7a7c597846202901c214caac140960caac449d0a7a1dc73960ec99398bb9f91a

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Size

408KB
MD5

f4abd3a3c9a41a66ab767bd241b52387
SHA1

44a3e4773e9a6992ceb025fd8d16f51f84cb7ab1
SHA256

7a7c597846202901c214caac140960caac449d0a7a1dc73960ec99398bb9f91a
SHA512

ab9b00b9ac8172d66b7cb8f7b2c17f06240487944eb591340b09aca8c4f68adb7e948d4ba905b29c338ce6cc4329c81762f0294e68bd0e12aee72b7980d46db5
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG8ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B869DC-3BA0-41fe-A589-9C473499DD1E}\stubpath = "C:\\Windows\\{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe"	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4C3121-8360-448c-8901-17B3E76A14C7}	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}\stubpath = "C:\\Windows\\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe"	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}\stubpath = "C:\\Windows\\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe"	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}\stubpath = "C:\\Windows\\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe"	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F7671A-9D61-4232-A44E-653F6F63EE02}	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E059170E-5C53-4a4e-8567-D1C70870E5C5}	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}\stubpath = "C:\\Windows\\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe"	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC35838D-2558-4b8e-A516-A1696A3599B9}	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B869DC-3BA0-41fe-A589-9C473499DD1E}	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC35838D-2558-4b8e-A516-A1696A3599B9}\stubpath = "C:\\Windows\\{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe"	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}\stubpath = "C:\\Windows\\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe"	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E059170E-5C53-4a4e-8567-D1C70870E5C5}\stubpath = "C:\\Windows\\{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe"	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4C3121-8360-448c-8901-17B3E76A14C7}\stubpath = "C:\\Windows\\{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe"	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}\stubpath = "C:\\Windows\\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe"	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F7671A-9D61-4232-A44E-653F6F63EE02}\stubpath = "C:\\Windows\\{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe"	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}\stubpath = "C:\\Windows\\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe"	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe

Executes dropped EXE 12 IoCs

pid	Process
3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
4804	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
2516	{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
File created	C:\Windows\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
File created	C:\Windows\{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
File created	C:\Windows\{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
File created	C:\Windows\{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
File created	C:\Windows\{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
File created	C:\Windows\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
File created	C:\Windows\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
File created	C:\Windows\{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
File created	C:\Windows\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
File created	C:\Windows\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
File created	C:\Windows\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
Token: SeIncBasePriorityPrivilege	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
Token: SeIncBasePriorityPrivilege	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
Token: SeIncBasePriorityPrivilege	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
Token: SeIncBasePriorityPrivilege	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
Token: SeIncBasePriorityPrivilege	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
Token: SeIncBasePriorityPrivilege	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
Token: SeIncBasePriorityPrivilege	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
Token: SeIncBasePriorityPrivilege	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
Token: SeIncBasePriorityPrivilege	668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
Token: SeIncBasePriorityPrivilege	4804	{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3724	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	97
PID 3536 wrote to memory of 3724	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	97
PID 3536 wrote to memory of 3724	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	97
PID 3536 wrote to memory of 3728	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	98
PID 3536 wrote to memory of 3728	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	98
PID 3536 wrote to memory of 3728	3536	2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe	98
PID 3724 wrote to memory of 2516	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	99
PID 3724 wrote to memory of 2516	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	99
PID 3724 wrote to memory of 2516	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	99
PID 3724 wrote to memory of 4236	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	100
PID 3724 wrote to memory of 4236	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	100
PID 3724 wrote to memory of 4236	3724	{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe	100
PID 2516 wrote to memory of 1128	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	103
PID 2516 wrote to memory of 1128	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	103
PID 2516 wrote to memory of 1128	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	103
PID 2516 wrote to memory of 5024	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	104
PID 2516 wrote to memory of 5024	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	104
PID 2516 wrote to memory of 5024	2516	{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe	104
PID 1128 wrote to memory of 1260	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	105
PID 1128 wrote to memory of 1260	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	105
PID 1128 wrote to memory of 1260	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	105
PID 1128 wrote to memory of 2080	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	106
PID 1128 wrote to memory of 2080	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	106
PID 1128 wrote to memory of 2080	1128	{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe	106
PID 1260 wrote to memory of 3564	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	107
PID 1260 wrote to memory of 3564	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	107
PID 1260 wrote to memory of 3564	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	107
PID 1260 wrote to memory of 2332	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	108
PID 1260 wrote to memory of 2332	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	108
PID 1260 wrote to memory of 2332	1260	{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe	108
PID 3564 wrote to memory of 772	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	109
PID 3564 wrote to memory of 772	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	109
PID 3564 wrote to memory of 772	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	109
PID 3564 wrote to memory of 4360	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	110
PID 3564 wrote to memory of 4360	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	110
PID 3564 wrote to memory of 4360	3564	{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe	110
PID 772 wrote to memory of 3492	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	111
PID 772 wrote to memory of 3492	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	111
PID 772 wrote to memory of 3492	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	111
PID 772 wrote to memory of 2776	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	112
PID 772 wrote to memory of 2776	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	112
PID 772 wrote to memory of 2776	772	{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe	112
PID 3492 wrote to memory of 3664	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	113
PID 3492 wrote to memory of 3664	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	113
PID 3492 wrote to memory of 3664	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	113
PID 3492 wrote to memory of 916	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	114
PID 3492 wrote to memory of 916	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	114
PID 3492 wrote to memory of 916	3492	{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe	114
PID 3664 wrote to memory of 2396	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	115
PID 3664 wrote to memory of 2396	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	115
PID 3664 wrote to memory of 2396	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	115
PID 3664 wrote to memory of 4560	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	116
PID 3664 wrote to memory of 4560	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	116
PID 3664 wrote to memory of 4560	3664	{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe	116
PID 2396 wrote to memory of 668	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	117
PID 2396 wrote to memory of 668	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	117
PID 2396 wrote to memory of 668	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	117
PID 2396 wrote to memory of 3936	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	118
PID 2396 wrote to memory of 3936	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	118
PID 2396 wrote to memory of 3936	2396	{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe	118
PID 668 wrote to memory of 4804	668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe	119
PID 668 wrote to memory of 4804	668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe	119
PID 668 wrote to memory of 4804	668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe	119
PID 668 wrote to memory of 4500	668	{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_f4abd3a3c9a41a66ab767bd241b52387_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
  C:\Windows\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
    C:\Windows\{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
      C:\Windows\{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
        
        C:\Windows\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
        
        C:\Windows\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
        
        C:\Windows\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
        
        C:\Windows\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
        
        C:\Windows\{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
        
        C:\Windows\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
        
        C:\Windows\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
        
        C:\Windows\{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe
        
        C:\Windows\{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B86~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E5E6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ACA8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99F76~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70C3E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA0E4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF27~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F38~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC358~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4C3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCCB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4ACA8AC8-4F01-4034-8D99-45B482CFE6F8}.exe

Filesize
408KB

MD5
70ae0238e60b5b50f43161dea02047b8

SHA1
48bdeec43effc444faadd3cb33dd5366c05d8eef

SHA256
1c0db6a9962110b5ffd2f42da2cafea3a34bd0bb9a6cb9c8f0b563681c31ae25

SHA512
0604227efd32cc54e5c761ae9d27894d7cc48c5b13292fd802b79d5d57fb9c07bb46186b535ece82297bff7fca1d13409815071cee57bf8ed387112afd5f4304

Download Submit
C:\Windows\{6CF27F8C-FD91-476f-8FE4-BA9C5B357088}.exe

Filesize
408KB

MD5
c5c91004da9de824c52fb8d644304bb8

SHA1
4cd700d7b2a0d77ea4aea7f4a619e069f505d103

SHA256
e462f6765d41369f079171f0ec1053183c2d5dba0179d1929f48682a542fa709

SHA512
9529c22588fa2e712af4067c9ffacaaaa18379213400a91981e423954f876100d43f5f31ae1b87da822c7ad04251bff88e6c4e7a51ad233d2abfa9c00ca2ea51

Download Submit
C:\Windows\{6E5E6872-CF2B-43e8-9629-9E2A840628DA}.exe

Filesize
408KB

MD5
2bcdd027ada3bdc412f0e9bd46503cde

SHA1
af37f03d2786960dcfdc06326a7f870f0c986845

SHA256
2a0ac9bf7a6c66273fc8ccf4941d4441dc0d2f537616820073b625cf24cdecf2

SHA512
d0b736a33661fb30af7bc7917c331a93ed9b8a349a6fc06d45903a7ee19add26cd47c8ba48b3543040ac1fe4086a1741613906df334571e8bc51e7f86a2af5fb

Download Submit
C:\Windows\{70C3EC4F-60BF-489c-966D-F74CC2BC1EAB}.exe

Filesize
408KB

MD5
897af443ce7f04256c5f246217643025

SHA1
86f1dad0ea7cc1a5e9c8cb520b03aaf4d1d63d1d

SHA256
a6a44120df3f0c2533e2ce8a9fecbdf15b2aba73bf531f6813d3fdd326e64686

SHA512
71411276e87adb2cda874517cb16902ed80f41c00c0e2a5b823b95eb0e7eb089cd4a8b57751d16f413d10c74451080d41694c528ac51db89189465d9090161a2

Download Submit
C:\Windows\{94B869DC-3BA0-41fe-A589-9C473499DD1E}.exe

Filesize
408KB

MD5
d702be49161687d1e0118077b4db41ac

SHA1
de019393c155c5193879b4583dcb1d9dad9a081b

SHA256
f409a2e9405725b814aa25cd7b87bf0d1b7e04d6c4c4f20d23e050e624e0b38c

SHA512
c4e7c3a12fd31d9bf6d0da3fd09bd54169bd26c85bc81ca557eeee072d048def60ed4cd73bfcdea4c2eff7b7df5094aa926a1dc2068e930311a0444a3ac8b5a8

Download Submit
C:\Windows\{99F7671A-9D61-4232-A44E-653F6F63EE02}.exe

Filesize
408KB

MD5
f36940dcae2e416bb3ee7c59cf352a84

SHA1
2a21d0ec14a8b9813bbaae4d3dc502c03decf3c4

SHA256
0037a8fa24898d9c5ca4ec0f7162ecea888e0bff981789634d95b5ece8f8e4cc

SHA512
e51da9a1b3cd02af8bb127f2f47214bc9af78fe3c17913e6c879dfc255abb5c8a5fcba348942062fccd5c8c9526d7c966c26543c91462b39985eb556620f1665

Download Submit
C:\Windows\{AD4C3121-8360-448c-8901-17B3E76A14C7}.exe

Filesize
408KB

MD5
ad6519a7ff56f27bd0d7808d20e22f84

SHA1
153b3d9b3c6474b44907f7702053ddb57f64c5d2

SHA256
def3c230c51fb812daebbf5cd40a0046c3e315bdcb3fcc6bbf6b08794f877d1b

SHA512
9308dcb65bf5ce2b67b82e1da3d02b48cb0c7800957d0d4098c34ca6bcaaa9363da336a86bec259239d230d8f6c6a7e7c770a6de61030ef4436313bc888c616c

Download Submit
C:\Windows\{BDCCB9AB-D3D4-4a48-A085-A32009497CD1}.exe

Filesize
408KB

MD5
c7f9faa6bb29151d044e2ac9b9aa8312

SHA1
e5f71a57389b48c50ce675a92358e222c4bc417c

SHA256
d662dfbade02b2d83697d3f90c9d164e266b76cebe035cd170cea1d75529e176

SHA512
14feb6256832d650035ebeffd542b4fe44f5262463a63e27c4807e4b7e35e9ebb65dd1d568851f727a8017b2ec56a0a86c3f4ca7c7cf83aa41610b884edd4a66

Download Submit
C:\Windows\{D2F38D89-7B98-47b2-B9F1-C944D124DCEF}.exe

Filesize
408KB

MD5
448575292150ce229fcff773b2fe54a9

SHA1
9c45da9c871c264e2f49a55f28646d854e7e2ad9

SHA256
b6cf594be7725ba8f67fe8c24d8a958d3774f836ab35ba2cff5d545580e2f6ba

SHA512
e9efb87e515af2f107339b1f95e528e9f8647492eb0e91badc04fa6f6c1a6e62308747386e798f1e73ab1524cd6cf75917eb51889d68eedd3a5749402ba1aded

Download Submit
C:\Windows\{E059170E-5C53-4a4e-8567-D1C70870E5C5}.exe

Filesize
408KB

MD5
c816b7a5929a678a7c4491fbc88ab178

SHA1
2ab3822400ad6fffca8a87f7fa807e33dc9effd9

SHA256
172a2b91288312a27d8ec6c547f56028e16ceffc7f32d9ba40a2eeba90b90f8e

SHA512
fe994afeb1ea3659fb68df89feed086d648b344897349aeb64386385e453b6fd9eb58db8f2ed5a5c667047d29298e4f18c7d210faadc04fe70996193db284f29

Download Submit
C:\Windows\{EA0E4716-7EAC-49fa-9DD5-E8F7713A06CE}.exe

Filesize
408KB

MD5
04b75b8c01d2cd0cfbc97ea13bf68057

SHA1
40eff73e164bb5f791192375e34936888790a32f

SHA256
dda4818ae7f52a5bba456a8f02c466de9c51aeb75538e560fa84ea17de9e6ebc

SHA512
3e1b35be73a38f421b800ced1c989c4e17dfd4118d933b7ec048e1cda5144961f722d5c324b8a29a4eda4bd2d6b4498a11c6e9d1f6e6669bfc18f5fed165b97a

Download Submit
C:\Windows\{FC35838D-2558-4b8e-A516-A1696A3599B9}.exe

Filesize
408KB

MD5
29ee1c025a4815804e89ac97e8c5f2fc

SHA1
e321138caee0f5386514aff51b088c7e3430ea84

SHA256
c55849d25c8174961763a8a6a025eb2706c8b5b985ed011d4a91d14464ac5463

SHA512
dd957328e236501ba6cc63501a14859efc3de96012d1ddd5da3ef8ea612ef3fa71e91f94aa2e805ab6e2ff9eb1232a4659b53763ec468b4b617c297889c2dde8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads