Analysis
max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 04:26

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Size: 380KB
MD5: 886c0ff26e3a5079f29bc8a6e2c25646
SHA1: 61538066cc38d86ffd79c935f8054fc33923ef3e
SHA256: 32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd
SHA512: a5db5a8ea4985a1ead82537b16c1daaac00c315b1e7ed9a84743edec07c33a2515d794e9ba67b5f888c0db1c131dd02cf93d00c462c208a444ce7d050ac72061
SSDEEP: 3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002341e-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002341f-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023425-11.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341f-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023425-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341f-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023425-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072d-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
All keys are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\. Rows are ordered by drop stage: each process creates the component key for the EXE it drops and sets that key's stubpath to the dropped file.
description | ioc | Process
Key created | {F0104825-97CA-4d65-9868-E9DD53927D31} | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Set value (str) | {F0104825-97CA-4d65-9868-E9DD53927D31}\stubpath = "C:\\Windows\\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe" | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Key created | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1} | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe
Set value (str) | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}\stubpath = "C:\\Windows\\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe" | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe
Key created | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD} | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
Set value (str) | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}\stubpath = "C:\\Windows\\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe" | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
Key created | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9} | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
Set value (str) | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}\stubpath = "C:\\Windows\\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe" | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
Key created | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811} | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
Set value (str) | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}\stubpath = "C:\\Windows\\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe" | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
Key created | {253CEE22-2A53-4b91-B0D5-899E5784A7D6} | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
Set value (str) | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}\stubpath = "C:\\Windows\\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe" | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
Key created | {129BE98C-B259-4ae0-8C01-0C29B501F704} | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
Set value (str) | {129BE98C-B259-4ae0-8C01-0C29B501F704}\stubpath = "C:\\Windows\\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe" | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
Key created | {D0BAF376-0BA0-4a30-8EB2-895B4927877E} | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
Set value (str) | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}\stubpath = "C:\\Windows\\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe" | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
Key created | {E6109D2F-6362-4280-9F69-8D09CDA2408E} | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
Set value (str) | {E6109D2F-6362-4280-9F69-8D09CDA2408E}\stubpath = "C:\\Windows\\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe" | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
Key created | {06DB9891-8343-4caa-822E-60B5E012922A} | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
Set value (str) | {06DB9891-8343-4caa-822E-60B5E012922A}\stubpath = "C:\\Windows\\{06DB9891-8343-4caa-822E-60B5E012922A}.exe" | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
Key created | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9} | {06DB9891-8343-4caa-822E-60B5E012922A}.exe
Set value (str) | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}\stubpath = "C:\\Windows\\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe" | {06DB9891-8343-4caa-822E-60B5E012922A}.exe
Key created | {74DD85F7-C2E8-435f-B411-DD6C180CE5D2} | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
Set value (str) | {74DD85F7-C2E8-435f-B411-DD6C180CE5D2}\stubpath = "C:\\Windows\\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe" | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
Executes dropped EXE (12 IoCs)
pid | Process
4032 | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe
4188 | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
2088 | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
3680 | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
3092 | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
4892 | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
3744 | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
1708 | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
112 | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
2636 | {06DB9891-8343-4caa-822E-60B5E012922A}.exe
4056 | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
4772 | {74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
Drops file in Windows directory (12 IoCs)
Rows are ordered by drop stage; each process writes exactly one GUID-named EXE into C:\Windows, which is the next stage.
description | ioc | Process
File created | C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
File created | C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe
File created | C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
File created | C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
File created | C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
File created | C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
File created | C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
File created | C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
File created | C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
File created | C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
File created | C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe | {06DB9891-8343-4caa-822E-60B5E012922A}.exe
File created | C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 5060 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4032 | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe
Token: SeIncBasePriorityPrivilege | 4188 | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
Token: SeIncBasePriorityPrivilege | 2088 | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
Token: SeIncBasePriorityPrivilege | 3680 | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
Token: SeIncBasePriorityPrivilege | 3092 | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
Token: SeIncBasePriorityPrivilege | 4892 | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
Token: SeIncBasePriorityPrivilege | 3744 | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
Token: SeIncBasePriorityPrivilege | 1708 | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
Token: SeIncBasePriorityPrivilege | 112 | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
Token: SeIncBasePriorityPrivilege | 2636 | {06DB9891-8343-4caa-822E-60B5E012922A}.exe
Token: SeIncBasePriorityPrivilege | 4056 | {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The raw listing reports every write three times; the table collapses the repeats into a count. The listing stops at the 64-entry cap, so the writes by the {6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe stage (PID 4056) are not shown even though the process tree records its children.
description | pid | Process | procid_target | count
PID 5060 wrote to memory of 4032 | 5060 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | 93 | 3
PID 5060 wrote to memory of 4444 | 5060 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | 94 | 3
PID 4032 wrote to memory of 4188 | 4032 | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe | 95 | 3
PID 4032 wrote to memory of 3196 | 4032 | {F0104825-97CA-4d65-9868-E9DD53927D31}.exe | 96 | 3
PID 4188 wrote to memory of 2088 | 4188 | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | 98 | 3
PID 4188 wrote to memory of 1636 | 4188 | {C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe | 99 | 3
PID 2088 wrote to memory of 3680 | 2088 | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | 100 | 3
PID 2088 wrote to memory of 2716 | 2088 | {CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe | 101 | 3
PID 3680 wrote to memory of 3092 | 3680 | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | 102 | 3
PID 3680 wrote to memory of 3900 | 3680 | {E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe | 103 | 3
PID 3092 wrote to memory of 4892 | 3092 | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | 104 | 3
PID 3092 wrote to memory of 4224 | 3092 | {F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe | 105 | 3
PID 4892 wrote to memory of 3744 | 4892 | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | 106 | 3
PID 4892 wrote to memory of 4688 | 4892 | {253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe | 107 | 3
PID 3744 wrote to memory of 1708 | 3744 | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | 108 | 3
PID 3744 wrote to memory of 2612 | 3744 | {129BE98C-B259-4ae0-8C01-0C29B501F704}.exe | 109 | 3
PID 1708 wrote to memory of 112 | 1708 | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | 110 | 3
PID 1708 wrote to memory of 1888 | 1708 | {D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe | 111 | 3
PID 112 wrote to memory of 2636 | 112 | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | 112 | 3
PID 112 wrote to memory of 4856 | 112 | {E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe | 113 | 3
PID 2636 wrote to memory of 4056 | 2636 | {06DB9891-8343-4caa-822E-60B5E012922A}.exe | 114 | 3
PID 2636 wrote to memory of 2604 | 2636 | {06DB9891-8343-4caa-822E-60B5E012922A}.exe | 115 | 1
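The signatures above describe a single mechanism repeated twelve times: each stage writes the next stage as a GUID-named EXE into C:\Windows, creates an Active Setup Installed Components key for it and points the key's stubpath at the dropped file (Windows runs stubpath once per user at logon for any component not yet recorded under that user's HKCU), launches the dropped file, and then spawns cmd.exe to delete its own image by its 8.3 short name. The hunting helpers below are an added example, not part of the sandbox report and not vendor tooling. They run over constructed Sysmon-style event tuples that copy the first three stages from this report (plus one constructed benign Active Setup entry) and flag the three behaviours: the drop-and-launch chain, stubpath values that point at C:\Windows\{GUID}.exe, and a child cmd.exe whose del target is the parent's own image. The event tuple shape, the short_stem heuristic and the benign entry are assumptions made for the example.

```python
"""Hunting helpers for the GoldenEye-style dropper chain this report records.

EVENTS is constructed telemetry (Sysmon-style tuples, not the sandbox's raw
output) modelling the first three stages of the chain with the file names,
registry keys and command lines the report lists.
"""
import re

# File names and registry paths taken from the report.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
S1 = r"C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe"
S2 = r"C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe"
S3 = r"C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe"
AS = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events (assumed shape):
#   ("file", creating process image, created path)
#   ("reg",  process image, key, value)
#   ("proc", parent image, child image, child command line)
EVENTS = [
    ("file", ORIG, S1),
    ("reg", ORIG, AS + r"\{F0104825-97CA-4d65-9868-E9DD53927D31}\stubpath", S1),
    ("proc", ORIG, S1, S1),
    ("proc", ORIG, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ("file", S1, S2),
    ("reg", S1, AS + r"\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}\stubpath", S2),
    ("proc", S1, S2, S2),
    ("proc", S1, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul"),
    ("file", S2, S3),
    ("reg", S2, AS + r"\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}\stubpath", S3),
    ("proc", S2, S3, S3),
    ("proc", S2, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul"),
    # Constructed benign entry: a stubpath that is not C:\Windows\{GUID}.exe must not fire.
    ("reg", r"C:\Windows\System32\msiexec.exe",
     AS + r"\{00000000-0000-0000-0000-000000000001}\stubpath", r"C:\Program Files\Example\setup.exe /cfg"),
]

GUID = r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"
GUID_EXE = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.I)
STUBPATH = re.compile(r"\\Active Setup\\Installed Components\\(" + GUID + r")\\stubpath$", re.I)
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\b", re.I)


def short_stem(path):
    """Heuristic 8.3 stem: first six characters of the file name, upper-cased.
    Real short-name generation also strips spaces and some punctuation; for names
    like '{F0104825-...}.exe' -> '{F0104~1.EXE' the first six characters suffice."""
    name = path.rsplit("\\", 1)[-1]
    return name.split("~", 1)[0][:6].upper()


def active_setup_guid_exe(events):
    """Active Setup stubpath values that point at a GUID-named EXE directly under C:\\Windows."""
    hits = []
    for e in events:
        if e[0] == "reg":
            m = STUBPATH.search(e[2])
            if m and GUID_EXE.match(e[3]):
                hits.append((m.group(1), e[3]))
    return hits


def self_deletes(events):
    """cmd.exe children whose 'del' target is the parent's own image (matched by 8.3 stem)."""
    hits = []
    for e in events:
        if e[0] == "proc" and e[2].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE.search(e[3])
            if m and short_stem(m.group(1)) == short_stem(e[1]):
                hits.append((e[1], m.group(1)))
    return hits


def drop_chain(events, start):
    """Follow files that a process both created and launched; returns the ordered stage list."""
    launched = {(e[1].lower(), e[2].lower()) for e in events if e[0] == "proc"}
    dropped = {}
    for e in events:
        if e[0] == "file":
            dropped.setdefault(e[1].lower(), []).append(e[2])
    chain, cur = [start], start
    while True:
        nxt = [p for p in dropped.get(cur.lower(), [])
               if (cur.lower(), p.lower()) in launched and p not in chain]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)


if __name__ == "__main__":
    print("drop chain:", *drop_chain(EVENTS, ORIG), sep="\n  ")
    print("Active Setup stubpath -> C:\\Windows\\{GUID}.exe:", active_setup_guid_exe(EVENTS))
    print("self-deleting stages:", self_deletes(EVENTS))
```

The three checks are independent on purpose: the stubpath test fires on a single registry event and needs no process lineage, the self-delete test needs only parent image plus child command line, and the chain walk is what turns twelve separate drops into one incident. On a real host the same logic applies to Sysmon event IDs 1, 11 and 13 once the fields are mapped into the tuple shape used here.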
Processes
Indentation shows parent and child; the leading number is the sandbox's own depth. The command line is the image path unless a cmdline line is shown. Each stage launches the next stage and then a cmd.exe that deletes the stage's own image by its 8.3 short name; that cmd.exe is listed before the next stage's subtree so it stays beside its parent (launch order, from procid_target above, is next stage first, then cmd.exe).

1  C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe  (PID 5060)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe  (PID 4444)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
   2  C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe  (PID 4032)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe  (PID 3196)
         cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul
      3  C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe  (PID 4188)
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\cmd.exe  (PID 1636)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul
         4  C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe  (PID 2088)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\cmd.exe  (PID 2716)
               cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4CB~1.EXE > nul
            5  C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe  (PID 3680)
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\cmd.exe  (PID 3900)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{E8825~1.EXE > nul
               6  C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe  (PID 3092)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  7  C:\Windows\SysWOW64\cmd.exe  (PID 4224)
                     cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F50FC~1.EXE > nul
                  7  C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe  (PID 4892)
                     - Modifies Installed Components in the registry
                     - Executes dropped EXE
                     - Drops file in Windows directory
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of WriteProcessMemory
                     8  C:\Windows\SysWOW64\cmd.exe  (PID 4688)
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{253CE~1.EXE > nul
                     8  C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe  (PID 3744)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        9  C:\Windows\SysWOW64\cmd.exe  (PID 2612)
                           cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{129BE~1.EXE > nul
                        9  C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe  (PID 1708)
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of WriteProcessMemory
                           10  C:\Windows\SysWOW64\cmd.exe  (PID 1888)
                               cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BAF~1.EXE > nul
                           10  C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe  (PID 112)
                               - Modifies Installed Components in the registry
                               - Executes dropped EXE
                               - Drops file in Windows directory
                               - Suspicious use of AdjustPrivilegeToken
                               - Suspicious use of WriteProcessMemory
                               11  C:\Windows\SysWOW64\cmd.exe  (PID 4856)
                                   cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{E6109~1.EXE > nul
                               11  C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe  (PID 2636)
                                   - Modifies Installed Components in the registry
                                   - Executes dropped EXE
                                   - Drops file in Windows directory
                                   - Suspicious use of AdjustPrivilegeToken
                                   - Suspicious use of WriteProcessMemory
                                   12  C:\Windows\SysWOW64\cmd.exe  (PID 2604)
                                       cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{06DB9~1.EXE > nul
                                   12  C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe  (PID 4056)
                                       - Modifies Installed Components in the registry
                                       - Executes dropped EXE
                                       - Drops file in Windows directory
                                       - Suspicious use of AdjustPrivilegeToken
                                       13  C:\Windows\SysWOW64\cmd.exe  (PID 1728)
                                           cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA2E~1.EXE > nul
                                       13  C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe  (PID 4772)
                                           - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
12 dropped files, all 380KB, each with a distinct hash.

File 1 (380KB)
  MD5    52a6508c83201961279cffdf15166ad8
  SHA1   687a35703df12796f771fff8871ba46448c24078
  SHA256 a413c57847b54e725f79c6ef322f32472c6cd044d2c915ee7005db360dab5638
  SHA512 e3d1f2288733650e712f227bbe6025d3ac2dca8a517291adb89ae7b7e3273478be631a27d32cbd5a779d75ed04370035db06340e8494b53556323b392020805a

File 2 (380KB)
  MD5    4c9fa31fb9b23340cb293ee6b19fc12f
  SHA1   d5615a2162383b95855c0aff123f18d9fed1cd0e
  SHA256 fc1dfe89163ec96026341b5b996383eae1657bf4382b49ecd3a0c846850dbc99
  SHA512 b17ab89450460e92c85ab5a67b63fe803faa74ee344f4690c9c81e31a2ae09633f1f1ae09dc6b2b1652bec46c5c6306b3400e623fbc3be923b4ab52ac3ecb3a4

File 3 (380KB)
  MD5    d91e159db83f6e991d2edbc75100c43d
  SHA1   3becb2fd7b4f4a141f542daec824c05c799cadc0
  SHA256 e288847f94b9561f60b82b35856a51caca76ad381baf38afd2c75d49f3e72d71
  SHA512 5e0cfbdc4f45a1b8329fa76946931d32f2f4a044f1b97a8513f9f4fbc51dd9134c7491c2c29433e15da9f2fe979d4cb956c8d198e91de7fd0773777209eeb7e5

File 4 (380KB)
  MD5    849aafc33d8e9e9f802ae9635d93271c
  SHA1   f9431ed1c778401aa507d428a490da841c6dc935
  SHA256 cc61ec33126ff3adcd4c6000bf49c7efe0ed19ce92e56c69ed82d1da0eb25dda
  SHA512 d5f3669f7639ad4cb4cdc8fe59c60fe6308a080cfd4132337a9adde3f79030ea7e636bb409e17fece7e77a7334e882ae0af92d8081b8a70b7e634b875067740b

File 5 (380KB)
  MD5    6620dcf96063862d0c76038b19b90ce8
  SHA1   9b459e3c57b50816220ed43c35dc3ba366179de0
  SHA256 4ac32cc2406c9d8b7c7686654c0a89968412a4f588c76b61e2f3f7ddf59a5180
  SHA512 708230c1661ed1b7acde2b33b48423d3cb2eaeef7680b1c8c83a710064ffa9a03952bcb0c1dcbaaf1b439556b264ac13b27cda04fbbd47d450e4b595e5d971fd

File 6 (380KB)
  MD5    e01abea8d50e1c91c18d6887bed33a29
  SHA1   ff616546bee9aa5047a998dc5cd65951ce4d113f
  SHA256 025fda0d9a27a811ac20b7a46f664103039557180c09c3789e4ed8e3e04218ff
  SHA512 fe79362bcf8c7850f6b0c757a34cee48012cc90801dac27d37e173be234b32a156338fbb903f38473b14de02f938d41f654eaa02bda29fb208a8d821cb97ac68

File 7 (380KB)
  MD5    5a3c70114c8e0edc502fc16b02391be7
  SHA1   33840bb2840bd2385a6e789a7a1849130732ec3f
  SHA256 285d27c2154ae895a14f7a2fbbd2c748fec1eacc1ad0274f316979b81f3c0d3d
  SHA512 3168e07d23932c7302f7d8af9b8e3fba7317f2ccca7e8252b8b98732eb7add542173e41fab0d4bea8ad1a38569455ab0b0eec2ca285a7103c7ef17c10d42ab4b

File 8 (380KB)
  MD5    cb56216678cbe1c8c04bb174cf61b548
  SHA1   270bf37f78b17bce6a4879f44c8a77a662ba98ab
  SHA256 210e1065f01360794b86cf66364007d4fd17d48c9881d8768d52ab1da28a0e75
  SHA512 78b46053e59fb442a1cb7a51bad0e9aa6c8cdc992a54fd5d0f41e3152cc23810c584a9e164f9d81bf848b521b65a1cc5976db02503e1c4d9c099021f82629fd3

File 9 (380KB)
  MD5    4b8cb53c1cd076eaf9f05ac1e4e3f397
  SHA1   2abe56f609844b6bfea3922ad253c4e76eb61b80
  SHA256 0024cb315cefe4140677100db5468c87557aaa9715b268e8f91a2201aa12f708
  SHA512 1867f03639a99b6a8bf67b2e1626dd40ea2b73ac52ff6c65c1a544d534254d6c9c20d19ed3e3d4041228d464ffada615d18056e9a6c3faea96a1e3acc33c59e5

File 10 (380KB)
  MD5    63496a663cf80c04bd1a8013932051db
  SHA1   cabef2e745be4f0bf42dd6e345c0fd3d9b9d958c
  SHA256 76121bd0b5afc4f021707461b552c137b6c628d33bc2e5ea9a47ef317811df93
  SHA512 9273206fdfaed99724beb9396188de24d15bba788e4df1ab22e129cc6449a93da22add947aa67029dbf7d281e8ab67b2cba19d5cb507e9b55f31c118eb568a54

File 11 (380KB)
  MD5    d2b566b208dd8db8a9d12bc97169351f
  SHA1   29feb60c0598ada5572c70ea3084c66ff1935519
  SHA256 142899008b4852574767770070a70ff208310acf32cc381a43dfce5ce67b734f
  SHA512 95fdc3806e0ca1a089df41227f87cfb321d0fb3fb861786ee90aac7cf7ac835272bc979ef87dbd85232c7f91e3b95237d134f6143e062fbf3b1e297649439a1d

File 12 (380KB)
  MD5    2de345ffaa5fc9a54cf8d203651457d3
  SHA1   29649874ef298e5977266d2172bbffc344274e61
  SHA256 015ee27a72650314b90084ff0b97955f1d80b864728390b3d93477fc7bd413dd
  SHA512 529381786394afc1d7c71ef8058a939e7ea3c1c3584c4836dd2b02ade2b8705362015a22eb94638dc06d55e6b5f667057a0af1086aa329b4724d88a6d1152fe4