c59d0e340b164f141e4a52e35e343679c449c8f1e6d14716606323581d871960

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Size

408KB
MD5

2aaade61d7f630f627783468869f8ebd
SHA1

4547f3580d0adc91d51ef79f4657eac1b6b3e3b4
SHA256

c59d0e340b164f141e4a52e35e343679c449c8f1e6d14716606323581d871960
SHA512

4807f5aa94fa844b652409b496c3f500c159cb3e186cbc64f41ec27dc973044b33bd16a1a16e950f2d90802029e47fb174d9e394ee267cb393a2d3d252ad1cf2
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}\stubpath = "C:\\Windows\\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe"	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C16835-A713-4664-8111-68701F313E88}\stubpath = "C:\\Windows\\{15C16835-A713-4664-8111-68701F313E88}.exe"	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}\stubpath = "C:\\Windows\\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe"	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31573326-1EAC-4804-A125-EA04F3ADA1F5}\stubpath = "C:\\Windows\\{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe"	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F85AA9-9358-4af2-9393-DAD78D8526B1}	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}\stubpath = "C:\\Windows\\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe"	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}\stubpath = "C:\\Windows\\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe"	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BD5C91-94A5-432c-9111-9E03557370DD}\stubpath = "C:\\Windows\\{82BD5C91-94A5-432c-9111-9E03557370DD}.exe"	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31573326-1EAC-4804-A125-EA04F3ADA1F5}	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F85AA9-9358-4af2-9393-DAD78D8526B1}\stubpath = "C:\\Windows\\{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe"	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE362E81-7091-4f0c-9CB8-5B3453A38081}\stubpath = "C:\\Windows\\{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe"	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C16835-A713-4664-8111-68701F313E88}	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AEBB84-D748-494a-9EB3-E2311D633AB1}	{15C16835-A713-4664-8111-68701F313E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}\stubpath = "C:\\Windows\\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe"	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE362E81-7091-4f0c-9CB8-5B3453A38081}	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AEBB84-D748-494a-9EB3-E2311D633AB1}\stubpath = "C:\\Windows\\{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe"	{15C16835-A713-4664-8111-68701F313E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BD5C91-94A5-432c-9111-9E03557370DD}	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}\stubpath = "C:\\Windows\\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe"	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe

Executes dropped EXE 12 IoCs

pid	Process
4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
4328	{15C16835-A713-4664-8111-68701F313E88}.exe
3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
4788	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
2696	{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
File created	C:\Windows\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
File created	C:\Windows\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
File created	C:\Windows\{15C16835-A713-4664-8111-68701F313E88}.exe	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
File created	C:\Windows\{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
File created	C:\Windows\{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
File created	C:\Windows\{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
File created	C:\Windows\{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
File created	C:\Windows\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
File created	C:\Windows\{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	{15C16835-A713-4664-8111-68701F313E88}.exe
File created	C:\Windows\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
File created	C:\Windows\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15C16835-A713-4664-8111-68701F313E88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
Token: SeIncBasePriorityPrivilege	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
Token: SeIncBasePriorityPrivilege	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
Token: SeIncBasePriorityPrivilege	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
Token: SeIncBasePriorityPrivilege	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
Token: SeIncBasePriorityPrivilege	4328	{15C16835-A713-4664-8111-68701F313E88}.exe
Token: SeIncBasePriorityPrivilege	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
Token: SeIncBasePriorityPrivilege	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
Token: SeIncBasePriorityPrivilege	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
Token: SeIncBasePriorityPrivilege	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
Token: SeIncBasePriorityPrivilege	4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
Token: SeIncBasePriorityPrivilege	4788	{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4000	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	94
PID 4064 wrote to memory of 4000	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	94
PID 4064 wrote to memory of 4000	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	94
PID 4064 wrote to memory of 116	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	95
PID 4064 wrote to memory of 116	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	95
PID 4064 wrote to memory of 116	4064	202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe	95
PID 4000 wrote to memory of 2468	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	96
PID 4000 wrote to memory of 2468	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	96
PID 4000 wrote to memory of 2468	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	96
PID 4000 wrote to memory of 2524	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	97
PID 4000 wrote to memory of 2524	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	97
PID 4000 wrote to memory of 2524	4000	{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe	97
PID 2468 wrote to memory of 1912	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	100
PID 2468 wrote to memory of 1912	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	100
PID 2468 wrote to memory of 1912	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	100
PID 2468 wrote to memory of 896	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	101
PID 2468 wrote to memory of 896	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	101
PID 2468 wrote to memory of 896	2468	{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe	101
PID 1912 wrote to memory of 1648	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	102
PID 1912 wrote to memory of 1648	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	102
PID 1912 wrote to memory of 1648	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	102
PID 1912 wrote to memory of 4148	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	103
PID 1912 wrote to memory of 4148	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	103
PID 1912 wrote to memory of 4148	1912	{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe	103
PID 1648 wrote to memory of 4328	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	104
PID 1648 wrote to memory of 4328	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	104
PID 1648 wrote to memory of 4328	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	104
PID 1648 wrote to memory of 4288	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	105
PID 1648 wrote to memory of 4288	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	105
PID 1648 wrote to memory of 4288	1648	{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe	105
PID 4328 wrote to memory of 3512	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	106
PID 4328 wrote to memory of 3512	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	106
PID 4328 wrote to memory of 3512	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	106
PID 4328 wrote to memory of 4956	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	107
PID 4328 wrote to memory of 4956	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	107
PID 4328 wrote to memory of 4956	4328	{15C16835-A713-4664-8111-68701F313E88}.exe	107
PID 3512 wrote to memory of 1524	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	108
PID 3512 wrote to memory of 1524	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	108
PID 3512 wrote to memory of 1524	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	108
PID 3512 wrote to memory of 4168	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	109
PID 3512 wrote to memory of 4168	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	109
PID 3512 wrote to memory of 4168	3512	{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe	109
PID 1524 wrote to memory of 4036	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	110
PID 1524 wrote to memory of 4036	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	110
PID 1524 wrote to memory of 4036	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	110
PID 1524 wrote to memory of 4156	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	111
PID 1524 wrote to memory of 4156	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	111
PID 1524 wrote to memory of 4156	1524	{82BD5C91-94A5-432c-9111-9E03557370DD}.exe	111
PID 4036 wrote to memory of 1016	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	112
PID 4036 wrote to memory of 1016	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	112
PID 4036 wrote to memory of 1016	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	112
PID 4036 wrote to memory of 1028	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	113
PID 4036 wrote to memory of 1028	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	113
PID 4036 wrote to memory of 1028	4036	{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe	113
PID 1016 wrote to memory of 4500	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	114
PID 1016 wrote to memory of 4500	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	114
PID 1016 wrote to memory of 4500	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	114
PID 1016 wrote to memory of 4572	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	115
PID 1016 wrote to memory of 4572	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	115
PID 1016 wrote to memory of 4572	1016	{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe	115
PID 4500 wrote to memory of 4788	4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe	116
PID 4500 wrote to memory of 4788	4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe	116
PID 4500 wrote to memory of 4788	4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe	116
PID 4500 wrote to memory of 1480	4500	{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe	117

C:\Users\Admin\AppData\Local\Temp\202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202409062aaade61d7f630f627783468869f8ebdgoldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
  C:\Windows\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
    C:\Windows\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
      C:\Windows\{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
        
        C:\Windows\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\{15C16835-A713-4664-8111-68701F313E88}.exe
        
        C:\Windows\{15C16835-A713-4664-8111-68701F313E88}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
        
        C:\Windows\{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
        
        C:\Windows\{82BD5C91-94A5-432c-9111-9E03557370DD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
        
        C:\Windows\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
        
        C:\Windows\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
        
        C:\Windows\{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
        
        C:\Windows\{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe
        
        C:\Windows\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27F85~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31573~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{515C3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C56F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82BD5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04AEB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C16~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4427~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE362~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9BDD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97731~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04AEBB84-D748-494a-9EB3-E2311D633AB1}.exe

Filesize
408KB

MD5
7a12f13ee47e15590ba91a1f481fc8f4

SHA1
be86b4d422df21567e39eca88a076139c489f37a

SHA256
9c7dd7a8258f24340a5c45e022277800bf6752aba28c74455a2ef8673b743eba

SHA512
5e930ceddcce9aea7ada844badc7f21313acf3293c4985adfd756205427b79d335f5191601a9a96d5316f86cec02a6683bade1ad0c21279a1b99162132a79602

Download Submit
C:\Windows\{15C16835-A713-4664-8111-68701F313E88}.exe

Filesize
408KB

MD5
0aa32f8306427ac7270247e4c3e5ac0a

SHA1
6c4ebd61b2d0c00a1a0203873c362430cb939ae7

SHA256
32395dec14261a96a3ba59d8a7bf42f097c78a0229b0496f5ab6dc33636cbb2b

SHA512
9741b4d5394c971d51b3f3f94681070e20b242c62009a5f5e87c9abbd1f8eb45e3783bdae826e9652946802a84a41073aae262e9ae89f31b6f9b190c2a22f0ca

Download Submit
C:\Windows\{27F85AA9-9358-4af2-9393-DAD78D8526B1}.exe

Filesize
408KB

MD5
717ef0f80448b9a1af7562566d99b45f

SHA1
cda7ce3eabd05ea20dc3f189d0e3dff81e01243c

SHA256
8835357bcff65e363797e2a95f25d965305785548297b6f90cdbbf42750d3c4a

SHA512
60a8559a6b757110dc0599cca5515206f3e61159d63412adc8bb23db99685bc58d567795447275e9e69171842cd83ca3048ecd5cc86067bae0f8d1ffea8f0104

Download Submit
C:\Windows\{2C56F0B0-0B87-4d3b-9D65-D4D60EEEFF83}.exe

Filesize
408KB

MD5
972016a28faa8ea0886c2810ea84fe7f

SHA1
26d22ee4e11979fc2546a0484342201422ba0ac5

SHA256
ef8420aa1c43611abaaa84b817407277526c5a04cf9eb15a3c849784a83dbcb7

SHA512
bdb39faf4606d33415a0ce07fa28c1c4ebd008a88dc81d6977cafdd873858df533920b186230df1076171c28c9de1288efab5a1ea9014f8a5fa9f999fedef5d9

Download Submit
C:\Windows\{31573326-1EAC-4804-A125-EA04F3ADA1F5}.exe

Filesize
408KB

MD5
e80a274aed9de9fd0135da5cbddf47bc

SHA1
5c40030f904bf843cca01fdf9962e035794ca376

SHA256
f3acf5e0c81d21d964f8030b39083942fc364ceb9cdce258d106013908ce220e

SHA512
d56c8283e0371ff23ea3c93f52b26dc0a662be4de755a039460812205335e8320df47f0d3fadbfdb43970565fc2591dbd742d9b0429853971385c2f53bdf1ab1

Download Submit
C:\Windows\{515C3D48-24B3-43d9-ACCB-7B58103A50D5}.exe

Filesize
408KB

MD5
d79473704a39288dd421f3ec5bec8136

SHA1
8dc8d0ed09536096018f759dfcb28259b19b4df4

SHA256
b6f25cb7124f1d67518198ff0620455861605e08b653efd6faea20688e419c59

SHA512
e93bc312b16fde8354e704ae06caee833b27c88a69e61800c1e1c6af2e9164a173532246d2273c5c265f815e2db744a0646ee7f49fae5495827649af0bfad7b7

Download Submit
C:\Windows\{82BD5C91-94A5-432c-9111-9E03557370DD}.exe

Filesize
408KB

MD5
0db6c148607a76de4d93598469825954

SHA1
578e29aa188ec78280c498a684da898fbe1c752c

SHA256
07aa4c5fba5f3ed3f3eb439c64b69c6d98f9b2290f175073a99dd1e16b32523f

SHA512
2f5d655cb87baabb608d17db9a0c88003c03f0f4e3fccd9e6e2865351aff59008cbe28264b32b6b2100afab54e91080e7616a9df3f0539674d0c8b25eeb47cae

Download Submit
C:\Windows\{9773177C-B1EB-4b69-80D0-D4EBE4C43C56}.exe

Filesize
408KB

MD5
25d24435c339f4a80c67868e62731763

SHA1
f05f738bfbc56cdcd0843898e1c9a6f727c21939

SHA256
38a45476891fdd4b2dadaf4d58cd6428f23b38761f8aa9fd0af6d0a55c6c33c1

SHA512
85baff1c71ba28b1e231cd1f09e71d75679ccb8022c4337af4e2aa2e3ae0601f619ffcb98b50b1b593d27706b24fd77df48e3cb0979b6c6dd104aded4db62cac

Download Submit
C:\Windows\{A4427B72-EBE2-4a6d-9816-CD456CBAD725}.exe

Filesize
408KB

MD5
138eaa36437ecc5a6724d5fca8b68e2f

SHA1
6ac27f2c9d30fe931b8eaff17d08cfd38d9c1bb2

SHA256
561d994c8676e65abc0411281793eb9aca03ba029bd752e386506b2c8edde66b

SHA512
2b8c77eb69ee649eaafdc6be8d614d93c958286523b62920d788fc27b9a4adba0d55387c5e19ea2b2da0019b733c488930971d63444879d6681dd40735aceab9

Download Submit
C:\Windows\{A9BDDAA3-9E9C-4a37-B6F0-CDECF10A8397}.exe

Filesize
408KB

MD5
7f18afe017dda10e7c83a89505bf7ce2

SHA1
901ce5369156aadb6503640eabc737dbdcc055e1

SHA256
d8af714b04fe48c6d91d15e122f07349959329867f0a6682ea97ce10af6fbcc9

SHA512
85d692db37a14719c93d3f3323d53537794391137dbca7d7f9a79e5ee69fbfae9ab55a9b9a772f4871724f75a6455ddb1620bf3ffb1ed2af6419e977ad04c4fb

Download Submit
C:\Windows\{AE362E81-7091-4f0c-9CB8-5B3453A38081}.exe

Filesize
408KB

MD5
8a3c2ae5ed4f88a2f95e1189be0ca9ce

SHA1
e338bc14350f70f4183b19beedd67828ede84e51

SHA256
a60e084c84efe9c4578b0c7d823a3a635067ef7a0d7d84a31ac05daeef66d564

SHA512
1f3839d77fae13708d87b1fdf5a09b2018e8d1d46997145a2827561c146c810eb79840ddc36498c968e2400f0c996797d86cc8da54db23de9b31894f716aa290

Download Submit
C:\Windows\{B44BDBF9-DAAE-4da1-8DCD-354F0B2AB201}.exe

Filesize
408KB

MD5
31176930c54e9b6a01d249336508dd01

SHA1
a943a894f81202c4da0387dba50aa326e650726d

SHA256
0667305510ef5986b3f6cd3ff0a323d57a8cd7b3d022f331b9a2f9dcab0e82c3

SHA512
a81a3ee9e1a989cf7439440997cea5fe9fd4e94edb21329a59b6e328bb98c0b8085eec81bfbd3e60917d0af21080894b3d9cdacbfe56f9c564fad5a2c045bc08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads