a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Size

372KB
MD5

8fad08cbb212a40ae81dca1250153e82
SHA1

de2cc9bed4e4452411138e6499c3d9709ae06f0a
SHA256

a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73
SHA512

ddb0099c9168c4fb45c670f856257f27f07bdaf49e968b50aeeef92e95cec7a00df3a73bbec8e9e72380248a5558d79f8d16037a1f08ac24ce2a0de4b6f940be
SSDEEP

3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG/lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11974A9D-4E9E-483e-A299-7E372B215643}\stubpath = "C:\\Windows\\{11974A9D-4E9E-483e-A299-7E372B215643}.exe"	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}\stubpath = "C:\\Windows\\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe"	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA991F5D-FC20-44e2-A91F-817B96062125}	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA991F5D-FC20-44e2-A91F-817B96062125}\stubpath = "C:\\Windows\\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe"	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070EC92B-85C4-4538-868E-F14C0EE8F21B}	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070EC92B-85C4-4538-868E-F14C0EE8F21B}\stubpath = "C:\\Windows\\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe"	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5511CF-19BF-458d-A10A-18656205DE4C}\stubpath = "C:\\Windows\\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe"	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{463ACF36-FF4C-4485-B330-BEF84BF0E662}\stubpath = "C:\\Windows\\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe"	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}\stubpath = "C:\\Windows\\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe"	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}\stubpath = "C:\\Windows\\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe"	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}\stubpath = "C:\\Windows\\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe"	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}\stubpath = "C:\\Windows\\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe"	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5511CF-19BF-458d-A10A-18656205DE4C}	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{463ACF36-FF4C-4485-B330-BEF84BF0E662}	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}\stubpath = "C:\\Windows\\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe"	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11974A9D-4E9E-483e-A299-7E372B215643}	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}\stubpath = "C:\\Windows\\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe"	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe

Executes dropped EXE 12 IoCs

pid	Process
1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
2052	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
2460	{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
File created	C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
File created	C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
File created	C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
File created	C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
File created	C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
File created	C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
File created	C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
File created	C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
File created	C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
File created	C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
File created	C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
Token: SeIncBasePriorityPrivilege	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
Token: SeIncBasePriorityPrivilege	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
Token: SeIncBasePriorityPrivilege	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
Token: SeIncBasePriorityPrivilege	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
Token: SeIncBasePriorityPrivilege	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
Token: SeIncBasePriorityPrivilege	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe
Token: SeIncBasePriorityPrivilege	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
Token: SeIncBasePriorityPrivilege	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
Token: SeIncBasePriorityPrivilege	1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
Token: SeIncBasePriorityPrivilege	2052	{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1080	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	86
PID 3088 wrote to memory of 1080	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	86
PID 3088 wrote to memory of 1080	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	86
PID 3088 wrote to memory of 3436	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	87
PID 3088 wrote to memory of 3436	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	87
PID 3088 wrote to memory of 3436	3088	2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe	87
PID 1080 wrote to memory of 544	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	88
PID 1080 wrote to memory of 544	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	88
PID 1080 wrote to memory of 544	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	88
PID 1080 wrote to memory of 1412	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	89
PID 1080 wrote to memory of 1412	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	89
PID 1080 wrote to memory of 1412	1080	{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe	89
PID 544 wrote to memory of 4340	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	93
PID 544 wrote to memory of 4340	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	93
PID 544 wrote to memory of 4340	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	93
PID 544 wrote to memory of 3316	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	94
PID 544 wrote to memory of 3316	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	94
PID 544 wrote to memory of 3316	544	{DA991F5D-FC20-44e2-A91F-817B96062125}.exe	94
PID 4340 wrote to memory of 1100	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	96
PID 4340 wrote to memory of 1100	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	96
PID 4340 wrote to memory of 1100	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	96
PID 4340 wrote to memory of 3672	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	97
PID 4340 wrote to memory of 3672	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	97
PID 4340 wrote to memory of 3672	4340	{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe	97
PID 1100 wrote to memory of 760	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	98
PID 1100 wrote to memory of 760	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	98
PID 1100 wrote to memory of 760	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	98
PID 1100 wrote to memory of 2920	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	99
PID 1100 wrote to memory of 2920	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	99
PID 1100 wrote to memory of 2920	1100	{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe	99
PID 760 wrote to memory of 1660	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	100
PID 760 wrote to memory of 1660	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	100
PID 760 wrote to memory of 1660	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	100
PID 760 wrote to memory of 3784	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	101
PID 760 wrote to memory of 3784	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	101
PID 760 wrote to memory of 3784	760	{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe	101
PID 1660 wrote to memory of 1644	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	102
PID 1660 wrote to memory of 1644	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	102
PID 1660 wrote to memory of 1644	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	102
PID 1660 wrote to memory of 2220	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	103
PID 1660 wrote to memory of 2220	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	103
PID 1660 wrote to memory of 2220	1660	{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe	103
PID 1644 wrote to memory of 1120	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	104
PID 1644 wrote to memory of 1120	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	104
PID 1644 wrote to memory of 1120	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	104
PID 1644 wrote to memory of 812	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	105
PID 1644 wrote to memory of 812	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	105
PID 1644 wrote to memory of 812	1644	{11974A9D-4E9E-483e-A299-7E372B215643}.exe	105
PID 1120 wrote to memory of 2392	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	106
PID 1120 wrote to memory of 2392	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	106
PID 1120 wrote to memory of 2392	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	106
PID 1120 wrote to memory of 2140	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	107
PID 1120 wrote to memory of 2140	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	107
PID 1120 wrote to memory of 2140	1120	{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe	107
PID 2392 wrote to memory of 1588	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	108
PID 2392 wrote to memory of 1588	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	108
PID 2392 wrote to memory of 1588	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	108
PID 2392 wrote to memory of 3836	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	109
PID 2392 wrote to memory of 3836	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	109
PID 2392 wrote to memory of 3836	2392	{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe	109
PID 1588 wrote to memory of 2052	1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe	110
PID 1588 wrote to memory of 2052	1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe	110
PID 1588 wrote to memory of 2052	1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe	110
PID 1588 wrote to memory of 1244	1588	{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
  C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
    C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
      C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
        
        C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
        
        C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
        
        C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe
        
        C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
        
        C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
        
        C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
        
        C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
        
        C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe
        
        C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{463AC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B551~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DFC8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3B9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11974~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5970A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82AFB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C74C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{070EC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA991~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB96~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe

Filesize
372KB

MD5
445e943422f9d7b6eae4b4be7cd0c827

SHA1
1cc0914b6d6ce251ab9484d9e0304ef0daad05d1

SHA256
b9615a8dc08870d1e7a5ac13b47c93b6c376eb2ca71883bb3e33cda5cdf70505

SHA512
3a133e82aa5b8bf8c7d884adcbbb2105d0ba2ac68c5229ff46cd56649cf7c4e4644bf94abbc01e5c71b33b9793814786a594639329fb6f9b349288be03861a74

Download Submit
C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe

Filesize
372KB

MD5
6a378fa67ac0014cff70f2f603be31d4

SHA1
742ddb6a44ea85f323decbf2e5542fe56bc0c0ca

SHA256
2a0593a84a7c157844a01aae61c6d4515643ece254ce498c4c6da9a2fb8e42cc

SHA512
a921631ed5ccb51df11a61c0ae2385fc537f5a9e706731d2b0428202f0559b354e8e47b8d9f47213695e79d84b1f0ce8c6524012694312b9eaeb927ca33aa475

Download Submit
C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe

Filesize
372KB

MD5
0d90a75d75383ba4533b2beb56269abc

SHA1
ebc05e6780272a18e0b9277bf3ba1c5a49e92a6f

SHA256
76e0ec8e78239386715d9431c4d852dd68fb0079a9ac47c661c242607abe662c

SHA512
7b90581e98effdf11eb7d14ed2e62a8faa0326e6065b84943f5952e70756db3ec10c018724449c93d9d1c103b0bf5e7a9f2d1e7f406ad9d6d0d5c67c46a35d35

Download Submit
C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe

Filesize
372KB

MD5
5f7ce71b6df6255d8e93b2da7dbb4366

SHA1
318124d3e1a152f3c81799bc1467b5b68ee0ec51

SHA256
82be995730e3a11b98c5be350686a44c159cfc715ab9da0328ee9f0c11c39988

SHA512
3f78916f6b6bdaba68a88e9a6873ec603dd2a12c81fe4d53c0216ca66df64f72457c353ccde528e11ce13cb1b09d902f415354537f118a039ceac79084d896e5

Download Submit
C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe

Filesize
372KB

MD5
d5f3550dc0aa8a3acbe1ad2c5f0f0662

SHA1
a2c6404342dd6e7084b1f4071338960a01da0be6

SHA256
4b541602e9a3ab386d3f92cde1dd21d29004e12f56dada098a2c0cb7f5e4167b

SHA512
be18655eca4f963a9aa5e62ca2d447b4a8cea5b46433e78ad3ef7919377b79cac260310ae979dcc6993c851e614cbb5ad99b595a822bee5aa8681dca40ed3c28

Download Submit
C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe

Filesize
372KB

MD5
556aa66dfff3ba3ae98a4970622e2bec

SHA1
e2d9aabf706227be41ed6d7562c4bc178cfad57d

SHA256
d52ca249fb3b59dd810c0c922cc8097a271f6eae09d92cae9772d4a1149b19bb

SHA512
c37ea85a951fdc5850cb69aba4fc1d02cce6fa406b4d5e957d028f9b92f2bcd3553d03e058668af71afcff7040110179320be772cbcc533b101dfabc53d22eb6

Download Submit
C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe

Filesize
372KB

MD5
b0ef1e12de8968d8e15719225a471144

SHA1
4aea8d8e8c9879f1d6e8b76ce305cc91f86fda8c

SHA256
a925fb11fdbee1b79bc2add00286e256d558221af82ff2fb88b7bf9ee9f03fc2

SHA512
b9a408ab9a9a2faa46d569f63e5fc6388958be21829a941f7367dd6ea7d3d4ce633a15ffe3e36824ae3b51be5d00ded66812fcd630184986895045afbabf67d9

Download Submit
C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe

Filesize
372KB

MD5
dd0b3918afff643ce47002d7f4547f30

SHA1
88e2a81a079593245817c86dc5edd41dff6544c1

SHA256
fcd91ac6d33542a773be8838111694f35408cc80b12843458b317b75161d5c12

SHA512
62672c19e0ba57be67bfb4387c92fb3e88aaf635fc084349c3e5b96c6fa3012d3637c58b40f116067ea81a22b8fdf482e6bef20201468d8abaaaa50a0cb55788

Download Submit
C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe

Filesize
372KB

MD5
8979491b898398351827148c48fd19ed

SHA1
56102cec4d0885c69e68cf683192b9b99fd41174

SHA256
38f2526534d48e7fece8aac6345ec4229861a1c85aafe71556b779f17461f89a

SHA512
b7a8c047547511ae8edc9aa6e578f2dc8d2f4fc2a5e623dfe62a60f4364b64bcf4f4fe18d83710271577db5221d87cbaecdd3d150c184d928e9344ec70ddb3d7

Download Submit
C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe

Filesize
372KB

MD5
be6ee36ab2b42745783f5b938e12d495

SHA1
51f5df72dd497e995dae1afc1316daa8bfd6bd83

SHA256
ac0deab258d854f430c380e308b5e1396e2156a7868d7d080633d9326486bbc9

SHA512
048653890523a99806a5ac76b418a70a3cadf3b7c4b2e9091da4302c3e4890c55bf6a4b67f690a0a5c3248004e866d66a60b3272d50041883471e33d6359adfa

Download Submit
C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe

Filesize
372KB

MD5
48ee74afdd2d578ac04a76d35c442cd3

SHA1
29291ff41066b8d31660cff3912102f78bfb2d2c

SHA256
129a8004325d2087272c71114cf28116a26f9c9534f987b1c9063c31c76e65b8

SHA512
9ff865af0467373249bff6bf4a2c54ade18ecea8ea04554447bc2a16215990656813fed1018071920c1753f4ccc547fdd85ae4b8e603e17ed37ebfe05f106f23

Download Submit
C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe

Filesize
372KB

MD5
a5378cdd30e9594f099238b9ae26063c

SHA1
fc232d726fc202840704e7cb732b1c29e2d4da1a

SHA256
e4d6d0b936c0f419c0a1d8f464f52b418375c1655907ccdae6d2661b7a77e49c

SHA512
ebaa9d54736c608958701db0c97133a4aad8996641483395fc73cb4c6b4e68eacf9a3514bfb6ff1cf7db83d05c0e8bc793977f39339e92f7f1488273efa00a00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads