f6240b0aed19dd2274b7d933675d990b3c77540569887e1b4662e3221a4d63bce2178945dbdbce79bf66d03e41d7ea2986aa500fb9dd0bd9caab2573ee0

Download Submit
C:\Windows\{A8A9B825-AF41-4f3b-BBA7-CE3BC6A8EA73}.exe

Filesize
168KB

MD5
52f94c49aeae59b51c3af18b021ef55c

SHA1
4d70eb35231eae128e4e2741055c9b1691d27c5a

SHA256
6cd7ce67962f48fdc133fa072dd0fc0006782866bf6223d09005ca9f21c6dc26

SHA512
1e7a50f05cf51d272ce9ac892caf7e7fc17ac41d3c19b4b05a2a1e8181abd41df3c33ad3cb0995ee8649335d30000fe88350843252ad1666901819f75bdf0c6d

Download Submit
C:\Windows\{B02BD064-8DE3-48de-BB52-8B76F41BB9F7}.exe

Filesize
168KB

MD5
bbc30e4e129574cb5fdc410dfe68ddd7

SHA1
f3068bdcd791d7b83d84d3a3f8ed2248f3bfc930

SHA256
789884a2d5f476f4f6e4800c62b45932cf0c6893575d15b4d62da9cfa23550d9

SHA512
642cf3f4523f3ffd081d65d417c22aa254241d87b6ceb328f1e3bf1ddeee779a8eac527fe8354a00be6f4b356690c7a7b9f3f79df0b0c0a54a8b436ace0d4181

Download Submit
C:\Windows\{B146B315-7F48-4058-AE4B-D17145D766D6}.exe

Filesize
168KB

MD5
ef31d303308061100ac7478eab5efa66

SHA1
f0c6a5e3b4cf62f5252e7559e5b6194c0483312f

SHA256
3e705d25022eb2973059a166dcdae6c423ceaedfbd2b1e3a7d784438131bc649

SHA512
9a501a958728d52425cdd6b1eba2246cda9b616d558be8a67549f4edd131c4eeca439cfa92a842e8bc1746e65b64f23afbb3ab5abd21c0537d8c9aafdfbb4705

Download Submit
C:\Windows\{C6D2B8BC-662C-4cfd-80F0-19E5759F1771}.exe

Filesize
168KB

MD5
0fc4dc42ada529edf3e83bd4abb2d385

SHA1
d4ed5630424202deb4053ba1ceb4cf2e9d77bedd

SHA256
2b33d5a851d54c6b5ace44f0b7b9b4cdbead51a91b41aecc5c5a321048d7b3a8

SHA512
f67c2faa00e2920bc9c6421665abae4ea20f9b0090b98668b99eda51424da4ec5637eebe800161ede8bb74855bd9db3d3349dcbbf11ef10dcfe2b8967800bbe5

Download Submit
C:\Windows\{D0A10D84-3558-43f1-985B-66E325D0B891}.exe

Filesize
168KB

MD5
fe6ddee9f0e1f16699f896e082ce4c80

SHA1
be9f1803e2ccb0f441e49d4db5bacb7c21e64bcf

SHA256
c5f535ea3d11dbda4a23a6ae2c51522b252cc8aaca68d55f285484528ce1d701

SHA512
44cea452a6211c51900bf920f5d98714bfbb217031f3985224674d0c1f0a177878d333b3a72e041c7696f408e1ceb7703224c16ea3386b6a1201849514c8d2e1

Download Submit
C:\Windows\{E11E849E-D910-4161-9752-418ACDB3302B}.exe

Filesize
168KB

MD5
40f3c22955c06bed13220535a7ed1fa5

SHA1
85bcec4169cf83a15330e5669082427eec0d39f4

SHA256
01c5ef2cc2d790bacf5a438cf9cf5b5d0f2c4a2eb4b41cd4548cff13be845f44

SHA512
3162780425b98b1e3e0e0de2949505f89de3ec9024b982750980e1d516636c22397db571e89da3ec1f7720d629536791876e419e89a2f57afe740ffcec977301

Download Submit
C:\Windows\{FC855923-650E-49a3-916F-9C4AB5D2AD19}.exe

Filesize
168KB

MD5
b357629f5e79189560fa2335cc442a35

SHA1
1bead5d337246b9020eec4dcbd03ce4bb2be5f3b

SHA256
799b3f9dfe1dc7553213871b1c48eab501587a208ada7c21e0f640935a33e31b

SHA512
91112c54633887f83cd2556048496e0788132c8aba03129590da7a71d2c3eef37f5ebb37504755929f1fc74974c8b03732d2b343f1884eb2595c57dc15a7f57e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads