714b3e26b559afb5f2697b3506dd6c3c79141e18a61980705e87d96208e4554a

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 09:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
Size

372KB
MD5

49faa4c92a6fe8c2dff8f3e7399441eb
SHA1

314f37f3f07a2dabcb11bd37afd231770f4ec21b
SHA256

714b3e26b559afb5f2697b3506dd6c3c79141e18a61980705e87d96208e4554a
SHA512

14c352d06f01990bdb29a5fdaa900393c223aaed682daf5a4b55f44db08ebeae22dc4439ef47b995487786eb2b24844fd4f0038f6f39a97ac8284d46a30b51e5
SSDEEP

3072:CEGh0onlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG5lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EB1977-E77A-4cc2-81E0-33293050C105}	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83E6FAB-E57B-453d-9153-C6262985FE85}	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83E6FAB-E57B-453d-9153-C6262985FE85}\stubpath = "C:\\Windows\\{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe"	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72392154-8C32-4934-BF42-ABC4141C88EB}	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72392154-8C32-4934-BF42-ABC4141C88EB}\stubpath = "C:\\Windows\\{72392154-8C32-4934-BF42-ABC4141C88EB}.exe"	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C140751C-28F9-4137-A4E9-A7B615C3908A}	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC16CF62-F424-45fe-8A68-E40A1A660632}\stubpath = "C:\\Windows\\{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe"	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}\stubpath = "C:\\Windows\\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe"	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EB1977-E77A-4cc2-81E0-33293050C105}\stubpath = "C:\\Windows\\{74EB1977-E77A-4cc2-81E0-33293050C105}.exe"	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21677D58-EEC0-44a4-A498-AEED3E29510A}	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}\stubpath = "C:\\Windows\\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe"	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C140751C-28F9-4137-A4E9-A7B615C3908A}\stubpath = "C:\\Windows\\{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe"	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC16CF62-F424-45fe-8A68-E40A1A660632}	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}\stubpath = "C:\\Windows\\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe"	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}\stubpath = "C:\\Windows\\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe"	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}\stubpath = "C:\\Windows\\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe"	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21677D58-EEC0-44a4-A498-AEED3E29510A}\stubpath = "C:\\Windows\\{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe"	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890E92F7-E373-4b17-A72B-CEF330CF5E88}	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890E92F7-E373-4b17-A72B-CEF330CF5E88}\stubpath = "C:\\Windows\\{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe"	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe

Executes dropped EXE 12 IoCs

pid	Process
380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
4184	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe
732	{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
File created	C:\Windows\{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
File created	C:\Windows\{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe
File created	C:\Windows\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
File created	C:\Windows\{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
File created	C:\Windows\{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
File created	C:\Windows\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
File created	C:\Windows\{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
File created	C:\Windows\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
File created	C:\Windows\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
File created	C:\Windows\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
File created	C:\Windows\{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
Token: SeIncBasePriorityPrivilege	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
Token: SeIncBasePriorityPrivilege	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
Token: SeIncBasePriorityPrivilege	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
Token: SeIncBasePriorityPrivilege	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
Token: SeIncBasePriorityPrivilege	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
Token: SeIncBasePriorityPrivilege	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
Token: SeIncBasePriorityPrivilege	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
Token: SeIncBasePriorityPrivilege	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
Token: SeIncBasePriorityPrivilege	3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
Token: SeIncBasePriorityPrivilege	4184	{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 380	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	89
PID 2708 wrote to memory of 380	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	89
PID 2708 wrote to memory of 380	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	89
PID 2708 wrote to memory of 2864	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	90
PID 2708 wrote to memory of 2864	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	90
PID 2708 wrote to memory of 2864	2708	2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe	90
PID 380 wrote to memory of 1064	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	93
PID 380 wrote to memory of 1064	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	93
PID 380 wrote to memory of 1064	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	93
PID 380 wrote to memory of 3348	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	94
PID 380 wrote to memory of 3348	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	94
PID 380 wrote to memory of 3348	380	{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe	94
PID 1064 wrote to memory of 4468	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	97
PID 1064 wrote to memory of 4468	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	97
PID 1064 wrote to memory of 4468	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	97
PID 1064 wrote to memory of 1628	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	98
PID 1064 wrote to memory of 1628	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	98
PID 1064 wrote to memory of 1628	1064	{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe	98
PID 4468 wrote to memory of 3572	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	99
PID 4468 wrote to memory of 3572	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	99
PID 4468 wrote to memory of 3572	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	99
PID 4468 wrote to memory of 4328	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	100
PID 4468 wrote to memory of 4328	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	100
PID 4468 wrote to memory of 4328	4468	{74EB1977-E77A-4cc2-81E0-33293050C105}.exe	100
PID 3572 wrote to memory of 2132	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	101
PID 3572 wrote to memory of 2132	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	101
PID 3572 wrote to memory of 2132	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	101
PID 3572 wrote to memory of 4488	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	102
PID 3572 wrote to memory of 4488	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	102
PID 3572 wrote to memory of 4488	3572	{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe	102
PID 2132 wrote to memory of 1128	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	103
PID 2132 wrote to memory of 1128	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	103
PID 2132 wrote to memory of 1128	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	103
PID 2132 wrote to memory of 2292	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	104
PID 2132 wrote to memory of 2292	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	104
PID 2132 wrote to memory of 2292	2132	{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe	104
PID 1128 wrote to memory of 2284	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	105
PID 1128 wrote to memory of 2284	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	105
PID 1128 wrote to memory of 2284	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	105
PID 1128 wrote to memory of 4160	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	106
PID 1128 wrote to memory of 4160	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	106
PID 1128 wrote to memory of 4160	1128	{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe	106
PID 2284 wrote to memory of 4256	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	107
PID 2284 wrote to memory of 4256	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	107
PID 2284 wrote to memory of 4256	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	107
PID 2284 wrote to memory of 3924	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	108
PID 2284 wrote to memory of 3924	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	108
PID 2284 wrote to memory of 3924	2284	{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe	108
PID 4256 wrote to memory of 4600	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	109
PID 4256 wrote to memory of 4600	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	109
PID 4256 wrote to memory of 4600	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	109
PID 4256 wrote to memory of 1204	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	110
PID 4256 wrote to memory of 1204	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	110
PID 4256 wrote to memory of 1204	4256	{72392154-8C32-4934-BF42-ABC4141C88EB}.exe	110
PID 4600 wrote to memory of 3340	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	111
PID 4600 wrote to memory of 3340	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	111
PID 4600 wrote to memory of 3340	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	111
PID 4600 wrote to memory of 4164	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	112
PID 4600 wrote to memory of 4164	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	112
PID 4600 wrote to memory of 4164	4600	{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe	112
PID 3340 wrote to memory of 4184	3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe	113
PID 3340 wrote to memory of 4184	3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe	113
PID 3340 wrote to memory of 4184	3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe	113
PID 3340 wrote to memory of 4980	3340	{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_49faa4c92a6fe8c2dff8f3e7399441eb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
  C:\Windows\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
    C:\Windows\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
      C:\Windows\{74EB1977-E77A-4cc2-81E0-33293050C105}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
        
        C:\Windows\{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
        
        C:\Windows\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
        
        C:\Windows\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
        
        C:\Windows\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
        
        C:\Windows\{72392154-8C32-4934-BF42-ABC4141C88EB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
        
        C:\Windows\{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
        
        C:\Windows\{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe
        
        C:\Windows\{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe
        
        C:\Windows\{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC16C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21677~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1407~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72392~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F823~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3829D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53557~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A83E6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74EB1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{993A9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DEAB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21677D58-EEC0-44a4-A498-AEED3E29510A}.exe

Filesize
372KB

MD5
6f8a2ca26d6183725c4b810c2a1f9d31

SHA1
f78afbf4a4ec8b9dc5b33eab0b1cc73e5a39fcd0

SHA256
7ba6662362ca444ced0c053676443ae908a58bae8e17db165f1e3f2b2a7ea19f

SHA512
86036f40e4f6ff1945f6d99e1656a76a749bc0bad6d40157c2ce8c5b8d827d49761083e8a08adc305bf38728b782c7e1f5e272e2c617a84678351903365bb436

Download Submit
C:\Windows\{2DEAB43D-6C6A-4231-8A2A-6C347D79EC7B}.exe

Filesize
372KB

MD5
98de2fb23282705d12aa80e3fbd008fa

SHA1
7720d83964490739dcecf4e848d1ed22b813d1c0

SHA256
0600bc212be492740bedbef26ed28f5e6d95e1f5edbce9226f4fad77137e53d8

SHA512
5af1f777367828167834085f2be1c21ade6a1707da2ab38fc4b81a3da1f34b34fd6c555d6da91335ac27de09cd318d4ebb88cc274b8f4b60a516d39e9322191c

Download Submit
C:\Windows\{3829DA15-0143-45e7-B5CB-AACF6E6B7611}.exe

Filesize
372KB

MD5
8fe7968806a2568eb564525efa615ae9

SHA1
c3a9eec467d5d75e510c232bb3b76203973f86c4

SHA256
2c2bf5584c3e6a385cf4c75744bfe3fd1c7b28089eaba878849b3b86e36dfa6a

SHA512
2d2840f1fe1073df57c7b33c50b8e793cdea6178d18a850bf0e7b245fc77e530c844ea06058955f192da5fed1504e0daa4dac8e8d0dfc908966dd07177121557

Download Submit
C:\Windows\{3F823BA6-8A5A-4d15-BE12-CB8B5F0C4E2B}.exe

Filesize
372KB

MD5
1f633f4f2c4ba1d460dc991bbe04686a

SHA1
7c07916455ad2f571f754c168f6dd4f3d3221412

SHA256
0b67086065d44669d95918e04aff7e7edd06237857179eea3f0fb1eccb187968

SHA512
b2320d7f1e1e7216078210ab797ebb3d1516c40b86d5dd592091afea7a8746dd70ad1ec6684612ced768a1d51a7f3123a97854e6fb0bd7d36a1f3168bea4a465

Download Submit
C:\Windows\{53557A95-A997-4bca-B346-CE4AF2A0C1E3}.exe

Filesize
372KB

MD5
09347d7779b410704fea73757a5431cc

SHA1
bdfdb10dffd61d3ce866277e9f457c3ec0ad34d4

SHA256
578ba4bf3bb018e00bedf4e1f73ded4cfc4413e0480331daaa83449bdfb435c7

SHA512
f289af33b793a9b24c2e40c9e99cae022f8649dba6c3ceaf15cacd51f889acc4f7e782a604ed97106dd84ddd9dc8ac608b2df579f3ec255d7112a044cfabcbed

Download Submit
C:\Windows\{72392154-8C32-4934-BF42-ABC4141C88EB}.exe

Filesize
372KB

MD5
47cc4142143cc201bfa64c0a866cf2bd

SHA1
20223129c972bff4322d86df5157561e25deca0c

SHA256
fd83102cde45b54aaa05cdaf801b074243d56eb5af4af0fba70db75aeaa75561

SHA512
d7e50cc014265957111c75887df09e688f901364928f10a401e46924fb52b67529fff3a1f88f071dc9efae4736d62885514b6944a456b76e4cbda5a9a8858b7c

Download Submit
C:\Windows\{74EB1977-E77A-4cc2-81E0-33293050C105}.exe

Filesize
372KB

MD5
b21d1a1b8c45dbfd3dcbd0208ca322fc

SHA1
c1ea1088ccf9e0de7b23aacd34f7410377eb8d92

SHA256
fa3d08f42c6dca986bb6efb8dfcd25a081395a78d296f9f5b48f1d57596132a4

SHA512
a6c652509864a273bb1a5faa75973538ab5036ce7fa9f4a53a0c70c2a4275e15244d6d4ef05dc6c98560ad4d4f3200171328102b2c558262efd08154968efcbc

Download Submit
C:\Windows\{890E92F7-E373-4b17-A72B-CEF330CF5E88}.exe

Filesize
372KB

MD5
7a3844d246be3afca01480163226662b

SHA1
a2110fbf610f410c3251468006e5588151b60103

SHA256
222a78001bdc89534b8634fc63e4581e33d2f0cd8653e4c055797e6d171b86ae

SHA512
7234503a64c5ee3be79d8ca18865ab11a3ccc5675c3a2614a20d4a5562156fb430a943cd385ba939b45c96116a24ec15199a2183fc4ad1a7e02341a4dd1af97b

Download Submit
C:\Windows\{993A9F05-2E84-4ecf-BFBC-E08B4AAFE40C}.exe

Filesize
372KB

MD5
08c3d32a496695d44a1f5d3397ec2c50

SHA1
e8d2d19e4ef9db92137ac653e5a728c6f11e1e50

SHA256
b967de151171129c58405fc35b9ea5b8d17ddcab96e715d98aa8f63e790d37cb

SHA512
54bf058fd1de1f0782a22d018b76ef3c09ef2c6abc3ffb0a060ec7bc2b1462d2d681f13e63f1491fb9fcefe242d94121b6d5a83c3346cddabde98ff3114dc1d1

Download Submit
C:\Windows\{A83E6FAB-E57B-453d-9153-C6262985FE85}.exe

Filesize
372KB

MD5
0513c0a2cbde6d72733e57c81a43737f

SHA1
42d6c3d7a47f555f736826664a2d97bb6c170d90

SHA256
f95dc8c93e5e7d4043b2a00696bc1a893443a6efb9270cdc6ac4d9f3d9458bb1

SHA512
303d7c3916c98c9d0a8004b0990f8fea6796036e940616859b275960376c32e07649a8cd0b4caaa51215b565b33c73d7a15aad5476e81d260f9044e9384b8cbc

Download Submit
C:\Windows\{BC16CF62-F424-45fe-8A68-E40A1A660632}.exe

Filesize
372KB

MD5
c7c204025004b7da1539971d60ec31a0

SHA1
8e8f268d9e87f50280c36a993549547e578dceab

SHA256
39643252f04407a98240f5ae786624589389dafb49fb3d2b650fd95e4a4d6b3b

SHA512
04a9f1db9ad977d2b1a1d05c735e437386d1d41cf9ccf81b1cfec858bbcfb8bd1f90475214102b833781b39ed3783ce66ac8ad4f31905bcbffd0a5b8f0f402ad

Download Submit
C:\Windows\{C140751C-28F9-4137-A4E9-A7B615C3908A}.exe

Filesize
372KB

MD5
0aca75d246f45d314847db708eea4d4c

SHA1
d123f297b5726a0ce836ce440634298d5a43af25

SHA256
a48663c6b0b3129db0783700d3b515745c9a34df1fcc953332ce09118f787e72

SHA512
2d728b83a489560f69bc287e347bfcd988497696c30604719c352e19c23d2f1e96aa1b0dc9af81e5404bfbfc4ea1d0c4d6ac1d2c49d1f4b5fe4cc6776781911c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads