Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 13:42
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
- Size: 180KB
- MD5: 8b0d6362c5339021cf7bf8c3335b3656
- SHA1: 5edcdcbc300c263a93bad82d0e3c9a58eaa1df6d
- SHA256: bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb
- SHA512: e9ae3dbcb28949cb6af1ec184d3b9b71086afa2ddc3762a8b9425fd8b0ba5eb44b7907304da312ac0600ef6ef4ade589fd21133d5f7d6d447e2b3b892a8e6177
- SSDEEP: 3072:jEGh0oVlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfl5eKcAEc
Malware Config
Signatures
Auto-generated rule 12 IoCs
Modifies Installed Components in the registry 2 TTPs 24 IoCs
Executes dropped EXE 12 IoCs
Drops file in Windows directory 12 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe (depth 1, PID 3848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe (depth 2, PID 2008)
  Command line: C:\Windows\{E5F6747F-F8C9-4298-8588-D9659C9693DD}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe (depth 3, PID 3144)
  Command line: C:\Windows\{1D38C02C-5582-48c9-A3F0-5F04547529B2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe (depth 4, PID 1272)
  Command line: C:\Windows\{F05964B4-1D80-482f-A6F7-1222A98F013A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe (depth 5, PID 680)
  Command line: C:\Windows\{6A667538-DBCA-42ff-9E90-7B1A03348C86}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe (depth 6, PID 3236)
  Command line: C:\Windows\{54C94FE4-A674-4342-B33F-0C3AA010BD89}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe (depth 7, PID 2556)
  Command line: C:\Windows\{719367C5-57DE-4bc7-AF55-5C07042C35E3}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe (depth 8, PID 4824)
  Command line: C:\Windows\{AF3128AF-4935-4ace-9C58-61F6DA5C9F92}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe (depth 9, PID 4740)
  Command line: C:\Windows\{2A52E8A8-A254-4b21-84B4-6E18E0C6363D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe (depth 10, PID 2748)
  Command line: C:\Windows\{C02D84D4-482B-4001-82EA-403C637B3A85}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe (depth 11, PID 4436)
  Command line: C:\Windows\{5ADD6913-B0D0-4d05-B4D9-AE6D1D5444C9}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe (depth 12, PID 2068)
  Command line: C:\Windows\{4E3F10B0-4DD0-4cd8-9121-E8BC42DCE38A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe (depth 13, PID 1192)
  Command line: C:\Windows\{2A3DC0AB-82D0-445a-9D31-F018E5D8C43B}.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe (depth 13, PID 676)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3F1~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 12, PID 2884)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADD6~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 11, PID 3816)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C02D8~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2320)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A52E~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2144)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF312~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4316)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{71936~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 7, PID 3788)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{54C94~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3700)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6A667~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3348)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0596~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4764)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D38C~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1084)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F67~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1352)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5060)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads