26135ce5c7dfa97d820d476854ec6e22be856e0b3586e79e3c6167d8825c7091

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
Size

344KB
MD5

885ef39fd534e498918d4b29ea5f2d1e
SHA1

4d8d8de64e2292f9f0a126554ec97243591442d1
SHA256

26135ce5c7dfa97d820d476854ec6e22be856e0b3586e79e3c6167d8825c7091
SHA512

68518b3b630b969a3a18e88d4afc48ddf0579ec7ee8e55f024ec79c902df6a4271be4cff462d29fbcd83051b4626834e47cc7fe58ad198bb8c4c5b8b584c5a64
SSDEEP

3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGDlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6587A351-4D35-4754-B613-523D242B7DD5}	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}\stubpath = "C:\\Windows\\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe"	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}\stubpath = "C:\\Windows\\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe"	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6587A351-4D35-4754-B613-523D242B7DD5}\stubpath = "C:\\Windows\\{6587A351-4D35-4754-B613-523D242B7DD5}.exe"	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2CE93C-9091-4b11-A6B7-6010C3456911}\stubpath = "C:\\Windows\\{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe"	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}\stubpath = "C:\\Windows\\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe"	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48783903-34A6-4424-BC4C-511FB3C783F4}	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}\stubpath = "C:\\Windows\\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe"	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2CE93C-9091-4b11-A6B7-6010C3456911}	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E74CAFD-7E66-4482-9173-493B9AA7B544}\stubpath = "C:\\Windows\\{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe"	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}\stubpath = "C:\\Windows\\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe"	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48783903-34A6-4424-BC4C-511FB3C783F4}\stubpath = "C:\\Windows\\{48783903-34A6-4424-BC4C-511FB3C783F4}.exe"	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}\stubpath = "C:\\Windows\\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe"	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4974271-F63D-462a-96C3-694CF0C2641E}	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4974271-F63D-462a-96C3-694CF0C2641E}\stubpath = "C:\\Windows\\{B4974271-F63D-462a-96C3-694CF0C2641E}.exe"	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}\stubpath = "C:\\Windows\\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe"	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E74CAFD-7E66-4482-9173-493B9AA7B544}	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe

Executes dropped EXE 12 IoCs

pid	Process
5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
4184	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
2640	{48783903-34A6-4424-BC4C-511FB3C783F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
File created	C:\Windows\{6587A351-4D35-4754-B613-523D242B7DD5}.exe	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
File created	C:\Windows\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
File created	C:\Windows\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
File created	C:\Windows\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
File created	C:\Windows\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
File created	C:\Windows\{48783903-34A6-4424-BC4C-511FB3C783F4}.exe	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
File created	C:\Windows\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
File created	C:\Windows\{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
File created	C:\Windows\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
File created	C:\Windows\{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
File created	C:\Windows\{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48783903-34A6-4424-BC4C-511FB3C783F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
Token: SeIncBasePriorityPrivilege	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
Token: SeIncBasePriorityPrivilege	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe
Token: SeIncBasePriorityPrivilege	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
Token: SeIncBasePriorityPrivilege	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
Token: SeIncBasePriorityPrivilege	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
Token: SeIncBasePriorityPrivilege	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
Token: SeIncBasePriorityPrivilege	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
Token: SeIncBasePriorityPrivilege	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
Token: SeIncBasePriorityPrivilege	1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
Token: SeIncBasePriorityPrivilege	4184	{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 5880	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	97
PID 1700 wrote to memory of 5880	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	97
PID 1700 wrote to memory of 5880	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	97
PID 1700 wrote to memory of 4872	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	98
PID 1700 wrote to memory of 4872	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	98
PID 1700 wrote to memory of 4872	1700	2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe	98
PID 5880 wrote to memory of 5772	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	99
PID 5880 wrote to memory of 5772	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	99
PID 5880 wrote to memory of 5772	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	99
PID 5880 wrote to memory of 5564	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	100
PID 5880 wrote to memory of 5564	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	100
PID 5880 wrote to memory of 5564	5880	{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe	100
PID 5772 wrote to memory of 4660	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	103
PID 5772 wrote to memory of 4660	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	103
PID 5772 wrote to memory of 4660	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	103
PID 5772 wrote to memory of 2104	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	104
PID 5772 wrote to memory of 2104	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	104
PID 5772 wrote to memory of 2104	5772	{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe	104
PID 4660 wrote to memory of 2196	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	105
PID 4660 wrote to memory of 2196	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	105
PID 4660 wrote to memory of 2196	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	105
PID 4660 wrote to memory of 396	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	106
PID 4660 wrote to memory of 396	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	106
PID 4660 wrote to memory of 396	4660	{6587A351-4D35-4754-B613-523D242B7DD5}.exe	106
PID 2196 wrote to memory of 5748	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	107
PID 2196 wrote to memory of 5748	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	107
PID 2196 wrote to memory of 5748	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	107
PID 2196 wrote to memory of 4924	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	108
PID 2196 wrote to memory of 4924	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	108
PID 2196 wrote to memory of 4924	2196	{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe	108
PID 5748 wrote to memory of 3032	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	109
PID 5748 wrote to memory of 3032	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	109
PID 5748 wrote to memory of 3032	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	109
PID 5748 wrote to memory of 1804	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	110
PID 5748 wrote to memory of 1804	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	110
PID 5748 wrote to memory of 1804	5748	{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe	110
PID 3032 wrote to memory of 2108	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	111
PID 3032 wrote to memory of 2108	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	111
PID 3032 wrote to memory of 2108	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	111
PID 3032 wrote to memory of 5576	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	112
PID 3032 wrote to memory of 5576	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	112
PID 3032 wrote to memory of 5576	3032	{B4974271-F63D-462a-96C3-694CF0C2641E}.exe	112
PID 2108 wrote to memory of 3056	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	113
PID 2108 wrote to memory of 3056	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	113
PID 2108 wrote to memory of 3056	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	113
PID 2108 wrote to memory of 3344	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	114
PID 2108 wrote to memory of 3344	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	114
PID 2108 wrote to memory of 3344	2108	{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe	114
PID 3056 wrote to memory of 2248	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	115
PID 3056 wrote to memory of 2248	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	115
PID 3056 wrote to memory of 2248	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	115
PID 3056 wrote to memory of 5108	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	116
PID 3056 wrote to memory of 5108	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	116
PID 3056 wrote to memory of 5108	3056	{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe	116
PID 2248 wrote to memory of 1616	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	117
PID 2248 wrote to memory of 1616	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	117
PID 2248 wrote to memory of 1616	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	117
PID 2248 wrote to memory of 1052	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	118
PID 2248 wrote to memory of 1052	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	118
PID 2248 wrote to memory of 1052	2248	{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe	118
PID 1616 wrote to memory of 4184	1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe	119
PID 1616 wrote to memory of 4184	1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe	119
PID 1616 wrote to memory of 4184	1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe	119
PID 1616 wrote to memory of 5628	1616	{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_885ef39fd534e498918d4b29ea5f2d1e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
  C:\Windows\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Windows\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
    C:\Windows\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5772
  - - C:\Windows\{6587A351-4D35-4754-B613-523D242B7DD5}.exe
      C:\Windows\{6587A351-4D35-4754-B613-523D242B7DD5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
        
        C:\Windows\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
        
        C:\Windows\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5748
        
        C:\Windows\{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
        
        C:\Windows\{B4974271-F63D-462a-96C3-694CF0C2641E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
        
        C:\Windows\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
        
        C:\Windows\{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
        
        C:\Windows\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
        
        C:\Windows\{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
        
        C:\Windows\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\{48783903-34A6-4424-BC4C-511FB3C783F4}.exe
        
        C:\Windows\{48783903-34A6-4424-BC4C-511FB3C783F4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D33A5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E74C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C04~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A2CE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3869~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4974~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10D6F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F65EC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6587A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B50AF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68E57~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10D6FDA0-4EFA-47e6-B792-18D7EAA0EEC6}.exe

Filesize
344KB

MD5
3bbc2230d67e3100b5becfc68a7ea7b8

SHA1
cdea5907419796a1c3958e589db19269c50354e9

SHA256
db973bc2f50cfdd3b6aa83940ec3c7bdd9da8b0e9d770002e53bea4130c132a3

SHA512
a9c63affb75601bcf6ca157ef330fbfa1fe97ffaf148e18128638ff98592e43616fce35dc5163603211d6c07f72c0be55e8d7457d290c55890f157a12dea6169

Download Submit
C:\Windows\{1A2CE93C-9091-4b11-A6B7-6010C3456911}.exe

Filesize
344KB

MD5
22b8f372a2578320b8805d5c973a552f

SHA1
838af5e925ee3e09434f4647caaa1ba381794a11

SHA256
c15bf2c617d4a7c2e2f6335b19e5fdc5c5ba120768c7f841cb124316e4b370d6

SHA512
c5a008eabcebcb5a9c9b7f20ecca9effcd08e53b90102db9aff47c683f447e4913aa8de85a3fa4036ca9f99130855b5b94ecab80589159ce51ed91051f13b8fc

Download Submit
C:\Windows\{22C0417C-B520-45ec-9548-BFC0C4AB2B0A}.exe

Filesize
344KB

MD5
8178d0f2f6cdfe7478a9435ecabd0b36

SHA1
da4057fd17a472b7bff29dd2a33048f330a72648

SHA256
378ee0ef5b21ac8a7445813a0919136043cfeec6c46dfe4d81468d650522697a

SHA512
fffd360b0f6692d788cb621b7c6353b27c72e6d5f1dde6203dbfd5f552c378d0b28e1be7d09789f6f6762c5104337e47b42aa7b0e8107b1ab9d4d30803c03a03

Download Submit
C:\Windows\{48783903-34A6-4424-BC4C-511FB3C783F4}.exe

Filesize
344KB

MD5
5447a498519ea8719800ffb120857288

SHA1
ceea49a9bb6001d4d2a5490ab7bd13ecbbbb17a8

SHA256
7ffc008388a212f03e8041892621e073ab0114a61aa84be364554caabd395251

SHA512
19a4622d59e033dd54df3544eff2977e9a9fd71288274d435c794f48de787fb9143e50107466ab03878e82f05860329b2939b701d238c5fc7c949d7f81bdf4cf

Download Submit
C:\Windows\{6587A351-4D35-4754-B613-523D242B7DD5}.exe

Filesize
344KB

MD5
972d2465a72c1c80936e60fff6d74c97

SHA1
121b5eaadf53841fd2c6b7d152a3d510bc83d3c5

SHA256
7eac7d2f00fa47ccddeec044a6b6e29393ce45d3024498a3af70f52fa41cf1ab

SHA512
223d9bbc6ac7a45c7cd9a101564e240c551fbb1bac13c7f59cb734660f959fa5b7cdbdf0845fbd01b2894c5b920dd0b9b81d6b3564af677cbb523a14f508a4b3

Download Submit
C:\Windows\{68E57EF2-C1FA-4e8d-9E5C-CDA4745054CD}.exe

Filesize
344KB

MD5
5c7cd058b423e983e9bc17cc4762bc49

SHA1
1e68d44f8669b0839f17521a11cb07cac16cb27e

SHA256
1fd477925e78af104d4b8d3d731f31a3f110a4d09d73ff7f1cc09f8116378c16

SHA512
f4d4fbd85b864d4bc708fe6c19c3a5aab6ae65641401a5c07a456a81497cea767e1d6dbff5d26ef09293f54598499a60df4a484c9f8204e42d0bb980c765863c

Download Submit
C:\Windows\{9E74CAFD-7E66-4482-9173-493B9AA7B544}.exe

Filesize
344KB

MD5
bb514d7f962e51fb333059280048770e

SHA1
838414aec06972c2d856d8a924033a811d57d085

SHA256
b0d00d0b0b753bf20047cae0ca1d0ffcb66b146a841fc88e7bbe6b3a2b061a1f

SHA512
412401c1078e2d95965c45c56816cc699a7fcb5d8c4cf7664f460a184de1e5f062db4f1db94809ea0505a25ce1008412463c680794b18bb0c60505505f24681f

Download Submit
C:\Windows\{B4974271-F63D-462a-96C3-694CF0C2641E}.exe

Filesize
344KB

MD5
7f7b3bb59bf56853a46296829fcb1531

SHA1
4573651a4cc4d9c0d7841eb82b9a3a2fce2fe053

SHA256
acff9027c23d7368ae9cdfaea6050c212df913ce6fc2a943761bf9f94977d9a0

SHA512
072e29fe9652663cd8e41675fa0ac3e048a2be93e506302d966cdfc8d24fce2246fa4de5e764649effcb5a1555bf5f05361d7b7d2850d8b34e44b634aeb88c62

Download Submit
C:\Windows\{B50AF352-BFC2-4097-A18D-57CB18EA24DA}.exe

Filesize
344KB

MD5
22d04c647da113271db106335a9db7d1

SHA1
bb299d0803ee2379efca791935c71c25d8c59cfb

SHA256
41e1505bd51bd1dd63f127ea695b03ee114ccbb011cefd59aae75e254871b636

SHA512
52b9bafaecbfdd2ff3f8c4c0ac67425ec237cc28f33f80eccb50d1692462856f5963ebd834fa778396a2b40e7358cad1961e29e41f7738e187339198dfdd9d01

Download Submit
C:\Windows\{D33A5BCE-2887-4343-A6C4-DA8882E0C61C}.exe

Filesize
344KB

MD5
ed8f5ab684e01bcb8dea1ae3a5a226ec

SHA1
a73e2a2567f45261ba2073ecdd6dfc3a0c3ae09e

SHA256
83ccf052e320406ecd2d00cdcb8f6b66a11249943178f60cc6a3220966bf07f3

SHA512
f35c6597eb1e25d756a5a7413e655975f4febfb00a6c784ed74d8bdde97f1ae27fa551a155025ebc138bac2be5652481ecfe5f1040bb6f46f7e69428f6addcfa

Download Submit
C:\Windows\{D3869969-A3BF-44a6-B30E-C3BC24A7EA22}.exe

Filesize
344KB

MD5
3b15d10a98d2d821a87befff0f9727a4

SHA1
d3499a659c179de3af5613175d2e5fa4fcb8c5d9

SHA256
4de4b5db55e9ce31b6ceed20f3bbbfa04ee37a2863d1e782adf1202cdfb7a43d

SHA512
24f73112e72711b8838d50a1b83249430aae1633151790850e74ccf1b07b7e3075b4759845b6ba57736106ed5318eb74b59e665164639221e7caeee0f7ddf4e7

Download Submit
C:\Windows\{F65EC91C-1D9A-4960-BE4C-B79273F5B8C2}.exe

Filesize
344KB

MD5
59b8724ad45b7b8b28539bcbc8583b0b

SHA1
33b5f7fc33e0fcdaaec0a1eab727d2b3de8e5700

SHA256
112ec208606a06123c5618b5f032a19949c4c436a438571310b0ee65844795ae

SHA512
9e0792e12e510e1de4b413843c6df56a65b3dbb29091408af2d9a67f8a3bbfb9519e53a9255ee507e07fe5faecbbbb3182b59e6cecdde5292aff67b2a71e27e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads