Analysis
- max time kernel: 149s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 13:36
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
- Size: 180KB
- MD5: 566aa4cd67f4c3337a1d128c0ee66d87
- SHA1: 82125716a0fd42b24ac14bf8543439bd02b3cc6c
- SHA256: a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168
- SHA512: 97123beefeeadfb7a7e2c09fdcfcfeb98246313bf4e3853c683403eeb158f37d9ff0b0962a5cb9f57dfc5a56e3cd89c63755a366a8b369626e30581d2c22c98e
- SSDEEP: 3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc
Malware Config
Signatures
- Auto-generated rule (12 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000231fd-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x00130000000231f6-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0008000000023204-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x00140000000231f6-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0002000000021d05-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0002000000021d06-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0003000000021d05-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0003000000000705-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0003000000000707-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0004000000000705-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0004000000000707-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral2/files/0x0005000000000705-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}\stubpath = "C:\\Windows\\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe" | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA}\stubpath = "C:\\Windows\\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe" | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871}\stubpath = "C:\\Windows\\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe" | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5}\stubpath = "C:\\Windows\\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe" | {55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C} | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D} | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D}\stubpath = "C:\\Windows\\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe" | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}\stubpath = "C:\\Windows\\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe" | {C7130592-EB19-432c-8743-F6518207F74C}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390C9A1B-9B35-4239-A904-10A1964FE03C}\stubpath = "C:\\Windows\\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe" | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}\stubpath = "C:\\Windows\\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe" | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63}\stubpath = "C:\\Windows\\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe" | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}\stubpath = "C:\\Windows\\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe" | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35484110-B1A4-4d27-9253-3280CE901D5D} | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB} | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096}\stubpath = "C:\\Windows\\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe" | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49} | {C7130592-EB19-432c-8743-F6518207F74C}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2} | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873C61E7-5308-4f16-8BD3-2232578478D5} | {55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9967B6DF-6E76-4864-8162-FA5765D15FFA} | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B397FE2-71BA-4ed6-907B-9C03DE349096} | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C} | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7130592-EB19-432c-8743-F6518207F74C}\stubpath = "C:\\Windows\\{C7130592-EB19-432c-8743-F6518207F74C}.exe" | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FB73E9-1C65-4546-AB2D-6009EFC63871} | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC3D849-FE60-4701-BD89-ACEB95804B63} | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
- Executes dropped EXE (12 IoCs)
  pid | Process
  5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
  3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
  1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
  4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
  1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe
  2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
  4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
  1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe
  1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
  4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
  8 | {55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
  4820 | {873C61E7-5308-4f16-8BD3-2232578478D5}.exe
- Drops file in Windows directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
  File created | C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
  File created | C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | {C7130592-EB19-432c-8743-F6518207F74C}.exe
  File created | C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  File created | C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
  File created | C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
  File created | C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
  File created | C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
  File created | C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe | {55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
  File created | C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
  File created | C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
  File created | C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  Token: SeIncBasePriorityPrivilege | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
  Token: SeIncBasePriorityPrivilege | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
  Token: SeIncBasePriorityPrivilege | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
  Token: SeIncBasePriorityPrivilege | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
  Token: SeIncBasePriorityPrivilege | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe
  Token: SeIncBasePriorityPrivilege | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
  Token: SeIncBasePriorityPrivilege | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
  Token: SeIncBasePriorityPrivilege | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe
  Token: SeIncBasePriorityPrivilege | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
  Token: SeIncBasePriorityPrivilege | 4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
  Token: SeIncBasePriorityPrivilege | 8 | {55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3412 wrote to memory of 5092 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 97
  PID 3412 wrote to memory of 5092 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 97
  PID 3412 wrote to memory of 5092 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 97
  PID 3412 wrote to memory of 4024 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 98
  PID 3412 wrote to memory of 4024 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 98
  PID 3412 wrote to memory of 4024 | 3412 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 98
  PID 5092 wrote to memory of 3508 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 99
  PID 5092 wrote to memory of 3508 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 99
  PID 5092 wrote to memory of 3508 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 99
  PID 5092 wrote to memory of 60 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 100
  PID 5092 wrote to memory of 60 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 100
  PID 5092 wrote to memory of 60 | 5092 | {C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe | 100
  PID 3508 wrote to memory of 1428 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 102
  PID 3508 wrote to memory of 1428 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 102
  PID 3508 wrote to memory of 1428 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 102
  PID 3508 wrote to memory of 1416 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 103
  PID 3508 wrote to memory of 1416 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 103
  PID 3508 wrote to memory of 1416 | 3508 | {390C9A1B-9B35-4239-A904-10A1964FE03C}.exe | 103
  PID 1428 wrote to memory of 4220 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 104
  PID 1428 wrote to memory of 4220 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 104
  PID 1428 wrote to memory of 4220 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 104
  PID 1428 wrote to memory of 4172 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 105
  PID 1428 wrote to memory of 4172 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 105
  PID 1428 wrote to memory of 4172 | 1428 | {4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe | 105
  PID 4220 wrote to memory of 1796 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 106
  PID 4220 wrote to memory of 1796 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 106
  PID 4220 wrote to memory of 1796 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 106
  PID 4220 wrote to memory of 1628 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 107
  PID 4220 wrote to memory of 1628 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 107
  PID 4220 wrote to memory of 1628 | 4220 | {6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe | 107
  PID 1796 wrote to memory of 2072 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 108
  PID 1796 wrote to memory of 2072 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 108
  PID 1796 wrote to memory of 2072 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 108
  PID 1796 wrote to memory of 5080 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 109
  PID 1796 wrote to memory of 5080 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 109
  PID 1796 wrote to memory of 5080 | 1796 | {35484110-B1A4-4d27-9253-3280CE901D5D}.exe | 109
  PID 2072 wrote to memory of 4924 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 110
  PID 2072 wrote to memory of 4924 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 110
  PID 2072 wrote to memory of 4924 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 110
  PID 2072 wrote to memory of 4524 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 111
  PID 2072 wrote to memory of 4524 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 111
  PID 2072 wrote to memory of 4524 | 2072 | {77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe | 111
  PID 4924 wrote to memory of 1600 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 112
  PID 4924 wrote to memory of 1600 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 112
  PID 4924 wrote to memory of 1600 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 112
  PID 4924 wrote to memory of 4640 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 113
  PID 4924 wrote to memory of 4640 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 113
  PID 4924 wrote to memory of 4640 | 4924 | {6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe | 113
  PID 1600 wrote to memory of 1832 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 114
  PID 1600 wrote to memory of 1832 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 114
  PID 1600 wrote to memory of 1832 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 114
  PID 1600 wrote to memory of 4264 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 115
  PID 1600 wrote to memory of 4264 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 115
  PID 1600 wrote to memory of 4264 | 1600 | {C7130592-EB19-432c-8743-F6518207F74C}.exe | 115
  PID 1832 wrote to memory of 4340 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 116
  PID 1832 wrote to memory of 4340 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 116
  PID 1832 wrote to memory of 4340 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 116
  PID 1832 wrote to memory of 404 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 117
  PID 1832 wrote to memory of 404 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 117
  PID 1832 wrote to memory of 404 | 1832 | {65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe | 117
  PID 4340 wrote to memory of 8 | 4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | 118
  PID 4340 wrote to memory of 8 | 4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | 118
  PID 4340 wrote to memory of 8 | 4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | 118
  PID 4340 wrote to memory of 5064 | 4340 | {9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe | 119
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe (depth 1, PID 3412)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
  signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe (depth 2, PID 5092)
    command line: C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe (depth 3, PID 3508)
      command line: C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe (depth 4, PID 1428)
        command line: C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe (depth 5, PID 4220)
          command line: C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe (depth 6, PID 1796)
            command line: C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe (depth 7, PID 2072)
              command line: C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe (depth 8, PID 4924)
                command line: C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe (depth 9, PID 1600)
                  command line: C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe (depth 10, PID 1832)
                    command line: C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe (depth 11, PID 4340)
                      command line: C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
                      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe (depth 12, PID 8)
                        command line: C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
                        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe (depth 13, PID 4820)
                          command line: C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe
                          signatures: Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (depth 13, PID 3776)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{55FB7~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (depth 12, PID 5064)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9967B~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 404)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65EEE~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 4264)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C7130~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 4640)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6B397~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4524)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{77B3B~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 5080)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35484~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 1628)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E889~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4172)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC3D~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1416)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{390C9~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 60)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4024)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 180KB
  MD5: 0fc5bc411ec863b8ef31b6105aaea5a5
  SHA1: fb310ee022b23cbc48a7e7dde5834419aaa0ddbb
  SHA256: c98f63875a59f1c63dd73bd0d0e1c0b10ed0d364b6562d3e8573de188cd7cc91
  SHA512: a416e6f4036d1bb4ae13d1296f4b674a141c24f84853aeab059224f5490bb48d65dca0d0aba50610a88b863f7171a46a95b1e4a47604372e91d8442361c923f5
- Filesize: 180KB
  MD5: e526e4a2593f59769311affc3b0b02d2
  SHA1: 6cd30dfb0653a25cc40c42e277f1a88fcab3d281
  SHA256: 0543db4016a12599366efb1db45e8ec74a4c9b7cfa327c0fa21a81492c9ec718
  SHA512: 6d98799e34814e9bb9740511775c99887deebb680db862516b9b6808cd99a0d1a7818f52fd59ff50d28a1de79655f12fb7ee47a8f6d01cbea3338d4ed373d1fd
- Filesize: 180KB
  MD5: 844d50c4c89bede9dd276f51c24af53f
  SHA1: 965852716b051501f6eaf7138c1ff81a211e0288
  SHA256: c91720460de24e0a068b17c1268527ee68b94a72baa343a77a8cadb81452d440
  SHA512: d40600664461506fbe5f92c31828a17b33ef6247fc5e3007b7b283d3f9be7ba0803482ce3cff257131802d02e3683d3a5aa8df91eb6cebdcf6e7b9a55c4a075c
- Filesize: 180KB
  MD5: 3d35c5ea4e2c7278f8952c282a3b946e
  SHA1: 955cda7fef39bece44bbb5ee4e7d775715928657
  SHA256: a97378bafddac5e66e300a2f88874c459fa0aef360b0de4d4d079fb8fe464225
  SHA512: dee3c78a04cad2145c8537e712541ff89e4c84e2f79ce219b11b89358a3f0a424470fe04a18befaa1dbb34dd548eed425ab95d5cb49c5e8cf37e42699ff27289
- Filesize: 180KB
  MD5: a94caab3bd875a3af5ee1ea3d0df44c4
  SHA1: 1241f19ddbe7907ba77aa5d87d3c03c9cb7ebb59
  SHA256: 5e25989b231fd4d3c3372b8c0f5b53883bb4212c108218a81263a7445cd0039e
  SHA512: 2dbcd8c870ee8289180ca8167b5eb9f4a7aec3cd3abc4ad37dfdc8afecc96af8c05602d3d6f458bb1bea0fc8df5e46034b95364af81bd67b6f610e39f7ccc17e
- Filesize: 180KB
  MD5: 5ce82a24474f84095401df53af2c2f9d
  SHA1: f7cd20893e52f00561e983d2e5cc7e2f43727f57
  SHA256: f590d702b28b564c8f8163c4f78270b96d95afee5b9a400f0ecb6f98376c23c0
  SHA512: 15b91f48403e6ceed4c85d760c0cd7927f2952d2fc776da31917c4e6379262cb6517421df3701a8706aef3280a08ba4d7fae32b1fc07fa8b610c7692a5756a1c
- Filesize: 180KB
  MD5: 35344cdd4fec8f2c620c6da727ed50ac
  SHA1: 1ac019fbb4242bd5881049b6333704eeb9dfcc49
  SHA256: fab9206fc22ca16e011794b1b55d7dcf1fffe13004a1241156e8126009827910
  SHA512: 9006b18e4edacefc3eb56ef4442e4769c1064b1913f5500ae2ce31c584a5fdb1e30095b5a8de8103d8efd54718749ca579e37e3248ef7aaced72df04daf6ea38
- Filesize: 180KB
  MD5: 56136e7b56ee670856de4e9cb2190a22
  SHA1: e09af0e74ce9936050582e981a2323232ad82917
  SHA256: 689fab017550d5934070365e508756dfe1363e4097f762f04661df00f298a185
  SHA512: e0a6abfd52de2836dac9a77d669b832e68020fc26a8e6c0c638e1f7f944cd7a0bc56f90ceeb0c9ebedc71fd65f913f935466d45f0a54babd5c8013131847adbf
- Filesize: 180KB
  MD5: 30f036fad0105ddd7dbbfc3d94e7be4b
  SHA1: c3145437d0bd8253bfc0316992673d117098cb9c
  SHA256: e5bd663b089d25e4d5022ab38afcc28d7f530e269e1e0b83947b013389d7574f
  SHA512: d36685449d3564c720d6f9d0d974978e58fb2739ea7003fbe65c7f497e9fa30f6989bbe6a78be1c6818d38828e92aaca475aa77e0e7ee7fd91c4543a6e9b6ca6
- Filesize: 180KB
  MD5: 179a47cd9d052db77702998b9c38b260
  SHA1: c2166afb47f43c535cdeaeea91412730d48a86ed
  SHA256: ab62e9ad08bda5ed2e7694e081bf7798f2e0c532594692359e35ed6b116a3f25
  SHA512: 6934cef31e3033f21808245b61ade6af6c698530770cbe8b18afe132ed2a278e40055be969e013f9fbda0cb6df92e12fb098c64481c4cb4bc7f3956a770771ea
- Filesize: 180KB
  MD5: 8265fb2d362699c97111cff330ad8e99
  SHA1: 732b6e88493dfd42c8502a55a7ebd156d63c8d06
  SHA256: d666db23ac50e90cb6c6e1aae3dd6fd901ef87cadcc1b6e9c9c1a26f28c53be0
  SHA512: ee36c12d09b45ac823bb6ca59cd511209b1c0a8d72e28962acc02ba1eeef81d47892011fec4805b1252892692095d571af2c84c714b683617a5e9e2d692610bb
- Filesize: 180KB
  MD5: f2ed789e1fb177aab40e689a93be5694
  SHA1: c87de8d8c8285906c23102853853ab87da2e643c
  SHA256: 1598692a5290601c6207a36251d20c67bd312e9f36a7d5f7b61a139ced3e7818
  SHA512: 29ecf5451ff7f358747eb5ff76fcaf14883f7ebef0f6cc9b2beea86f68f5eeea387b8420067b91675eaff965b620c4584b39e945ba3cf91b2f7f8d84b2ffeec1