7fcff9950745add59395f3a3f000ea6c1aaac869b86bef40963aa15b36c7a61a

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 04:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
Size

197KB
MD5

f56d4f2328e69732cfe1186a965b30bf
SHA1

f72f61624c0a55a9c77da1c1b5081b9958044cee
SHA256

7fcff9950745add59395f3a3f000ea6c1aaac869b86bef40963aa15b36c7a61a
SHA512

8ec2eddaf428df6cb3e5bb14f5171d6b77624550d73eca57f3d689db9cee606ad473afb643aaaef9cbf05a46497b7e59f8f9d8c015a92df155af21032e1b563a
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGdlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F377B94F-407C-45ca-8942-E8551F3953F3}	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94CA1106-7635-400a-9870-F2533DEBBD32}	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07A0C240-DFA4-4dce-B378-267C1B548F0D}	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B722CC-9C64-49fc-8411-D1B316027B62}	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}\stubpath = "C:\\Windows\\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe"	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}\stubpath = "C:\\Windows\\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe"	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B64367-C719-4584-93AE-E4E14C83CD30}	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B64367-C719-4584-93AE-E4E14C83CD30}\stubpath = "C:\\Windows\\{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe"	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B722CC-9C64-49fc-8411-D1B316027B62}\stubpath = "C:\\Windows\\{67B722CC-9C64-49fc-8411-D1B316027B62}.exe"	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}\stubpath = "C:\\Windows\\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe"	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F377B94F-407C-45ca-8942-E8551F3953F3}\stubpath = "C:\\Windows\\{F377B94F-407C-45ca-8942-E8551F3953F3}.exe"	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}\stubpath = "C:\\Windows\\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe"	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}\stubpath = "C:\\Windows\\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe"	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94CA1106-7635-400a-9870-F2533DEBBD32}\stubpath = "C:\\Windows\\{94CA1106-7635-400a-9870-F2533DEBBD32}.exe"	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07A0C240-DFA4-4dce-B378-267C1B548F0D}\stubpath = "C:\\Windows\\{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe"	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}\stubpath = "C:\\Windows\\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe"	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}\stubpath = "C:\\Windows\\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe"	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe

Executes dropped EXE 12 IoCs

pid	Process
404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
4392	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
888	{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
File created	C:\Windows\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
File created	C:\Windows\{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
File created	C:\Windows\{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
File created	C:\Windows\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
File created	C:\Windows\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
File created	C:\Windows\{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
File created	C:\Windows\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
File created	C:\Windows\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
File created	C:\Windows\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
File created	C:\Windows\{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
File created	C:\Windows\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
Token: SeIncBasePriorityPrivilege	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
Token: SeIncBasePriorityPrivilege	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
Token: SeIncBasePriorityPrivilege	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
Token: SeIncBasePriorityPrivilege	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
Token: SeIncBasePriorityPrivilege	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
Token: SeIncBasePriorityPrivilege	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
Token: SeIncBasePriorityPrivilege	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
Token: SeIncBasePriorityPrivilege	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
Token: SeIncBasePriorityPrivilege	2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
Token: SeIncBasePriorityPrivilege	4392	{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 404	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	102
PID 316 wrote to memory of 404	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	102
PID 316 wrote to memory of 404	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	102
PID 316 wrote to memory of 4080	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	103
PID 316 wrote to memory of 4080	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	103
PID 316 wrote to memory of 4080	316	2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe	103
PID 404 wrote to memory of 1888	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	104
PID 404 wrote to memory of 1888	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	104
PID 404 wrote to memory of 1888	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	104
PID 404 wrote to memory of 2004	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	105
PID 404 wrote to memory of 2004	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	105
PID 404 wrote to memory of 2004	404	{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe	105
PID 1888 wrote to memory of 2120	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	109
PID 1888 wrote to memory of 2120	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	109
PID 1888 wrote to memory of 2120	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	109
PID 1888 wrote to memory of 2320	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	110
PID 1888 wrote to memory of 2320	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	110
PID 1888 wrote to memory of 2320	1888	{94CA1106-7635-400a-9870-F2533DEBBD32}.exe	110
PID 2120 wrote to memory of 2208	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	111
PID 2120 wrote to memory of 2208	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	111
PID 2120 wrote to memory of 2208	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	111
PID 2120 wrote to memory of 4704	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	112
PID 2120 wrote to memory of 4704	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	112
PID 2120 wrote to memory of 4704	2120	{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe	112
PID 2208 wrote to memory of 2972	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	113
PID 2208 wrote to memory of 2972	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	113
PID 2208 wrote to memory of 2972	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	113
PID 2208 wrote to memory of 2372	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	114
PID 2208 wrote to memory of 2372	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	114
PID 2208 wrote to memory of 2372	2208	{67B722CC-9C64-49fc-8411-D1B316027B62}.exe	114
PID 2972 wrote to memory of 8	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	116
PID 2972 wrote to memory of 8	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	116
PID 2972 wrote to memory of 8	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	116
PID 2972 wrote to memory of 3004	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	117
PID 2972 wrote to memory of 3004	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	117
PID 2972 wrote to memory of 3004	2972	{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe	117
PID 8 wrote to memory of 3060	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	118
PID 8 wrote to memory of 3060	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	118
PID 8 wrote to memory of 3060	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	118
PID 8 wrote to memory of 1664	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	119
PID 8 wrote to memory of 1664	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	119
PID 8 wrote to memory of 1664	8	{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe	119
PID 3060 wrote to memory of 1188	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	122
PID 3060 wrote to memory of 1188	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	122
PID 3060 wrote to memory of 1188	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	122
PID 3060 wrote to memory of 888	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	123
PID 3060 wrote to memory of 888	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	123
PID 3060 wrote to memory of 888	3060	{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe	123
PID 1188 wrote to memory of 316	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	129
PID 1188 wrote to memory of 316	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	129
PID 1188 wrote to memory of 316	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	129
PID 1188 wrote to memory of 3204	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	130
PID 1188 wrote to memory of 3204	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	130
PID 1188 wrote to memory of 3204	1188	{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe	130
PID 316 wrote to memory of 2104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	131
PID 316 wrote to memory of 2104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	131
PID 316 wrote to memory of 2104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	131
PID 316 wrote to memory of 3104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	132
PID 316 wrote to memory of 3104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	132
PID 316 wrote to memory of 3104	316	{F377B94F-407C-45ca-8942-E8551F3953F3}.exe	132
PID 2104 wrote to memory of 4392	2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe	136
PID 2104 wrote to memory of 4392	2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe	136
PID 2104 wrote to memory of 4392	2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe	136
PID 2104 wrote to memory of 4412	2104	{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_f56d4f2328e69732cfe1186a965b30bf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
  C:\Windows\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
    C:\Windows\{94CA1106-7635-400a-9870-F2533DEBBD32}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
      C:\Windows\{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
        
        C:\Windows\{67B722CC-9C64-49fc-8411-D1B316027B62}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
        
        C:\Windows\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
        
        C:\Windows\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
        
        C:\Windows\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
        
        C:\Windows\{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
        
        C:\Windows\{F377B94F-407C-45ca-8942-E8551F3953F3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
        
        C:\Windows\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
        
        C:\Windows\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe
        
        C:\Windows\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8434E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4931D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F377B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B64~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{774E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E300~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0A9C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B72~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07A0C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94CA1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A32~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07A0C240-DFA4-4dce-B378-267C1B548F0D}.exe

Filesize
197KB

MD5
abf947a2c2114ff86d34e953d1892dc0

SHA1
9205b045bc3aac14f5edd250307c9c2cf228d8f3

SHA256
95022a69fb37cf711d5305d2a460ba910719864a91d1a330fee9594ee6fce9a6

SHA512
c7801dfb8f32d857ed2d02d942e63f7cb7764efb1b5d0e0ad5c9ae60cb5ae22ee4258253c4c6ad51101a813dacd30878565c075840443d38501ccc236275e71c

Download Submit
C:\Windows\{3E300DF0-2513-4fe3-AE52-DECB4697AD4A}.exe

Filesize
197KB

MD5
f1dd139d77b29f38ce92dc0e165ad7e9

SHA1
ac09a621a3e1bd6636b98c53ce7e5db0dfb2e387

SHA256
5518681ffaa9962505aee67a269fb9e00c40958ea1cc15a01e7c42d1a15503c5

SHA512
70d507e210a957f13190266180da6c510e0dcc5400af5e6510164b10fd189bf54a6a55023a8e3014387f5b1c7d4a19134a7eb4dbb7dff690cd56a109554b7683

Download Submit
C:\Windows\{4931DE7D-5797-4195-9F1A-60FEB2FFC4E5}.exe

Filesize
197KB

MD5
c4863da977ab3346cf04ccede205e81e

SHA1
699adbac137b078dffd16ef9fd631ad3a1b309a8

SHA256
11d9cfaa7491d58d7a2c2c0297131082a84d2554e0f570c4e4e50f573ad2f3b1

SHA512
cd3f651f8b94a6af295e1981bb7c034e35c5c7ecbe79d02b2972d9476f44efa6c248720afcd2204bc391548363dcf5afb67dc8b1c98975194d47e37e4128e154

Download Submit
C:\Windows\{67B722CC-9C64-49fc-8411-D1B316027B62}.exe

Filesize
197KB

MD5
3d0c5db5deccc5865ecc69fe228cf575

SHA1
3f0b70c8a65a72bc39da20c85eae0fc52149bfec

SHA256
8e86100bfee38948349ece7ac38ee91719adc9a020306c8b9b4f0d6f691a6f1f

SHA512
17835e6c517896a5670e745f8014520d280f8bdfbafb569f6f9f2c2f805a6a2053cd6009ac6ef555dde32b1f3368a7732b11b39dccfde678d19abe2ee403f4b1

Download Submit
C:\Windows\{6DED45ED-1C0F-4e27-BB0D-4BA7FE792296}.exe

Filesize
197KB

MD5
5c4c9b0ce505dcc0b26ec2b3e97db456

SHA1
c241a90d56d86c19d0a2f0c60deb44d317e3dc64

SHA256
a08ddec049cd0a8153bfaf38849dedf74801d94729a34b406416c58ff46f5917

SHA512
2d1f9d1d72fea1c16f1dcd5649ed761039e279a998976db88900429525b81bfb7fa6a94c5d1f670c3cbc0b56b74d42c4177307213eb1c0be55a4743695220748

Download Submit
C:\Windows\{774E4F4D-9FDC-417a-9E5A-480B9DBFF3C3}.exe

Filesize
197KB

MD5
20956e858da38827e059b575d3df1032

SHA1
556bb8f2f1501840daa38ad63e4e3ada43fdb312

SHA256
2a7fe801f06c41d0856d71225ca5ca57535aa3eb76c14bdf7994f42114f0b9b0

SHA512
bacc43a71d81644c5eafe5bf55dba2ba44ff49664ddf107794e2b216ac3ef5377ec4bef7e8887eb5d1e3a6d64fb2597826552115cdd115c53af2d10f880a6035

Download Submit
C:\Windows\{8434E8FD-E88E-4d93-BCCB-EC2D9855F03E}.exe

Filesize
197KB

MD5
43daf2a0df32858a8c33f78b7b0c702a

SHA1
5e3360addf8831e3ce12cacaf37132e9ffb6c039

SHA256
59af57f3d35f4e94286852198db3700c672e8b69e3dc99c9ab69b1ef22ecf27d

SHA512
47bfbd66ddbd7f0d03d8c858473b5681f795098db7d4455d8d77cbabce83e55174b8fcafae06aeef2b5f70ba72124edd3098e12033f24b8e2413c912b11f4b1b

Download Submit
C:\Windows\{94CA1106-7635-400a-9870-F2533DEBBD32}.exe

Filesize
197KB

MD5
c360085688d0d7df28bca1f8bfa1e4dd

SHA1
9879560585c5e57f8a8fb2914b17907c2746db8a

SHA256
c637839b521c22b5f544427d4101c3214361ba468c4047d3a634c9ff42816a0a

SHA512
329ca9c71c13f69a13e76b09926873f9d6824e73dcac5150f0224d84f110abda025a04072da58c1d4be0b4ba18cd56e975dad5db0cb1031bf71ac440d1ccb09e

Download Submit
C:\Windows\{D6B64367-C719-4584-93AE-E4E14C83CD30}.exe

Filesize
197KB

MD5
d4873dc11bceb7e2e7bb61df90ae505d

SHA1
ed9f934e88fb3b2a45f575d03fc725d18647b52c

SHA256
32e9e086ba058a3fe21d57fe57e961f9fc8a6a94ea3bbd173053b12617de9e2d

SHA512
276bbfd3fb1901253e4733db4031ef0d332cbb7d588a3bea6b9cf5f28e8d87f4d0da4912afdf79fbe55dc9a586ba0aa28e3974fbd21ec7c590eba2859411fe8d

Download Submit
C:\Windows\{E0A9C1AF-15B5-489e-9003-B9C302E86E5B}.exe

Filesize
197KB

MD5
e3da6107278620715a94d1a635061d1b

SHA1
75af988dd785c8585903e07db8c7b46989eedd5e

SHA256
c4f83668e999432551cb9001b8fba11e611c6338d2dd5a271141359aff57faaf

SHA512
fcda5efec5da829d1d6d18b206bdc6460550e4604acd2529dbec13c83f06b0697e5904007bb3c73ecbd197f93f271a90ff42f14f956fed1a4b2515e740a32350

Download Submit
C:\Windows\{E9A321D2-D083-4b8a-9580-4AD947BC9F31}.exe

Filesize
197KB

MD5
2d7afe8be9173cd1a158cb9dc8320ef4

SHA1
5883b8be3d9d82f1e57976f39f0d9613a6215ce7

SHA256
1438470c2c9d228b230f084ff21d5def9c85a53e5d46626b7d3f0b54463e6aae

SHA512
0af051e3fbe3bd450a18d0cd0954908772d01ac0972f08458eda24b2e4cf61e2b595ed06c4292fcca810752d85d57b254f87db9f0ae7492cf042c5db59176dfc

Download Submit
C:\Windows\{F377B94F-407C-45ca-8942-E8551F3953F3}.exe

Filesize
197KB

MD5
ffe5c9bf568aa7cc61755a861e2a4656

SHA1
bf8365aac27e38a6f3b41740a15663454ba7e0d6

SHA256
88cc2b173192049791036b74e15433c9883a70e72eb9813215714b74747748ad

SHA512
14ac3e4545c9e56d6c6719dd8490853863d4eb12e635a3ffeb748e8751741cb343900d6d91bb57c06ac2323cef6325d9056cb31173f824b303c3c8cda5c7601f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads