Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
Size: 408KB
MD5: 63674177d321bd82d8149f48e69fd53a
SHA1: d0a3b27b8a3d3a82241d7c13dfda65cbdcb8fb4a
SHA256: 9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b
SHA512: b8fd7f95eb163002cd765f4059122813ab7193a0c6cda577b9e6cb97e881c001767e71005c76f3251b68509304f762f7e04f63f679855ee39b33d2601194fada
SSDEEP: 3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures (behavioral2, win10v2004-20240226-en)

Auto-generated rule (12 IoCs)
YARA rule GoldenEyeRansomware_Dropper_MalformedZoomit matched each of the twelve dropped files:
  behavioral2/files/0x000a000000023187-2.dat
  behavioral2/files/0x001100000002320a-6.dat
  behavioral2/files/0x0008000000023211-8.dat
  behavioral2/files/0x001200000002320a-14.dat
  behavioral2/files/0x0002000000021d05-19.dat
  behavioral2/files/0x0002000000021d06-23.dat
  behavioral2/files/0x0003000000021d05-26.dat
  behavioral2/files/0x0003000000000705-30.dat
  behavioral2/files/0x0003000000000707-35.dat
  behavioral2/files/0x0004000000000705-38.dat
  behavioral2/files/0x0004000000000707-43.dat
  behavioral2/files/0x0005000000000705-46.dat
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
Each process registers the stage it drops, not itself: it creates an Active Setup component keyed by the next stage's GUID ("Key created") and sets that component's stubpath to the dropped file ("Set value (str)"). All 24 writes land in the 32-bit registry view, because the sample is a 32-bit binary (arch:x86 tag, SysWOW64\cmd.exe children). Active Setup runs a component's stubpath in the user's context at the next interactive logon for every user who does not yet have that component recorded under HKCU. Note that stages 2 to 12 delete their own file via cmd.exe (see the process tree), so those stubpath targets no longer exist by the end of the run; only {B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe has no deletion recorded.

Key prefix for every row: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\
In every row the stubpath value is "C:\\Windows\\<component GUID>.exe".

writer process                                              component key created (and stubpath set)
2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe   {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}
{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                  {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}
{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                  {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}
{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                  {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}
{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                  {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}
{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                  {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}
{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                  {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}
{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                  {E97B0985-0F06-4b52-992B-F31C88FB01B7}
{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                  {46D3F62D-3199-460e-9EEB-D130135ABDF1}
{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                  {3EA9E892-03F8-4e26-A4C5-F564798DACD9}
{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                  {18CB1547-B572-45f8-9406-159F82C674BF}
{18CB1547-B572-45f8-9406-159F82C674BF}.exe                  {B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}
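The registry activity above is the Active Setup persistence technique (MITRE ATT&CK T1547.014). The following hunt script is an added example and is not part of the sandbox report or of the sample: it walks both the native and the WOW6432Node component hives on a live host, extracts the executable from each StubPath, and flags stubs that match what this sample wrote (a component whose stub is a same-named {GUID}.exe directly under %SystemRoot%), as well as stubs whose target is missing or carries no valid Authenticode signature. The scoring heuristics are assumptions of the example; the registry paths and Active Setup behaviour are Windows' own.

```powershell
# Added example (not from the sandbox report): hunt Active Setup components for stubs
# resembling the ones this sample registered. Heuristics are ours; paths are Windows' own.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'   # where a 32-bit writer lands
)
$GuidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-StubExecutable {
    # Return the executable referenced by a StubPath command line. Handles "quoted path" args,
    # an unquoted path ending in .exe, and bare names such as regsvr32.exe (resolved via PATH).
    param([Parameter(Mandatory)][string]$StubPath)
    $s = [Environment]::ExpandEnvironmentVariables($StubPath.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $s.Substring(1, $end - 1) } else { $s.Trim('"') }
    } else {
        $m = [regex]::Match($s, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($s -split '\s+')[0] }
    }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-SuspiciousActiveSetup {
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }
            $exe = Get-StubExecutable -StubPath $stub
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            $dir     = Split-Path -Path $exe -Parent
            $base    = [IO.Path]::GetFileNameWithoutExtension($exe)
            $reasons = New-Object System.Collections.Generic.List[string]

            # This sample's pattern: component {GUID} whose stub is C:\Windows\{same GUID}.exe
            if ($base -match $GuidName -and $base -ieq $key.PSChildName) {
                $reasons.Add('stub executable named after its own component GUID')
            }
            # Binaries dropped straight into %SystemRoot% rather than System32 or Program Files
            if ($dir -and ($dir.TrimEnd('\') -ieq $env:SystemRoot)) {
                $reasons.Add('stub executable sits directly in %SystemRoot%')
            }
            # Each stage here deletes its own file, so a dangling stub is itself a clue
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $reasons.Add('stub target missing')
            } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $reasons.Add('stub target not validly signed')
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key      = $key.Name
                    StubPath = $stub
                    Target   = $exe
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousActiveSetup | Format-Table -AutoSize -Wrap
```

Run it in a PowerShell session on the host under investigation; reading HKLM needs no elevation. A legitimate Microsoft component normally points its stub at a signed binary under System32 (or at rundll32/regsvr32 with arguments), so the first two reasons are rare outside malware, while "stub target missing" on its own can also come from an uninstalled product and should be weighed against the other two.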
Executes dropped EXE (12 IoCs)
PID   Process
2984  {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe
1456  {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe
1672  {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe
4172  {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe
2700  {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe
4400  {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe
400   {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe
4832  {E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe
3768  {46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe
2668  {3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe
2504  {18CB1547-B572-45f8-9406-159F82C674BF}.exe
2448  {B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe
Drops file in Windows directory (12 IoCs)
Each process creates exactly one file, the next stage, directly in C:\Windows.

process                                                     file created
2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe   C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe
{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                  C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe
{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                  C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe
{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                  C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe
{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                  C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe
{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                  C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe
{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                  C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe
{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                  C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe
{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                  C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe
{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                  C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe
{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                  C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe
{18CB1547-B572-45f8-9406-159F82C674BF}.exe                  C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Every entry is the same privilege, SeIncBasePriorityPrivilege (increase scheduling priority), enabled through AdjustTokenPrivileges by the dropper and eleven of the twelve dropped stages. The final stage, PID 2448, is the only executed process without this entry; no registry, file or token activity was recorded for it before the run ended.

PID   Process                                                     Token
3112  2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe   SeIncBasePriorityPrivilege
2984  {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                  SeIncBasePriorityPrivilege
1456  {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                  SeIncBasePriorityPrivilege
1672  {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                  SeIncBasePriorityPrivilege
4172  {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                  SeIncBasePriorityPrivilege
2700  {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                  SeIncBasePriorityPrivilege
4400  {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                  SeIncBasePriorityPrivilege
400   {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                  SeIncBasePriorityPrivilege
4832  {E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                  SeIncBasePriorityPrivilege
3768  {46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                  SeIncBasePriorityPrivilege
2668  {3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                  SeIncBasePriorityPrivilege
2504  {18CB1547-B572-45f8-9406-159F82C674BF}.exe                  SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Every target PID is a process the writer itself spawned (the next stage, or the writer's own cmd.exe; compare the process tree), and each child receives three writes. That pattern is consistent with ordinary child-process creation rather than injection into an unrelated process. The list holds 64 entries and ends after the first of the writes to PID 1028, so the writes by PID 2504 ({18CB1547-B572-45f8-9406-159F82C674BF}.exe) to its children 2448 and 4308, which the process tree shows, are not enumerated here.

writer PID  writer process                                              target PID  target (per process tree)                    writes  procid_target
3112        2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe   2984        {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe   3       95
3112        2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe   3472        cmd.exe (del 2024-0~1.EXE)                   3       96
2984        {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                  1456        {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe   3       97
2984        {A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                  872         cmd.exe (del {A9FFE~1.EXE)                   3       98
1456        {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                  1672        {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe   3       100
1456        {49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                  680         cmd.exe (del {49C48~1.EXE)                   3       101
1672        {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                  4172        {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe   3       102
1672        {C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                  3400        cmd.exe (del {C6F85~1.EXE)                   3       103
4172        {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                  2700        {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe   3       104
4172        {45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                  1012        cmd.exe (del {45D87~1.EXE)                   3       105
2700        {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                  4400        {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe   3       106
2700        {38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                  2056        cmd.exe (del {38BCA~1.EXE)                   3       107
4400        {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                  400         {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe   3       108
4400        {CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                  3356        cmd.exe (del {CFEEA~1.EXE)                   3       109
400         {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                  4832        {E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe   3       110
400         {E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                  4324        cmd.exe (del {E2CEC~1.EXE)                   3       111
4832        {E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                  3768        {46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe   3       112
4832        {E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                  2168        cmd.exe (del {E97B0~1.EXE)                   3       113
3768        {46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                  2668        {3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe   3       114
3768        {46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                  4980        cmd.exe (del {46D3F~1.EXE)                   3       115
2668        {3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                  2504        {18CB1547-B572-45f8-9406-159F82C674BF}.exe   3       116
2668        {3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                  1028        cmd.exe (del {3EA9E~1.EXE)                   1 (list truncated)  117
Processes
Thirteen stages in a straight chain. Each stage starts the next GUID-named executable from C:\Windows and, as a second child, a cmd.exe that deletes the stage's own file by its 8.3 short name with output discarded (> nul). The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the parents are 32-bit, so the path is redirected. For stages 2 to 13 the command line is just the image path; stage 1 was launched as "C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe". Depth numbers are the report's; each stage's parent is the stage one level above.

Signatures per stage:
  stage 1: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  stages 2 to 11: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  stage 12: as stages 2 to 11 but without Suspicious use of WriteProcessMemory
  stage 13: Executes dropped EXE only

Each self-delete child runs: C:\Windows\system32\cmd.exe /c del <target> > nul

depth  PID   image                                                                                            self-delete child (cmd.exe at depth+1)
1      3112  C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe      PID 3472: del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE
2      2984  C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe                                            PID 872:  del C:\Windows\{A9FFE~1.EXE
3      1456  C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe                                            PID 680:  del C:\Windows\{49C48~1.EXE
4      1672  C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe                                            PID 3400: del C:\Windows\{C6F85~1.EXE
5      4172  C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe                                            PID 1012: del C:\Windows\{45D87~1.EXE
6      2700  C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe                                            PID 2056: del C:\Windows\{38BCA~1.EXE
7      4400  C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe                                            PID 3356: del C:\Windows\{CFEEA~1.EXE
8      400   C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe                                            PID 4324: del C:\Windows\{E2CEC~1.EXE
9      4832  C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe                                            PID 2168: del C:\Windows\{E97B0~1.EXE
10     3768  C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe                                            PID 4980: del C:\Windows\{46D3F~1.EXE
11     2668  C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe                                            PID 1028: del C:\Windows\{3EA9E~1.EXE
12     2504  C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe                                            PID 4308: del C:\Windows\{18CB1~1.EXE
13     2448  C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe                                            none recorded
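The process tree above gives a detection pattern that does not depend on any hash: a cmd.exe whose command line deletes an executable by its 8.3 short name, launched by a GUID-named binary sitting directly in C:\Windows. The script below is an added example, not part of the sandbox report or of the sample. It reads Sysmon ProcessCreate records (Event ID 1; the field names Image, CommandLine, ParentImage, ParentProcessId and ProcessId are Sysmon's) and emits one finding per such cmd.exe, rating it higher when the parent matches the {GUID}.exe-in-%SystemRoot% shape. The constructed sample records copy PIDs, images and command lines from the tree; timestamps are not in the report and are left empty.

```powershell
# Added example (not from the sandbox report): flag "cmd.exe /c del <8.3 name> > nul" children
# of GUID-named binaries in %SystemRoot%, the self-deletion pattern every stage above shows.
$GuidExeInWindows = '^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$'
$DelShortName     = '\bdel\s+\S*~\d+\.EXE\b'   # del <path>\XXXXXX~1.EXE (-match is case-insensitive)

function Get-SysmonProcessCreate {
    # Live collection from the local Sysmon log; needs Sysmon installed and rights to read the log.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = [int]$d['ProcessId']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
                ParentId    = [int]$d['ParentProcessId']
                ParentImage = $d['ParentImage']
            }
        }
}

function Find-SelfDeletingStages {
    # One finding per cmd.exe that deletes a short-named executable; severity rises when the
    # parent is itself a GUID-named binary in %SystemRoot%, as every stage of this sample is.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $isCmd        = ([IO.Path]::GetFileName([string]$e.Image)) -ieq 'cmd.exe'
        $deletesShort = ([string]$e.CommandLine) -match $DelShortName
        if (-not ($isCmd -and $deletesShort)) { continue }
        $parentIsGuid = ([string]$e.ParentImage) -match $GuidExeInWindows
        [pscustomobject]@{
            Time        = $e.Time
            CmdPid      = $e.ProcessId
            ParentId    = $e.ParentId
            ParentImage = $e.ParentImage
            CommandLine = $e.CommandLine
            Severity    = if ($parentIsGuid) { 'high: GUID-named parent in %SystemRoot%' } else { 'medium: short-name self-delete' }
        }
    }
}

# Constructed sample: PIDs, images and command lines copied from the process tree in this report.
$Sample = @(
    [pscustomobject]@{ Time = $null; ProcessId = 3472; Image = 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine = 'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul'
        ParentId = 3112; ParentImage = 'C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe' }
    [pscustomobject]@{ Time = $null; ProcessId = 872; Image = 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine = 'C:\Windows\system32\cmd.exe /c del C:\Windows\{A9FFE~1.EXE > nul'
        ParentId = 2984; ParentImage = 'C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe' }
    [pscustomobject]@{ Time = $null; ProcessId = 1456; Image = 'C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe'
        CommandLine = 'C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe'
        ParentId = 2984; ParentImage = 'C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe' }
)

Find-SelfDeletingStages -Events $Sample | Format-Table -AutoSize -Wrap
# Live hunt: Find-SelfDeletingStages -Events (Get-SysmonProcessCreate)
```

On the constructed sample this yields two findings: PID 3472 rated medium (its parent is the dropper in the user's Temp directory, not a GUID-named binary) and PID 872 rated high; the third record is a stage launch, not a cmd.exe, and is skipped. Installers also delete their own temporary copies this way, so the medium tier is a triage queue rather than an alert; the high tier combines two things that have no ordinary reason to occur together.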
Network
MITRE ATT&CK Enterprise v15
Downloads
Twelve dropped files. Every one is 408KB, the same size as the submitted sample, yet each carries a distinct hash and none matches the submitted file (MD5 63674177d321bd82d8149f48e69fd53a), so blocking the submitted hash alone does not cover the dropped stages.

- Filesize 408KB
  MD5    9015a189a2c9209eb3cac4c88bace808
  SHA1   88738743a2164dde6e3792ef7a12bdfe3bfd89f3
  SHA256 16bb6b6c39c58c7c977c71cdd5f25b73f1bb0a9c0e76a44db754d4f22f6dfa18
  SHA512 3acc57a9cd725d8d0e523e1fc64ebece16371ac2ea8916737d2b4d1cad56bd62a2bd96aaf01d84aaf78bea9ddf5a4fc3e16c604f2576f48f8ccef9d272f5c9eb
- Filesize 408KB
  MD5    a586f376f66a51ce3a5df320aa88fe91
  SHA1   1999eab26f7a6341127ed6e834171ee2d94f5c10
  SHA256 23feb323c0690bb181cf9881bcf53b8599e981e83964191a76ac78083a767929
  SHA512 c9971f38b7da2a6f5b58214466931dc814166d2c1c006b9b0588a007f7c94ec42db880c118833e4f93e981b688ae24d746e8259938b74dd2a4f664f5589e3054
- Filesize 408KB
  MD5    ed815b92164f512a165474248b68cbd5
  SHA1   6743c9a8095776e228270f297efee01a80d3ed7c
  SHA256 bffb20c14c55e6a6a502e512b97497d956d2131be4eee4f3303ac1be981c9b4a
  SHA512 d53af2f2739787c0f5b2bf5d7f68e66a133d7e74c060f9fdec7fdbcfbb5e9bb69b69fa1b014600be6d4e745c61340d20335bcf0d02f04ca15643cbdceda6ade8
- Filesize 408KB
  MD5    d96d6e0303a8b12143690387ab509f40
  SHA1   52cf0707b9466e592d8ecd2781517a1b7b26aa79
  SHA256 f7bf77c8763af2f3af4919fd772895d57f31386dd9c5a7c7975ad9ddbb02cdbb
  SHA512 dd39e2443ffb810c0ce0f90d6b692bd96a074f650218deac413569a21c85dbae32a47fb02c2ac142b5b7d27d218339ce24ac018cc047ba819b5f49eb793d3543
- Filesize 408KB
  MD5    35e03af470e05036187935b09d6872c2
  SHA1   2c0d880eb44475b8c82f3b65aab7c894028a308f
  SHA256 d58202711d6dc54f9dbca6c178033b59890ec7193b09774cc0bbc473dd1e3daa
  SHA512 13e681a7aa6970ae52092ea978075582734c0519355ea1ef901a3bf1065c72f73ad5473e026a852761ca93731eccb7274af090037386a7280b1705da917ae2ed
- Filesize 408KB
  MD5    41abaddbe122caf9d89cf44b9faddd29
  SHA1   ef97b0a981120981b7c1bcecd5505cb4406c73cd
  SHA256 f1b706c722e58810795a2e37d9bea13b20437dce9640438558843f72213277f0
  SHA512 69d097ae22815aed606cccdb227adc083129bb4fec3cf056b4faf02a1261ce81eee595a1b1beda38c00e7852c3819c0c649630c56552b7b9d23f60066c946e3f
- Filesize 408KB
  MD5    55556e162fec5b2baac0e2b2abec3536
  SHA1   98cdec607f1be48561b4c3b8dd13fc5395c65fd5
  SHA256 3c2c0707201e587d6d3be7a88f8dd5395dfabe369202312adaf7d5ebe32ca1f2
  SHA512 2126cbf2805da9acc6f100701d4d87a72a69d91234749c353c2f882a1bbde5ec76689c93bb32322fd768acf7db897f5b966e725c4cc8c659730bbe64ed14144f
- Filesize 408KB
  MD5    7b81fdee2b0ae4184841aa56bdc551da
  SHA1   1e85ecac4fae1860a0e4397e0c5ac69d1d400b55
  SHA256 b1d9f5a3137695c84051168e1b56d308989be8542e4821379151e68932088a36
  SHA512 7c74f39ed2ec6ef8a6cb51bcbb27a40e05d24f874d0bc53251d500bdca057f78afe2a20f96781db575d027b8304588b65e18e23e104f96ffd5bd7fbdac6104d1
- Filesize 408KB
  MD5    ec37941a1f6f4c73308eec43bf5b2b63
  SHA1   a84a804e0103dcc7fa31494a3c4d6bacc68bd197
  SHA256 52e01ac0e00af9cdad1ad05910ff7ac2a33c79e656a76fe1f37afaadcbad6447
  SHA512 30b6cb8d1adec4eddd36c7596a8504f03c0d1118d50872e1f67d5e5e592f933988c3c80cc88830658020316f5d3ca089f52ed8e173d3ef556506eb8c7279808f
- Filesize 408KB
  MD5    f641110b9e2a9d1ecf636d46ede57924
  SHA1   347e56cc4c368e4427b9ba6fc78fd82c7cf86b0d
  SHA256 3aa89df73bd9f5736d21b382101f37debd1a510f08324a3110e7176fccd6186d
  SHA512 00a55cefff25212f10e3d18944cec4fc712c38016be49e334709cd325e77ca5e90247a88628a8ba1dcdc30c24c623c8ec45c50564d3eee9ee06daaf0956150b6
- Filesize 408KB
  MD5    c8360b1436c2b0047e2c25b7ad72870a
  SHA1   ca8330b9fd785edd2a6a0b16bd827b23fe0c2037
  SHA256 ec85f8630387720b9682a3962b84ae0ef37313019a8ce596af352d24acaec793
  SHA512 c0bd7a95061183a9d8a95340b839ef81794691e3ac53dfde7629a1d1c37a6fc1052d73e47c79c4a82d88a197caa7f052b1a7c6ef8f164bd86b35a04341de8e6e
- Filesize 408KB
  MD5    d7ce8c90469ad670259beebebf291545
  SHA1   f49cbb10de78b4aacbe6186b98224631b50e9059
  SHA256 7dc41607f57490a1b289fbcbdaa2e89c001497589a23ab545bb88815703438e6
  SHA512 ef97a7aebe9c0d88269bd17c8490b5996cc9977c0bdaac1cbb7c7f89b6f98a7b208eb75ef6e73c9ef410b7fa0067bb92bfc208b793635a3a4dacba615fd70de0