Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-03-2024 13:53
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
  - Resource: win7-20240221-en
- Behavioral task: behavioral2
  - Sample: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
  - Resource: win10v2004-20240226-en
General
- Target: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
- Size: 344KB
- MD5: d2870f7b5a459697e1b6a421e12d8a50
- SHA1: d33410acdd657f540f563698f5fbb9a2aeb911ab
- SHA256: ecbaa4fe41e85e722a341cb586ad28a7f5daf6c6f2b9ef03cea5d60d06404ed5
- SHA512: 9d5722d807eaf8ec7066ce749a2d2d05f1bf63f9f32b463c9da48420d3c9fcd775f3261680add1db79d45760533b52320357dd3a8c1dc5ae9dca607e5cea7fbe
- SSDEEP: 3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGElqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource: yara_rule
- behavioral2/files/0x0008000000023252-2.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a00000002325a-6.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000023266-8.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000800000002311a-15.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0009000000023266-19.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000900000002311a-22.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000b000000023266-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a00000002311a-30.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000c000000023266-35.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0004000000022d09-38.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0004000000022d0c-42.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0005000000022d09-47.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
Columns: description: ioc (process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE00071B-04A5-4caf-B26E-2C430F6450C5}\stubpath = "C:\\Windows\\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe" (process: {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B} (process: {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}\stubpath = "C:\\Windows\\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe" (process: {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{059ED1C0-71E2-427d-BEF3-89328632CF6C} (process: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{059ED1C0-71E2-427d-BEF3-89328632CF6C}\stubpath = "C:\\Windows\\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe" (process: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B} (process: {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}\stubpath = "C:\\Windows\\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe" (process: {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC93223E-897A-408f-8ACA-0F9F0402C698} (process: {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4181357-336A-40ed-A226-F5AA10FA273E} (process: {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374360A8-4E51-4934-8C9A-72A94CF992C2}\stubpath = "C:\\Windows\\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe" (process: {22930C02-6C4A-4e3e-8906-563C59296853}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9} (process: {B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}\stubpath = "C:\\Windows\\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe" (process: {B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}\stubpath = "C:\\Windows\\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe" (process: {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324} (process: {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10} (process: {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}\stubpath = "C:\\Windows\\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe" (process: {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22930C02-6C4A-4e3e-8906-563C59296853} (process: {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22930C02-6C4A-4e3e-8906-563C59296853}\stubpath = "C:\\Windows\\{22930C02-6C4A-4e3e-8906-563C59296853}.exe" (process: {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374360A8-4E51-4934-8C9A-72A94CF992C2} (process: {22930C02-6C4A-4e3e-8906-563C59296853}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4181357-336A-40ed-A226-F5AA10FA273E}\stubpath = "C:\\Windows\\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe" (process: {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC93223E-897A-408f-8ACA-0F9F0402C698}\stubpath = "C:\\Windows\\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe" (process: {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE00071B-04A5-4caf-B26E-2C430F6450C5} (process: {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7} (process: {F4181357-336A-40ed-A226-F5AA10FA273E}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}\stubpath = "C:\\Windows\\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe" (process: {F4181357-336A-40ed-A226-F5AA10FA273E}.exe)
Executes dropped EXE (12 IoCs)
Columns: pid: process
- 5032: {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe
- 4640: {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe
- 4420: {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe
- 1644: {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe
- 2248: {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe
- 4288: {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe
- 3532: {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe
- 2444: {22930C02-6C4A-4e3e-8906-563C59296853}.exe
- 1788: {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe
- 1640: {F4181357-336A-40ed-A226-F5AA10FA273E}.exe
- 4356: {B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe
- 644: {FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe
Drops file in Windows directory (12 IoCs)
Columns: description: ioc (process)
- File created: C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe (process: {22930C02-6C4A-4e3e-8906-563C59296853}.exe)
- File created: C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe (process: {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe)
- File created: C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe (process: {F4181357-336A-40ed-A226-F5AA10FA273E}.exe)
- File created: C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe (process: {B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe)
- File created: C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe (process: 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe)
- File created: C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe (process: {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe)
- File created: C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe (process: {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe)
- File created: C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe (process: {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe)
- File created: C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe (process: {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe)
- File created: C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe (process: {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe)
- File created: C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe (process: {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe)
- File created: C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe (process: {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Columns: description, pid, process
- Token: SeIncBasePriorityPrivilege, PID 3512, 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
- Token: SeIncBasePriorityPrivilege, PID 5032, {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe
- Token: SeIncBasePriorityPrivilege, PID 4640, {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe
- Token: SeIncBasePriorityPrivilege, PID 4420, {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe
- Token: SeIncBasePriorityPrivilege, PID 1644, {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe
- Token: SeIncBasePriorityPrivilege, PID 2248, {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe
- Token: SeIncBasePriorityPrivilege, PID 4288, {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe
- Token: SeIncBasePriorityPrivilege, PID 3532, {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe
- Token: SeIncBasePriorityPrivilege, PID 2444, {22930C02-6C4A-4e3e-8906-563C59296853}.exe
- Token: SeIncBasePriorityPrivilege, PID 1788, {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe
- Token: SeIncBasePriorityPrivilege, PID 1640, {F4181357-336A-40ed-A226-F5AA10FA273E}.exe
- Token: SeIncBasePriorityPrivilege, PID 4356, {B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description (pid, process, procid_target, number of identical entries logged)
- PID 3512 wrote to memory of 5032 (3512, 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe, procid_target 98, logged 3 times)
- PID 3512 wrote to memory of 3244 (3512, 2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe, procid_target 99, logged 3 times)
- PID 5032 wrote to memory of 4640 (5032, {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe, procid_target 109, logged 3 times)
- PID 5032 wrote to memory of 2260 (5032, {059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe, procid_target 110, logged 3 times)
- PID 4640 wrote to memory of 4420 (4640, {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe, procid_target 112, logged 3 times)
- PID 4640 wrote to memory of 1012 (4640, {D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe, procid_target 113, logged 3 times)
- PID 4420 wrote to memory of 1644 (4420, {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe, procid_target 116, logged 3 times)
- PID 4420 wrote to memory of 2748 (4420, {BC93223E-897A-408f-8ACA-0F9F0402C698}.exe, procid_target 117, logged 3 times)
- PID 1644 wrote to memory of 2248 (1644, {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe, procid_target 118, logged 3 times)
- PID 1644 wrote to memory of 3244 (1644, {FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe, procid_target 119, logged 3 times)
- PID 2248 wrote to memory of 4288 (2248, {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe, procid_target 120, logged 3 times)
- PID 2248 wrote to memory of 3992 (2248, {4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe, procid_target 121, logged 3 times)
- PID 4288 wrote to memory of 3532 (4288, {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe, procid_target 123, logged 3 times)
- PID 4288 wrote to memory of 4420 (4288, {4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe, procid_target 124, logged 3 times)
- PID 3532 wrote to memory of 2444 (3532, {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe, procid_target 125, logged 3 times)
- PID 3532 wrote to memory of 1004 (3532, {C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe, procid_target 126, logged 3 times)
- PID 2444 wrote to memory of 1788 (2444, {22930C02-6C4A-4e3e-8906-563C59296853}.exe, procid_target 128, logged 3 times)
- PID 2444 wrote to memory of 4264 (2444, {22930C02-6C4A-4e3e-8906-563C59296853}.exe, procid_target 129, logged 3 times)
- PID 1788 wrote to memory of 1640 (1788, {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe, procid_target 137, logged 3 times)
- PID 1788 wrote to memory of 2756 (1788, {374360A8-4E51-4934-8C9A-72A94CF992C2}.exe, procid_target 138, logged 3 times)
- PID 1640 wrote to memory of 4356 (1640, {F4181357-336A-40ed-A226-F5AA10FA273E}.exe, procid_target 139, logged 3 times)
- PID 1640 wrote to memory of 3248 (1640, {F4181357-336A-40ed-A226-F5AA10FA273E}.exe, procid_target 140, logged 1 time; the 64-entry list ends here)
Processes
Each entry gives the image path, the PID, the command line and the signatures raised for that process; indentation shows the parent/child relationship.

- C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe (PID 3512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe (PID 5032)
      Command line: C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe (PID 4640)
          Command line: C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe (PID 4420)
              Command line: C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe (PID 1644)
                  Command line: C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe (PID 2248)
                      Command line: C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                        - C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe (PID 4288)
                          Command line: C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe
                          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                            - C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe (PID 3532)
                              Command line: C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe
                              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                                - C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe (PID 2444)
                                  Command line: C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe
                                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                                    - C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe (PID 1788)
                                      Command line: C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe
                                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                                        - C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe (PID 1640)
                                          Command line: C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe
                                          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                                            - C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe (PID 4356)
                                              Command line: C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe
                                              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                                                - C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe (PID 644)
                                                  Command line: C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe
                                                  Signatures: Executes dropped EXE
                                                - C:\Windows\SysWOW64\cmd.exe (PID 4188)
                                                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7641~1.EXE > nul
                                            - C:\Windows\SysWOW64\cmd.exe (PID 3248)
                                              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F4181~1.EXE > nul
                                        - C:\Windows\SysWOW64\cmd.exe (PID 2756)
                                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{37436~1.EXE > nul
                                    - C:\Windows\SysWOW64\cmd.exe (PID 4264)
                                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{22930~1.EXE > nul
                                - C:\Windows\SysWOW64\cmd.exe (PID 1004)
                                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D6D~1.EXE > nul
                            - C:\Windows\SysWOW64\cmd.exe (PID 4420)
                              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9FB~1.EXE > nul
                        - C:\Windows\SysWOW64\cmd.exe (PID 3992)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4F7CF~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 3244)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE000~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 2748)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC932~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 1012)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D4771~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 2260)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{059ED~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 3244)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1996)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads