Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 13:32
Static task: static1

Behavioral task: behavioral1
- Sample: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
- Size: 204KB
- MD5: 221640e16ccbe316d47a545bce65c559
- SHA1: 64c89a18baebfc0d26f7d03b3598ec9e14ab9ed1
- SHA256: c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4
- SHA512: afe12282d65791f3e2fdafcbe3d47758e1e38a82f7987e7bebbb649d554ec8971506b75a2d09ad2f9eda45304f51260867a75aeb40928384acc3462fd0c130ad
- SSDEEP: 1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002321a-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321e-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023225-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321e-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db36-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db36-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B} | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD4718F-DFD8-4e8d-A430-A5910225632B}\stubpath = "C:\\Windows\\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe" | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C} | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}\stubpath = "C:\\Windows\\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe" | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD}\stubpath = "C:\\Windows\\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe" | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}\stubpath = "C:\\Windows\\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe" | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6} | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}\stubpath = "C:\\Windows\\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe" | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE} | {D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}\stubpath = "C:\\Windows\\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe" | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513} | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23} | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5C39642-7E80-4915-9849-A1701B2010BD} | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5418BA-A135-45eb-A083-2712413D9EB6}\stubpath = "C:\\Windows\\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe" | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44} | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}\stubpath = "C:\\Windows\\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe" | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769} | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}\stubpath = "C:\\Windows\\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe" | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74D5BCD8-4A15-4ba7-B133-96855A169513}\stubpath = "C:\\Windows\\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe" | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24E5F35-436E-41cd-8F59-7A1DB6655D24} | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5}\stubpath = "C:\\Windows\\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe" | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB} | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E6117CA-4E93-4463-821A-17DBCE4325C5} | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}\stubpath = "C:\\Windows\\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe" | {D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
Executes dropped EXE (12 IoCs)
pid | Process
4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe
3324 | {D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
1344 | {85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
File created | C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
File created | C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
File created | C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe | {D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
File created | C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
File created | C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe
File created | C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
File created | C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
File created | C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
File created | C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
File created | C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
File created | C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
Token: SeIncBasePriorityPrivilege | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
Token: SeIncBasePriorityPrivilege | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
Token: SeIncBasePriorityPrivilege | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
Token: SeIncBasePriorityPrivilege | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
Token: SeIncBasePriorityPrivilege | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
Token: SeIncBasePriorityPrivilege | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
Token: SeIncBasePriorityPrivilege | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
Token: SeIncBasePriorityPrivilege | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
Token: SeIncBasePriorityPrivilege | 2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe
Token: SeIncBasePriorityPrivilege | 3324 | {D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2584 wrote to memory of 4080 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 96
PID 2584 wrote to memory of 4080 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 96
PID 2584 wrote to memory of 4080 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 96
PID 2584 wrote to memory of 3588 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 97
PID 2584 wrote to memory of 3588 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 97
PID 2584 wrote to memory of 3588 | 2584 | 2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe | 97
PID 4080 wrote to memory of 4344 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 98
PID 4080 wrote to memory of 4344 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 98
PID 4080 wrote to memory of 4344 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 98
PID 4080 wrote to memory of 3972 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 99
PID 4080 wrote to memory of 3972 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 99
PID 4080 wrote to memory of 3972 | 4080 | {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe | 99
PID 4344 wrote to memory of 4740 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 101
PID 4344 wrote to memory of 4740 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 101
PID 4344 wrote to memory of 4740 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 101
PID 4344 wrote to memory of 1052 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 102
PID 4344 wrote to memory of 1052 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 102
PID 4344 wrote to memory of 1052 | 4344 | {BE5418BA-A135-45eb-A083-2712413D9EB6}.exe | 102
PID 4740 wrote to memory of 3092 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 103
PID 4740 wrote to memory of 3092 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 103
PID 4740 wrote to memory of 3092 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 103
PID 4740 wrote to memory of 2840 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 104
PID 4740 wrote to memory of 2840 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 104
PID 4740 wrote to memory of 2840 | 4740 | {97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe | 104
PID 3092 wrote to memory of 3076 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 105
PID 3092 wrote to memory of 3076 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 105
PID 3092 wrote to memory of 3076 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 105
PID 3092 wrote to memory of 552 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 106
PID 3092 wrote to memory of 552 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 106
PID 3092 wrote to memory of 552 | 3092 | {9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe | 106
PID 3076 wrote to memory of 5092 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 107
PID 3076 wrote to memory of 5092 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 107
PID 3076 wrote to memory of 5092 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 107
PID 3076 wrote to memory of 564 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 108
PID 3076 wrote to memory of 564 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 108
PID 3076 wrote to memory of 564 | 3076 | {3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe | 108
PID 5092 wrote to memory of 5028 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 109
PID 5092 wrote to memory of 5028 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 109
PID 5092 wrote to memory of 5028 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 109
PID 5092 wrote to memory of 3552 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 110
PID 5092 wrote to memory of 3552 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 110
PID 5092 wrote to memory of 3552 | 5092 | {731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe | 110
PID 5028 wrote to memory of 1520 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 111
PID 5028 wrote to memory of 1520 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 111
PID 5028 wrote to memory of 1520 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 111
PID 5028 wrote to memory of 4876 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 112
PID 5028 wrote to memory of 4876 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 112
PID 5028 wrote to memory of 4876 | 5028 | {1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe | 112
PID 1520 wrote to memory of 1592 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 113
PID 1520 wrote to memory of 1592 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 113
PID 1520 wrote to memory of 1592 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 113
PID 1520 wrote to memory of 5056 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 114
PID 1520 wrote to memory of 5056 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 114
PID 1520 wrote to memory of 5056 | 1520 | {74D5BCD8-4A15-4ba7-B133-96855A169513}.exe | 114
PID 1592 wrote to memory of 2468 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 115
PID 1592 wrote to memory of 2468 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 115
PID 1592 wrote to memory of 2468 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 115
PID 1592 wrote to memory of 1236 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 116
PID 1592 wrote to memory of 1236 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 116
PID 1592 wrote to memory of 1236 | 1592 | {D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe | 116
PID 2468 wrote to memory of 3324 | 2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe | 117
PID 2468 wrote to memory of 3324 | 2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe | 117
PID 2468 wrote to memory of 3324 | 2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe | 117
PID 2468 wrote to memory of 3048 | 2468 | {A5C39642-7E80-4915-9849-A1701B2010BD}.exe | 118
Processes
Process tree (depth shown as level):

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2584

Level 2: C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
  Command line: C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4080

Level 3: C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
  Command line: C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4344

Level 4: C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
  Command line: C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4740

Level 5: C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
  Command line: C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3092

Level 6: C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
  Command line: C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3076

Level 7: C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
  Command line: C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5092

Level 8: C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
  Command line: C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5028

Level 9: C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
  Command line: C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1520

Level 10: C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
  Command line: C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1592

Level 11: C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
  Command line: C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2468

Level 12: C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
  Command line: C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3324

Level 13: C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
  Command line: C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
  - Executes dropped EXE
  PID: 1344

Level 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D24E5~1.EXE > nul
  PID: 4592

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C39~1.EXE > nul
  PID: 3048

Level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D66CE~1.EXE > nul
  PID: 1236

Level 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74D5B~1.EXE > nul
  PID: 5056

Level 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D39D~1.EXE > nul
  PID: 4876

Level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{731A3~1.EXE > nul
  PID: 3552

Level 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC00~1.EXE > nul
  PID: 564

Level 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD47~1.EXE > nul
  PID: 552

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{97DFC~1.EXE > nul
  PID: 2840

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul
  PID: 1052

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul
  PID: 3972

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 3588
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 204KB
MD5: e1ec5576b20a13658443e14c6c6adb56
SHA1: d94cd4c7f55dbecb2d8688778187296a0ffc5c44
SHA256: 63096ba7627d00121ea67aa626f702c73cf5b93d327cabad82cba475b2c0919d
SHA512: f3f2e1e3fe0542eab8ae0f024563d1214d850fdac49488ddb0185cc92d6bbefb7bcd89a84ae9968f00b79667701ddc452bda520f8765fe4d7c5ea8ac391164af

Filesize: 204KB
MD5: 5dd7407d6fae8ee099e912cf5740f447
SHA1: 6f25130954f4e1ee37150f0916757b60cfdfcef1
SHA256: 8c7e7d5928d73f09453f10f980293ba7eb100dc46824ad03e51270c27ed1ce22
SHA512: b723d0459cbdecc303e6c3f2e8e9978126ea6460776ba323074aaefcf2870c0cfa142472685170e2a04b05c0aee857ad7ab606e02296b85ed6e73a4953ee7534

Filesize: 204KB
MD5: aec8cf401e00a93dbac3ddccf835711b
SHA1: 4befd17b1a0d5a0127d30764a1b951b3959bc4ee
SHA256: 41c969952982ad9f5f319fdd5f53ac027a3d9c6bb16fa4982e01188201ce4dbe
SHA512: 5d5af8424654e2b71b5e697cb4d7168301c0fcba036975fd9177b450ad5ba289c368d486ac4197133083137f5a3d28317daea74809dc20585425a0a0cf3b8d0d

Filesize: 204KB
MD5: 9dcec0b191d36bb6cd02f520357b2424
SHA1: fea7cb6f4bca9b889155dc019963e08d2c6ddd4a
SHA256: 2177d5eb4a66271ad3c97e9ea70ae4dda82a743c3aabf4a01a0922e3abaac584
SHA512: a1cf968dadee6b7a510a4439207f7a97ec3dab5b028dc3309d0b62d1d67274e4b3da5099e352f4b5bb76789d52b7b7b5e4a579f81304bf5327560bc7341343cd

Filesize: 204KB
MD5: b8563aee3afd588b58e3c7c4f326e0f9
SHA1: 312845128d5790331358fdd828f409ea6f6aeaa6
SHA256: 512b02fa0373f5b97ffc5bb70566b27815e6d605ae398d14c7c86c2b8dac8ea6
SHA512: 0e04e599cfdafa8a890d5bcaf81e271eea2fe4532a0fde5ad5feea02ec96284e950cb2b1935c0737d4fb8ca28a18d3d458ceb2f350df920b294c9a79de382c04

Filesize: 204KB
MD5: 4fe93c9ff5ee0b3669367d86679eff00
SHA1: 6eb824aa7671268b2ace0f77eedb2ae2215d8e48
SHA256: c90b92a3b8c4d4bebd166a0e9c56cd175116fdc66cddec7093ec7b1f058d3b99
SHA512: 543aea64aa985b64d20351619f937f3af196a3b0cc3a3e671b0d00bea28ddad77d7e14974de3fa6dcbbdd4ab760f2d498acf9e4445b54527fb59f50421f555eb

Filesize: 204KB
MD5: e58f237c1885f63ca1ae73b28c25c4d9
SHA1: 5c04a39b10544be8e8aa3ff793af9ddfeda7c931
SHA256: 56b07c07a6ae7ef36a023bc1b0f6ece216ed0980746b0f24876cd430509431b3
SHA512: 88818aac94ac07f69f7186705c800f42ce912876b46d4b81575afed84195b85ebba8bffa6e6a9d02c554a733317c38270fcb8fa172a89ce1b1a11e27c6c39548

Filesize: 204KB
MD5: e2907e946b074e715ffc35ada0113ee3
SHA1: 2683ff522689464cc5951ebeb33994855582a906
SHA256: e4732e855cebd3856d0155e36531fef5afbbbbd50b25dd2dd17298710ef45704
SHA512: 776a3ba089f7cd6d7ae1f5dded8080c54b6c6d3234d6bc7c17af18711238687460958daacb741aaaf60bf85f7f5c7ea5d451f58add373e874c9316a3ba63797d

Filesize: 204KB
MD5: 28e8a46d7ef3af17b2e3653ee6904f58
SHA1: 790a670d48ec99bb00a9118a9b7ad0944292a86b
SHA256: ef89305cd943a920bb7a739102ed0f1e609f86a19faca905aee7a22cabd97cab
SHA512: e1304a7ed071d97eee2256a08b85f196c6418f25d9caccd8cb8c9c85aecdd54f13e71831fbc39cd08918fe369620aea50d9eb2c96a3f9178038d566830c10337

Filesize: 204KB
MD5: 13259300e9740eadc52ed287d433ca5f
SHA1: d97c6382212103401528929d37ab21873dc7f785
SHA256: fc24549fafb70d1d56496b2c3b6ab9274e86e7421a62cfe96f3025ac9e5da8dd
SHA512: d8ec5147f5da1b16f64b49535628ad47c1e262b1b08acb08cd3cefc4d73146dc45ab0a700a6e93bb5a65dc65bab3edeb5f99ee89168cba328dce3ed563e699e0

Filesize: 204KB
MD5: 4c8a1541c140c78ec03c3babef52cb14
SHA1: aeb65bc977a08a1ac6b57ab0034b942e472eec28
SHA256: e1d49183187c66b37ce0b6398387dffa75d6b9db26f303d8acd5499e9d6ddda2
SHA512: 931bd1d3aa9a85d19facb8da04d14e5406c2cf118465ef70e534ebafaa3dac2aa7b45b39de37004aaa2eec8284a7be4211a421ded4f4773683d781ef322e370d

Filesize: 204KB
MD5: f06e5fab6f63c8e7298173696f1f8477
SHA1: ae16f5021180860c1834bd17166990e6c3c648ad
SHA256: 8913917cb2386c305c148a16f154d55dfe77af19a14e94e56c618256594f4c75
SHA512: 516121830a46ddd8eb490f1f1057145f76ae7e1fa2116898704f2d72556125b4864c92891ed2a05b050b3382512fdcb639b89f901152ff4520602d31675d35b3