Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Size: 408KB
MD5: 011e13009db147c44f349d7df4be4eb4
SHA1: f84399f6e29ddcbefc34d19c70a78b7fe4dd4dfa
SHA256: e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a
SHA512: 8863b3d7391d1ef1550da7dcf666542cc4e239fd0d0bc623933658ea43f622ad706b87a3bffead1c7fb083870a260823c985e1c62f0e6a7117658054e8f2f679
SSDEEP: 3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x000800000002323b-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322a-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023243-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e76b-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023243-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e76b-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023243-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db36-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023243-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db36-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023240-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001db36-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the WOW6432Node view: the processes are 32-bit, which is also why cmd.exe resolves to SysWOW64 in the process tree).
description | ioc | Process
Set value (str) | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}\stubpath = "C:\\Windows\\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe" | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
Set value (str) | {05A410A2-9AC7-424c-8545-254B84A6828F}\stubpath = "C:\\Windows\\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe" | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Key created | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367} | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe
Set value (str) | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}\stubpath = "C:\\Windows\\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe" | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe
Set value (str) | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}\stubpath = "C:\\Windows\\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe" | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
Set value (str) | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}\stubpath = "C:\\Windows\\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe" | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
Key created | {B698C8B8-DA09-49bd-9878-78397DEFAD00} | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
Key created | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC} | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
Key created | {CC170EC3-DEDC-4d96-A8B5-174C62E27069} | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
Set value (str) | {E114561B-0C00-415a-BAAC-206BA40D6295}\stubpath = "C:\\Windows\\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe" | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
Key created | {280C34ED-193D-4e05-AD77-77DA8B2F88E7} | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
Key created | {F1334345-3122-4ddc-AAFD-8DC5782574CC} | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
Set value (str) | {F1334345-3122-4ddc-AAFD-8DC5782574CC}\stubpath = "C:\\Windows\\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe" | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
Set value (str) | {B698C8B8-DA09-49bd-9878-78397DEFAD00}\stubpath = "C:\\Windows\\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe" | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
Set value (str) | {CC170EC3-DEDC-4d96-A8B5-174C62E27069}\stubpath = "C:\\Windows\\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe" | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
Set value (str) | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}\stubpath = "C:\\Windows\\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe" | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe
Key created | {741286AF-A3C1-4e68-9963-B3A4D9D3B652} | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
Key created | {53FCA375-C1D1-4a49-AA44-0123F3596CA5} | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
Key created | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE} | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
Key created | {05A410A2-9AC7-424c-8545-254B84A6828F} | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Key created | {E114561B-0C00-415a-BAAC-206BA40D6295} | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
Key created | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC} | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe
Set value (str) | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}\stubpath = "C:\\Windows\\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe" | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
Set value (str) | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}\stubpath = "C:\\Windows\\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe" | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
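The 24 registry IoCs above are one persistence technique applied twelve times: every stage registers an Active Setup Installed Components subkey whose StubPath points at the next GUID-named executable in C:\Windows. Active Setup runs a component's StubPath once for each user at logon when that user's HKCU copy of the component is missing, so the chain re-executes on the next logon even after each stage has deleted itself. The twelve dropped files listed under Downloads are all 408KB, like the submitted sample, yet carry twelve different hashes, so per-file hash blocking would not cover the chain; the StubPath pattern is the durable signal. The following is an added detection example, not part of the sandbox output: it checks registry value-set events shaped like Sysmon Event ID 13 records (the field names image, target_object and details, the writer name of the benign control entry, and the control entry itself are assumptions) constructed from the IoCs above, then follows writer-to-StubPath links to recover the drop order.

```python
"""Active Setup StubPath persistence check and drop-chain reconstruction.

Added example for this report, not part of the sandbox output. Events are
constructed from the 'Set value (str)' IoCs in the report in the shape of a
Sysmon Event ID 13 record (image / target_object / details); the field names
and the benign control entry are assumptions.
"""
import re
from typing import List, NamedTuple


class RegEvent(NamedTuple):
    image: str          # process that wrote the value
    target_object: str  # full registry path of the value
    details: str        # data written


class Hit(NamedTuple):
    guid: str
    writer: str
    stubpath: str


# Active Setup\Installed Components\{GUID}\StubPath, native or WOW6432Node view.
ACTIVE_SETUP_STUBPATH = re.compile(
    r"^(?:\\REGISTRY\\MACHINE\\SOFTWARE|HKLM\\SOFTWARE)\\(?:WOW6432Node\\)?"
    r"Microsoft\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]{36}\})\\StubPath$",
    re.IGNORECASE,
)
# A bare GUID-named executable directly in C:\Windows is not how legitimate
# components register a StubPath (they point at an installer or a system binary).
GUID_EXE_IN_WINDOWS = re.compile(r'^"?C:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe"?$', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_active_setup_persistence(events: List[RegEvent]) -> List[Hit]:
    """Return every StubPath write whose target is a GUID-named EXE in C:\\Windows."""
    hits = []
    for ev in events:
        key = ACTIVE_SETUP_STUBPATH.match(ev.target_object)
        if key and GUID_EXE_IN_WINDOWS.match(ev.details.strip()):
            hits.append(Hit(key.group(1), ev.image, ev.details.strip().strip('"')))
    return hits


def build_drop_chain(hits: List[Hit], root_image: str) -> List[str]:
    """Follow writer -> StubPath target -> next writer, starting from the root sample."""
    by_writer = {_basename(h.writer): h for h in hits}
    chain, current = [], _basename(root_image)
    while current in by_writer:
        hit = by_writer.pop(current)      # pop guards against a looping chain
        chain.append(hit.guid)
        current = _basename(hit.stubpath)
    return chain


ROOT = "2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
GUIDS = [  # in drop order, as recovered from the report's IoC table
    "{05A410A2-9AC7-424c-8545-254B84A6828F}", "{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}",
    "{E114561B-0C00-415a-BAAC-206BA40D6295}", "{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}",
    "{741286AF-A3C1-4e68-9963-B3A4D9D3B652}", "{280C34ED-193D-4e05-AD77-77DA8B2F88E7}",
    "{F1334345-3122-4ddc-AAFD-8DC5782574CC}", "{B698C8B8-DA09-49bd-9878-78397DEFAD00}",
    "{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}", "{53FCA375-C1D1-4a49-AA44-0123F3596CA5}",
    "{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}", "{CC170EC3-DEDC-4d96-A8B5-174C62E27069}",
]


def sample_events() -> List[RegEvent]:
    """Constructed events: the 12 StubPath writes from the report (order shuffled by
    reversing, since the sandbox log is not in drop order) plus one benign control."""
    events, writer = [], ROOT
    for guid in GUIDS:
        events.append(RegEvent(writer, KEY + "\\" + guid + "\\stubpath", "C:\\Windows\\" + guid + ".exe"))
        writer = guid + ".exe"
    events.reverse()
    # Control modeled on a stock Windows Active Setup entry (writer name assumed):
    # same key, but the StubPath is a system binary with arguments, so it must not be flagged.
    events.insert(3, RegEvent("msiexec.exe", KEY + r"\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath",
                              "regsvr32.exe /s /n /i:U shell32.dll"))
    return events


if __name__ == "__main__":
    found = flag_active_setup_persistence(sample_events())
    print(f"{len(found)} suspicious StubPath writes")
    for i, guid in enumerate(build_drop_chain(found, ROOT), 1):
        print(f"stage {i:2d}: C:\\Windows\\{guid}.exe")
```

The key match alone is too broad (Windows itself and ordinary installers populate Active Setup), so the rule requires both the key and a StubPath that is a lone GUID-named .exe under C:\Windows; on a live host the same check can be run against the output of `reg query` for both the native and the WOW6432Node key.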
Executes dropped EXE 12 IoCs
pid | Process
4812 | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe
4504 | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
1176 | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe
2316 | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
3716 | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
412 | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
2184 | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
2320 | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
1604 | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
3096 | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
3584 | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
2456 | {CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
File created | C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
File created | C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe
File created | C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
File created | C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
File created | C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
File created | C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
File created | C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
File created | C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
File created | C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
File created | C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe
File created | C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4600 | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4812 | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe
Token: SeIncBasePriorityPrivilege | 4504 | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
Token: SeIncBasePriorityPrivilege | 1176 | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe
Token: SeIncBasePriorityPrivilege | 2316 | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
Token: SeIncBasePriorityPrivilege | 3716 | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
Token: SeIncBasePriorityPrivilege | 412 | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
Token: SeIncBasePriorityPrivilege | 2184 | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
Token: SeIncBasePriorityPrivilege | 2320 | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
Token: SeIncBasePriorityPrivilege | 1604 | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
Token: SeIncBasePriorityPrivilege | 3096 | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
Token: SeIncBasePriorityPrivilege | 3584 | {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row below appears three times in the sandbox log (three writes per child process). The list is capped at 64 entries, so the final row appears once and no writes by PID 3584 are listed.
description | pid | Process | procid_target
PID 4600 wrote to memory of 4812 | 4600 | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | 94
PID 4600 wrote to memory of 232 | 4600 | 2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe | 95
PID 4812 wrote to memory of 4504 | 4812 | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe | 96
PID 4812 wrote to memory of 668 | 4812 | {05A410A2-9AC7-424c-8545-254B84A6828F}.exe | 97
PID 4504 wrote to memory of 1176 | 4504 | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | 100
PID 4504 wrote to memory of 2544 | 4504 | {EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe | 101
PID 1176 wrote to memory of 2316 | 1176 | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe | 103
PID 1176 wrote to memory of 336 | 1176 | {E114561B-0C00-415a-BAAC-206BA40D6295}.exe | 104
PID 2316 wrote to memory of 3716 | 2316 | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | 105
PID 2316 wrote to memory of 3880 | 2316 | {D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe | 106
PID 3716 wrote to memory of 412 | 3716 | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | 107
PID 3716 wrote to memory of 3848 | 3716 | {741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe | 108
PID 412 wrote to memory of 2184 | 412 | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | 109
PID 412 wrote to memory of 3532 | 412 | {280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe | 110
PID 2184 wrote to memory of 2320 | 2184 | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | 111
PID 2184 wrote to memory of 3304 | 2184 | {F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe | 112
PID 2320 wrote to memory of 1604 | 2320 | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | 113
PID 2320 wrote to memory of 3184 | 2320 | {B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe | 114
PID 1604 wrote to memory of 3096 | 1604 | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | 115
PID 1604 wrote to memory of 2424 | 1604 | {EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe | 116
PID 3096 wrote to memory of 3584 | 3096 | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | 117
PID 3096 wrote to memory of 3200 | 3096 | {53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe | 118 (listed once; cap reached)
Processes
Tree depth is given first; "child of" is the parent PID. The command line is shown only where it differs from the image path.
1  C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
   PID 4600
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2  C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe (child of 4600)
   PID 4812
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\cmd.exe (child of 4600)
   command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
   PID 232
3  C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe (child of 4812)
   PID 4504
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\cmd.exe (child of 4812)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{05A41~1.EXE > nul
   PID 668
4  C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe (child of 4504)
   PID 1176
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\cmd.exe (child of 4504)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF590~1.EXE > nul
   PID 2544
5  C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe (child of 1176)
   PID 2316
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\cmd.exe (child of 1176)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1145~1.EXE > nul
   PID 336
6  C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe (child of 2316)
   PID 3716
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\cmd.exe (child of 2316)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D773D~1.EXE > nul
   PID 3880
7  C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe (child of 3716)
   PID 412
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\cmd.exe (child of 3716)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74128~1.EXE > nul
   PID 3848
8  C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe (child of 412)
   PID 2184
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\cmd.exe (child of 412)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{280C3~1.EXE > nul
   PID 3532
9  C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe (child of 2184)
   PID 2320
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\cmd.exe (child of 2184)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1334~1.EXE > nul
   PID 3304
10 C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe (child of 2320)
   PID 1604
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
10 C:\Windows\SysWOW64\cmd.exe (child of 2320)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B698C~1.EXE > nul
   PID 3184
11 C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe (child of 1604)
   PID 3096
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
11 C:\Windows\SysWOW64\cmd.exe (child of 1604)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCB0~1.EXE > nul
   PID 2424
12 C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe (child of 3096)
   PID 3584
   - Modifies Installed Components in the registry
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
12 C:\Windows\SysWOW64\cmd.exe (child of 3096)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53FCA~1.EXE > nul
   PID 3200
13 C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe (child of 3584)
   PID 2456
   - Executes dropped EXE
13 C:\Windows\SysWOW64\cmd.exe (child of 3584)
   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A44F~1.EXE > nul
   PID 2000
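The tree has the same shape at every level: a GUID-named executable starts the next stage and also starts `cmd.exe /c del <its own path> > nul`, where the path is the 8.3 short name of the file being deleted ({2A44F~1.EXE for {2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe, 2024-0~1.EXE for the submitted sample), so a plain string comparison between the `del` argument and the parent's image path misses the self-deletion. What follows is an added example, not part of the sandbox output: process-creation events constructed from the tree above in the shape of Sysmon Event ID 1 records (pid, ppid, image, cmdline are assumed field names; the root's parent PID is a placeholder because the report does not show it), a simplified 8.3 alias predictor, and a check that flags a cmd.exe child deleting its own parent's image.

```python
"""Flag cmd.exe children that delete their parent's own image (self-deletion).

Added example for this report, not part of the sandbox output. Process-creation
events are constructed from the report's process tree; the root's parent PID
(1234) is a placeholder because the report does not show it.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str


# (pid, image, pid of the cmd.exe that deletes it, path used in that del command), from the report.
CHAIN: List[Tuple[int, str, Optional[int], Optional[str]]] = [
    (4600, r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe",
     232, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    (4812, r"C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe", 668, r"C:\Windows\{05A41~1.EXE"),
    (4504, r"C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe", 2544, r"C:\Windows\{EF590~1.EXE"),
    (1176, r"C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe", 336, r"C:\Windows\{E1145~1.EXE"),
    (2316, r"C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe", 3880, r"C:\Windows\{D773D~1.EXE"),
    (3716, r"C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe", 3848, r"C:\Windows\{74128~1.EXE"),
    (412, r"C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe", 3532, r"C:\Windows\{280C3~1.EXE"),
    (2184, r"C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe", 3304, r"C:\Windows\{F1334~1.EXE"),
    (2320, r"C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe", 3184, r"C:\Windows\{B698C~1.EXE"),
    (1604, r"C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe", 2424, r"C:\Windows\{EFCB0~1.EXE"),
    (3096, r"C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe", 3200, r"C:\Windows\{53FCA~1.EXE"),
    (3584, r"C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe", 2000, r"C:\Windows\{2A44F~1.EXE"),
    (2456, r"C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe", None, None),
]


def sample_events() -> List[ProcEvent]:
    """Constructed Sysmon-style process-creation events, one per process in the tree."""
    events, parent = [], 1234  # 1234: placeholder parent of the root sample
    for pid, image, cmd_pid, short in CHAIN:
        events.append(ProcEvent(pid, parent, image, image))
        if cmd_pid is not None:
            events.append(ProcEvent(cmd_pid, pid, r"C:\Windows\SysWOW64\cmd.exe",
                                    r"C:\Windows\system32\cmd.exe /c del " + short + " > nul"))
        parent = pid
    return events


def short_name_83(name: str) -> str:
    """Predict the 8.3 alias Windows generates for a long file name (simplified).
    Real aliases use ~2..~4 on collision and a hashed form beyond that, so callers
    should match the numeric tail loosely rather than trusting ~1."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    clean = "".join("_" if c in "+,;=[]" else c for c in stem if c not in " .").upper()
    ext_short = ext.upper()[:3]
    suffix = "." + ext_short if ext_short else ""
    if len(clean) <= 8 and clean == stem.upper() and len(ext) <= 3:
        return clean + suffix          # short enough already: no alias is generated
    return clean[:6] + "~1" + suffix


def del_target_matches(target: str, parent_image: str) -> bool:
    """True if the del argument names the parent image, by long or 8.3 short name."""
    t = target.rsplit("\\", 1)[-1].upper()
    base = parent_image.rsplit("\\", 1)[-1]
    if t == base.upper():
        return True
    head, tilde, tail = short_name_83(base).partition("~1")
    pattern = re.escape(head) + (r"~\d+" + re.escape(tail) if tilde else "")
    return re.fullmatch(pattern, t) is not None


DEL_RE = re.compile(r'\bdel\s+(?:/\w\s+)*"?([^\s"]+)', re.IGNORECASE)


def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, str, int]]:
    """Return (parent pid, parent image, cmd pid) for every cmd.exe that deletes its parent."""
    by_pid = {e.pid: e for e in events}
    found = []
    for e in events:
        if e.image.rsplit("\\", 1)[-1].lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and del_target_matches(m.group(1), parent.image):
            found.append((parent.pid, parent.image, e.pid))
    return found


if __name__ == "__main__":
    for ppid, image, cmd_pid in find_self_deletion(sample_events()):
        print(f"PID {ppid} ({image.rsplit(chr(92), 1)[-1]}) deleted by cmd.exe PID {cmd_pid}")
```

The check flags twelve of the thirteen stages; the last one, PID 2456, spawns no cmd.exe in the report, so it is not flagged. The 8.3 predictor only handles the common case, and short names are off on volumes where 8dot3name creation is disabled, so treat a miss as inconclusive rather than as proof that no self-deletion happened.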
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 408KB
MD5: a7550814e5ceddba2d236c68c9db7b2f
SHA1: 9480fc49bd0108653d69505669526dd7f0c3c22f
SHA256: aeb3b20f58906aa5059e94ac0dc85cee0565b2ce0768b110989598c9bb94e543
SHA512: c0d87b2d33f3306df59ea77bdd5e43789d247e237d3a10dbe0116cd60ee00491ebddb8ff5d814c76c8bec85bd12a97c0cee29718451451ded99520d06329c631

Filesize: 408KB
MD5: 6a2822ffd4ed5318b03dc9f758c229a2
SHA1: 37b0da5f3dda82fd3dc472f8505dad6b265c4f91
SHA256: 970d921525c8283246ada37ac5d5bab8593f1ec1f529de75bd783c33905be603
SHA512: fba191853b1cc5835401e6d43547bd717d7be4bcef9a66bc86ab7a7d107f55ebcc367beaddb30a370919e76606afbd6948b9b24586198271d99ffcb613b40d8b

Filesize: 408KB
MD5: b4a0ae726cfcb78fdf1f477b3e1522ae
SHA1: 3aa62d0de78a84c0919124c725e341d61eb5a5da
SHA256: 7f81be6ee1fa4b10fc077eeceed4fbeae17c662aff9e935a44c82eae1110775c
SHA512: cfb5beaa31f255d81ba5b51387311d8b96082e324604cf94e4129795260cf80b63c260f3021ec29b9f5f75206be003ce4dfff855903f5b2a1ef3390b56b8e04c

Filesize: 408KB
MD5: 8e53448751cfebff2ef7d89238e1acb5
SHA1: fa4de38c2654d31d15cd20f5bc87b666435ae966
SHA256: b18ffc49ec76934012fdabedef156aae6691d7de3d015a01b164b982e2aa4d4c
SHA512: e10cf90e6c9da96f93dbf71d39eec7f114474d8744878dbfbb7f43266d1b747b6498ec54d6c47b8f421f4edd622e00e97aa34052097e8df462f66ced7e1ad1b0

Filesize: 408KB
MD5: cbd785abcf81395e5c6b35576e8aea1a
SHA1: 7c775cd2c4e4f976caf2be3e661f846d33d9d0c5
SHA256: b44ca5a968304e99877f1b27ed4113b7f0cc50ccf0981ead55138ea13ae9c6f0
SHA512: 829dee45d7a916248c9423a2686d76548b16be282d4659fcc63da0ade81b0e26c37eb5ac16feb7a916b29de041ab378b5d223e9c228ed8a17e8fdaf0f359f531

Filesize: 408KB
MD5: bf1fe7ac730308e273e3c764511d100c
SHA1: 8f5c21e27a93de03b55e1b0c9db257bdc683e378
SHA256: 53b8b828e3243bbb8af7fb68aa92f1ea03abf8b5ed4b2066e014cad660b626f7
SHA512: 0d78c8a05a0d7ddcfe82adf0b8b2552c84540930d349c926a764e22a5d1c0b16b69df86c91ccabeaa554d2d44db57367b041c0101b59553f727f0e8f9c9493cf

Filesize: 408KB
MD5: 347ca2aea7503c1720a6f089cfe52209
SHA1: 3d63cdd15a388e8fd0950b1c1202679b93df4b22
SHA256: 422bae897342bd627003b08b0f458f50043c6088112aa70ada2d9aac4923ebf0
SHA512: 49b408ef889e18fc538aec0f1533f2f39e27ce2967b76e64e50d90e48bfd3889ddf53815a3b674018e0760e072afb7e7af70ec13b4f2ebd6c634ad0a907dc92f

Filesize: 408KB
MD5: d085c1f10ba21a7c895405764b136c45
SHA1: b3c4aae5284965fb49ec57b3d96350cf0215c825
SHA256: 67f19e5a1685f6e5552203704cc24c6b11e57384df0a20c80b5a471eb7f215a9
SHA512: 2a9ed37f42b3e52e64228f49974a9b61a137904d6f55b2f04ffae568c3b98f41e89be7a0b78b5bd9a938acf6c25afde613d2aaa398a4042a471b4e08d1a6c8d2

Filesize: 408KB
MD5: 476190ed351ec4740a1af77cb50ac150
SHA1: 4e5ab03a8b389d03af222d3be1a31829be26962c
SHA256: 8ddeb6a3018c9cf9af0e63179133d1833adb478400de61c6f1166803f2df4270
SHA512: 89d186379ee8674945b827de393ebb6bdbe03d8dce1f831d8aeaf598614926f9ccae25c178493e3dd9e1774e949af2c7fa9e3cfad028e8753245a1e24dc23a32

Filesize: 408KB
MD5: 06556908af90a5bb64d4890210f92435
SHA1: 72aa27784c401dabb2fbdb6ef9652fdbf38850f6
SHA256: 0ae4abb2d27b0995cf291fa97d3c59daa6612c21166113faeb90c2937f771f4f
SHA512: 446d944c14f77a1da669dc0173679df4a247fae36d6996e2f981da398a91e8eaa0f7f04ae47ddacec3c01a77a08621471418f576ee3b2db45e8f20e7137f0c91

Filesize: 408KB
MD5: 926053ebf3c2f2d4c3d76ac70763063d
SHA1: 96dab02f33ef525f6bc9ad76f948258e7350f133
SHA256: e263634f8dbd02139ef290ca34069c6e0ebc60b18d39478702b5b2ea9025a8b5
SHA512: b38a29c8bfa7e269ae68d3a2330a681a2e43bd7bbc313021a9ff82e6dc8b010bf94cdac71019341e02c9bdd30862fd60dc88afe5a95f9c8db21297ce1a41e2f0

Filesize: 408KB
MD5: 809133b041504bf7f98e1490bfe4c547
SHA1: d88348d7a20744e6cf63155fc23e981c57213071
SHA256: ee9e4f0957467cb91fb75dbb89a98d076dea870d850fd850072f010aab9e6324
SHA512: 1a27bd55ae1506c5c3b8522295d53b43e80d7ae5bad4cf6fc6860e131068dcdbd29de25ddc5ccd65c8ce29910e88dbb34db4fbcd03b54fed451eb89bcfdb867f