Analysis
max time kernel: 149s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Size: 168KB
MD5: 0a5b152cb8c16f9ca55148f4565cb954
SHA1: 28e8a9135e60e20862496f0007c9dc69c20a74ad
SHA256: 9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689
SHA512: 986751a468cd12a2a53bada435e623937e33c581f151621a89ed0aac7f2df300df9f7aefa48ee5952f770c21f1af64875ca071d092460f9db6c094b68930fe0d
SSDEEP: 1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023227-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023220-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002314b-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322f-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002314b-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322f-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002314b-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002322f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002314b-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322c-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002314b-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}\stubpath = "C:\\Windows\\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe" | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}\stubpath = "C:\\Windows\\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe" | {109E3B1E-9226-460f-9A30-02585EE25206}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5} | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09} | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}\stubpath = "C:\\Windows\\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe" | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE} | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6} | {109E3B1E-9226-460f-9A30-02585EE25206}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA985F33-A890-4b4a-A3BF-ECAF2F340068} | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4} | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}\stubpath = "C:\\Windows\\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe" | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}\stubpath = "C:\\Windows\\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe" | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}\stubpath = "C:\\Windows\\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe" | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BE3E2C-4B07-4bd0-9D63-9641B4310803} | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109E3B1E-9226-460f-9A30-02585EE25206} | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}\stubpath = "C:\\Windows\\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe" | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}\stubpath = "C:\\Windows\\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe" | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C1A391-9417-4250-B837-D94ACF5F76E8} | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C1A391-9417-4250-B837-D94ACF5F76E8}\stubpath = "C:\\Windows\\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe" | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB} | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E} | {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C94FCB-2BA1-467c-8D4E-C477667EF06E} | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109E3B1E-9226-460f-9A30-02585EE25206}\stubpath = "C:\\Windows\\{109E3B1E-9226-460f-9A30-02585EE25206}.exe" | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}\stubpath = "C:\\Windows\\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe" | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}\stubpath = "C:\\Windows\\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe" | {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
Executes dropped EXE (12 IoCs)
pid | Process
208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe
1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
4240 | {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
1600 | {C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
File created | C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
File created | C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | {109E3B1E-9226-460f-9A30-02585EE25206}.exe
File created | C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
File created | C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
File created | C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
File created | C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe | {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
File created | C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
File created | C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
File created | C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
File created | C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
File created | C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
Token: SeIncBasePriorityPrivilege | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
Token: SeIncBasePriorityPrivilege | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
Token: SeIncBasePriorityPrivilege | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe
Token: SeIncBasePriorityPrivilege | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
Token: SeIncBasePriorityPrivilege | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
Token: SeIncBasePriorityPrivilege | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
Token: SeIncBasePriorityPrivilege | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
Token: SeIncBasePriorityPrivilege | 1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
Token: SeIncBasePriorityPrivilege | 4240 | {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4228 wrote to memory of 208 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 95
PID 4228 wrote to memory of 208 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 95
PID 4228 wrote to memory of 208 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 95
PID 4228 wrote to memory of 1328 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 96
PID 4228 wrote to memory of 1328 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 96
PID 4228 wrote to memory of 1328 | 4228 | 2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe | 96
PID 208 wrote to memory of 5000 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 97
PID 208 wrote to memory of 5000 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 97
PID 208 wrote to memory of 5000 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 97
PID 208 wrote to memory of 4868 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 98
PID 208 wrote to memory of 4868 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 98
PID 208 wrote to memory of 4868 | 208 | {107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe | 98
PID 5000 wrote to memory of 3780 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 101
PID 5000 wrote to memory of 3780 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 101
PID 5000 wrote to memory of 3780 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 101
PID 5000 wrote to memory of 4424 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 102
PID 5000 wrote to memory of 4424 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 102
PID 5000 wrote to memory of 4424 | 5000 | {93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe | 102
PID 3780 wrote to memory of 2568 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 104
PID 3780 wrote to memory of 2568 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 104
PID 3780 wrote to memory of 2568 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 104
PID 3780 wrote to memory of 2992 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 105
PID 3780 wrote to memory of 2992 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 105
PID 3780 wrote to memory of 2992 | 3780 | {631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe | 105
PID 2568 wrote to memory of 3044 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 106
PID 2568 wrote to memory of 3044 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 106
PID 2568 wrote to memory of 3044 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 106
PID 2568 wrote to memory of 4036 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 107
PID 2568 wrote to memory of 4036 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 107
PID 2568 wrote to memory of 4036 | 2568 | {12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe | 107
PID 3044 wrote to memory of 1220 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 108
PID 3044 wrote to memory of 1220 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 108
PID 3044 wrote to memory of 1220 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 108
PID 3044 wrote to memory of 4520 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 109
PID 3044 wrote to memory of 4520 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 109
PID 3044 wrote to memory of 4520 | 3044 | {109E3B1E-9226-460f-9A30-02585EE25206}.exe | 109
PID 1220 wrote to memory of 3168 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 110
PID 1220 wrote to memory of 3168 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 110
PID 1220 wrote to memory of 3168 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 110
PID 1220 wrote to memory of 1116 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 111
PID 1220 wrote to memory of 1116 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 111
PID 1220 wrote to memory of 1116 | 1220 | {D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe | 111
PID 3168 wrote to memory of 3448 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 112
PID 3168 wrote to memory of 3448 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 112
PID 3168 wrote to memory of 3448 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 112
PID 3168 wrote to memory of 4176 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 113
PID 3168 wrote to memory of 4176 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 113
PID 3168 wrote to memory of 4176 | 3168 | {3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe | 113
PID 3448 wrote to memory of 1764 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 114
PID 3448 wrote to memory of 1764 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 114
PID 3448 wrote to memory of 1764 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 114
PID 3448 wrote to memory of 2128 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 115
PID 3448 wrote to memory of 2128 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 115
PID 3448 wrote to memory of 2128 | 3448 | {EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe | 115
PID 1764 wrote to memory of 1920 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 116
PID 1764 wrote to memory of 1920 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 116
PID 1764 wrote to memory of 1920 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 116
PID 1764 wrote to memory of 2468 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 117
PID 1764 wrote to memory of 2468 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 117
PID 1764 wrote to memory of 2468 | 1764 | {BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe | 117
PID 1920 wrote to memory of 4240 | 1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe | 118
PID 1920 wrote to memory of 4240 | 1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe | 118
PID 1920 wrote to memory of 4240 | 1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe | 118
PID 1920 wrote to memory of 1204 | 1920 | {73C1A391-9417-4250-B837-D94ACF5F76E8}.exe | 119
Processes
(Level = depth in the process tree; a process is a child of the nearest preceding process one level up.)

Level 1, PID 4228: C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2, PID 208: C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
  Command line: C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 3, PID 5000: C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
  Command line: C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 4, PID 3780: C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
  Command line: C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5, PID 2568: C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
  Command line: C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6, PID 3044: C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
  Command line: C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7, PID 1220: C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
  Command line: C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 8, PID 3168: C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
  Command line: C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9, PID 3448: C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
  Command line: C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 10, PID 1764: C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
  Command line: C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 11, PID 1920: C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
  Command line: C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 12, PID 4240: C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
  Command line: C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 13, PID 1600: C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
  Command line: C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
  - Executes dropped EXE

Level 13, PID 3636: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{617B6~1.EXE > nul

Level 12, PID 1204: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{73C1A~1.EXE > nul

Level 11, PID 2468: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA985~1.EXE > nul

Level 10, PID 2128: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EC9D3~1.EXE > nul

Level 9, PID 4176: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3DC9B~1.EXE > nul

Level 8, PID 1116: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D9ACC~1.EXE > nul

Level 7, PID 4520: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{109E3~1.EXE > nul

Level 6, PID 4036: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{12BE3~1.EXE > nul

Level 5, PID 2992: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{631AE~1.EXE > nul

Level 4, PID 4424: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{93C94~1.EXE > nul

Level 3, PID 4868: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{107DA~1.EXE > nul

Level 2, PID 1328: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads