Analysis
max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
02/03/2024, 23:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target
2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Size
197KB
MD5
7700691d1d8ba6023d1d9bbaa3de7429
SHA1
d6e1723304c1fea09129871ff9e6fe1cb83ef91a
SHA256
e48951fb1eb66395f19027038718abafe06697d96adda70534ba15c0cc7ac7a8
SHA512
c0e6f62e9bc01b77fa423855f382da849b4718cc6cc55696cc08a5b554ebcd0d82a92248d99f8733f08bb0a166004b12c8e0061fa0cb0f8018cb9273263fc5be
SSDEEP
3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca
Malware Config
Signatures
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023225-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023227-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023122-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002321d-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023122-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002321d-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023122-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002321d-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023122-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002321d-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023122-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45CC08-B088-4182-9AF2-5EFB265E37F3} | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}\stubpath = "C:\\Windows\\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe" | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2} | {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}\stubpath = "C:\\Windows\\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe" | {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF94757C-4601-43e2-95FB-3473002162AD} | {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF94757C-4601-43e2-95FB-3473002162AD}\stubpath = "C:\\Windows\\{EF94757C-4601-43e2-95FB-3473002162AD}.exe" | {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC} | {EF94757C-4601-43e2-95FB-3473002162AD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}\stubpath = "C:\\Windows\\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe" | {EF94757C-4601-43e2-95FB-3473002162AD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD4879C-A249-48a3-A27A-C43BB29809A3} | {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD4879C-A249-48a3-A27A-C43BB29809A3}\stubpath = "C:\\Windows\\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe" | {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E} | {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}\stubpath = "C:\\Windows\\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe" | {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6} | {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}\stubpath = "C:\\Windows\\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe" | {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4} | {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}\stubpath = "C:\\Windows\\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe" | {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23165439-5507-40d0-87E0-44DA67AD8BBA} | {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23165439-5507-40d0-87E0-44DA67AD8BBA}\stubpath = "C:\\Windows\\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe" | {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F3B260-ECB9-419f-A6E0-75228242B783} | {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F3B260-ECB9-419f-A6E0-75228242B783}\stubpath = "C:\\Windows\\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe" | {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3918B111-817E-44b2-B903-8496C332C94B} | {68F3B260-ECB9-419f-A6E0-75228242B783}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3918B111-817E-44b2-B903-8496C332C94B}\stubpath = "C:\\Windows\\{3918B111-817E-44b2-B903-8496C332C94B}.exe" | {68F3B260-ECB9-419f-A6E0-75228242B783}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29C7468-FA74-4bd9-8F20-7290C473AA9E} | {3918B111-817E-44b2-B903-8496C332C94B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}\stubpath = "C:\\Windows\\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe" | {3918B111-817E-44b2-B903-8496C332C94B}.exe
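The 24 rows above are the persistence mechanism of this chain. Each stage creates HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} for the executable it is about to drop (the WOW6432Node view because the sample is 32-bit, per the arch:x86 tag) and sets StubPath to C:\Windows\{GUID}.exe. Active Setup runs a component's StubPath at logon for every user whose HKCU hive does not yet record that component, which is ATT&CK T1547.014 (Boot or Logon Autostart Execution: Active Setup). The Python below is an added example written for this page, not part of the sandbox report: it parses the report's own "Set value" rows (copied verbatim), flags StubPath values that are bare GUID-named executables in C:\Windows, recovers the drop order from which process registered which component, and applies a simplified form of the HKLM-versus-HKCU rule. The `pending_for_user` rule (absent under HKCU, or a higher HKLM Version, and IsInstalled not 0) and its dictionary layout are my assumptions about Active Setup, not data from the report.

```python
import re
from typing import Dict, List, Optional

ROOT_IMAGE = "2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"

# Rows copied from the "Modifies Installed Components in the registry" signature above.
# The report prints the REG_SZ value with escaped backslashes, so the parser undoes that.
STUBPATH_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}\stubpath = "C:\\Windows\\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe" 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}\stubpath = "C:\\Windows\\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe" {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF94757C-4601-43e2-95FB-3473002162AD}\stubpath = "C:\\Windows\\{EF94757C-4601-43e2-95FB-3473002162AD}.exe" {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}\stubpath = "C:\\Windows\\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe" {EF94757C-4601-43e2-95FB-3473002162AD}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD4879C-A249-48a3-A27A-C43BB29809A3}\stubpath = "C:\\Windows\\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe" {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}\stubpath = "C:\\Windows\\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe" {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}\stubpath = "C:\\Windows\\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe" {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}\stubpath = "C:\\Windows\\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe" {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23165439-5507-40d0-87E0-44DA67AD8BBA}\stubpath = "C:\\Windows\\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe" {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F3B260-ECB9-419f-A6E0-75228242B783}\stubpath = "C:\\Windows\\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe" {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3918B111-817E-44b2-B903-8496C332C94B}\stubpath = "C:\\Windows\\{3918B111-817E-44b2-B903-8496C332C94B}.exe" {68F3B260-ECB9-419f-A6E0-75228242B783}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}\stubpath = "C:\\Windows\\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe" {3918B111-817E-44b2-B903-8496C332C94B}.exe',
]

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?)\\stubpath = "(?P<value>[^"]*)" (?P<proc>\S+)$', re.IGNORECASE)
COMPONENT_RE = re.compile(r"\\Installed Components\\(" + GUID + r")$", re.IGNORECASE)
# A StubPath that is nothing but a GUID-named exe in the root of C:\Windows (the pattern every stage writes here).
BARE_GUID_EXE_RE = re.compile(r"^c:\\windows\\" + GUID + r"\.exe$", re.IGNORECASE)


def parse_stubpath_row(row: str) -> Optional[dict]:
    """Split one report row into component GUID, decoded StubPath and the process that wrote it."""
    m = ROW_RE.match(row)
    if not m:
        return None
    comp = COMPONENT_RE.search(m.group("key"))
    if not comp:
        return None
    return {
        "component": comp.group(1),
        "stubpath": m.group("value").replace("\\\\", "\\"),  # undo the report's escaping
        "registrar": m.group("proc"),
    }


def is_bare_guid_exe_in_windows(stubpath: str) -> bool:
    """True when the StubPath is a bare GUID-named executable directly under the Windows directory."""
    return BARE_GUID_EXE_RE.match(stubpath) is not None


def dropper_chain(rows: List[str], root_image: str) -> List[str]:
    """Follow 'process X registered component G' links from the root sample to recover the stage order."""
    registered_by: Dict[str, str] = {}
    for row in rows:
        parsed = parse_stubpath_row(row)
        if parsed and is_bare_guid_exe_in_windows(parsed["stubpath"]):
            registered_by[parsed["registrar"].lower()] = parsed["component"]
    chain: List[str] = []
    current = root_image.lower()
    while current in registered_by and len(chain) < len(rows):  # length bound guards against a cycle
        guid = registered_by[current]
        chain.append(guid)
        current = f"{guid}.exe".lower()
    return chain


def pending_for_user(hklm: Dict[str, dict], hkcu: Dict[str, dict]) -> List[str]:
    """Components whose StubPath Active Setup would still run at the user's next logon.

    Assumed, simplified rule: run when the component is absent under HKCU or the HKLM
    Version ("a,b,c,d") is higher; never run when IsInstalled is 0.
    """
    def version(v: Optional[str]) -> tuple:
        return tuple(int(p) for p in v.split(",")) if v else ()
    due = []
    for guid, entry in hklm.items():
        if entry.get("IsInstalled", 1) == 0:
            continue
        user = hkcu.get(guid)
        if user is None or version(entry.get("Version")) > version(user.get("Version")):
            due.append(guid)
    return due


if __name__ == "__main__":
    for i, guid in enumerate(dropper_chain(STUBPATH_ROWS, ROOT_IMAGE), 1):
        print(f"stage {i:2d}: C:\\Windows\\{guid}.exe")
```

On a live host the same check is a walk of both Installed Components keys (native and WOW6432Node) under HKLM, comparing each StubPath against the pattern above and each GUID against the user's HKCU copy; every entry this sample wrote would be reported as pending for any user who has not logged on since infection, because nothing under HKCU records the components.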
Executes dropped EXE 12 IoCs
pid | Process
4692 | {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
3084 | {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
2976 | {EF94757C-4601-43e2-95FB-3473002162AD}.exe
2572 | {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
3252 | {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
3220 | {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
5044 | {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
4956 | {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
1420 | {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
3140 | {68F3B260-ECB9-419f-A6E0-75228242B783}.exe
4704 | {3918B111-817E-44b2-B903-8496C332C94B}.exe
116 | {B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
File created | C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe | {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
File created | C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe | {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
File created | C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe | {EF94757C-4601-43e2-95FB-3473002162AD}.exe
File created | C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe | {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
File created | C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe | {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
File created | C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe | {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
File created | C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe | {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
File created | C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe | {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
File created | C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe | {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
File created | C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe | {68F3B260-ECB9-419f-A6E0-75228242B783}.exe
File created | C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe | {3918B111-817E-44b2-B903-8496C332C94B}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 5100 | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4692 | {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
Token: SeIncBasePriorityPrivilege | 3084 | {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
Token: SeIncBasePriorityPrivilege | 2976 | {EF94757C-4601-43e2-95FB-3473002162AD}.exe
Token: SeIncBasePriorityPrivilege | 2572 | {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
Token: SeIncBasePriorityPrivilege | 3252 | {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
Token: SeIncBasePriorityPrivilege | 3220 | {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
Token: SeIncBasePriorityPrivilege | 5044 | {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
Token: SeIncBasePriorityPrivilege | 4956 | {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
Token: SeIncBasePriorityPrivilege | 1420 | {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
Token: SeIncBasePriorityPrivilege | 3140 | {68F3B260-ECB9-419f-A6E0-75228242B783}.exe
Token: SeIncBasePriorityPrivilege | 4704 | {3918B111-817E-44b2-B903-8496C332C94B}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target | rows (the report lists each write three times; the 64-row cap truncates the last group)
PID 5100 wrote to memory of 4692 | 5100 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe | 91 | 3
PID 5100 wrote to memory of 5104 | 5100 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe | 92 | 3
PID 4692 wrote to memory of 3084 | 4692 {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe | 93 | 3
PID 4692 wrote to memory of 3400 | 4692 {AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe | 94 | 3
PID 3084 wrote to memory of 2976 | 3084 {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe | 97 | 3
PID 3084 wrote to memory of 5072 | 3084 {8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe | 98 | 3
PID 2976 wrote to memory of 2572 | 2976 {EF94757C-4601-43e2-95FB-3473002162AD}.exe | 100 | 3
PID 2976 wrote to memory of 408 | 2976 {EF94757C-4601-43e2-95FB-3473002162AD}.exe | 101 | 3
PID 2572 wrote to memory of 3252 | 2572 {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe | 102 | 3
PID 2572 wrote to memory of 4048 | 2572 {8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe | 103 | 3
PID 3252 wrote to memory of 3220 | 3252 {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe | 104 | 3
PID 3252 wrote to memory of 3256 | 3252 {4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe | 105 | 3
PID 3220 wrote to memory of 5044 | 3220 {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe | 106 | 3
PID 3220 wrote to memory of 4068 | 3220 {134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe | 107 | 3
PID 5044 wrote to memory of 4956 | 5044 {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe | 108 | 3
PID 5044 wrote to memory of 2180 | 5044 {86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe | 109 | 3
PID 4956 wrote to memory of 1420 | 4956 {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe | 110 | 3
PID 4956 wrote to memory of 3564 | 4956 {E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe | 111 | 3
PID 1420 wrote to memory of 3140 | 1420 {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe | 112 | 3
PID 1420 wrote to memory of 2440 | 1420 {23165439-5507-40d0-87E0-44DA67AD8BBA}.exe | 113 | 3
PID 3140 wrote to memory of 4704 | 3140 {68F3B260-ECB9-419f-A6E0-75228242B783}.exe | 114 | 3
PID 3140 wrote to memory of 1992 | 3140 {68F3B260-ECB9-419f-A6E0-75228242B783}.exe | 115 | 1
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"
  PID: 5100 (level 1)
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
    command line: C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
    PID: 4692 (level 2)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
      command line: C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
      PID: 3084 (level 3)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe
        command line: C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe
        PID: 2976 (level 4)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
          command line: C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
          PID: 2572 (level 5)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
            command line: C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
            PID: 3252 (level 6)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
              command line: C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
              PID: 3220 (level 7)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
                command line: C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
                PID: 5044 (level 8)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
                  command line: C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
                  PID: 4956 (level 9)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
                    command line: C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
                    PID: 1420 (level 10)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe
                      command line: C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe
                      PID: 3140 (level 11)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe
                        command line: C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe
                        PID: 4704 (level 12)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
                          command line: C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
                          PID: 116 (level 13)
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3918B~1.EXE > nul
                          PID: 64 (level 13)
                      C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{68F3B~1.EXE > nul
                        PID: 1992 (level 12)
                    C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{23165~1.EXE > nul
                      PID: 2440 (level 11)
                  C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E60F0~1.EXE > nul
                    PID: 3564 (level 10)
                C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86F67~1.EXE > nul
                  PID: 2180 (level 9)
              C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{134A5~1.EXE > nul
                PID: 4068 (level 8)
            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD48~1.EXE > nul
              PID: 3256 (level 7)
          C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD40~1.EXE > nul
            PID: 4048 (level 6)
        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF947~1.EXE > nul
          PID: 408 (level 5)
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B401~1.EXE > nul
        PID: 5072 (level 4)
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AB45C~1.EXE > nul
      PID: 3400 (level 3)
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 5104 (level 2)
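Two details of the tree matter for triage. First, every stage spawns cmd.exe /c del <file> > nul against its own image (the 32-bit process requests system32\cmd.exe and lands in SysWOW64\cmd.exe through file-system redirection); the deletion is handed to a separate process because Windows refuses to delete an executable while a process still has it mapped, so the parent has to exit first. Second, the del targets are 8.3 short names ({3918B~1.EXE, 2024-0~1.EXE), so a string search for the GUID file names or the sample name will miss these command lines. The Python below is an added example written for this page, not part of the sandbox report: it recognises the self-delete idiom in a command line, regenerates the short name a long file name receives, and maps each deleted short path back to the full path from the "Drops file in Windows directory" signature. The command lines and paths are copied from this report except one constructed non-matching line; the 8.3 generator is a simplified, first-candidate (~1) model and assumes no collision in the directory, which is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Command lines copied from the process tree above, plus one constructed line that must not match.
CMD_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3918B~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AB45C~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c echo constructed-benign-line > nul",
]
# Full paths from the "Drops file in Windows directory" signature and the sample's own path.
DROPPED_FILES = [
    r"C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe",
    r"C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe",
    r"C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe",
    r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe",
]

SELF_DELETE_RE = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.IGNORECASE)
# Punctuation NTFS permits in an 8.3 name besides letters and digits.
SHORT_OK = set("!#$%&'()-@^_`{}~")


def short_name_8dot3(long_name: str, n: int = 1) -> str:
    """Simplified NTFS short-name generation: first six usable characters, '~n', three-character extension.

    Names that already fit 8.3 are returned unchanged (Windows generates no short name for them).
    Assumption: no collision, so n defaults to 1; the hashed form Windows uses after repeated
    collisions is not modelled.
    """
    if "." in long_name:
        orig_base, _, orig_ext = long_name.rpartition(".")
    else:
        orig_base, orig_ext = long_name, ""

    def clean(part: str) -> str:
        # spaces and periods are dropped, anything else outside the 8.3 charset becomes '_'
        return "".join(ch if ch.isalnum() or ch in SHORT_OK else "_"
                       for ch in part.upper() if ch not in " .")

    base, ext = clean(orig_base), clean(orig_ext)
    needs_tilde = (base != orig_base.upper() or ext != orig_ext.upper()
                   or len(base) > 8 or len(ext) > 3)
    if not needs_tilde:
        return long_name
    return base[:6] + f"~{n}" + (f".{ext[:3]}" if ext else "")


def is_self_delete(cmdline: str) -> Optional[str]:
    """Return the deleted path when the command line is the 'cmd /c del <file> > nul' idiom, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target") if m else None


def resolve_short_path(short_path: str, candidates: List[str]) -> Optional[str]:
    """Map an 8.3 path back to the known full path in the same directory whose short name matches."""
    s_dir, _, s_name = short_path.rpartition("\\")
    for full in candidates:
        f_dir, _, f_name = full.rpartition("\\")
        if f_dir.lower() == s_dir.lower() and short_name_8dot3(f_name).lower() == s_name.lower():
            return full
    return None


def self_delete_report(cmd_lines: List[str], dropped: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(command line, short target, resolved full path or None) for every self-delete found."""
    out = []
    for line in cmd_lines:
        target = is_self_delete(line)
        if target:
            out.append((line, target, resolve_short_path(target, dropped)))
    return out


if __name__ == "__main__":
    for line, short, full in self_delete_report(CMD_LINES, DROPPED_FILES):
        print(f"{short} -> {full or 'unresolved'}")
```

When more than one file in the directory shares the same first six characters the suffix is ~2, ~3 and so on, so an unresolved entry is not proof that the file was never dropped; on the affected volume `dir /x` in cmd.exe prints the authoritative short names.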
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 197KB
MD5 7ec7c296c9feaef5cbc79346743cc08e
SHA1 b16c189a86b2b7543a24350452476514b3671c65
SHA256 a9e1d5af92d131812381c439922923e5ebbe9203e155014e440d8baf979cc53d
SHA512 2aa17c3f1569cbf7ac21964aff57346230749887316f4c768a7ce2aeb1a6195c7b5c152fb0f403604c0957ecb23db4255eab99e41ab3e12aca05c7bdc7a639ad

Filesize 197KB
MD5 619ab951baafa425c0c8d262b30e262b
SHA1 935fc17742754e40acff04720916acb08c7c9af5
SHA256 3bbe74a70af9f84b5d928f6d0e91035d6449f922b83c15eb9d7bf7fee328be76
SHA512 2a95be8fc84c0257a94bf66fd7fc158dccd9efcdd873e69053877198edc471508542bdfb30f26787dfd9c4393cf46cac30a93a7a60f61a3f208454760c666d72

Filesize 197KB
MD5 6cac860cfdb3ce2e185fc59a208181f7
SHA1 072e612aa9ac14ccc8a6216836cd00b1c9f307ec
SHA256 2dfd46c24e34892638bac5d02e69b7774398e705832a8da0a841be713829f2e4
SHA512 742d06f7d29fd57dab9d0d9d96d54ad0877f6208e918804a11f649c9f514fc3d52a8e9edba04db4c1957c4073d8a40d9fe0fad57e1b70d8d0cd272f721f07ec0

Filesize 197KB
MD5 374f07b6aa3ffcee853b7a554f790f4e
SHA1 a7515baf9487bbe2b69c2fa2721240c34e822bfd
SHA256 37e622ed28c4653e6f7fcc1d952cde18edd186b0b5e97a318e279e06ab58a6fe
SHA512 fd210822fcc3bb79accc5a7df6499aa3a10b0b9e04a29c5ca892f7fb6c6d2003bd395477ebabb952329171b2fd29f8f2bc896f870fe6bb9c0e36b7af5c7e1b6a

Filesize 197KB
MD5 9c4ba614e06b949b1edd56220f24e012
SHA1 56e5b0d307478611c69eefed771aa0af025e2d01
SHA256 e2c527cf97c7cf2bd4a656363af539f62158ed97f26592dc3ebfa7ac23087834
SHA512 13942efe7ce4f18d11eeab435ebe9f290a57bd910d0c20ccd091fae10a58e072fb838580e0e84b7369c073105339c3a5a8e56cc0d310df8b240616c19ed6e298

Filesize 197KB
MD5 83110ba80eba22bd0239bd592b9e097b
SHA1 2ee014c4fbb6f0a64b8207bbe2dec283883bc504
SHA256 8d69c02d00e871927ede6169e96a0ee30898f0cbf1316848bd18be9a1d6cc05b
SHA512 4b968acf061e1b3437b3587a8087725b4a86071e7c42e7471b8ee451dc2b81f77a2bcdde9a654d08440ed89cf8b9602c6f73adbbfb955522a13e70f30fdffd4f

Filesize 197KB
MD5 c82e97fa401f2f3daf68c9593ca9bf9c
SHA1 08971b20b19731c5e2a46b407016a6d09bb36d69
SHA256 337a0eb0ba44d357255493bef374bf7768efd7781c9e0972bc11c0b83771f440
SHA512 fa978af771c898c9a91651a8af00bcbb735ab67059632882be2b4e46c8b3871f124c26ab81bbff93ce2e30306c271502282e97551c54c82151b8be34088b500d

Filesize 197KB
MD5 952897cbcbcad645036bca2cc9f3e356
SHA1 9d4bd55162e5589124adc580d23bd1f1c2af4feb
SHA256 9f4dda4e49db472e95426c781e9d72ca12b7af5ef40df0842a3da9c84ff48baa
SHA512 f7836f7961bd4c46290c3d2550fc1a1ab6e766c9eb42fdf0b186f73020d1fe07dcab0a2b8e165a8f983758188710b2b1eb26c124303b7a8410944707b7c3cc75

Filesize 197KB
MD5 674a5393a2a376e1deec7a7ac7b537fe
SHA1 8c6028185affd9c5e4287319d2792104beeb460f
SHA256 a14373251ede7656ba0e663c99d821125687e298e660c710761991ef509f92df
SHA512 81ebba36583013dde926f5b83967f2355d1d9aab3f31b9610bc185d5c3174864af48c07c6dc50299620db406de29122f002190f89ec79d57264fd338d2f8e020

Filesize 197KB
MD5 0992fb00c2243a51cb78cce49361ca7d
SHA1 2e6814582d6e3906fdce032179c732c044559ecc
SHA256 ea55c098f7bc16008ffbd505611c8d4764edef88f75972e59e4117e8950a064a
SHA512 6f7a7d631ab6723c31801d7d8e0e730b911ee645d856e081c1346a4f2b914d3832a9799e8669c7df9276bc62bdb41367d3ece4080dcd42fc39c3011a8fc56168

Filesize 197KB
MD5 c40dd394d23cffbb4672b76e41e23810
SHA1 495c497c331d3872121c4b4a8108cc983c97e27c
SHA256 9e43bba213842ebb58e3585e25d6217781de1f31ce252d2cef1532243b5ffb9b
SHA512 fe318d1e018dcdbee9820ce28da16ba9d44217f32f82439f60329cda9897e2810bed3e5b0ed307d817d41cabf9ca86e1c4fe81af2ff57b99981c99f605e7ac44

Filesize 197KB
MD5 3bcfa94acb83c266ac12c9696fa2ed6c
SHA1 f690fb244bdaddfc5d733e7870713cdb88d2a387
SHA256 df3486fa77f1983b49a626e5284dd0264798e2fbcacc411d1460a32e1bcb55b0
SHA512 49ddbe20318311244f69e5c3420259a8c815445b3284644dd0885144f56434337ede5e087218198bdf4a1949f6bf86b45934c8b03bcef29b149a5e5d012e8e3d