798279cd9b40881770fb830dedad8b8a67ae363077969c94b07931c89f9fcd59

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
Size

197KB
MD5

4a9ce7d3fb2debcf17f5b177268f9250
SHA1

8082b7ec27208104022ba6e32adf58ac7d5256b0
SHA256

798279cd9b40881770fb830dedad8b8a67ae363077969c94b07931c89f9fcd59
SHA512

e4925014e63a1c843325a88c957c49933784c3e7c4386c2e452c488b7a316a50f63e0e3a9dceb8f97b711ddb897a5b31a706a0a783161c6b38926a85a2ffe6a9
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGYlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43E4C57-9415-4051-87EE-15B81F2D7A23}	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F139A741-C8A2-4bd2-8297-3496D69993BA}	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061498EB-F2DF-4178-A697-329E366D4957}	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDB8335-A47A-4d15-B691-E6BFB503638F}\stubpath = "C:\\Windows\\{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe"	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A50DEF5-4672-4152-A51B-F26E6744878B}\stubpath = "C:\\Windows\\{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe"	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}\stubpath = "C:\\Windows\\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe"	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}\stubpath = "C:\\Windows\\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe"	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A50DEF5-4672-4152-A51B-F26E6744878B}	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C717C496-0758-4369-8B51-CA2D7FE5B370}	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061498EB-F2DF-4178-A697-329E366D4957}\stubpath = "C:\\Windows\\{061498EB-F2DF-4178-A697-329E366D4957}.exe"	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}\stubpath = "C:\\Windows\\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe"	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43E4C57-9415-4051-87EE-15B81F2D7A23}\stubpath = "C:\\Windows\\{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe"	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F139A741-C8A2-4bd2-8297-3496D69993BA}\stubpath = "C:\\Windows\\{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe"	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}\stubpath = "C:\\Windows\\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe"	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C717C496-0758-4369-8B51-CA2D7FE5B370}\stubpath = "C:\\Windows\\{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe"	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}	{061498EB-F2DF-4178-A697-329E366D4957}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}\stubpath = "C:\\Windows\\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe"	{061498EB-F2DF-4178-A697-329E366D4957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDB8335-A47A-4d15-B691-E6BFB503638F}	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D1B62CB-E080-448c-8222-7B62C5F50002}\stubpath = "C:\\Windows\\{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe"	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D1B62CB-E080-448c-8222-7B62C5F50002}	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe

Executes dropped EXE 12 IoCs

pid	Process
2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe
4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
788	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
2744	{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{061498EB-F2DF-4178-A697-329E366D4957}.exe	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
File created	C:\Windows\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	{061498EB-F2DF-4178-A697-329E366D4957}.exe
File created	C:\Windows\{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
File created	C:\Windows\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
File created	C:\Windows\{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
File created	C:\Windows\{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
File created	C:\Windows\{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
File created	C:\Windows\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
File created	C:\Windows\{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
File created	C:\Windows\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
File created	C:\Windows\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
File created	C:\Windows\{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{061498EB-F2DF-4178-A697-329E366D4957}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
Token: SeIncBasePriorityPrivilege	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
Token: SeIncBasePriorityPrivilege	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
Token: SeIncBasePriorityPrivilege	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
Token: SeIncBasePriorityPrivilege	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
Token: SeIncBasePriorityPrivilege	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
Token: SeIncBasePriorityPrivilege	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
Token: SeIncBasePriorityPrivilege	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe
Token: SeIncBasePriorityPrivilege	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
Token: SeIncBasePriorityPrivilege	3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
Token: SeIncBasePriorityPrivilege	788	{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2932	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	86
PID 1448 wrote to memory of 2932	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	86
PID 1448 wrote to memory of 2932	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	86
PID 1448 wrote to memory of 3052	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	87
PID 1448 wrote to memory of 3052	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	87
PID 1448 wrote to memory of 3052	1448	2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe	87
PID 2932 wrote to memory of 628	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	91
PID 2932 wrote to memory of 628	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	91
PID 2932 wrote to memory of 628	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	91
PID 2932 wrote to memory of 1736	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	92
PID 2932 wrote to memory of 1736	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	92
PID 2932 wrote to memory of 1736	2932	{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe	92
PID 628 wrote to memory of 1396	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	95
PID 628 wrote to memory of 1396	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	95
PID 628 wrote to memory of 1396	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	95
PID 628 wrote to memory of 532	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	96
PID 628 wrote to memory of 532	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	96
PID 628 wrote to memory of 532	628	{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe	96
PID 1396 wrote to memory of 1900	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	97
PID 1396 wrote to memory of 1900	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	97
PID 1396 wrote to memory of 1900	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	97
PID 1396 wrote to memory of 4728	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	98
PID 1396 wrote to memory of 4728	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	98
PID 1396 wrote to memory of 4728	1396	{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe	98
PID 1900 wrote to memory of 3880	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	99
PID 1900 wrote to memory of 3880	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	99
PID 1900 wrote to memory of 3880	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	99
PID 1900 wrote to memory of 2312	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	100
PID 1900 wrote to memory of 2312	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	100
PID 1900 wrote to memory of 2312	1900	{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe	100
PID 3880 wrote to memory of 4876	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	101
PID 3880 wrote to memory of 4876	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	101
PID 3880 wrote to memory of 4876	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	101
PID 3880 wrote to memory of 1284	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	102
PID 3880 wrote to memory of 1284	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	102
PID 3880 wrote to memory of 1284	3880	{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe	102
PID 4876 wrote to memory of 4588	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	103
PID 4876 wrote to memory of 4588	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	103
PID 4876 wrote to memory of 4588	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	103
PID 4876 wrote to memory of 400	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	104
PID 4876 wrote to memory of 400	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	104
PID 4876 wrote to memory of 400	4876	{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe	104
PID 4588 wrote to memory of 4332	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	105
PID 4588 wrote to memory of 4332	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	105
PID 4588 wrote to memory of 4332	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	105
PID 4588 wrote to memory of 1428	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	106
PID 4588 wrote to memory of 1428	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	106
PID 4588 wrote to memory of 1428	4588	{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe	106
PID 4332 wrote to memory of 4356	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	107
PID 4332 wrote to memory of 4356	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	107
PID 4332 wrote to memory of 4356	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	107
PID 4332 wrote to memory of 4380	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	108
PID 4332 wrote to memory of 4380	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	108
PID 4332 wrote to memory of 4380	4332	{061498EB-F2DF-4178-A697-329E366D4957}.exe	108
PID 4356 wrote to memory of 3560	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	109
PID 4356 wrote to memory of 3560	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	109
PID 4356 wrote to memory of 3560	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	109
PID 4356 wrote to memory of 1808	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	110
PID 4356 wrote to memory of 1808	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	110
PID 4356 wrote to memory of 1808	4356	{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe	110
PID 3560 wrote to memory of 788	3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe	111
PID 3560 wrote to memory of 788	3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe	111
PID 3560 wrote to memory of 788	3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe	111
PID 3560 wrote to memory of 112	3560	{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-11_4a9ce7d3fb2debcf17f5b177268f9250_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
  C:\Windows\{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
    C:\Windows\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
      C:\Windows\{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
        
        C:\Windows\{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
        
        C:\Windows\{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
        
        C:\Windows\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
        
        C:\Windows\{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{061498EB-F2DF-4178-A697-329E366D4957}.exe
        
        C:\Windows\{061498EB-F2DF-4178-A697-329E366D4957}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
        
        C:\Windows\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
        
        C:\Windows\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
        
        C:\Windows\{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe
        
        C:\Windows\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D1B6~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1A0A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FC1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06149~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C717C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E916B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F139A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F43E4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDB8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B84C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A50D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{061498EB-F2DF-4178-A697-329E366D4957}.exe

Filesize
197KB

MD5
c407aba295dd0acf3afe91ac7d8be66d

SHA1
2267efe3e91a7cf6c3470050ea7d5d7ec935143c

SHA256
9f23a4158e21159f901f9268ac0f692e533f1049a184fafbdd758beacd1a02c3

SHA512
e667240c175ca25bc7b9d99fd874950b673919c7f363f4a3862b499bacc9451534a9bdaffa448966087f9afdbe5e7879f4aeb5341ae9a58dd3833f366c96dd3a

Download Submit
C:\Windows\{0B84C016-C42D-4e2a-8A30-251F10DE4E38}.exe

Filesize
197KB

MD5
bdc8ada708035eca227c1eeeb1d0cdb3

SHA1
a5540374af0ae27f76990f59844eaf8bf630c4d2

SHA256
43b738c1e37d06a84ce82ec84244b80c1339565c9a2ed9bd641fa588f4c438a7

SHA512
6c6c2ae510e25ee33a84d88f9f76a9d22e5cfe8da05e023b127f14716e9b2c2d30ecd46f6f0fb7f03244b5c8b7158809c67a968cf62aafb0ec7748b42358d890

Download Submit
C:\Windows\{3F67CE33-18D2-4896-8A15-9FA66F8A5162}.exe

Filesize
197KB

MD5
8eb53234b6f9c2199d98f7458edbaccc

SHA1
bef04e36e6717a5a74ebdf7cc4c4444bdac5ca04

SHA256
8a69ac0b0ab17b1b05160d7a666857db3116e88c1f4ec3ecdaf02dfebc95b11b

SHA512
2d659aeb7fd25e3f029211609884417c14a84b8af923cfae74243e5547569b92b4238b3a6ef6d4f4af775ac4d903f038e75b662020846239b5c05fd8d4d22483

Download Submit
C:\Windows\{5A50DEF5-4672-4152-A51B-F26E6744878B}.exe

Filesize
197KB

MD5
3b587d505c6fcc9d11e8d8e157f373aa

SHA1
4b36056f8fd955c49189b00758bc7af436890a17

SHA256
640bd45e51ed281f8f17207690bb1580263a9f67c341d6be0d70d7c3923c7cbe

SHA512
bad2281617b9ba0c8cce7ebc787b4adfd08ff3da64d21b5376cd0769e03d0c246c4a5e9b30eb5f55803b6d3d7a33e847d9884b901467a26642766f7734dcbed8

Download Submit
C:\Windows\{5D1B62CB-E080-448c-8222-7B62C5F50002}.exe

Filesize
197KB

MD5
c9a9ff95dfd61970e53d2b4b627957d8

SHA1
15562599a2e5d42bb4a493cb0cc4f769cebeb59a

SHA256
77b694bf6253c338e4fceed89372d820e4f2467aa3e5bba263ec7da6181cf3f0

SHA512
27d2ff2c5b4304b773f49f282156ec2d7c0c30349751ba755ef5695639eba819356d833b5978c351a20d6f9c710335c91ffff452a52a88e024582fa18f41a6aa

Download Submit
C:\Windows\{5DDB8335-A47A-4d15-B691-E6BFB503638F}.exe

Filesize
197KB

MD5
98548257745743073fd792eeb8582fd3

SHA1
0a71d5b445d774479d9bd9619855825be6946957

SHA256
1d680343f62343da01cf4ab1d264302a6e274a3427017de2592392ba34b2d84d

SHA512
0f98b29c7f0bab57fee668e1a6092373aa6c794623640f3f81af929df6020865daf4f2691c85fb499160f72b24bcbf6a238d5e8a1dc5cd2e410d27681265e788

Download Submit
C:\Windows\{A5FC1972-F6CE-4676-B042-51825E0AA0F2}.exe

Filesize
197KB

MD5
e1c6f3b842ec42d4d9c5b51825053dc4

SHA1
242112d1c00cc1c9765048cd3dd0b05045b439c2

SHA256
ed2b5168b41e5cc8a059b7c6c1e788173b8414603f54ca89793578c559ea1e53

SHA512
a42399c2c34acdd120f079e08ffe968e5831b1c471f993c079177778d1bbd20763851d46265c35d4cf03a064211b89f23458cc637e68d59e44497a91ee6250b2

Download Submit
C:\Windows\{C717C496-0758-4369-8B51-CA2D7FE5B370}.exe

Filesize
197KB

MD5
d00fc015705b288b148dca9f08aadf38

SHA1
4548c8baef2c6d100cb26646e55ae09f20d4d4c9

SHA256
426d8cbe25da82155e722fa8bc6bee7df2553ef80384aa4f64fcc2f78206d89f

SHA512
e437c0f9e99f42194d9e31868616e7c17d6b619b2052dc99d9fd26ce24cd2c2dd0e250e9f1ac65b6aa03ffabbb4b4eef9aa13506740b92c6af83c22cb83ab361

Download Submit
C:\Windows\{E1A0AD79-F0C8-4d80-8FB4-51CB4555E73E}.exe

Filesize
197KB

MD5
a8eb555e75e451a7e84cc87bfd7df213

SHA1
116557d995db6d4f1c502a6afef33c8935870372

SHA256
d6085cfd6b72e6c8ef5c65d0cbbbabea7f19b83292d5dd488308a1b4d56fe662

SHA512
694a9f6111cbb92548a350505c4e6f83de8fb84e107fc8c19b4002a620d0ed3d65652495e3d82f26c1a4e3ac7e4d234d1b62a945927526fc85472ff7cb61f50c

Download Submit
C:\Windows\{E916B0C3-92EE-4ca0-A08E-AE157CD80B53}.exe

Filesize
197KB

MD5
9a70e812178e485318ea8e350f89d499

SHA1
1b858e33ff089dc01380b0a5eb76ec68c5d6cbe1

SHA256
ea88b3ce8fda1d7aac6382bd37854d1fa22c0e4a80f6e03f9c0df4b2e636e2bf

SHA512
be774b2cd4d6c19b83bfd36fd00e21aa63c7bc3337a7924df760717bdd7c3fa9ad0f98b8bf4a7e66166bd3fd1e381c8deb373a73ee6519830a9664b0cfa640ce

Download Submit
C:\Windows\{F139A741-C8A2-4bd2-8297-3496D69993BA}.exe

Filesize
197KB

MD5
bcf2e237aeebd2e0fc6efd4730a6e231

SHA1
abd0fac06a4ef480a0c0d3bb3db0836d4ebe229d

SHA256
b4ff3ca0329d2f689340f91f6e68f5007597ecd301a5259a0183feb749525f1b

SHA512
f60eddedd9735f18dd43308ca5734c2079a53f8e9ac54f12f370090975778c87802fab01b87abc0ba72b3fbe5763e850205262fcf8d1d0be84502c0b765f4182

Download Submit
C:\Windows\{F43E4C57-9415-4051-87EE-15B81F2D7A23}.exe

Filesize
197KB

MD5
507758acc4608add3cbf68c929d5ee18

SHA1
ba3d1e71f71e8e6ed0bd9d05f44dc53336a15e0f

SHA256
c3fd1675e73b051e001f5447766884c60bc2dcee07afbcd20219d77288a83e86

SHA512
f2fb0c65e2cc1adf72f011a1286bd40d0c9d23f8fd7158161dbf41c3257305e2cefc401a084eb6744c1905bdf2b5b3f07c28cb5c44ee1c5e748d0fd6b754cefd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads