a99a8f0d8472d34c2abe5c14eab1a905c62b67d14e1e7b4c843bc012f3b34deb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
Size

380KB
MD5

d54095e9797e89c3955e85a9509d23e7
SHA1

855b6ed290c6a5cff25c3b40b7a557a86a4d7984
SHA256

a99a8f0d8472d34c2abe5c14eab1a905c62b67d14e1e7b4c843bc012f3b34deb
SHA512

74dc5fee1173fc2091bdf0b2167c8fce3c5bf073499f18bb46607facc79231ff94a26f403ae6602b57ed37c2aec12fca952684bd72c348525a38d1262fdf153d
SSDEEP

3072:mEGh0ob1lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF560552-E188-4659-9940-1A9F918F35CB}\stubpath = "C:\\Windows\\{CF560552-E188-4659-9940-1A9F918F35CB}.exe"	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EB36A5-D189-496a-8B26-22A457DC3FE9}	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}\stubpath = "C:\\Windows\\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe"	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E632A47-6252-42d4-B786-B2C19E698EAC}	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E632A47-6252-42d4-B786-B2C19E698EAC}\stubpath = "C:\\Windows\\{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe"	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44A3126-83A7-4092-9634-67DA20170FCA}\stubpath = "C:\\Windows\\{E44A3126-83A7-4092-9634-67DA20170FCA}.exe"	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF560552-E188-4659-9940-1A9F918F35CB}	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}\stubpath = "C:\\Windows\\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe"	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EB36A5-D189-496a-8B26-22A457DC3FE9}\stubpath = "C:\\Windows\\{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe"	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39492964-E2BA-474f-9ECC-6495A503A841}\stubpath = "C:\\Windows\\{39492964-E2BA-474f-9ECC-6495A503A841}.exe"	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E811FB2D-9928-44f3-9F96-22F2109858C6}\stubpath = "C:\\Windows\\{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe"	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}\stubpath = "C:\\Windows\\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe"	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39492964-E2BA-474f-9ECC-6495A503A841}	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899F989-F4B7-4906-8142-D7530D489474}\stubpath = "C:\\Windows\\{B899F989-F4B7-4906-8142-D7530D489474}.exe"	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB9C452-B1D8-45d5-B591-603F00A30168}\stubpath = "C:\\Windows\\{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe"	{B899F989-F4B7-4906-8142-D7530D489474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899F989-F4B7-4906-8142-D7530D489474}	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB9C452-B1D8-45d5-B591-603F00A30168}	{B899F989-F4B7-4906-8142-D7530D489474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}\stubpath = "C:\\Windows\\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe"	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E811FB2D-9928-44f3-9F96-22F2109858C6}	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44A3126-83A7-4092-9634-67DA20170FCA}	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe

Executes dropped EXE 12 IoCs

pid	Process
2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe
3808	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
4320	{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{39492964-E2BA-474f-9ECC-6495A503A841}.exe	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
File created	C:\Windows\{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
File created	C:\Windows\{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
File created	C:\Windows\{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
File created	C:\Windows\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
File created	C:\Windows\{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
File created	C:\Windows\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
File created	C:\Windows\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
File created	C:\Windows\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
File created	C:\Windows\{B899F989-F4B7-4906-8142-D7530D489474}.exe	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
File created	C:\Windows\{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe	{B899F989-F4B7-4906-8142-D7530D489474}.exe
File created	C:\Windows\{CF560552-E188-4659-9940-1A9F918F35CB}.exe	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B899F989-F4B7-4906-8142-D7530D489474}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe
Token: SeIncBasePriorityPrivilege	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
Token: SeIncBasePriorityPrivilege	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
Token: SeIncBasePriorityPrivilege	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
Token: SeIncBasePriorityPrivilege	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe
Token: SeIncBasePriorityPrivilege	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
Token: SeIncBasePriorityPrivilege	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
Token: SeIncBasePriorityPrivilege	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
Token: SeIncBasePriorityPrivilege	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
Token: SeIncBasePriorityPrivilege	4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe
Token: SeIncBasePriorityPrivilege	3808	{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2468	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	93
PID 3480 wrote to memory of 2468	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	93
PID 3480 wrote to memory of 2468	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	93
PID 3480 wrote to memory of 1136	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	94
PID 3480 wrote to memory of 1136	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	94
PID 3480 wrote to memory of 1136	3480	2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe	94
PID 2468 wrote to memory of 3592	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	97
PID 2468 wrote to memory of 3592	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	97
PID 2468 wrote to memory of 3592	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	97
PID 2468 wrote to memory of 4484	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	98
PID 2468 wrote to memory of 4484	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	98
PID 2468 wrote to memory of 4484	2468	{CF560552-E188-4659-9940-1A9F918F35CB}.exe	98
PID 3592 wrote to memory of 660	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	104
PID 3592 wrote to memory of 660	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	104
PID 3592 wrote to memory of 660	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	104
PID 3592 wrote to memory of 1928	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	105
PID 3592 wrote to memory of 1928	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	105
PID 3592 wrote to memory of 1928	3592	{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe	105
PID 660 wrote to memory of 2740	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	110
PID 660 wrote to memory of 2740	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	110
PID 660 wrote to memory of 2740	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	110
PID 660 wrote to memory of 620	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	111
PID 660 wrote to memory of 620	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	111
PID 660 wrote to memory of 620	660	{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe	111
PID 2740 wrote to memory of 4384	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	112
PID 2740 wrote to memory of 4384	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	112
PID 2740 wrote to memory of 4384	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	112
PID 2740 wrote to memory of 2412	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	113
PID 2740 wrote to memory of 2412	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	113
PID 2740 wrote to memory of 2412	2740	{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe	113
PID 4384 wrote to memory of 4684	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	115
PID 4384 wrote to memory of 4684	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	115
PID 4384 wrote to memory of 4684	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	115
PID 4384 wrote to memory of 1348	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	116
PID 4384 wrote to memory of 1348	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	116
PID 4384 wrote to memory of 1348	4384	{39492964-E2BA-474f-9ECC-6495A503A841}.exe	116
PID 4684 wrote to memory of 2968	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	117
PID 4684 wrote to memory of 2968	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	117
PID 4684 wrote to memory of 2968	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	117
PID 4684 wrote to memory of 1436	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	118
PID 4684 wrote to memory of 1436	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	118
PID 4684 wrote to memory of 1436	4684	{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe	118
PID 2968 wrote to memory of 4820	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	119
PID 2968 wrote to memory of 4820	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	119
PID 2968 wrote to memory of 4820	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	119
PID 2968 wrote to memory of 2548	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	120
PID 2968 wrote to memory of 2548	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	120
PID 2968 wrote to memory of 2548	2968	{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe	120
PID 4820 wrote to memory of 4916	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	121
PID 4820 wrote to memory of 4916	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	121
PID 4820 wrote to memory of 4916	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	121
PID 4820 wrote to memory of 4612	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	122
PID 4820 wrote to memory of 4612	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	122
PID 4820 wrote to memory of 4612	4820	{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe	122
PID 4916 wrote to memory of 4444	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	123
PID 4916 wrote to memory of 4444	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	123
PID 4916 wrote to memory of 4444	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	123
PID 4916 wrote to memory of 1424	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	124
PID 4916 wrote to memory of 1424	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	124
PID 4916 wrote to memory of 1424	4916	{E44A3126-83A7-4092-9634-67DA20170FCA}.exe	124
PID 4444 wrote to memory of 3808	4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe	125
PID 4444 wrote to memory of 3808	4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe	125
PID 4444 wrote to memory of 3808	4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe	125
PID 4444 wrote to memory of 2892	4444	{B899F989-F4B7-4906-8142-D7530D489474}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_d54095e9797e89c3955e85a9509d23e7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\{CF560552-E188-4659-9940-1A9F918F35CB}.exe
  C:\Windows\{CF560552-E188-4659-9940-1A9F918F35CB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
    C:\Windows\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
      C:\Windows\{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
        
        C:\Windows\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{39492964-E2BA-474f-9ECC-6495A503A841}.exe
        
        C:\Windows\{39492964-E2BA-474f-9ECC-6495A503A841}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
        
        C:\Windows\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
        
        C:\Windows\{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
        
        C:\Windows\{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
        
        C:\Windows\{E44A3126-83A7-4092-9634-67DA20170FCA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{B899F989-F4B7-4906-8142-D7530D489474}.exe
        
        C:\Windows\{B899F989-F4B7-4906-8142-D7530D489474}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
        
        C:\Windows\{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe
        
        C:\Windows\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB9C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B899F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E44A3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E632~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E811F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A940E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39492~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E17D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78EB3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A4C3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF560~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FB9C452-B1D8-45d5-B591-603F00A30168}.exe

Filesize
380KB

MD5
173c7347dfcedba6c8159ad225cd09e4

SHA1
eb969d68813238480c992348350a7ec1572b6163

SHA256
4e3b0f398b0515a286550147116fb898e2b8ff4eed33089ba9418d3f331f94f7

SHA512
d7a0ea4a3272facee9427398a54f04e8cf53f56bd266b4fe5857c04bc1b1437e8a20930ade8771cfedcd07c5ca50734c6f3d7ae4e0d6cf0b6bf9546f541d832d

Download Submit
C:\Windows\{2E17D51F-6CD6-4fb5-8911-83ED5A251255}.exe

Filesize
380KB

MD5
c4a1b743733fb6a1adf6dcd937c4ff4b

SHA1
f992b4f6d0f1a3b9c58f3ed743a7db369a6d4598

SHA256
646bd9987df6300794b307bcb9f84d8deb3998da9fcb4dd1147e3dfa71d9a766

SHA512
ea5e934f33bd44385127acca29587730ce6b6ec2e16bc89e4df7205fe435a17f2eb60728ee511350ab304b9387a7ed36eadc73918bc137058bef6964224cb922

Download Submit
C:\Windows\{39492964-E2BA-474f-9ECC-6495A503A841}.exe

Filesize
380KB

MD5
9edfa72bb6dcb3e9c45858a25953618e

SHA1
237a232031794780df3e18117155f82da4b8f33c

SHA256
0534163c691e1e96fdce8df4f5b04c9af8c8effd8829020a71603fba4e229154

SHA512
0cedd15dfa66691876a290f9d3aee9da285c48d93e2b41cb94393bc25c57b5a0879a2a3d294e1746b803b8bb27d479386c2d0ed7763ed05bb087181cf136a8c3

Download Submit
C:\Windows\{3E632A47-6252-42d4-B786-B2C19E698EAC}.exe

Filesize
380KB

MD5
c0e36e0d7cf59089eac0c84e85462c11

SHA1
97deccf77de08f5ba47acb6665f12df11aa856e0

SHA256
cc73655f82685107b62db795e25f98715e0e3524dc0e30b73f049e3525c591a0

SHA512
9aa02aab112ef5120490490afe764abfe5438a5341c67403b168a2c04134ccba1a9b3bc0d720e2c88cb00877ffac8d69c2b8cf77eb8faf47b7b998b9f69918a1

Download Submit
C:\Windows\{6A4C398E-44D6-4ff4-A9BB-49886939D8E4}.exe

Filesize
380KB

MD5
19177559e0df2d0fe7cb2b8914692a3d

SHA1
43c4992f452685d76bee2289a6acb413387ee74e

SHA256
a802c37c0c838c714d6e794c4c6747813a09a6753e22c46c86911b1bc84ba412

SHA512
c1d78bcbd0f4a2daf414b922b6bddb0d9fa9bd356798d9a8815dfb183124b2f6da1a754277c710d0bf7fb25ae060a87cade9236886c1b459c2254b7a6f082171

Download Submit
C:\Windows\{78EB36A5-D189-496a-8B26-22A457DC3FE9}.exe

Filesize
380KB

MD5
bf314286ca8c3153bc16418bf29e580e

SHA1
c1050f695819ad645e1e3950718c1ca2b1bf001b

SHA256
377e2157d4a7f3afef4c69062e10ccf06e475c2d7d822ea289cea413f4b7b993

SHA512
7b240701d575742f3a54451f2774a34e3ed91edc025519e56ab71339e0796b9a30a495688fa5e56aef45da9ffaf8c1b2e05c82cf8e6d228e80ac7a81d8474567

Download Submit
C:\Windows\{A940E7D0-11E5-4ece-BCB6-0F96F35855E3}.exe

Filesize
380KB

MD5
5170195b95cdd2a20914f32cdf44179d

SHA1
303280666a40a2b15de3318064da9da2672dede1

SHA256
310d90f01eb26f6dd022f4d80b9b29ea3f89404202efb040d03dd5d4a75cced0

SHA512
0ae3a4f6547025e083d12b4890e4d456fcf723187d67cd0865a73d13edfdf68836273c9743a744925d5627742911fe094d8cc00f7dceeb528fdf47b6e7425f6e

Download Submit
C:\Windows\{B899F989-F4B7-4906-8142-D7530D489474}.exe

Filesize
380KB

MD5
3399a3f54f98a132df5f90aa3a6b68c3

SHA1
33d73d7d59a45bc38752f1ad9329b23afa298179

SHA256
2604459e54bf4a8701b9f95405e8ead1ae948ad85c46fbbf170c17c6e96b0842

SHA512
c806e699d564a6e5f8f314aaea49f946ecf0020491b1724cea6c94c91ad237d7e82fa6dbd44cf75328ea3846c49c1d45be20f01eac7063c640860deb851a95dc

Download Submit
C:\Windows\{BF4A96FC-3765-4411-84C8-886EFCA41FBB}.exe

Filesize
380KB

MD5
a82708b792a70af04e9ee9199ec7024e

SHA1
ba0d521d8d4634185678ba3ee7097b0b83173ceb

SHA256
2e84b0036f34b07d0f5e784bc14ab256a7af30f434b901dca9a7f612048dd7db

SHA512
d8afce2ee744198210e892b9768504f0f17bd059afaddefbfeec903d69fced8b93f8a25bc0a2fb8d1747ee7e7456f782ec56cac93f4e99d52f6a17e94e14f117

Download Submit
C:\Windows\{CF560552-E188-4659-9940-1A9F918F35CB}.exe

Filesize
380KB

MD5
a7157131402e22e01771e19953d944a5

SHA1
8be874666c43e83f9fa40951aa098e46d29c5edf

SHA256
750c187c1f3ae685d2addf2cee46399cd3925a93b3b3c72f6588b8bdee431f40

SHA512
9cabb118ea63d8d1688e82cdaa06e73b6dc8a771052c9c4e445ac490fb6f607bf26b0aabd951228d8e2ec81c3d93ba94ef3e66cfee017d191ef524dc18cd1954

Download Submit
C:\Windows\{E44A3126-83A7-4092-9634-67DA20170FCA}.exe

Filesize
380KB

MD5
60a80ad3116d9c8f42ff4ca9a14eabeb

SHA1
5f24fa45490f277e39baf8af7e0fe3fb0b68d3bb

SHA256
092a77c5348e7bcb2c6dd2652dca4aa22f9c7d6da2f55978a3fb9eadf5317b5f

SHA512
72368395700fa4619c28a5e08984d247d62e532d9effa8ffa073cc174fe88046c3e695656e56b876d25192df9a6d5e5b1d67598e682a196b28012456e953ecbb

Download Submit
C:\Windows\{E811FB2D-9928-44f3-9F96-22F2109858C6}.exe

Filesize
380KB

MD5
5f8779ea7dcdab6e49f97c976f4fdb41

SHA1
4e052887a7356498480ab4c368f39a3b99249231

SHA256
d9a94e79b788d1dee7fa93352c4da3d2ebfb405a47d1c15c2ffa538e32fc7da7

SHA512
53e7c078657b483be8a4fc80045eb7be72304e2df8b537de10f32e71e0be3cdb663a79323a2b73c52fa73da61fbc2495d2cc4a0e161e4d2c184146fa3834473b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads