5a2d510135528984a594f5adc0d7f432e37ede48e837c16ff33986fdc419b200

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
Size

192KB
MD5

cbadcb03f792cafcc399b0698554074c
SHA1

6362ed42ed7c3721a07d7347f4922c923da43ae1
SHA256

5a2d510135528984a594f5adc0d7f432e37ede48e837c16ff33986fdc419b200
SHA512

f4310f3a506eaf380aef43a026d3c08376a51cf0e030ffacb0b88ba8e08a5539aef25507f0b7315bdee98de91ab75f469844e0ece79b46147997319af58c245c
SSDEEP

1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oOl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4509281-4BEC-4ae1-A048-6AD01D205C07}\stubpath = "C:\\Windows\\{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe"	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F034D3B-6947-48bd-9F06-769CE9588771}\stubpath = "C:\\Windows\\{9F034D3B-6947-48bd-9F06-769CE9588771}.exe"	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}\stubpath = "C:\\Windows\\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe"	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015B1971-22C4-4f32-9364-6A6502C2F70F}	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0742B55-6468-44ee-A009-3A9EF6582BE3}\stubpath = "C:\\Windows\\{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe"	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4509281-4BEC-4ae1-A048-6AD01D205C07}	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}\stubpath = "C:\\Windows\\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe"	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F034D3B-6947-48bd-9F06-769CE9588771}	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B3080B-6D3A-4455-8C98-B334030823BC}\stubpath = "C:\\Windows\\{72B3080B-6D3A-4455-8C98-B334030823BC}.exe"	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7309D126-79F3-4e9d-AA9A-2908090627E5}\stubpath = "C:\\Windows\\{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe"	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}\stubpath = "C:\\Windows\\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe"	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015B1971-22C4-4f32-9364-6A6502C2F70F}\stubpath = "C:\\Windows\\{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe"	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B3080B-6D3A-4455-8C98-B334030823BC}	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5497C590-0FD0-481b-BB48-B059329CA530}	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0742B55-6468-44ee-A009-3A9EF6582BE3}	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7309D126-79F3-4e9d-AA9A-2908090627E5}	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}\stubpath = "C:\\Windows\\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe"	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6210F85C-2656-4d05-AADF-103CB35687D8}	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6210F85C-2656-4d05-AADF-103CB35687D8}\stubpath = "C:\\Windows\\{6210F85C-2656-4d05-AADF-103CB35687D8}.exe"	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5497C590-0FD0-481b-BB48-B059329CA530}\stubpath = "C:\\Windows\\{5497C590-0FD0-481b-BB48-B059329CA530}.exe"	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe

Executes dropped EXE 12 IoCs

pid	Process
2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
4616	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
2244	{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
File created	C:\Windows\{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
File created	C:\Windows\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
File created	C:\Windows\{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
File created	C:\Windows\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
File created	C:\Windows\{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
File created	C:\Windows\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
File created	C:\Windows\{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
File created	C:\Windows\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
File created	C:\Windows\{5497C590-0FD0-481b-BB48-B059329CA530}.exe	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
File created	C:\Windows\{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
File created	C:\Windows\{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
Token: SeIncBasePriorityPrivilege	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
Token: SeIncBasePriorityPrivilege	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
Token: SeIncBasePriorityPrivilege	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
Token: SeIncBasePriorityPrivilege	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
Token: SeIncBasePriorityPrivilege	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
Token: SeIncBasePriorityPrivilege	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
Token: SeIncBasePriorityPrivilege	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
Token: SeIncBasePriorityPrivilege	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
Token: SeIncBasePriorityPrivilege	4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe
Token: SeIncBasePriorityPrivilege	4616	{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2588	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	94
PID 4768 wrote to memory of 2588	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	94
PID 4768 wrote to memory of 2588	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	94
PID 4768 wrote to memory of 4272	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	95
PID 4768 wrote to memory of 4272	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	95
PID 4768 wrote to memory of 4272	4768	2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe	95
PID 2588 wrote to memory of 3320	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	99
PID 2588 wrote to memory of 3320	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	99
PID 2588 wrote to memory of 3320	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	99
PID 2588 wrote to memory of 1548	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	100
PID 2588 wrote to memory of 1548	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	100
PID 2588 wrote to memory of 1548	2588	{9F034D3B-6947-48bd-9F06-769CE9588771}.exe	100
PID 3320 wrote to memory of 3220	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	103
PID 3320 wrote to memory of 3220	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	103
PID 3320 wrote to memory of 3220	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	103
PID 3320 wrote to memory of 4880	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	104
PID 3320 wrote to memory of 4880	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	104
PID 3320 wrote to memory of 4880	3320	{72B3080B-6D3A-4455-8C98-B334030823BC}.exe	104
PID 3220 wrote to memory of 3164	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	105
PID 3220 wrote to memory of 3164	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	105
PID 3220 wrote to memory of 3164	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	105
PID 3220 wrote to memory of 3232	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	106
PID 3220 wrote to memory of 3232	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	106
PID 3220 wrote to memory of 3232	3220	{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe	106
PID 3164 wrote to memory of 4708	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	107
PID 3164 wrote to memory of 4708	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	107
PID 3164 wrote to memory of 4708	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	107
PID 3164 wrote to memory of 112	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	108
PID 3164 wrote to memory of 112	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	108
PID 3164 wrote to memory of 112	3164	{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe	108
PID 4708 wrote to memory of 1972	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	109
PID 4708 wrote to memory of 1972	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	109
PID 4708 wrote to memory of 1972	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	109
PID 4708 wrote to memory of 1480	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	110
PID 4708 wrote to memory of 1480	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	110
PID 4708 wrote to memory of 1480	4708	{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe	110
PID 1972 wrote to memory of 1772	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	111
PID 1972 wrote to memory of 1772	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	111
PID 1972 wrote to memory of 1772	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	111
PID 1972 wrote to memory of 4800	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	112
PID 1972 wrote to memory of 4800	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	112
PID 1972 wrote to memory of 4800	1972	{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe	112
PID 1772 wrote to memory of 3664	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	113
PID 1772 wrote to memory of 3664	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	113
PID 1772 wrote to memory of 3664	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	113
PID 1772 wrote to memory of 548	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	114
PID 1772 wrote to memory of 548	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	114
PID 1772 wrote to memory of 548	1772	{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe	114
PID 3664 wrote to memory of 4332	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	115
PID 3664 wrote to memory of 4332	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	115
PID 3664 wrote to memory of 4332	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	115
PID 3664 wrote to memory of 4660	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	116
PID 3664 wrote to memory of 4660	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	116
PID 3664 wrote to memory of 4660	3664	{6210F85C-2656-4d05-AADF-103CB35687D8}.exe	116
PID 4332 wrote to memory of 4276	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	117
PID 4332 wrote to memory of 4276	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	117
PID 4332 wrote to memory of 4276	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	117
PID 4332 wrote to memory of 4128	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	118
PID 4332 wrote to memory of 4128	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	118
PID 4332 wrote to memory of 4128	4332	{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe	118
PID 4276 wrote to memory of 4616	4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe	119
PID 4276 wrote to memory of 4616	4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe	119
PID 4276 wrote to memory of 4616	4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe	119
PID 4276 wrote to memory of 2792	4276	{5497C590-0FD0-481b-BB48-B059329CA530}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_cbadcb03f792cafcc399b0698554074c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
  C:\Windows\{9F034D3B-6947-48bd-9F06-769CE9588771}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
    C:\Windows\{72B3080B-6D3A-4455-8C98-B334030823BC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
      C:\Windows\{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
        
        C:\Windows\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
      - C:\Windows\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
        
        C:\Windows\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
        
        C:\Windows\{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
        
        C:\Windows\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
        
        C:\Windows\{6210F85C-2656-4d05-AADF-103CB35687D8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
        
        C:\Windows\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{5497C590-0FD0-481b-BB48-B059329CA530}.exe
        
        C:\Windows\{5497C590-0FD0-481b-BB48-B059329CA530}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
        
        C:\Windows\{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe
        
        C:\Windows\{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0742~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5497C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7779B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6210F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F7C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{015B1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{464CF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0FE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7309D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72B30~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F034~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{015B1971-22C4-4f32-9364-6A6502C2F70F}.exe

Filesize
192KB

MD5
31b18b5c92303d38f54b8073c03d7e31

SHA1
6c03fac554d6b462354e943342aa7c67e0f53320

SHA256
0b37161484b3120fc38c2dc696b45007ad043c562e90ef1f160e89634c44ec62

SHA512
74c47ea255321ed9816efc9c30013435e908856e3a1e0cd1e84fa4bc12815249b55f36b55d627ea19eb855c53fb0a8f5835495eab593506eaaa4ccab35a31cf6

Download Submit
C:\Windows\{464CF5F4-F5F7-45f6-8370-A37E5E64C38D}.exe

Filesize
192KB

MD5
ccaa7f8649e03b0fb4db87c19d44a85b

SHA1
651dac459f4bc2f5dd96d59f4dc3db7901425437

SHA256
f0e8aed39ef1abbe3fc2331f22c32ccc6f47fca008d48a03fe2eb190e1b6c99f

SHA512
e682337a4605c1541aef51c6f76c47bd88673faa95f095ba8478fa1fe20f85770957523668f3452b265a8acc77d32c71a7be52440721b3ca9e902019e36c8c20

Download Submit
C:\Windows\{5497C590-0FD0-481b-BB48-B059329CA530}.exe

Filesize
192KB

MD5
fe4070285673d1ec4f085aeeccb5f350

SHA1
208ed63a35ca99dd333e55cd221450343beab699

SHA256
5372aa2593bec0fc85a48a872b5c785fb6aefeb9b304e19b545679284777d965

SHA512
6d9b09a131e466082da32b7425a6efdc926f075a29c697849374a6d4a8ca17f869cfff5460754813c374cf3b50d7911df5d8de1fa125b3491c945ecb9376a373

Download Submit
C:\Windows\{6210F85C-2656-4d05-AADF-103CB35687D8}.exe

Filesize
192KB

MD5
df6a2e1cfd0b554d90d2991b2316a296

SHA1
a66c11f9e0bc8eb682fe7f68dbe4b892229ddb23

SHA256
105c24812be43194a4a26972fa2d06f24ec05db3f174956057cf019c197c665e

SHA512
aada02b85118976f66397306c24865737cf8506d141fab2153e18f891536c70e7e5b461bcc8512fe2afffa04b5bb02708061968389e504136a08833e5ee364c0

Download Submit
C:\Windows\{72B3080B-6D3A-4455-8C98-B334030823BC}.exe

Filesize
192KB

MD5
49afaec6b1dd0949e283b636ac7fe304

SHA1
6bc643e5309af044eaaf4baf52690273b7bce589

SHA256
499cf4364eb988065126b7539b0d251c9b7f20435d20196976342fba5b360796

SHA512
678a060d046c41496920dc3add6cbf33c294f96d7e4770f7762b4ba9b0fcf1f38d7deb070187e0c799cc4abd1ac2eb62b4012e5f7cd7bd8c984a1de0dd0bd506

Download Submit
C:\Windows\{7309D126-79F3-4e9d-AA9A-2908090627E5}.exe

Filesize
192KB

MD5
975e275b1f812406dd4092a357fd83de

SHA1
277842ff593a944b33fa7f601aeeb4b3e30092e7

SHA256
1171232ac6eb2700d5e484f6581704f77a36e51860fb6a79c25ade334bfdc7eb

SHA512
21bfae481a742c305ff66714c81d09b95ec3cba07c26e1a6305de3612eda07a95f843262f506555e8a9f212ac99e8e1b61be366fedc345ea7dc8e493b1a194b3

Download Submit
C:\Windows\{7779B1A3-FFDC-4378-9E9B-23FBA6525D81}.exe

Filesize
192KB

MD5
2e569fb9655e88cf8d73991d06eaa4a4

SHA1
7d6d0bcd7cc1fd573761d22f8226a191590b005f

SHA256
e4ec82752da1afde9b36ac482e1b1731d6d07dabaa36b55e20f1d8d89bff69ee

SHA512
1737f0de6eb7f6d17ff240349921230b29e189cee0f4e6c3a52c611cb9c817fac2159abd0189099e8d78d5059839ae38e543703b6fea76ab47b148bd49afb5bb

Download Submit
C:\Windows\{9F034D3B-6947-48bd-9F06-769CE9588771}.exe

Filesize
192KB

MD5
88ad2f3fca1b05c8e8effbf804b96ff9

SHA1
1fa069fc57fab53f4794d2f2bb17d1ba2ecf108b

SHA256
0518e071adb2bb84e6503d414009262c210ad0d2d26050cc61df66274d98855e

SHA512
65f24d212fd7e2f7b658bf4714e4ef15ac07131572d4c8011745cef41946380cef648799429012c0a1e26c73a89aabc2ad2ba22e6233251c9329a77a4a3bb84c

Download Submit
C:\Windows\{C3F7CDD6-377C-4b58-B7FF-C0490A94D165}.exe

Filesize
192KB

MD5
2b89c43155f9835f9609e6fe3d47d698

SHA1
b725900acfbc565302f0417e1ac9fdc74afe2bcc

SHA256
d578b551a698600e3fb11b84bace1622dc59d33c4a9a0a703a229d6f717b0457

SHA512
969aab2f57acf16ccf05ed4819019c3c8ed60846f1021ae48068147edaebf445e2122400c97b9d70a77bb2e7a11a535df252b7a16dea0fed6f9e94ffaf02aa49

Download Submit
C:\Windows\{E0742B55-6468-44ee-A009-3A9EF6582BE3}.exe

Filesize
192KB

MD5
e6a38f95c5579d46b00fd64e764bc284

SHA1
39ec6a58e2ecd86728fb78ba47e4c6fc01c0a754

SHA256
47650de030cc47f84544d013b00880fa36dff935c299c0eb21461c823ec3bb8b

SHA512
8c0ce2d8f85dc2fea53378ef88e83437d756fc298067155095179665e8f252bd5843d2c261fa1e4f11f187258deb995f44f9471d6882916d04c00cba43c49323

Download Submit
C:\Windows\{E4509281-4BEC-4ae1-A048-6AD01D205C07}.exe

Filesize
192KB

MD5
28ac92a5b097da0b9e43f71b0266b1b7

SHA1
0b2ee4b7f7d913893708db7425c65b188d7790e3

SHA256
545205a65639d5aeac438f469ef8f5f7bc75f59bb862831f055cd342b590a041

SHA512
d982cb36245392638b95490a16ee9e9d180cb81e41a096cb62c2d28bc6a0675603b5607f8809a6c8f88c68d9142d3a41f6cc0719331b98628cf56650ed553570

Download Submit
C:\Windows\{FC0FEE89-8455-44d8-8798-E6603DBE2D5B}.exe

Filesize
192KB

MD5
72ae8dcfa5680210f81b35c37d9a0d30

SHA1
a562e0ae5e15101f7f6f0b140586cd5eb9373ac9

SHA256
87524ad37d63545a8d97abfdbbf0af4b399688a997de4671864d47c11732b2b3

SHA512
c1af6f0b3a860a699dbaf23948d97e96545f1a638edad87452398cea4c19947fe15f8f06ffa14892f8360bc1173beb249f52b092d0b43dd2589d0b053278767d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads