Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:45

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Resource: win10v2004-20240226-en

General

Target: 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
Size: 192KB
MD5: 41a3bfd84351468cb374b10e6bc69476
SHA1: 251255420d7c9a4f63a904db85c1df31f5464c11
SHA256: a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e
SHA512: d9da1e919e6c09cee37c34ad6c19232790d46651bc9b92f79514718dd7eee04c7ab2f945ebdb20b4fdeb0da13575addc8d942ed9c18fa9bae017227e93823d5b
SSDEEP: 1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures
Auto-generated rule (14 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/files/0x0008000000023224-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0009000000023225-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000800000002322d-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000300000001e759-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000300000001e759-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000900000002322d-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000400000001e759-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a00000002322d-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000500000001e759-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b00000002322d-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b00000002322d-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000600000001e759-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000023229-41.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000700000001e759-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

All keys in this table are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (prefix omitted from the ioc column).

| description | ioc | Process |
|---|---|---|
| Key created | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077} | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe |
| Set value (str) | {361BD565-F520-4a0c-AC81-3EB5639A041A}\stubpath = "C:\\Windows\\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe" | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe |
| Set value (str) | {CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}\stubpath = "C:\\Windows\\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe" | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe |
| Key created | {42358362-7D64-474d-B848-4EC07CD85593} | {361BD565-F520-4a0c-AC81-3EB5639A041A}.exe |
| Key created | {74D39418-887F-4c99-8E18-114FBBF96294} | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe |
| Set value (str) | {74D39418-887F-4c99-8E18-114FBBF96294}\stubpath = "C:\\Windows\\{74D39418-887F-4c99-8E18-114FBBF96294}.exe" | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe |
| Key created | {35C4BA13-0E52-4031-A865-893C625108D4} | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe |
| Set value (str) | {35C4BA13-0E52-4031-A865-893C625108D4}\stubpath = "C:\\Windows\\{35C4BA13-0E52-4031-A865-893C625108D4}.exe" | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe |
| Set value (str) | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}\stubpath = "C:\\Windows\\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe" | {35C4BA13-0E52-4031-A865-893C625108D4}.exe |
| Key created | {CEF1478F-9B1E-4b2a-8F20-EF5126829E0E} | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe |
| Set value (str) | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}\stubpath = "C:\\Windows\\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe" | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe |
| Set value (str) | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}\stubpath = "C:\\Windows\\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe" | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe |
| Set value (str) | {42358362-7D64-474d-B848-4EC07CD85593}\stubpath = "C:\\Windows\\{42358362-7D64-474d-B848-4EC07CD85593}.exe" | {361BD565-F520-4a0c-AC81-3EB5639A041A}.exe |
| Key created | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5} | {42358362-7D64-474d-B848-4EC07CD85593}.exe |
| Key created | {49CC1E98-DAB9-4620-9657-880BF5F522DA} | {74D39418-887F-4c99-8E18-114FBBF96294}.exe |
| Key created | {A8917BC4-4EAF-41f3-931A-6A775500B0A6} | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe |
| Key created | {60652E29-8BED-404e-8F02-F4FBE2CD08EF} | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe |
| Set value (str) | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}\stubpath = "C:\\Windows\\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe" | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe |
| Key created | {361BD565-F520-4a0c-AC81-3EB5639A041A} | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe |
| Set value (str) | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}\stubpath = "C:\\Windows\\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe" | {42358362-7D64-474d-B848-4EC07CD85593}.exe |
| Set value (str) | {49CC1E98-DAB9-4620-9657-880BF5F522DA}\stubpath = "C:\\Windows\\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe" | {74D39418-887F-4c99-8E18-114FBBF96294}.exe |
| Key created | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3} | {49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe |
| Set value (str) | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}\stubpath = "C:\\Windows\\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe" | {49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe |
| Key created | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD} | {35C4BA13-0E52-4031-A865-893C625108D4}.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 4308 | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe |
| 2912 | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe |
| 2324 | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe |
| 1308 | {361BD565-F520-4a0c-AC81-3EB5639A041A}.exe |
| 3656 | {42358362-7D64-474d-B848-4EC07CD85593}.exe |
| 4816 | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe |
| 3908 | {74D39418-887F-4c99-8E18-114FBBF96294}.exe |
| 3192 | {49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe |
| 4416 | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe |
| 1456 | {35C4BA13-0E52-4031-A865-893C625108D4}.exe |
| 2084 | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe |
| 1432 | {CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe |
Drops file in Windows directory (12 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe | {35C4BA13-0E52-4031-A865-893C625108D4}.exe |
| File created | C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe |
| File created | C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe | {42358362-7D64-474d-B848-4EC07CD85593}.exe |
| File created | C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe |
| File created | C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe | {361BD565-F520-4a0c-AC81-3EB5639A041A}.exe |
| File created | C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe |
| File created | C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe | {74D39418-887F-4c99-8E18-114FBBF96294}.exe |
| File created | C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe | {49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe |
| File created | C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe |
| File created | C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe |
| File created | C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe |
| File created | C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 5108 | 2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 4308 | {A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe |
| Token: SeIncBasePriorityPrivilege | 2912 | {60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe |
| Token: SeIncBasePriorityPrivilege | 2324 | {388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe |
| Token: SeIncBasePriorityPrivilege | 1308 | {361BD565-F520-4a0c-AC81-3EB5639A041A}.exe |
| Token: SeIncBasePriorityPrivilege | 3656 | {42358362-7D64-474d-B848-4EC07CD85593}.exe |
| Token: SeIncBasePriorityPrivilege | 4816 | {2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe |
| Token: SeIncBasePriorityPrivilege | 3908 | {74D39418-887F-4c99-8E18-114FBBF96294}.exe |
| Token: SeIncBasePriorityPrivilege | 3192 | {49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe |
| Token: SeIncBasePriorityPrivilege | 4416 | {56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe |
| Token: SeIncBasePriorityPrivilege | 1456 | {35C4BA13-0E52-4031-A865-893C625108D4}.exe |
| Token: SeIncBasePriorityPrivilege | 2084 | {2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe (PID 5108, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2128, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe (PID 4308, depth 2)
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 452, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8917~1.EXE > nul
    - C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe (PID 2912, depth 3)
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 5116, depth 4)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{60652~1.EXE > nul
      - C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe (PID 2324, depth 4)
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 572, depth 5)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{388B8~1.EXE > nul
        - C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe (PID 1308, depth 5)
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 4716, depth 6)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{361BD~1.EXE > nul
          - C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe (PID 3656, depth 6)
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe (PID 4704, depth 7)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{42358~1.EXE > nul
            - C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe (PID 4816, depth 7)
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe (PID 2868, depth 8)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF6C~1.EXE > nul
              - C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe (PID 3908, depth 8)
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe (PID 1976, depth 9)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74D39~1.EXE > nul
                - C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe (PID 3192, depth 9)
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\SysWOW64\cmd.exe (PID 1956, depth 10)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{49CC1~1.EXE > nul
                  - C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe (PID 4416, depth 10)
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\SysWOW64\cmd.exe (PID 4220, depth 11)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56A8B~1.EXE > nul
                    - C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe (PID 1456, depth 11)
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\SysWOW64\cmd.exe (PID 3060, depth 12)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35C4B~1.EXE > nul
                      - C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe (PID 2084, depth 12)
                        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\SysWOW64\cmd.exe (PID 3092, depth 13)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2443B~1.EXE > nul
                        - C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe (PID 1432, depth 13)
                          Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads