Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 13:34
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
- Size: 408KB
- MD5: 37f14fbc75ba06a427b0a6e6bbffa3d1
- SHA1: c99c0798797da7dcb3bc89e8d096b51b4c334912
- SHA256: 0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285
- SHA512: 012b98d01a2743d78daa3722e8aa8db7c6ddebf887f257e640e5c48c75c060d78bbf96b66ae88aca34a56daa27d0627f66cb4c4637026717ee915a9a4b5ac13f
- SSDEEP: 3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule (12 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x000d00000002314b-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000023237-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000800000002323e-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000023237-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000c000000021838-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b000000021841-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000d000000021838-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000000037-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000709-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000000037-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000300000000072f-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}\stubpath = "C:\\Windows\\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe" | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C} | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A} | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0} | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0805CE4-B146-49b0-82BD-44D9E3444EAB} | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21B419-79AF-4538-B643-83E7C65C1CB5} | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A21B419-79AF-4538-B643-83E7C65C1CB5}\stubpath = "C:\\Windows\\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe" | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{582093A3-ED38-4802-98BE-9BD36E38E564} | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{582093A3-ED38-4802-98BE-9BD36E38E564}\stubpath = "C:\\Windows\\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe" | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8} | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}\stubpath = "C:\\Windows\\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe" | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}\stubpath = "C:\\Windows\\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe" | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9} | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}\stubpath = "C:\\Windows\\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe" | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902AA2BB-3774-4f1e-A002-1591C8266969}\stubpath = "C:\\Windows\\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe" | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88} | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}\stubpath = "C:\\Windows\\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe" | {2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902AA2BB-3774-4f1e-A002-1591C8266969} | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{548D2A58-2777-4aee-8D81-6656009C40B0} | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{548D2A58-2777-4aee-8D81-6656009C40B0}\stubpath = "C:\\Windows\\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe" | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}\stubpath = "C:\\Windows\\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe" | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}\stubpath = "C:\\Windows\\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe" | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9} | {2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}\stubpath = "C:\\Windows\\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe" | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
| --- | --- |
| 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe |
| 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe |
| 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe |
| 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe |
| 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe |
| 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe |
| 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe |
| 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe |
| 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe |
| 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe |
| 2984 | {2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe |
| 868 | {2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe |
Drops file in Windows directory (12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe |
| File created | C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe |
| File created | C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe |
| File created | C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe |
| File created | C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe |
| File created | C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe |
| File created | C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe |
| File created | C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe |
| File created | C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe |
| File created | C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe |
| File created | C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe |
| File created | C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe | {2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe |
| Token: SeIncBasePriorityPrivilege | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe |
| Token: SeIncBasePriorityPrivilege | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe |
| Token: SeIncBasePriorityPrivilege | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe |
| Token: SeIncBasePriorityPrivilege | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe |
| Token: SeIncBasePriorityPrivilege | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe |
| Token: SeIncBasePriorityPrivilege | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe |
| Token: SeIncBasePriorityPrivilege | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe |
| Token: SeIncBasePriorityPrivilege | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe |
| Token: SeIncBasePriorityPrivilege | 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe |
| Token: SeIncBasePriorityPrivilege | 2984 | {2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2156 wrote to memory of 716 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 94 |
| PID 2156 wrote to memory of 716 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 94 |
| PID 2156 wrote to memory of 716 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 94 |
| PID 2156 wrote to memory of 4316 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 95 |
| PID 2156 wrote to memory of 4316 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 95 |
| PID 2156 wrote to memory of 4316 | 2156 | 2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe | 95 |
| PID 716 wrote to memory of 1452 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 96 |
| PID 716 wrote to memory of 1452 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 96 |
| PID 716 wrote to memory of 1452 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 96 |
| PID 716 wrote to memory of 1956 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 97 |
| PID 716 wrote to memory of 1956 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 97 |
| PID 716 wrote to memory of 1956 | 716 | {902AA2BB-3774-4f1e-A002-1591C8266969}.exe | 97 |
| PID 1452 wrote to memory of 4940 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 99 |
| PID 1452 wrote to memory of 4940 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 99 |
| PID 1452 wrote to memory of 4940 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 99 |
| PID 1452 wrote to memory of 3116 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 100 |
| PID 1452 wrote to memory of 3116 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 100 |
| PID 1452 wrote to memory of 3116 | 1452 | {582093A3-ED38-4802-98BE-9BD36E38E564}.exe | 100 |
| PID 4940 wrote to memory of 4704 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 101 |
| PID 4940 wrote to memory of 4704 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 101 |
| PID 4940 wrote to memory of 4704 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 101 |
| PID 4940 wrote to memory of 4352 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 102 |
| PID 4940 wrote to memory of 4352 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 102 |
| PID 4940 wrote to memory of 4352 | 4940 | {0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe | 102 |
| PID 4704 wrote to memory of 4144 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 103 |
| PID 4704 wrote to memory of 4144 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 103 |
| PID 4704 wrote to memory of 4144 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 103 |
| PID 4704 wrote to memory of 2068 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 104 |
| PID 4704 wrote to memory of 2068 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 104 |
| PID 4704 wrote to memory of 2068 | 4704 | {56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe | 104 |
| PID 4144 wrote to memory of 3760 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 105 |
| PID 4144 wrote to memory of 3760 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 105 |
| PID 4144 wrote to memory of 3760 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 105 |
| PID 4144 wrote to memory of 3516 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 106 |
| PID 4144 wrote to memory of 3516 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 106 |
| PID 4144 wrote to memory of 3516 | 4144 | {548D2A58-2777-4aee-8D81-6656009C40B0}.exe | 106 |
| PID 3760 wrote to memory of 4868 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 107 |
| PID 3760 wrote to memory of 4868 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 107 |
| PID 3760 wrote to memory of 4868 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 107 |
| PID 3760 wrote to memory of 3584 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 108 |
| PID 3760 wrote to memory of 3584 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 108 |
| PID 3760 wrote to memory of 3584 | 3760 | {A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe | 108 |
| PID 4868 wrote to memory of 832 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 109 |
| PID 4868 wrote to memory of 832 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 109 |
| PID 4868 wrote to memory of 832 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 109 |
| PID 4868 wrote to memory of 1404 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 110 |
| PID 4868 wrote to memory of 1404 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 110 |
| PID 4868 wrote to memory of 1404 | 4868 | {1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe | 110 |
| PID 832 wrote to memory of 4476 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 111 |
| PID 832 wrote to memory of 4476 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 111 |
| PID 832 wrote to memory of 4476 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 111 |
| PID 832 wrote to memory of 3196 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 112 |
| PID 832 wrote to memory of 3196 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 112 |
| PID 832 wrote to memory of 3196 | 832 | {DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe | 112 |
| PID 4476 wrote to memory of 1984 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 113 |
| PID 4476 wrote to memory of 1984 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 113 |
| PID 4476 wrote to memory of 1984 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 113 |
| PID 4476 wrote to memory of 4180 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 114 |
| PID 4476 wrote to memory of 4180 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 114 |
| PID 4476 wrote to memory of 4180 | 4476 | {D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe | 114 |
| PID 1984 wrote to memory of 2984 | 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe | 115 |
| PID 1984 wrote to memory of 2984 | 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe | 115 |
| PID 1984 wrote to memory of 2984 | 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe | 115 |
| PID 1984 wrote to memory of 4952 | 1984 | {AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe | 116 |
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"
PID: 2156
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
Command line: C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
PID: 716
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
Command line: C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
PID: 1452
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
Command line: C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
PID: 4940
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
Command line: C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
PID: 4704
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
Command line: C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
PID: 4144
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
Command line: C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
PID: 3760
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
Command line: C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
PID: 4868
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
Command line: C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
PID: 832
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
Command line: C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
PID: 4476
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
Command line: C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
PID: 1984
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
Command line: C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
PID: 2984
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Depth 13: C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe
Command line: C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe
PID: 868
- Executes dropped EXE

Depth 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A21B~1.EXE > nul
PID: 716

Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA53~1.EXE > nul
PID: 4952

Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0805~1.EXE > nul
PID: 4180

Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC26~1.EXE > nul
PID: 3196

Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1CEA9~1.EXE > nul
PID: 1404

Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A2295~1.EXE > nul
PID: 3584

Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{548D2~1.EXE > nul
PID: 3516

Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56BDC~1.EXE > nul
PID: 2068

Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF1C~1.EXE > nul
PID: 4352

Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{58209~1.EXE > nul
PID: 3116

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{902AA~1.EXE > nul
PID: 1956

Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
PID: 4316
Network
MITRE ATT&CK Enterprise v15
Downloads