Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Size: 408KB
MD5: 7c79d857b718bf5a5838505d3dbb615d
SHA1: 2ac8774151e05d71183cd09b9435ca32a3d543f7
SHA256: 8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6
SHA512: f00d505f2d255864a4332affc6d8c9fb83aa5501625ed0f2473d96c52cc121d37bcdb7b826299376f993d410c63df93f96d752ef54efaee6ac02b8165dbed84d
SSDEEP: 3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023203-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002320a-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023211-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320a-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182} | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E} | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9B1EA3-258E-47e9-9482-F33E461A8426} | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3CE716-1338-4ca2-A9AF-56151A556E65} | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}\stubpath = "C:\\Windows\\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe" | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E10020-54FE-4ef2-82AA-528F280B51B9} | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F} | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}\stubpath = "C:\\Windows\\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe" | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}\stubpath = "C:\\Windows\\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe" | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9B1EA3-258E-47e9-9482-F33E461A8426}\stubpath = "C:\\Windows\\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe" | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D979789-F38F-4b5b-BC2D-19478E84D207} | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667D4632-5CD2-41af-8AE4-C3431B1C70D5} | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}\stubpath = "C:\\Windows\\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe" | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AC986D-ECF3-45be-B750-D3D1110EDD66} | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AC986D-ECF3-45be-B750-D3D1110EDD66}\stubpath = "C:\\Windows\\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe" | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{092E74B0-8CA1-453b-9474-C9849FDD04D6} | {66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{092E74B0-8CA1-453b-9474-C9849FDD04D6}\stubpath = "C:\\Windows\\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe" | {66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}\stubpath = "C:\\Windows\\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe" | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B49C12-D985-40ae-87EF-8C9DB894EB6E} | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}\stubpath = "C:\\Windows\\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe" | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D979789-F38F-4b5b-BC2D-19478E84D207}\stubpath = "C:\\Windows\\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe" | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3CE716-1338-4ca2-A9AF-56151A556E65}\stubpath = "C:\\Windows\\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe" | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA} | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E10020-54FE-4ef2-82AA-528F280B51B9}\stubpath = "C:\\Windows\\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe" | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
2804 | {66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
1244 | {092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe | {66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
File created | C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
File created | C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
File created | C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
File created | C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
File created | C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
File created | C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
File created | C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
File created | C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
File created | C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
File created | C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
File created | C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
Token: SeIncBasePriorityPrivilege | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
Token: SeIncBasePriorityPrivilege | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
Token: SeIncBasePriorityPrivilege | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
Token: SeIncBasePriorityPrivilege | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
Token: SeIncBasePriorityPrivilege | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
Token: SeIncBasePriorityPrivilege | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
Token: SeIncBasePriorityPrivilege | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
Token: SeIncBasePriorityPrivilege | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
Token: SeIncBasePriorityPrivilege | 2804 | {66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1944 wrote to memory of 3868 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 96
PID 1944 wrote to memory of 3868 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 96
PID 1944 wrote to memory of 3868 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 96
PID 1944 wrote to memory of 4496 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 97
PID 1944 wrote to memory of 4496 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 97
PID 1944 wrote to memory of 4496 | 1944 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 97
PID 3868 wrote to memory of 1136 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 98
PID 3868 wrote to memory of 1136 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 98
PID 3868 wrote to memory of 1136 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 98
PID 3868 wrote to memory of 960 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 99
PID 3868 wrote to memory of 960 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 99
PID 3868 wrote to memory of 960 | 3868 | {E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe | 99
PID 1136 wrote to memory of 684 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 101
PID 1136 wrote to memory of 684 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 101
PID 1136 wrote to memory of 684 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 101
PID 1136 wrote to memory of 2328 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 102
PID 1136 wrote to memory of 2328 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 102
PID 1136 wrote to memory of 2328 | 1136 | {93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe | 102
PID 684 wrote to memory of 3124 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 103
PID 684 wrote to memory of 3124 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 103
PID 684 wrote to memory of 3124 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 103
PID 684 wrote to memory of 2304 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 104
PID 684 wrote to memory of 2304 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 104
PID 684 wrote to memory of 2304 | 684 | {057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe | 104
PID 3124 wrote to memory of 2260 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 105
PID 3124 wrote to memory of 2260 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 105
PID 3124 wrote to memory of 2260 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 105
PID 3124 wrote to memory of 1696 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 106
PID 3124 wrote to memory of 1696 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 106
PID 3124 wrote to memory of 1696 | 3124 | {6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe | 106
PID 2260 wrote to memory of 5060 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 107
PID 2260 wrote to memory of 5060 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 107
PID 2260 wrote to memory of 5060 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 107
PID 2260 wrote to memory of 4084 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 108
PID 2260 wrote to memory of 4084 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 108
PID 2260 wrote to memory of 4084 | 2260 | {EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe | 108
PID 5060 wrote to memory of 228 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 109
PID 5060 wrote to memory of 228 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 109
PID 5060 wrote to memory of 228 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 109
PID 5060 wrote to memory of 4672 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 110
PID 5060 wrote to memory of 4672 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 110
PID 5060 wrote to memory of 4672 | 5060 | {5D979789-F38F-4b5b-BC2D-19478E84D207}.exe | 110
PID 228 wrote to memory of 3224 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 111
PID 228 wrote to memory of 3224 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 111
PID 228 wrote to memory of 3224 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 111
PID 228 wrote to memory of 3528 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 112
PID 228 wrote to memory of 3528 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 112
PID 228 wrote to memory of 3528 | 228 | {CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe | 112
PID 3224 wrote to memory of 3948 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 113
PID 3224 wrote to memory of 3948 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 113
PID 3224 wrote to memory of 3948 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 113
PID 3224 wrote to memory of 1464 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 114
PID 3224 wrote to memory of 1464 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 114
PID 3224 wrote to memory of 1464 | 3224 | {667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe | 114
PID 3948 wrote to memory of 5000 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 115
PID 3948 wrote to memory of 5000 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 115
PID 3948 wrote to memory of 5000 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 115
PID 3948 wrote to memory of 2612 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 116
PID 3948 wrote to memory of 2612 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 116
PID 3948 wrote to memory of 2612 | 3948 | {AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe | 116
PID 5000 wrote to memory of 2804 | 5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe | 117
PID 5000 wrote to memory of 2804 | 5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe | 117
PID 5000 wrote to memory of 2804 | 5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe | 117
PID 5000 wrote to memory of 908 | 5000 | {B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe | 118
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe (PID 1944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe (PID 3868)
    Command line: C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe (PID 1136)
      Command line: C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe (PID 684)
        Command line: C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe (PID 3124)
          Command line: C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe (PID 2260)
            Command line: C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe (PID 5060)
              Command line: C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe (PID 228)
                Command line: C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe (PID 3224)
                  Command line: C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe (PID 3948)
                    Command line: C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe (PID 5000)
                      Command line: C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe (PID 2804)
                        Command line: C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe (PID 1244)
                          Command line: C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe (PID 4540)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{66AC9~1.EXE > nul
                      C:\Windows\SysWOW64\cmd.exe (PID 908)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E10~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (PID 2612)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AE339~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (PID 1464)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{667D4~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (PID 3528)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CE3CE~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (PID 4672)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D979~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (PID 4084)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EE9B1~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (PID 1696)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6A4E2~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (PID 2304)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{057AC~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (PID 2328)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{93B49~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (PID 960)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C9C~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (PID 4496)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads