Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2024, 18:29
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
Size: 380KB
MD5: 72b5ec8cb5d376250ba151702695f3be
SHA1: 9e558c9f16989e1a00fd28c0b2f81b1fcdd24bbe
SHA256: 520d338b11bfbf340d06acb11adce78059ffbf3807b7b9de0ad240a7ecdf1c93
SHA512: b567798375578adb3a89178447e59c64e401d73c18df28136ba9bfc25e02e27f1562a203a5086b8ae3fa3e4d027d462983ce42c7621eb8a9f5e817f8b4033351
SSDEEP: 3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x00060000000231fe-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023207-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320d-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023207-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002177b-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002177d-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002177b-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-41.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08837F0-F69A-4e61-82B1-AA63AEABD39C} | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}\stubpath = "C:\\Windows\\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe" | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17851244-D249-429f-9ED5-BA7FB3F58C9C}\stubpath = "C:\\Windows\\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe" | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F} | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}\stubpath = "C:\\Windows\\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe" | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4} | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}\stubpath = "C:\\Windows\\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe" | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F35082D-9E16-4e07-8772-E96441572C47} | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F35082D-9E16-4e07-8772-E96441572C47}\stubpath = "C:\\Windows\\{0F35082D-9E16-4e07-8772-E96441572C47}.exe" | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11F71B3F-13B4-47c1-B701-750F29C5BB9D} | {0F35082D-9E16-4e07-8772-E96441572C47}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34470C41-B55C-4e05-927E-7A37C1CA48DE}\stubpath = "C:\\Windows\\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe" | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81905B33-D031-42b4-BD3D-8ACE28B47E38} | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81905B33-D031-42b4-BD3D-8ACE28B47E38}\stubpath = "C:\\Windows\\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe" | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA45C61-63D1-4286-B657-67203CB3ABDF} | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17851244-D249-429f-9ED5-BA7FB3F58C9C} | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5} | {3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}\stubpath = "C:\\Windows\\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe" | {0F35082D-9E16-4e07-8772-E96441572C47}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34470C41-B55C-4e05-927E-7A37C1CA48DE} | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}\stubpath = "C:\\Windows\\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe" | {3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1} | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}\stubpath = "C:\\Windows\\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe" | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}\stubpath = "C:\\Windows\\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe" | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528D5A00-4804-46b3-ADB2-8EA1B2341C38} | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA45C61-63D1-4286-B657-67203CB3ABDF}\stubpath = "C:\\Windows\\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe" | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
Executes dropped EXE (12 IoCs)
pid | Process
1236 | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
2016 | {0F35082D-9E16-4e07-8772-E96441572C47}.exe
4528 | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
4184 | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
2268 | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
1364 | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
4808 | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
2716 | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
4008 | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
820 | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
456 | {3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
2084 | {BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe | {0F35082D-9E16-4e07-8772-E96441572C47}.exe
File created | C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
File created | C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
File created | C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
File created | C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
File created | C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe | {3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
File created | C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
File created | C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
File created | C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
File created | C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
File created | C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
File created | C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2508 | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1236 | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
Token: SeIncBasePriorityPrivilege | 2016 | {0F35082D-9E16-4e07-8772-E96441572C47}.exe
Token: SeIncBasePriorityPrivilege | 4528 | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
Token: SeIncBasePriorityPrivilege | 4184 | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
Token: SeIncBasePriorityPrivilege | 2268 | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
Token: SeIncBasePriorityPrivilege | 1364 | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
Token: SeIncBasePriorityPrivilege | 4808 | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
Token: SeIncBasePriorityPrivilege | 2716 | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
Token: SeIncBasePriorityPrivilege | 4008 | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
Token: SeIncBasePriorityPrivilege | 820 | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
Token: SeIncBasePriorityPrivilege | 456 | {3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below appears three times in the report unless noted)
description | pid | Process | procid_target
PID 2508 wrote to memory of 1236 | 2508 | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe | 88
PID 2508 wrote to memory of 4856 | 2508 | 2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe | 89
PID 1236 wrote to memory of 2016 | 1236 | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe | 93
PID 1236 wrote to memory of 3484 | 1236 | {224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe | 94
PID 2016 wrote to memory of 4528 | 2016 | {0F35082D-9E16-4e07-8772-E96441572C47}.exe | 96
PID 2016 wrote to memory of 2584 | 2016 | {0F35082D-9E16-4e07-8772-E96441572C47}.exe | 97
PID 4528 wrote to memory of 4184 | 4528 | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe | 98
PID 4528 wrote to memory of 4832 | 4528 | {11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe | 99
PID 4184 wrote to memory of 2268 | 4184 | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe | 100
PID 4184 wrote to memory of 4064 | 4184 | {F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe | 101
PID 2268 wrote to memory of 1364 | 2268 | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe | 102
PID 2268 wrote to memory of 4032 | 2268 | {34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe | 103
PID 1364 wrote to memory of 4808 | 1364 | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe | 104
PID 1364 wrote to memory of 3288 | 1364 | {81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe | 105
PID 4808 wrote to memory of 2716 | 4808 | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe | 106
PID 4808 wrote to memory of 3972 | 4808 | {528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe | 107
PID 2716 wrote to memory of 4008 | 2716 | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe | 108
PID 2716 wrote to memory of 4868 | 2716 | {DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe | 109
PID 4008 wrote to memory of 820 | 4008 | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe | 110
PID 4008 wrote to memory of 2500 | 4008 | {4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe | 111
PID 820 wrote to memory of 456 | 820 | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe | 112
PID 820 wrote to memory of 4756 | 820 | {17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe | 113 (appears once)
Processes
Depth 1, PID 2508: C:\Users\Admin\AppData\Local\Temp\2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 2, PID 1236: C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
  Command line: C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 3, PID 2016: C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe
  Command line: C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 4, PID 4528: C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
  Command line: C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 5, PID 4184: C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
  Command line: C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 6, PID 2268: C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
  Command line: C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 7, PID 1364: C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
  Command line: C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 8, PID 4808: C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
  Command line: C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 9, PID 2716: C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
  Command line: C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 10, PID 4008: C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
  Command line: C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 11, PID 820: C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
  Command line: C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 12, PID 456: C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
  Command line: C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Depth 13, PID 2084: C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
  Command line: C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
  - Executes dropped EXE
Depth 13, PID 3992 (child of PID 456): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0EA~1.EXE > nul
Depth 12, PID 4756 (child of PID 820): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{17851~1.EXE > nul
Depth 11, PID 2500 (child of PID 4008): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4AA45~1.EXE > nul
Depth 10, PID 4868 (child of PID 2716): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DE68A~1.EXE > nul
Depth 9, PID 3972 (child of PID 4808): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{528D5~1.EXE > nul
Depth 8, PID 3288 (child of PID 1364): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{81905~1.EXE > nul
Depth 7, PID 4032 (child of PID 2268): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34470~1.EXE > nul
Depth 6, PID 4064 (child of PID 4184): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0883~1.EXE > nul
Depth 5, PID 4832 (child of PID 4528): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{11F71~1.EXE > nul
Depth 4, PID 2584 (child of PID 2016): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F350~1.EXE > nul
Depth 3, PID 3484 (child of PID 1236): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{224A3~1.EXE > nul
Depth 2, PID 4856 (child of PID 2508): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads