Analysis
Max time kernel: 150s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/06/2024, 04:41
Static task: static1
Behavioral task: behavioral1
    Sample: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
    Resource: win7-20240215-en
Behavioral task: behavioral2
    Sample: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
    Resource: win10v2004-20240426-en
General
Target: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
Size: 204KB
MD5: 97860f63b56a11a2225fb7e0eae2928f
SHA1: 2869cb06f8fa1d11467034ee6d8ff34961169169
SHA256: 0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9
SHA512: 471d03f24bee300bc67bff010241872d5a2c7b33276bf764107d3ff377f110af5357f8b30f0cafd15d1b08c18d0c4c6de59656a71b2c9ab4528c1fc2ebc35ff4
SSDEEP: 1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy
Malware Config

Signatures

Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002340e-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023403-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023414-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023403-13.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbd-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbe-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fbd-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6637B389-4DF6-4011-903A-9067E6D3537F}\stubpath = "C:\\Windows\\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe" | {E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}\stubpath = "C:\\Windows\\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe" | {EF4D370F-EF84-417f-A850-C48194A23B68}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BA756E-3FA1-472d-83DB-CCA960A2D447} | {7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0616B9E9-57E0-48b9-8B57-580031C8D141}\stubpath = "C:\\Windows\\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe" | {5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}\stubpath = "C:\\Windows\\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe" | {0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E246F3FF-1943-42a7-A797-C3A54A99D3DC} | {EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC397DE-0841-48d1-8751-CC0E16F24771}\stubpath = "C:\\Windows\\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe" | {637A2255-BE5F-451d-AF77-820B161257AB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE} | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5} | {3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0616B9E9-57E0-48b9-8B57-580031C8D141} | {5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}\stubpath = "C:\\Windows\\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe" | {3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6637B389-4DF6-4011-903A-9067E6D3537F} | {E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4D370F-EF84-417f-A850-C48194A23B68} | {6637B389-4DF6-4011-903A-9067E6D3537F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637A2255-BE5F-451d-AF77-820B161257AB} | {D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637A2255-BE5F-451d-AF77-820B161257AB}\stubpath = "C:\\Windows\\{637A2255-BE5F-451d-AF77-820B161257AB}.exe" | {D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}\stubpath = "C:\\Windows\\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe" | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}\stubpath = "C:\\Windows\\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe" | {3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B} | {0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B} | {3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}\stubpath = "C:\\Windows\\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe" | {EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4D370F-EF84-417f-A850-C48194A23B68}\stubpath = "C:\\Windows\\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe" | {6637B389-4DF6-4011-903A-9067E6D3537F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD} | {EF4D370F-EF84-417f-A850-C48194A23B68}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC397DE-0841-48d1-8751-CC0E16F24771} | {637A2255-BE5F-451d-AF77-820B161257AB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}\stubpath = "C:\\Windows\\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe" | {7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
Executes dropped EXE (12 IoCs)
pid | Process
1212 | {3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
2828 | {5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
1592 | {0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
4920 | {3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
840 | {EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
4716 | {E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
1580 | {6637B389-4DF6-4011-903A-9067E6D3537F}.exe
464 | {EF4D370F-EF84-417f-A850-C48194A23B68}.exe
3640 | {D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
4544 | {637A2255-BE5F-451d-AF77-820B161257AB}.exe
4344 | {7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
4868 | {C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
File created | C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe | {3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
File created | C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe | {EF4D370F-EF84-417f-A850-C48194A23B68}.exe
File created | C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe | {637A2255-BE5F-451d-AF77-820B161257AB}.exe
File created | C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe | {7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
File created | C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe | {5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
File created | C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe | {0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
File created | C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe | {3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
File created | C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe | {EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
File created | C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe | {E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
File created | C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe | {6637B389-4DF6-4011-903A-9067E6D3537F}.exe
File created | C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe | {D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1840 | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1212 | {3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
Token: SeIncBasePriorityPrivilege | 2828 | {5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
Token: SeIncBasePriorityPrivilege | 1592 | {0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
Token: SeIncBasePriorityPrivilege | 4920 | {3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
Token: SeIncBasePriorityPrivilege | 840 | {EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
Token: SeIncBasePriorityPrivilege | 4716 | {E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
Token: SeIncBasePriorityPrivilege | 1580 | {6637B389-4DF6-4011-903A-9067E6D3537F}.exe
Token: SeIncBasePriorityPrivilege | 464 | {EF4D370F-EF84-417f-A850-C48194A23B68}.exe
Token: SeIncBasePriorityPrivilege | 3640 | {D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
Token: SeIncBasePriorityPrivilege | 4544 | {637A2255-BE5F-451d-AF77-820B161257AB}.exe
Token: SeIncBasePriorityPrivilege | 4344 | {7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(The number in brackets is the depth of the process in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe (PID 1840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe (PID 1212)
    Command line: C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe (PID 2828)
    Command line: C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe (PID 1592)
    Command line: C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe (PID 4920)
    Command line: C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe (PID 840)
    Command line: C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe (PID 4716)
    Command line: C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe (PID 1580)
    Command line: C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe (PID 464)
    Command line: C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe (PID 3640)
    Command line: C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe (PID 4544)
    Command line: C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe (PID 4344)
    Command line: C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
[13] C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe (PID 4868)
    Command line: C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe
    - Executes dropped EXE
[13] C:\Windows\SysWOW64\cmd.exe (PID 2092)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC39~1.EXE > nul
[12] C:\Windows\SysWOW64\cmd.exe (PID 4104)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{637A2~1.EXE > nul
[11] C:\Windows\SysWOW64\cmd.exe (PID 4356)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B66~1.EXE > nul
[10] C:\Windows\SysWOW64\cmd.exe (PID 4656)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4D3~1.EXE > nul
[9] C:\Windows\SysWOW64\cmd.exe (PID 3136)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6637B~1.EXE > nul
[8] C:\Windows\SysWOW64\cmd.exe (PID 2724)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E246F~1.EXE > nul
[7] C:\Windows\SysWOW64\cmd.exe (PID 4972)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9DA~1.EXE > nul
[6] C:\Windows\SysWOW64\cmd.exe (PID 544)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0D9~1.EXE > nul
[5] C:\Windows\SysWOW64\cmd.exe (PID 4560)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0616B~1.EXE > nul
[4] C:\Windows\SysWOW64\cmd.exe (PID 4800)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2B4~1.EXE > nul
[3] C:\Windows\SysWOW64\cmd.exe (PID 224)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC0F~1.EXE > nul
[2] C:\Windows\SysWOW64\cmd.exe (PID 2312)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads