b0c4f17ae6ef89db53ff0079a2d220d839d65b6ca9bf4f77f71bc668fe45be7d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
Size

408KB
MD5

9bd6cbaf6a2aa3bc6d82363ab612c717
SHA1

5e4693a71831148e258831fa71ce7d5fc9568301
SHA256

b0c4f17ae6ef89db53ff0079a2d220d839d65b6ca9bf4f77f71bc668fe45be7d
SHA512

1c0cceafe5376769207503b6c3f9865b5a2690b64fa14334674443488c47a7dd56c2241f8a9255a6ec6cbf56d879b0361e736dc1e59d02a760eff754b5660179
SSDEEP

3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGZldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BCF2B5-601C-40ec-AF48-C272E870F27C}	{AC79A317-3403-4f89-962E-099E632471D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BCF2B5-601C-40ec-AF48-C272E870F27C}\stubpath = "C:\\Windows\\{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe"	{AC79A317-3403-4f89-962E-099E632471D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79A317-3403-4f89-962E-099E632471D0}	{768B1230-A3F7-4888-A552-F699124733DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79A317-3403-4f89-962E-099E632471D0}\stubpath = "C:\\Windows\\{AC79A317-3403-4f89-962E-099E632471D0}.exe"	{768B1230-A3F7-4888-A552-F699124733DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}\stubpath = "C:\\Windows\\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe"	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}	{F690DC42-E931-4306-8432-19218A078ECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}\stubpath = "C:\\Windows\\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe"	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{768B1230-A3F7-4888-A552-F699124733DC}	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{768B1230-A3F7-4888-A552-F699124733DC}\stubpath = "C:\\Windows\\{768B1230-A3F7-4888-A552-F699124733DC}.exe"	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F690DC42-E931-4306-8432-19218A078ECA}	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}\stubpath = "C:\\Windows\\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe"	{F690DC42-E931-4306-8432-19218A078ECA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}\stubpath = "C:\\Windows\\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe"	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}\stubpath = "C:\\Windows\\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe"	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD358954-447E-4582-8993-C19ED7CC6554}	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD358954-447E-4582-8993-C19ED7CC6554}\stubpath = "C:\\Windows\\{CD358954-447E-4582-8993-C19ED7CC6554}.exe"	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}\stubpath = "C:\\Windows\\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe"	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F690DC42-E931-4306-8432-19218A078ECA}\stubpath = "C:\\Windows\\{F690DC42-E931-4306-8432-19218A078ECA}.exe"	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}\stubpath = "C:\\Windows\\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe"	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe
3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe
4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe
992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
4412	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
4356	{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F690DC42-E931-4306-8432-19218A078ECA}.exe	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
File created	C:\Windows\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	{F690DC42-E931-4306-8432-19218A078ECA}.exe
File created	C:\Windows\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
File created	C:\Windows\{CD358954-447E-4582-8993-C19ED7CC6554}.exe	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
File created	C:\Windows\{AC79A317-3403-4f89-962E-099E632471D0}.exe	{768B1230-A3F7-4888-A552-F699124733DC}.exe
File created	C:\Windows\{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	{AC79A317-3403-4f89-962E-099E632471D0}.exe
File created	C:\Windows\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
File created	C:\Windows\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
File created	C:\Windows\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
File created	C:\Windows\{768B1230-A3F7-4888-A552-F699124733DC}.exe	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
File created	C:\Windows\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
File created	C:\Windows\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC79A317-3403-4f89-962E-099E632471D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{768B1230-A3F7-4888-A552-F699124733DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F690DC42-E931-4306-8432-19218A078ECA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe
Token: SeIncBasePriorityPrivilege	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe
Token: SeIncBasePriorityPrivilege	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe
Token: SeIncBasePriorityPrivilege	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
Token: SeIncBasePriorityPrivilege	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
Token: SeIncBasePriorityPrivilege	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe
Token: SeIncBasePriorityPrivilege	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
Token: SeIncBasePriorityPrivilege	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
Token: SeIncBasePriorityPrivilege	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
Token: SeIncBasePriorityPrivilege	2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
Token: SeIncBasePriorityPrivilege	4412	{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4856	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	99
PID 2824 wrote to memory of 4856	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	99
PID 2824 wrote to memory of 4856	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	99
PID 2824 wrote to memory of 4448	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	100
PID 2824 wrote to memory of 4448	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	100
PID 2824 wrote to memory of 4448	2824	2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe	100
PID 4856 wrote to memory of 2540	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	101
PID 4856 wrote to memory of 2540	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	101
PID 4856 wrote to memory of 2540	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	101
PID 4856 wrote to memory of 1244	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	102
PID 4856 wrote to memory of 1244	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	102
PID 4856 wrote to memory of 1244	4856	{CD358954-447E-4582-8993-C19ED7CC6554}.exe	102
PID 2540 wrote to memory of 3532	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	107
PID 2540 wrote to memory of 3532	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	107
PID 2540 wrote to memory of 3532	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	107
PID 2540 wrote to memory of 4724	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	108
PID 2540 wrote to memory of 4724	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	108
PID 2540 wrote to memory of 4724	2540	{768B1230-A3F7-4888-A552-F699124733DC}.exe	108
PID 3532 wrote to memory of 4608	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	109
PID 3532 wrote to memory of 4608	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	109
PID 3532 wrote to memory of 4608	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	109
PID 3532 wrote to memory of 3692	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	110
PID 3532 wrote to memory of 3692	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	110
PID 3532 wrote to memory of 3692	3532	{AC79A317-3403-4f89-962E-099E632471D0}.exe	110
PID 4608 wrote to memory of 4832	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	111
PID 4608 wrote to memory of 4832	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	111
PID 4608 wrote to memory of 4832	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	111
PID 4608 wrote to memory of 4488	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	112
PID 4608 wrote to memory of 4488	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	112
PID 4608 wrote to memory of 4488	4608	{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe	112
PID 4832 wrote to memory of 3888	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	114
PID 4832 wrote to memory of 3888	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	114
PID 4832 wrote to memory of 3888	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	114
PID 4832 wrote to memory of 3776	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	115
PID 4832 wrote to memory of 3776	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	115
PID 4832 wrote to memory of 3776	4832	{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe	115
PID 3888 wrote to memory of 992	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	116
PID 3888 wrote to memory of 992	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	116
PID 3888 wrote to memory of 992	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	116
PID 3888 wrote to memory of 3872	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	117
PID 3888 wrote to memory of 3872	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	117
PID 3888 wrote to memory of 3872	3888	{F690DC42-E931-4306-8432-19218A078ECA}.exe	117
PID 992 wrote to memory of 2248	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	123
PID 992 wrote to memory of 2248	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	123
PID 992 wrote to memory of 2248	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	123
PID 992 wrote to memory of 2400	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	124
PID 992 wrote to memory of 2400	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	124
PID 992 wrote to memory of 2400	992	{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe	124
PID 2248 wrote to memory of 4424	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	129
PID 2248 wrote to memory of 4424	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	129
PID 2248 wrote to memory of 4424	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	129
PID 2248 wrote to memory of 3956	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	130
PID 2248 wrote to memory of 3956	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	130
PID 2248 wrote to memory of 3956	2248	{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe	130
PID 4424 wrote to memory of 2140	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	131
PID 4424 wrote to memory of 2140	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	131
PID 4424 wrote to memory of 2140	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	131
PID 4424 wrote to memory of 2864	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	132
PID 4424 wrote to memory of 2864	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	132
PID 4424 wrote to memory of 2864	4424	{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe	132
PID 2140 wrote to memory of 4412	2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe	133
PID 2140 wrote to memory of 4412	2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe	133
PID 2140 wrote to memory of 4412	2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe	133
PID 2140 wrote to memory of 1672	2140	{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_9bd6cbaf6a2aa3bc6d82363ab612c717_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\{CD358954-447E-4582-8993-C19ED7CC6554}.exe
  C:\Windows\{CD358954-447E-4582-8993-C19ED7CC6554}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\{768B1230-A3F7-4888-A552-F699124733DC}.exe
    C:\Windows\{768B1230-A3F7-4888-A552-F699124733DC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{AC79A317-3403-4f89-962E-099E632471D0}.exe
      C:\Windows\{AC79A317-3403-4f89-962E-099E632471D0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
        
        C:\Windows\{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
        
        C:\Windows\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{F690DC42-E931-4306-8432-19218A078ECA}.exe
        
        C:\Windows\{F690DC42-E931-4306-8432-19218A078ECA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
        
        C:\Windows\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
        
        C:\Windows\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
        
        C:\Windows\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
        
        C:\Windows\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
        
        C:\Windows\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe
        
        C:\Windows\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC3FD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6726~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA67~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A823~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E85D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F690D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A6F7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06BCF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC79A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{768B1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD358~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06BCF2B5-601C-40ec-AF48-C272E870F27C}.exe

Filesize
408KB

MD5
fb27cf77ad658a3ab899a266c02616f6

SHA1
a42f8fe0a86617027ab7ac6bdeee04ec33ba84c5

SHA256
2ce9b130a5bd3e5b7e2bc0571310c1efe19f68d42bb45b3732d4e20b111215a4

SHA512
2a56f17873b2cfadd9dc7de4851988cf2a2c772d1d98fb3506da67848ee67c23e2f7e812613feb900863cbfc146b605120b0a9d8b3cb90d3047bc6c605cc4c4e

Download Submit
C:\Windows\{1EA67351-E58E-485f-9B95-3EB00D50DDD6}.exe

Filesize
408KB

MD5
e83760e694ccfe700b74074332ff5396

SHA1
39e65bf1184f497242724c1640e3fe646942f652

SHA256
178e3cb3bccfc79f9e00c03f5d01569d0dd3e33a2a94dbe9302f22ba187bf921

SHA512
5356bca5830c78dc75a609c923c663b5a6bc08cc59013984f8979d5ffa9ab79a9187be91b4f913f4bf60c539e2e1a12dc282990e0c912c62571bcd60b8c2a5a6

Download Submit
C:\Windows\{2A6F7F40-AB2F-40bb-8695-824FFD9BE2B6}.exe

Filesize
408KB

MD5
9c0d27bc3ae4224cc308a06a32ba0aa7

SHA1
b73adc594eb04c7d155c4b58652ed743b98a0f80

SHA256
a0c4938825edeb36f056ef9d4916b746be0c99c9a2fb0642e32c643476bd1843

SHA512
56457409da143eb029d7f50713b658d8b103e999047b809e67d4b7676df94fd51225cd190646eb3c6b144276fdd0231277487828e5284ea8f0a0e3dacf63e1f3

Download Submit
C:\Windows\{4E85D2C2-8DC5-4d7c-B7C5-FB0C6744E33E}.exe

Filesize
408KB

MD5
6feaced591f01bec33c1ae48e4b343b8

SHA1
5e2b14b223fcfc72ba35564367b873ab698a2758

SHA256
1c04f8e06afbf30643c9250f552bd9510ea31a9dffbfc623269161f3d9a19507

SHA512
c89ce16aabd5ba039f4a8349db5af6715f0213eb434775adb0d0963e10296d513278d1096ea966d7905f2e7c5c59694a56eac9fba8cb466c9c71976c7db946ea

Download Submit
C:\Windows\{5A823B38-9A19-4d2d-ACAF-F5B56F27C252}.exe

Filesize
408KB

MD5
efa9966d45bd32c84b048e4597ce40a9

SHA1
0217ae2f9beb58072b0f60587f362cda7d89b248

SHA256
ab57e7f8248d4d07066cebcd544214172d1ddc0ff9a7fd45a6095cef60a30c59

SHA512
a4755732c3ff8c32a771102df5296b8d23f7dfeadb051d16d4819e6660b223ef96c80f6915208c2086f645266bf06ed6c5ec0c0062080d3bd5821271fc4f644d

Download Submit
C:\Windows\{768B1230-A3F7-4888-A552-F699124733DC}.exe

Filesize
408KB

MD5
1d4b28d805cab3981bfb9e9c70924d93

SHA1
27072b663ef9c855b0fe01db813abe1177857cff

SHA256
229e9b36ad434e4f9fdeaf247abe8c3c188e049929eb0be5495cad8964db9b0a

SHA512
bc58b462d2de02bb0f12f2c00284d93c3975c27096e0eab8f9ab04f0cad183ce1ac8d31af88194022209d92bcc33292ea16390d9acdfdba04ea83b80bdfd7ea2

Download Submit
C:\Windows\{AC79A317-3403-4f89-962E-099E632471D0}.exe

Filesize
408KB

MD5
3eb457fd1915afeb633dccc1b92b4d51

SHA1
ec8a715e6582c46f9bf91af78539b61b56bc11b7

SHA256
ce6420591b096c19947f1df896e7f010cd9053d3af1752f261e18b7bde6913f2

SHA512
3833b8166f22356a745854052d6adf892f37e4f162b3f6f719db2f7abfe679c5be9bc3ae580f13aab02672a843774cfb359f260cff067a3a310dc1028bf4f340

Download Submit
C:\Windows\{CC3FDF12-DA92-40c9-B82B-5F3158107DD0}.exe

Filesize
408KB

MD5
1cfc12abd9dab9b791949a64cc39890f

SHA1
28573b0572e889ea9801af48849dbccf790b1540

SHA256
365bff946f8beda431afcc3955bd31248cd7f3d4eccef9d4d7b765de068b60d2

SHA512
06b7e9f84586e2ff287880fedaa2550ddd0bdf2e5c160a7040beaa343b64235210089a0ed4a7c189cfe8beb045940c7a36411fc5976bdf6266bfdb4cca34b9cf

Download Submit
C:\Windows\{CD358954-447E-4582-8993-C19ED7CC6554}.exe

Filesize
408KB

MD5
5d3902f439861d289fa9bc435c8f5805

SHA1
ddc7a631e63190b7e58a2ffa439c29d0a977716d

SHA256
8c6a7cd3d51d31115c07b015f9d9a147d31dee517371bd08dbb6a15b7a45215d

SHA512
3588f28a1b14631b051710222570df931ef9034d1025c2d4609feb024b4adafeab81d398c1abf6a2e470c9aa8c9f9d28dd9843f21eb460dc9c9b197174447121

Download Submit
C:\Windows\{E61BCCC4-4B71-4a11-B36F-D0E85F1E87C0}.exe

Filesize
408KB

MD5
b7b665c5f625788ad270989af207c501

SHA1
c08dbd68980a55fc88468c8c9717d0cd38a0ad7d

SHA256
1ead9f848345ff3e54eeedcd675e484d23b3364a886549dda69ab4198299650a

SHA512
bcad73f884b1e539e98f9ef9fdb019e25cdb809219cc8e9d689f641fbf7cb9ad0c204884ccf4f1852d4f1af3c1f2a14ce19b99df28707833436745caf2380e3d

Download Submit
C:\Windows\{F6726153-3B0F-4a15-B896-30E81DA6BDA3}.exe

Filesize
408KB

MD5
7b0718cb0ffae22c7459a6b1bec9e4bc

SHA1
588eba41880dddac1f5360a98201d84372418279

SHA256
cf61e9d5aeb13f46ce56b4e8c2a2a700b324cf44bd83672050ca4a1317244acf

SHA512
c99d3270a37352893e3961806c785c663dd5e065a04297da40f813b0eee12b1bf3b0d0a249c332b10e6fd3557677efd55af3c2c63d12a469f57cd8f02720a55e

Download Submit
C:\Windows\{F690DC42-E931-4306-8432-19218A078ECA}.exe

Filesize
408KB

MD5
d6ceb0ef220e332a21a691f4c0137c4c

SHA1
0647a70c4478792e85c6e24d9e931577841f49a6

SHA256
4f3026daa56ef2a59621484c643282fc6fce52863263f19882934e007561400c

SHA512
96d9b119b08b9e4ac039aed94ea15cd6d14601fb5545ce792a6e66a311e0ec6ff51b80bf5124d340f374069ac58a615cee5f7e7ee90f9a6795cb1b5ee3a1c70f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads