3713d713584f6daff65e9cd220f01dd50d3e19b4013a7cb364bd9d4c03d6b4e4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
Size

408KB
MD5

fb7a014ccb227a9f8fc425ea6808aa92
SHA1

47c326bf0113753975bd64acd139574f51048943
SHA256

3713d713584f6daff65e9cd220f01dd50d3e19b4013a7cb364bd9d4c03d6b4e4
SHA512

49851bcd41c5ba81d790821a2bc02e0f45ed5d974b6f4f92146cc1c46d623d8095adddb8f450bbda3ea9154adea7fd3765ff32ce118ec935e5ff7922d7637608
SSDEEP

3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}\stubpath = "C:\\Windows\\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe"	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}\stubpath = "C:\\Windows\\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe"	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}\stubpath = "C:\\Windows\\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe"	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}\stubpath = "C:\\Windows\\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe"	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D6918A-8558-433b-B17B-E0FACDF47798}	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A774860-574A-4bac-A560-056153816336}\stubpath = "C:\\Windows\\{0A774860-574A-4bac-A560-056153816336}.exe"	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21EA190-B528-472b-BE8B-31734F304D9C}	{0A774860-574A-4bac-A560-056153816336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}\stubpath = "C:\\Windows\\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe"	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28CE91B-466E-44e6-A868-B20E4F244246}\stubpath = "C:\\Windows\\{D28CE91B-466E-44e6-A868-B20E4F244246}.exe"	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21EA190-B528-472b-BE8B-31734F304D9C}\stubpath = "C:\\Windows\\{C21EA190-B528-472b-BE8B-31734F304D9C}.exe"	{0A774860-574A-4bac-A560-056153816336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}\stubpath = "C:\\Windows\\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe"	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D6918A-8558-433b-B17B-E0FACDF47798}\stubpath = "C:\\Windows\\{09D6918A-8558-433b-B17B-E0FACDF47798}.exe"	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}\stubpath = "C:\\Windows\\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe"	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}\stubpath = "C:\\Windows\\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe"	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28CE91B-466E-44e6-A868-B20E4F244246}	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A774860-574A-4bac-A560-056153816336}	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe

Executes dropped EXE 12 IoCs

pid	Process
4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
4232	{0A774860-574A-4bac-A560-056153816336}.exe
4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
4988	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
4576	{09D6918A-8558-433b-B17B-E0FACDF47798}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
File created	C:\Windows\{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	{0A774860-574A-4bac-A560-056153816336}.exe
File created	C:\Windows\{09D6918A-8558-433b-B17B-E0FACDF47798}.exe	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
File created	C:\Windows\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
File created	C:\Windows\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
File created	C:\Windows\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
File created	C:\Windows\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
File created	C:\Windows\{0A774860-574A-4bac-A560-056153816336}.exe	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
File created	C:\Windows\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
File created	C:\Windows\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
File created	C:\Windows\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
File created	C:\Windows\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09D6918A-8558-433b-B17B-E0FACDF47798}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A774860-574A-4bac-A560-056153816336}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
Token: SeIncBasePriorityPrivilege	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
Token: SeIncBasePriorityPrivilege	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
Token: SeIncBasePriorityPrivilege	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
Token: SeIncBasePriorityPrivilege	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
Token: SeIncBasePriorityPrivilege	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
Token: SeIncBasePriorityPrivilege	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
Token: SeIncBasePriorityPrivilege	4232	{0A774860-574A-4bac-A560-056153816336}.exe
Token: SeIncBasePriorityPrivilege	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
Token: SeIncBasePriorityPrivilege	3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
Token: SeIncBasePriorityPrivilege	4988	{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4592	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	94
PID 540 wrote to memory of 4592	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	94
PID 540 wrote to memory of 4592	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	94
PID 540 wrote to memory of 2008	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	95
PID 540 wrote to memory of 2008	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	95
PID 540 wrote to memory of 2008	540	2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe	95
PID 4592 wrote to memory of 1356	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	96
PID 4592 wrote to memory of 1356	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	96
PID 4592 wrote to memory of 1356	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	96
PID 4592 wrote to memory of 3536	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	97
PID 4592 wrote to memory of 3536	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	97
PID 4592 wrote to memory of 3536	4592	{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe	97
PID 1356 wrote to memory of 4216	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	102
PID 1356 wrote to memory of 4216	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	102
PID 1356 wrote to memory of 4216	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	102
PID 1356 wrote to memory of 4916	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	103
PID 1356 wrote to memory of 4916	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	103
PID 1356 wrote to memory of 4916	1356	{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe	103
PID 4216 wrote to memory of 2584	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	104
PID 4216 wrote to memory of 2584	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	104
PID 4216 wrote to memory of 2584	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	104
PID 4216 wrote to memory of 3472	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	105
PID 4216 wrote to memory of 3472	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	105
PID 4216 wrote to memory of 3472	4216	{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe	105
PID 2584 wrote to memory of 4576	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	106
PID 2584 wrote to memory of 4576	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	106
PID 2584 wrote to memory of 4576	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	106
PID 2584 wrote to memory of 1016	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	107
PID 2584 wrote to memory of 1016	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	107
PID 2584 wrote to memory of 1016	2584	{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe	107
PID 4576 wrote to memory of 4384	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	109
PID 4576 wrote to memory of 4384	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	109
PID 4576 wrote to memory of 4384	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	109
PID 4576 wrote to memory of 4536	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	110
PID 4576 wrote to memory of 4536	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	110
PID 4576 wrote to memory of 4536	4576	{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe	110
PID 4384 wrote to memory of 1644	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	111
PID 4384 wrote to memory of 1644	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	111
PID 4384 wrote to memory of 1644	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	111
PID 4384 wrote to memory of 636	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	112
PID 4384 wrote to memory of 636	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	112
PID 4384 wrote to memory of 636	4384	{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe	112
PID 1644 wrote to memory of 4232	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	115
PID 1644 wrote to memory of 4232	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	115
PID 1644 wrote to memory of 4232	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	115
PID 1644 wrote to memory of 2744	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	116
PID 1644 wrote to memory of 2744	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	116
PID 1644 wrote to memory of 2744	1644	{D28CE91B-466E-44e6-A868-B20E4F244246}.exe	116
PID 4232 wrote to memory of 4404	4232	{0A774860-574A-4bac-A560-056153816336}.exe	122
PID 4232 wrote to memory of 4404	4232	{0A774860-574A-4bac-A560-056153816336}.exe	122
PID 4232 wrote to memory of 4404	4232	{0A774860-574A-4bac-A560-056153816336}.exe	122
PID 4232 wrote to memory of 4028	4232	{0A774860-574A-4bac-A560-056153816336}.exe	123
PID 4232 wrote to memory of 4028	4232	{0A774860-574A-4bac-A560-056153816336}.exe	123
PID 4232 wrote to memory of 4028	4232	{0A774860-574A-4bac-A560-056153816336}.exe	123
PID 4404 wrote to memory of 3648	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	124
PID 4404 wrote to memory of 3648	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	124
PID 4404 wrote to memory of 3648	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	124
PID 4404 wrote to memory of 4832	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	125
PID 4404 wrote to memory of 4832	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	125
PID 4404 wrote to memory of 4832	4404	{C21EA190-B528-472b-BE8B-31734F304D9C}.exe	125
PID 3648 wrote to memory of 4988	3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe	126
PID 3648 wrote to memory of 4988	3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe	126
PID 3648 wrote to memory of 4988	3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe	126
PID 3648 wrote to memory of 2720	3648	{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
  C:\Windows\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
    C:\Windows\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
      C:\Windows\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
        
        C:\Windows\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
        
        C:\Windows\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
        
        C:\Windows\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
        
        C:\Windows\{D28CE91B-466E-44e6-A868-B20E4F244246}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{0A774860-574A-4bac-A560-056153816336}.exe
        
        C:\Windows\{0A774860-574A-4bac-A560-056153816336}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
        
        C:\Windows\{C21EA190-B528-472b-BE8B-31734F304D9C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
        
        C:\Windows\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
        
        C:\Windows\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\{09D6918A-8558-433b-B17B-E0FACDF47798}.exe
        
        C:\Windows\{09D6918A-8558-433b-B17B-E0FACDF47798}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C9E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFFBD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21EA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A774~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D28CE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FEDE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE39~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB10C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{708D1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D045E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB20F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09D6918A-8558-433b-B17B-E0FACDF47798}.exe

Filesize
408KB

MD5
682927fde2792f8d1f3a5ff592f9c91e

SHA1
f67f615e987558bca240c88f45bf722348ed9dc8

SHA256
b9730ad3344ccda22566d4f376e53286a2b4cb1b344a62810ed069f1f73614cf

SHA512
05ea27cf0afcb32a13dd49d15f53ef904018287a89feb3b19dfbbbe1f743ad57afdad06a7448b1ba9b6c0234f29da076165a51fb5ca3516905789502bbedd987

Download Submit
C:\Windows\{0A774860-574A-4bac-A560-056153816336}.exe

Filesize
408KB

MD5
216602150218c5eafb92e25d7f0bb952

SHA1
ab5ffb6cd5cce07af9761bdcb3eac8c2db2b9a1d

SHA256
4fa68caa4112880e630747418419051ed0c6f4e1ee567146a3efd1697537ff8e

SHA512
49f2501b82881f613b14d2e7d27adf56c14155e1d58abc6a635079dbb53c47d73a874bf07214101e30aa4170d2676dc7bbdf5ff856341f02539f41fb35242e20

Download Submit
C:\Windows\{2FEDE442-A5F9-4dfd-A86A-6EDAEE1F2AD4}.exe

Filesize
408KB

MD5
6331735940beed4980d8dd7405f54f76

SHA1
a3f8422a7e59f5d24601f64f6b708809349a07a3

SHA256
b19c05a68d7f463d41edb85b6f8f642ff7060a09201e6ffd07f152b0c06cc162

SHA512
1b22abfe069b21404d24b51aa8d9c26f3604c7d75aff7c3de7274b18896a8692f1019021d35dd2c5ea32f86413b55c169e998da2f6e6d927e76407961db62132

Download Submit
C:\Windows\{708D1A3E-1667-4cc7-8835-933C4ECDC5AF}.exe

Filesize
408KB

MD5
c4b4acc6da935fdf477aa020fa851676

SHA1
5d7bfab11cb9c92a4a72b12ad72dd1efbd56691e

SHA256
9c8959f71584fd2935a7d29957df021d754bf24a7fb54effd09958084fb19a68

SHA512
ed139a2d10ac56f9043402dfa7384940e363d4784e9756d5d179e054d94bcb91b663f1dde966b96f5c3be12b2e509c4bfe86468a75dffca25de437588ffb6169

Download Submit
C:\Windows\{9BE39154-1E24-479d-A4BD-51C13D60CA5C}.exe

Filesize
408KB

MD5
7e8a736f5adce74d049c68a61ae43aad

SHA1
f1f96fdd70ede9a002e15d3a8522af1e5d6ff77c

SHA256
60632e6908da981d5895a78164ed85b21e5d65e193cdded90f4c0343ab234164

SHA512
424af2e13634eb38ad4a0961dfd3b203c21f312e252ed8cb0620fa136b48a2e76ffe5ecedb3b30bcf8e0e48929f52ed02fbb729e1f0b6a3b595f09b87cbaf82f

Download Submit
C:\Windows\{AFFBDAB9-7213-44ac-8B52-C8F0ACCA9596}.exe

Filesize
408KB

MD5
a6e43b0899a5f1909e01685ac50fb019

SHA1
8836e8325e02c8a53fe29f00afefda96db8c57bf

SHA256
fb81525067a7646b375f406c6b057728e5dc2048ea6fa8b6ebfb2572eab91165

SHA512
4a95f5c11a9757198770cb2c6402d15b09654bc56ea73ec89edb3989d5803b3f18b4613049d8e4f13c596e4011c2b35f4a269e38224006584d842d012775a151

Download Submit
C:\Windows\{C21EA190-B528-472b-BE8B-31734F304D9C}.exe

Filesize
408KB

MD5
35544c34b38af55c7de1475648cc73c5

SHA1
2ed925b215dcb8901bc00f44d6618addeff6fa58

SHA256
214c9e688935ff44484c9991674c845750af5812def343538cbd500795a6bf49

SHA512
04b3a473ea4c553c63b30537c7782a8722fc8cb6357a7cfa79901c2f8fe418324405c9655a3bc8678b3399990dbe8da76f87311d0d5abe5b894ba69b86c14bcf

Download Submit
C:\Windows\{CB10C8CC-235E-4670-87C4-2AC46E9BBDED}.exe

Filesize
408KB

MD5
8760e7e5b32abf80aad6d7dab1b36873

SHA1
5b38043ceb1e03a5ea9d427d658d77e1773de26d

SHA256
7022185ef749e47462ddec016d95bda23bd9194e7c4e542f88fc24698765e037

SHA512
3e6fc1d1a4dd9e9a2abd93d942cbf37fc5002456380eb919e09efc0e95e56de38a1ea2840b539e7620b80973d8b7ec649f61d9623b65be692d625138236a5a86

Download Submit
C:\Windows\{D045E048-6A1D-449a-A4FD-C932B9E2EEFA}.exe

Filesize
408KB

MD5
87129918cfaffcee8dcb00cfd519ec7a

SHA1
2600015b0ea6a13e60f592c7627380c8100e77d7

SHA256
2477428790f3dabbc6536b97836e0650081c363340ee116559df879de8638ec6

SHA512
f4477746061af043007ec4ca16714985c1d92c3a9f0ec5fa21d725edb4e05fac06d030a5e310da21486ceefa79455e9d6ff4273c51c3a14909cd0777c723e3e7

Download Submit
C:\Windows\{D28CE91B-466E-44e6-A868-B20E4F244246}.exe

Filesize
408KB

MD5
80c2c86270f8dacf118db3cb45fa3813

SHA1
2c0881fa802da0efd165981afa22f4fa33f0252f

SHA256
b892ca81481f50d3a6600a44caa6eab78feabcab70bdb0d6f9064c2502851383

SHA512
52930676fa760d8ac2f18355f89b8a1ee1cddc81c27df734d4882e68aa1c084d558ceb0bac0e1af8c115387f72c3475b918d98f174320cf0c8a5eb4b4fb1f8ea

Download Submit
C:\Windows\{DB20F9E1-9880-41fd-A4B8-2CD61AB68BF2}.exe

Filesize
408KB

MD5
55c32047db60fbbceea2e68124018109

SHA1
3f78eace1ae15180b208bd8cd2fd60d0c0390ca2

SHA256
18a790d162f9e73bfe8aacfde71fcd0d54f9608c9e6acb2c03ea52496e402e9b

SHA512
8f4c0000dbcaa0ba392c8df11656b2c8069bf731ff236876e8573329cf36fb6c21596133d69c20dec926cb6e71af97a4b37195d89a82fdc2ee3687af088ac201

Download Submit
C:\Windows\{F1C9E1D9-E2ED-4195-A2CA-CF9142E1DA45}.exe

Filesize
408KB

MD5
44830da513680f2b5c3f13a5bb3c31eb

SHA1
b5fd3ecdd88cf7ecac146d0b9caffa912e6a7939

SHA256
51aba62ceb1cfcb21be6a65b0ab6f87c3be7ca5b4f4731de728803cd6e0d27a3

SHA512
e9d43d1690ed788ee72dda04abd9228e0e7595a89ae3568d7d9f6cee1912436c4318cdab813e7611d33096785e296289b3a2379a2e50dc031c360b5f15fe47b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads