Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Size: 197KB
MD5: 1b79f7a7b43252a50deeee1b37920bc6
SHA1: e5158a59de2e0641125a7dcf7583c63ce1ffca12
SHA256: f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5
SHA512: a5de5791da9c8448776fe315199155221c358472bb0388d052c056b15f25c4c1eb8167ddc21671f85f70b35a218b0ba0d960401425765ffc1b9140f141ef2947
SSDEEP: 3072:jEGh0oYZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGWlEeKcAEca
Malware Config
Signatures
Auto-generated rule 14 IoCs
resource | yara_rule
behavioral2/files/0x0005000000022d26-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022ea1-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022ea1-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023286-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023139-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023286-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023139-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023139-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023139-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e3d2-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023139-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002309a-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023139-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A16191BF-E242-4f12-A904-4E1736978238}\stubpath = "C:\\Windows\\{A16191BF-E242-4f12-A904-4E1736978238}.exe" | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A7F74-6948-4205-87DA-4508981A156D}\stubpath = "C:\\Windows\\{771A7F74-6948-4205-87DA-4508981A156D}.exe" | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}\stubpath = "C:\\Windows\\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe" | {771A7F74-6948-4205-87DA-4508981A156D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F83CD59-DA86-481c-B635-0B85AD568669} | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDAB469-8DF8-4f29-AB7E-D515444040DD} | {07067EAB-9D51-4841-9266-5A212058E859}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5} | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A16191BF-E242-4f12-A904-4E1736978238} | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7E64D7-194F-454e-8186-333C59E578F7} | {7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}\stubpath = "C:\\Windows\\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe" | {07067EAB-9D51-4841-9266-5A212058E859}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}\stubpath = "C:\\Windows\\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe" | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2} | {771A7F74-6948-4205-87DA-4508981A156D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}\stubpath = "C:\\Windows\\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe" | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}\stubpath = "C:\\Windows\\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe" | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F} | {A16191BF-E242-4f12-A904-4E1736978238}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}\stubpath = "C:\\Windows\\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe" | {A16191BF-E242-4f12-A904-4E1736978238}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}\stubpath = "C:\\Windows\\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe" | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76EE2A53-169D-4fe2-88F1-FED477FCDF63} | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A7F74-6948-4205-87DA-4508981A156D} | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E} | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7E64D7-194F-454e-8186-333C59E578F7}\stubpath = "C:\\Windows\\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe" | {7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F83CD59-DA86-481c-B635-0B85AD568669}\stubpath = "C:\\Windows\\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe" | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07067EAB-9D51-4841-9266-5A212058E859} | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07067EAB-9D51-4841-9266-5A212058E859}\stubpath = "C:\\Windows\\{07067EAB-9D51-4841-9266-5A212058E859}.exe" | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44} | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
Executes dropped EXE 12 IoCs
pid | Process
1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe
2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe
768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe
380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe
4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
4348 | {7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
1096 | {3D7E64D7-194F-454e-8186-333C59E578F7}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
File created | C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
File created | C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe
File created | C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | {07067EAB-9D51-4841-9266-5A212058E859}.exe
File created | C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
File created | C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
File created | C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
File created | C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | {A16191BF-E242-4f12-A904-4E1736978238}.exe
File created | C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
File created | C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe | {771A7F74-6948-4205-87DA-4508981A156D}.exe
File created | C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
File created | C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe | {7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe
Token: SeIncBasePriorityPrivilege | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
Token: SeIncBasePriorityPrivilege | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
Token: SeIncBasePriorityPrivilege | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
Token: SeIncBasePriorityPrivilege | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe
Token: SeIncBasePriorityPrivilege | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
Token: SeIncBasePriorityPrivilege | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
Token: SeIncBasePriorityPrivilege | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe
Token: SeIncBasePriorityPrivilege | 4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
Token: SeIncBasePriorityPrivilege | 4348 | {7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3596 wrote to memory of 1220 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 97
PID 3596 wrote to memory of 1220 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 97
PID 3596 wrote to memory of 1220 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 97
PID 3596 wrote to memory of 4896 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 98
PID 3596 wrote to memory of 4896 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 98
PID 3596 wrote to memory of 4896 | 3596 | 2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe | 98
PID 1220 wrote to memory of 2672 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 99
PID 1220 wrote to memory of 2672 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 99
PID 1220 wrote to memory of 2672 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 99
PID 1220 wrote to memory of 832 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 100
PID 1220 wrote to memory of 832 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 100
PID 1220 wrote to memory of 832 | 1220 | {0F83CD59-DA86-481c-B635-0B85AD568669}.exe | 100
PID 2672 wrote to memory of 768 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 103
PID 2672 wrote to memory of 768 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 103
PID 2672 wrote to memory of 768 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 103
PID 2672 wrote to memory of 4508 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 104
PID 2672 wrote to memory of 4508 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 104
PID 2672 wrote to memory of 4508 | 2672 | {07067EAB-9D51-4841-9266-5A212058E859}.exe | 104
PID 768 wrote to memory of 3704 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 107
PID 768 wrote to memory of 3704 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 107
PID 768 wrote to memory of 3704 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 107
PID 768 wrote to memory of 3164 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 108
PID 768 wrote to memory of 3164 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 108
PID 768 wrote to memory of 3164 | 768 | {9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe | 108
PID 3704 wrote to memory of 2992 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 109
PID 3704 wrote to memory of 2992 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 109
PID 3704 wrote to memory of 2992 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 109
PID 3704 wrote to memory of 1216 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 110
PID 3704 wrote to memory of 1216 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 110
PID 3704 wrote to memory of 1216 | 3704 | {4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe | 110
PID 2992 wrote to memory of 4404 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 111
PID 2992 wrote to memory of 4404 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 111
PID 2992 wrote to memory of 4404 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 111
PID 2992 wrote to memory of 3300 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 112
PID 2992 wrote to memory of 3300 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 112
PID 2992 wrote to memory of 3300 | 2992 | {20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe | 112
PID 4404 wrote to memory of 380 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 113
PID 4404 wrote to memory of 380 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 113
PID 4404 wrote to memory of 380 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 113
PID 4404 wrote to memory of 3316 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 114
PID 4404 wrote to memory of 3316 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 114
PID 4404 wrote to memory of 3316 | 4404 | {A16191BF-E242-4f12-A904-4E1736978238}.exe | 114
PID 380 wrote to memory of 3564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 115
PID 380 wrote to memory of 3564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 115
PID 380 wrote to memory of 3564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 115
PID 380 wrote to memory of 4564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 116
PID 380 wrote to memory of 4564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 116
PID 380 wrote to memory of 4564 | 380 | {EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe | 116
PID 3564 wrote to memory of 532 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 117
PID 3564 wrote to memory of 532 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 117
PID 3564 wrote to memory of 532 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 117
PID 3564 wrote to memory of 4508 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 118
PID 3564 wrote to memory of 4508 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 118
PID 3564 wrote to memory of 4508 | 3564 | {76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe | 118
PID 532 wrote to memory of 4640 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 119
PID 532 wrote to memory of 4640 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 119
PID 532 wrote to memory of 4640 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 119
PID 532 wrote to memory of 4388 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 120
PID 532 wrote to memory of 4388 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 120
PID 532 wrote to memory of 4388 | 532 | {771A7F74-6948-4205-87DA-4508981A156D}.exe | 120
PID 4640 wrote to memory of 4348 | 4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe | 121
PID 4640 wrote to memory of 4348 | 4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe | 121
PID 4640 wrote to memory of 4348 | 4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe | 121
PID 4640 wrote to memory of 2304 | 4640 | {84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe | 122
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3596
- C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe (depth 2)
  Command line: C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1220
- C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe (depth 3)
  Command line: C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672
- C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe (depth 4)
  Command line: C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 768
- C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe (depth 5)
  Command line: C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3704
- C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe (depth 6)
  Command line: C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2992
- C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe (depth 7)
  Command line: C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4404
- C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe (depth 8)
  Command line: C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 380
- C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe (depth 9)
  Command line: C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3564
- C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe (depth 10)
  Command line: C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 532
- C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe (depth 11)
  Command line: C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4640
- C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe (depth 12)
  Command line: C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4348
- C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe (depth 13)
  Command line: C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe
  - Executes dropped EXE
  PID: 1096
- C:\Windows\SysWOW64\cmd.exe (depth 13)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE8B~1.EXE > nul
  PID: 4204
- C:\Windows\SysWOW64\cmd.exe (depth 12)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{84C53~1.EXE > nul
  PID: 2304
- C:\Windows\SysWOW64\cmd.exe (depth 11)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{771A7~1.EXE > nul
  PID: 4388
- C:\Windows\SysWOW64\cmd.exe (depth 10)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{76EE2~1.EXE > nul
  PID: 4508
- C:\Windows\SysWOW64\cmd.exe (depth 9)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0A5~1.EXE > nul
  PID: 4564
- C:\Windows\SysWOW64\cmd.exe (depth 8)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A1619~1.EXE > nul
  PID: 3316
- C:\Windows\SysWOW64\cmd.exe (depth 7)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{20A2D~1.EXE > nul
  PID: 3300
- C:\Windows\SysWOW64\cmd.exe (depth 6)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBEC~1.EXE > nul
  PID: 1216
- C:\Windows\SysWOW64\cmd.exe (depth 5)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DDAB~1.EXE > nul
  PID: 3164
- C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07067~1.EXE > nul
  PID: 4508
- C:\Windows\SysWOW64\cmd.exe (depth 3)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F83C~1.EXE > nul
  PID: 832
- C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4224 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 130KB
  MD5: cca51e7dfaa5f27a249469af368a4655
  SHA1: 04a872c7d638dcddaec7cead1dc401c95ac9d07c
  SHA256: 25470cabaa697c40591c0332085586b324c6e5c877694960b9a4a1f03094f17b
  SHA512: 44be8af59519f28038e2f8f5c66cba7a6b6fae5f46e44e83a976b3309f4bd9594ac85cfa96107064c534ebf31f4e913eb48a2b3f8f7e1af620b4a32ec244e1c8
- Filesize: 197KB
  MD5: 2993494add3e412e3c5c56b8d200c2a2
  SHA1: 4923e8042c5bc177f5f373681784eafa685f6da7
  SHA256: 9b0cfdf648cd75d6ecfe4ac19b2ab48e9e1b49b3cd547d0449a028a60fcf6ddd
  SHA512: b898bcf0ff87ee4655b696860c41c21de41ab415001f61ccfd956e2eda19af1c1cc94e09dceb57cbca1704a978532b326f3613ad5b7d31ea92211b73400b389f
- Filesize: 197KB
  MD5: 548ea5db646c24f49b5eb3bea5fd7458
  SHA1: 1bdd14dcf16cc43126aec5fadd5da574cb39ed41
  SHA256: 393d73f09757daceb5f9331b67579fcee6af09107b6b65a505f1d0f5ed8f6576
  SHA512: 40fcbd1fee864722e3b2cc01f8fd9c600ddea25c4937208dbde38f2070eebf116e33dd3366dbfa3b67c274941e29f007b93adcf3e0e5bf1d1831ce3f99e2a110
- Filesize: 197KB
  MD5: f49a5f3fc71e272472d342c3b38f193c
  SHA1: 732ef5f2244ce298f4b19d97152d5581bbd23302
  SHA256: dce6a251f87a3f11353d02310d421393528d1993c90853f87aa5faa03a349504
  SHA512: 71d73ff2f18e2116b8a0120551300eb43caa9af5b4b012f88299439926abc1d4b65c26fa49933c57ba624fed83e084c0e21e49f7c4ff84efc9bd43274d6f6044
- Filesize: 197KB
  MD5: 55b35606901ddb9001d7aecf35d66491
  SHA1: da77a85ce0445f7e89e7a98289ee267bc38935f9
  SHA256: f5604da47d608512f1dc6eb6e5db666590e5998801220d346c298caccd222c65
  SHA512: ddbca9e5b605fdef2439f2fc0bb7b76b9620dc113e012ddeaf4d76b2e3cf70174ec4fa272e81f9f50c81f20669995fe49851c2848e5f0dee1c56e8967bd2766e
- Filesize: 197KB
  MD5: 4b86245c0a3e54d5b4bd7e69f15de39c
  SHA1: aede20f0b579147b04111789db5c0ce6c9c4d48f
  SHA256: 22083a09eff09101ab166ffa48524c249b1b1d7fd4d0f16d73f4bd1f3f5e73c2
  SHA512: 73aedd80eb1172e393998430dc0f8aae54ba759a29bad7dadb2629c0bf9ad743c0960374d1dbd7460ff3f21c449d3e2b712b4515897c3ee7ef5a6823c489ef1c
- Filesize: 197KB
  MD5: 417ee8f1429e9367853267d5fc0328ee
  SHA1: 800651ed04339a8b1894b1dfff42adacdd7c5bc1
  SHA256: 648f072119e72e117308f13c35271f090a59943417cdbbd03a243e860ed986e2
  SHA512: f7886a02b56d0ebf9b8c24a66d3a2c7230d7561d24820a0b1b2294fd53a8ffa61182314f6a1540c25197a8039cfc6b2a759fb782977dbbae279fd356a03c29b2
- Filesize: 197KB
  MD5: c9537d3be1791e3f08c11ef9cd04577c
  SHA1: 7be77506a41daf0bbac3491ae0118d4c960913f3
  SHA256: b903599cf6010d7873ef204c20d2460876a56355af8e3384354387a85c940a53
  SHA512: e2984d264b2ab70306491aeea6e0ceefd7ae5920a24a11136e4b8b39110b107881b9a2da9bb6a8165b5193b2ef44cc2beb6cf446256b7e86c4bd3d451b176348
- Filesize: 197KB
  MD5: 63c1bf58fa9612eb1f6a5798be2ebcf7
  SHA1: 2727ce40684db0fdd50b8f17f44971c3a6dc42c8
  SHA256: 24ef24706c91f85de202ee1013b1da312ae5d3851523c7fc00c6af8c82ffc7e7
  SHA512: 008b98656fd829fe4fa925574ec870cd6c2650bf7d01a7ac9f24e2b3dac7b357a78af0fdeba730d81fbbc89f95bcb079beccd1fdfe0b504ab1225df4ed71acda
- Filesize: 197KB
  MD5: a38d7338dacc42228b21e01d03fcb93c
  SHA1: ee7225abf8ee23f802185edb8a0f5acea7e84e35
  SHA256: f7481e04575040664c113f2cdc513e494bfc70529e97bad3c1cc1c94060ea488
  SHA512: d4dee547aa5846439fdd3825fb2480c9a1189ff234595b3cf44d92f3ac7c1ee90a7dd04af9c1d4680a9cc6fdb0f41462b139b811dbca5d7140311b0ed4e811d5
- Filesize: 197KB
  MD5: d757dacdcb362e0ce3af605dc8618600
  SHA1: d7dda4a940408ce62324ee13be8a0a5e0bf560ff
  SHA256: 8aa8b06052a649ebe0c998ac11111ebf29ad2d7ff89a850153644b1c9d9b7a0e
  SHA512: 9da3daab4dc9a41f533fc0b4ce55767eae211e916233d9072d7f4a321951751c4a2cd68d2950e5eb481543b6bba033afdfc4b2f7212c35a9aec4e4b92bde29b4
- Filesize: 197KB
  MD5: fbc51456463e31bca13898a39887a643
  SHA1: 0d1c41b396847662a3fcd0434b3b9002feab89c6
  SHA256: 85a9946e6a217e9a2f7fc4074965e7a22e20a76ca7ba7b9746ea003979cffb38
  SHA512: a4a1147af7721a1893627c1dd1a4cb5a403fd63245493a3e45a978060ad6ea335dfecd14c8153eff26db6701cfcee5537213083b0c3f2f90ca58bdda0bad757d
- Filesize: 136KB
  MD5: b1a9f29bff49b339b30fc32f4c86ced1
  SHA1: 8690ff1d4fd76b76c38d4199ff7247899952ca7b
  SHA256: 92189e99592c76fc19b240c7d644a1290afb1967eab181523261369f17821fc4
  SHA512: ee3f438dc62457462dab5f5d068382f84d3561fa043309afb91d2786bd79542efa5248ca2df9ff49e14f90e9b8234554fb04eb1371656db554fedbf4b467ca76
- Filesize: 197KB
  MD5: 9ef53047d8e6c14e7e67491137a0b4d9
  SHA1: fa3bbca105e3b8e1094860e7b727dcfd2377f4bd
  SHA256: 9e7fc29ef0ae93271150677db1db2efaadfa1c86c9e603c9efec2c6c979ac5b6
  SHA512: 673bc129a064a7bbf82204b8b89875f2a1ace2fafc18323ff5a9adf994c0793ef9076bc9e0bc0cfbc47fe3a66e348ac51a1e0a6009896841e289dc5f8d9946f4