b264be4b8195c6118bf8e8ab002d2ed99eca502f7ddd03963b32c29ccb6ec4ea

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
Size

216KB
MD5

1214e16331e699f2f27c568dde9c3c80
SHA1

78751462d4a0abd3b5711e5f7e5ce1d990d1d1f4
SHA256

b264be4b8195c6118bf8e8ab002d2ed99eca502f7ddd03963b32c29ccb6ec4ea
SHA512

955b544cbdaad767c565fc3995dd822df594ea36c48b817a68a156e30cd3fd744363150278e694d2a9b4c9438610980c22da2aaa68dc21f14bf4211d3a10abce
SSDEEP

3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191F1D38-58D0-494a-9C47-D671912272E9}	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6917855A-01A2-4a0b-9659-426FBF3518A1}	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B3374CD-1830-4abd-B627-12F1B095ABC9}	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}\stubpath = "C:\\Windows\\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe"	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}\stubpath = "C:\\Windows\\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe"	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD230B8-9765-497e-A62B-13344C605542}\stubpath = "C:\\Windows\\{CBD230B8-9765-497e-A62B-13344C605542}.exe"	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6917855A-01A2-4a0b-9659-426FBF3518A1}\stubpath = "C:\\Windows\\{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe"	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}\stubpath = "C:\\Windows\\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe"	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B565ABFB-103D-45b7-AB50-13962F3E49A9}\stubpath = "C:\\Windows\\{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe"	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}\stubpath = "C:\\Windows\\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe"	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C65760-C060-4db3-A839-40DDAD73EEDF}	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C65760-C060-4db3-A839-40DDAD73EEDF}\stubpath = "C:\\Windows\\{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe"	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B3374CD-1830-4abd-B627-12F1B095ABC9}\stubpath = "C:\\Windows\\{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe"	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B565ABFB-103D-45b7-AB50-13962F3E49A9}	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}\stubpath = "C:\\Windows\\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe"	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}\stubpath = "C:\\Windows\\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe"	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191F1D38-58D0-494a-9C47-D671912272E9}\stubpath = "C:\\Windows\\{191F1D38-58D0-494a-9C47-D671912272E9}.exe"	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD230B8-9765-497e-A62B-13344C605542}	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
1756	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
112	{CBD230B8-9765-497e-A62B-13344C605542}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
File created	C:\Windows\{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
File created	C:\Windows\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
File created	C:\Windows\{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
File created	C:\Windows\{CBD230B8-9765-497e-A62B-13344C605542}.exe	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
File created	C:\Windows\{191F1D38-58D0-494a-9C47-D671912272E9}.exe	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
File created	C:\Windows\{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
File created	C:\Windows\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
File created	C:\Windows\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
File created	C:\Windows\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
File created	C:\Windows\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
File created	C:\Windows\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBD230B8-9765-497e-A62B-13344C605542}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
Token: SeIncBasePriorityPrivilege	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe
Token: SeIncBasePriorityPrivilege	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
Token: SeIncBasePriorityPrivilege	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
Token: SeIncBasePriorityPrivilege	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
Token: SeIncBasePriorityPrivilege	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
Token: SeIncBasePriorityPrivilege	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
Token: SeIncBasePriorityPrivilege	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
Token: SeIncBasePriorityPrivilege	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
Token: SeIncBasePriorityPrivilege	2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
Token: SeIncBasePriorityPrivilege	1756	{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3736	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	86
PID 2556 wrote to memory of 3736	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	86
PID 2556 wrote to memory of 3736	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	86
PID 2556 wrote to memory of 2724	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	87
PID 2556 wrote to memory of 2724	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	87
PID 2556 wrote to memory of 2724	2556	2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe	87
PID 3736 wrote to memory of 1100	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	88
PID 3736 wrote to memory of 1100	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	88
PID 3736 wrote to memory of 1100	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	88
PID 3736 wrote to memory of 220	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	89
PID 3736 wrote to memory of 220	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	89
PID 3736 wrote to memory of 220	3736	{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe	89
PID 1100 wrote to memory of 4104	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	94
PID 1100 wrote to memory of 4104	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	94
PID 1100 wrote to memory of 4104	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	94
PID 1100 wrote to memory of 2996	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	95
PID 1100 wrote to memory of 2996	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	95
PID 1100 wrote to memory of 2996	1100	{191F1D38-58D0-494a-9C47-D671912272E9}.exe	95
PID 4104 wrote to memory of 4248	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	96
PID 4104 wrote to memory of 4248	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	96
PID 4104 wrote to memory of 4248	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	96
PID 4104 wrote to memory of 4120	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	97
PID 4104 wrote to memory of 4120	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	97
PID 4104 wrote to memory of 4120	4104	{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe	97
PID 4248 wrote to memory of 1128	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	98
PID 4248 wrote to memory of 1128	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	98
PID 4248 wrote to memory of 1128	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	98
PID 4248 wrote to memory of 3692	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	99
PID 4248 wrote to memory of 3692	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	99
PID 4248 wrote to memory of 3692	4248	{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe	99
PID 1128 wrote to memory of 3236	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	100
PID 1128 wrote to memory of 3236	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	100
PID 1128 wrote to memory of 3236	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	100
PID 1128 wrote to memory of 4936	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	101
PID 1128 wrote to memory of 4936	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	101
PID 1128 wrote to memory of 4936	1128	{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe	101
PID 3236 wrote to memory of 1040	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	102
PID 3236 wrote to memory of 1040	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	102
PID 3236 wrote to memory of 1040	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	102
PID 3236 wrote to memory of 4868	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	103
PID 3236 wrote to memory of 4868	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	103
PID 3236 wrote to memory of 4868	3236	{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe	103
PID 1040 wrote to memory of 1636	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	104
PID 1040 wrote to memory of 1636	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	104
PID 1040 wrote to memory of 1636	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	104
PID 1040 wrote to memory of 208	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	105
PID 1040 wrote to memory of 208	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	105
PID 1040 wrote to memory of 208	1040	{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe	105
PID 1636 wrote to memory of 1956	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	106
PID 1636 wrote to memory of 1956	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	106
PID 1636 wrote to memory of 1956	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	106
PID 1636 wrote to memory of 3800	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	107
PID 1636 wrote to memory of 3800	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	107
PID 1636 wrote to memory of 3800	1636	{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe	107
PID 1956 wrote to memory of 2804	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	108
PID 1956 wrote to memory of 2804	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	108
PID 1956 wrote to memory of 2804	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	108
PID 1956 wrote to memory of 4212	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	109
PID 1956 wrote to memory of 4212	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	109
PID 1956 wrote to memory of 4212	1956	{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe	109
PID 2804 wrote to memory of 1756	2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe	110
PID 2804 wrote to memory of 1756	2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe	110
PID 2804 wrote to memory of 1756	2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe	110
PID 2804 wrote to memory of 4968	2804	{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
  C:\Windows\{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\{191F1D38-58D0-494a-9C47-D671912272E9}.exe
    C:\Windows\{191F1D38-58D0-494a-9C47-D671912272E9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
      C:\Windows\{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
        
        C:\Windows\{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
        
        C:\Windows\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
        
        C:\Windows\{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
        
        C:\Windows\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
        
        C:\Windows\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
        
        C:\Windows\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
        
        C:\Windows\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
        
        C:\Windows\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{CBD230B8-9765-497e-A62B-13344C605542}.exe
        
        C:\Windows\{CBD230B8-9765-497e-A62B-13344C605542}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{386F5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF99E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA3E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7841~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{633D0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B565A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A37C2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B337~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00C65~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{191F1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69178~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C65760-C060-4db3-A839-40DDAD73EEDF}.exe

Filesize
216KB

MD5
8590edd5352be5609281a68d9ff28d8b

SHA1
5a745e056541c38b634bf13d22a54170f56c06b4

SHA256
4fed74e0003dce2feadb85846fe9af044da1e1589f4e64124fb4d9438ce68bf4

SHA512
7063cde1b24f4f30602c71862ac4511133e1e2916010ba01a893081334c0593d089646b7cf08f02778ea4b3e982d648e2dc3bb6569ca9bd9e8b026105ec0afd0

Download Submit
C:\Windows\{191F1D38-58D0-494a-9C47-D671912272E9}.exe

Filesize
216KB

MD5
5ef7e1f5210a83d339dbfada424ed21f

SHA1
bb73d12da4b650c8b5cbda42d204a7b66e5e0971

SHA256
8ba731ef3e2a87dd2db0646c9c064cf7863e10cdf3c44958008e7767b7f54d25

SHA512
d223154e5f329f0d544842941bafcc627514e90444ce2a81477db96bf4f979a414bc7ddaf480a271f5e1086b952d1f4e563c9d6242d6306bd2d692982dd43a54

Download Submit
C:\Windows\{386F565B-6B4D-4aa5-8A09-A61DDA846E6C}.exe

Filesize
216KB

MD5
09a62d2137108ad8f33b0f7ff49df681

SHA1
b89cee9545c861e609cc9740d1958157d8f2feb0

SHA256
d21ebc43acc3097152628fbd6f004bacc4637cfaa175ffad5542a57349760c8d

SHA512
472a75ada2553ffad02a3426eef9bff23b6c1df11bd12db478cfdb6ce7396a9ed00c3efb12cc4188daca325af8bb3e4117c65bcd86101bb469ebf736f1efa0cd

Download Submit
C:\Windows\{4B3374CD-1830-4abd-B627-12F1B095ABC9}.exe

Filesize
216KB

MD5
2331742059715b877a8863b99978fab0

SHA1
23730fc9f613a73d56946a3d56f1dfa2ab934a45

SHA256
bf34cd67dcf2140e9beb837cc19a188a6e304c611687128bf995c464167265db

SHA512
270274908726fb92592b021df5a3ccd879895de6106154dc0af483b444ac1d26c7b999bf800413c7ffb91db112e740d0bb6f841e0d041c501ee6a8a2be256149

Download Submit
C:\Windows\{633D0C06-EF77-4f2a-8E97-77F92916CFE9}.exe

Filesize
216KB

MD5
8904f4f05d3c521dafbd097c7f4b285e

SHA1
5eb0a54a2f3ad29f0404d82bd7133942fdc12d74

SHA256
2205b4b7b766014b04198d0b822516e62e72dadb04a28dc64365cd293a9c605f

SHA512
b04ecbb1bf0e4da35cde068de130e569b9211bd683196765df691d19c4e7defd711365fa3034036f4b289426f8c86edd7de405deefc0401a6cdd62fd9f15497c

Download Submit
C:\Windows\{6917855A-01A2-4a0b-9659-426FBF3518A1}.exe

Filesize
216KB

MD5
f276dc906e04e6774dd68e95feac8f8f

SHA1
1077a954d88bb91316b76b65dd467aae8c5e19f2

SHA256
45875a5730ec5ca8c55a0b1aa5dfa19b238c844a32e8b6f79f31196e5e30ff22

SHA512
d3e133e5958c143d985f47c805bf9ff18212d320614fdee7b33011632f09f866a0c0df06fce36749702e6f113bcbfd95501745ccba632ba50599e6a3e3e30ad5

Download Submit
C:\Windows\{A37C21EB-AF28-405a-8A13-AC73EBF97EA6}.exe

Filesize
216KB

MD5
e6e52618eef2036a35ca0c96375085e3

SHA1
cfe86e9e977f2559f94c3ed74a2b42c388168797

SHA256
97cc1870084b1472933d99887ba060441990231cbfe9c119540642de82817c09

SHA512
ed42f034cf235262e3657a2cf3cef80c81d8fa0517ed2408d726a19d9b43fb4a266a41f3fbcdc89204918071708329bf73a2c2ac895a469cdb9f399d146592ea

Download Submit
C:\Windows\{B565ABFB-103D-45b7-AB50-13962F3E49A9}.exe

Filesize
216KB

MD5
cb2088dc37f57b5414e17e80624ddb30

SHA1
f820a00372207f45751c4607b87126f2441885ee

SHA256
3ef18aef5305f2e01f2bb26f2aa1c895e89943a222dfd0615128fd4bcb600686

SHA512
f3c689656cad696d12380470e8fc2f5261473bc5b17abdb311e4e3c1bfaf6650f78c758f00dda7d0e8b5094654b0a9f9987d9c0a69e55c4df58b677dd0f19d58

Download Submit
C:\Windows\{CBD230B8-9765-497e-A62B-13344C605542}.exe

Filesize
216KB

MD5
f2381aa5c5f7cc74be05eea608c9d910

SHA1
221bc4d036959223b0e674cf6c7ac6361a870d5f

SHA256
cc15d2954377a76ef97bb172ce2c930c24f3ef86ea258f4a814935353c63a1b4

SHA512
7b082c865e5748007c989dc40acf083ff10e48f568679b14c98eeb1f822d8c7c1f3a5bf3009de5069e636a889fae1316550f3f17ddde992f0058af2376b02588

Download Submit
C:\Windows\{CF99EC54-CDAC-49e1-9184-90707FFE10C8}.exe

Filesize
216KB

MD5
aa2c15938c24c1e70ce670c6e3e8e708

SHA1
d5555fce82847f6efdd9cfd28da4b8a2f0ad60e9

SHA256
3a8be106220b27955efbc8333c867760639b634cf011e068de83f1963d4ae4fc

SHA512
7009ba00f3b6ac907a70564eb320d02227a0dffe5d2a5e4327c72a85aa45a89f306bd3eef80f488a4a9a333ccb136cd61d915cb43293a5b16f32f4505abb0544

Download Submit
C:\Windows\{E78416F8-93B4-4ce0-91F2-6B88FA55184B}.exe

Filesize
216KB

MD5
401d399ede957ea393fcb82520941f74

SHA1
e9ef6cd993493a781da60f59428ae0c838e41185

SHA256
e7d749c5e694428d548fcdc618f897e470937eeb8aac1ed401f006853dcec689

SHA512
76c1fc66e1f167e67a7c1ac76d1c437f4d9353e65d70203cddc1ff177030a7b127c37de456bc420faca80b0b97cd21f9fcc719097eb006311bdd21d8890796cb

Download Submit
C:\Windows\{FBA3EFCF-9A08-4359-B2D6-CADACEA2A6C7}.exe

Filesize
216KB

MD5
094444e006e80ca5f61a648f281cbdd4

SHA1
ce57e7a76c5405cf77745b1337f3bc3414f90c65

SHA256
585965ccd9c7aee9b5f549ea92549a249523dbc052db9bc9f68db0be662264ae

SHA512
d3debfe55d725b17721fabf3a89d421f250ae033f8b38519db4400aa5223a841025e0082c00cb4bae9d6eda2c627348424ee5d4433b48aa859789515207ffd5e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads