Analysis

max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:46

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
  Resource: win10v2004-20240611-en

General

Target: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
Size: 344KB
MD5: 24eadd4d609b1d0fc674c021cf1144f9
SHA1: 82d210e775bab311ee3214f13bd6a18dbcd46ef1
SHA256: 16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175
SHA512: 785456e14279dcf1192070dbfb4e06fe7904377e501a314e42987a3766991a4ea9d3b91a9dfc2f6a5b2105654eed3c6ef12a2159caeb5578e705f1260bf71bba
SSDEEP: 3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA
Malware Config

Signatures

Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x000a000000023366-3.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023415-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002341e-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023415-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002341e-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023415-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002341e-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023415-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002341e-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023415-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002341e-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023415-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

All keys in this table are relative to \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\.

description | ioc | Process
Key created | {46848500-0E00-4449-BDF7-A66C703A28F0} | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
Set value (str) | {46848500-0E00-4449-BDF7-A66C703A28F0}\stubpath = "C:\\Windows\\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe" | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
Key created | {8BAE1876-E743-415f-8237-B09D7EDACB1F} | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe
Set value (str) | {8BAE1876-E743-415f-8237-B09D7EDACB1F}\stubpath = "C:\\Windows\\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe" | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe
Set value (str) | {56808A0A-68F6-47b8-9246-2767CF8C15F7}\stubpath = "C:\\Windows\\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe" | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
Key created | {E8E1456F-6660-496f-9657-416278A0ABCB} | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
Set value (str) | {B06BD1F7-41BB-492e-9606-6C40580821F6}\stubpath = "C:\\Windows\\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe" | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
Key created | {B4F22BC1-8921-4322-A9BD-D9731D705996} | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
Set value (str) | {B4F22BC1-8921-4322-A9BD-D9731D705996}\stubpath = "C:\\Windows\\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe" | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
Set value (str) | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}\stubpath = "C:\\Windows\\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe" | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
Key created | {7DE2271D-99BA-41a5-8CA8-522714A8D969} | {56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
Set value (str) | {7DE2271D-99BA-41a5-8CA8-522714A8D969}\stubpath = "C:\\Windows\\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe" | {56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
Key created | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9} | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe
Set value (str) | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}\stubpath = "C:\\Windows\\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe" | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe
Key created | {B06BD1F7-41BB-492e-9606-6C40580821F6} | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
Key created | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476} | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
Set value (str) | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}\stubpath = "C:\\Windows\\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe" | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
Set value (str) | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}\stubpath = "C:\\Windows\\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe" | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
Key created | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5} | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
Set value (str) | {E8E1456F-6660-496f-9657-416278A0ABCB}\stubpath = "C:\\Windows\\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe" | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
Key created | {1BCCAD1C-7D6E-482d-802A-F4376215EF34} | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
Set value (str) | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}\stubpath = "C:\\Windows\\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe" | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
Key created | {481C70F3-8DBC-4a4d-B218-8944C058DEBA} | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
Key created | {56808A0A-68F6-47b8-9246-2767CF8C15F7} | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
Executes dropped EXE (12 IoCs)

pid | Process
2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe
2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe
3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
2320 | {56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
4804 | {7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
File created | C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
File created | C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
File created | C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe | {56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
File created | C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe
File created | C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
File created | C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe
File created | C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
File created | C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
File created | C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
File created | C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
File created | C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe
Token: SeIncBasePriorityPrivilege | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
Token: SeIncBasePriorityPrivilege | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe
Token: SeIncBasePriorityPrivilege | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
Token: SeIncBasePriorityPrivilege | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
Token: SeIncBasePriorityPrivilege | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
Token: SeIncBasePriorityPrivilege | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
Token: SeIncBasePriorityPrivilege | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
Token: SeIncBasePriorityPrivilege | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
Token: SeIncBasePriorityPrivilege | 3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
Token: SeIncBasePriorityPrivilege | 2320 | {56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2960 wrote to memory of 2832 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 85
PID 2960 wrote to memory of 2832 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 85
PID 2960 wrote to memory of 2832 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 85
PID 2960 wrote to memory of 4264 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 86
PID 2960 wrote to memory of 4264 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 86
PID 2960 wrote to memory of 4264 | 2960 | 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe | 86
PID 2832 wrote to memory of 2316 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 87
PID 2832 wrote to memory of 2316 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 87
PID 2832 wrote to memory of 2316 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 87
PID 2832 wrote to memory of 5088 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 88
PID 2832 wrote to memory of 5088 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 88
PID 2832 wrote to memory of 5088 | 2832 | {46848500-0E00-4449-BDF7-A66C703A28F0}.exe | 88
PID 2316 wrote to memory of 1568 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 92
PID 2316 wrote to memory of 1568 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 92
PID 2316 wrote to memory of 1568 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 92
PID 2316 wrote to memory of 4404 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 93
PID 2316 wrote to memory of 4404 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 93
PID 2316 wrote to memory of 4404 | 2316 | {53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe | 93
PID 1568 wrote to memory of 3476 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 94
PID 1568 wrote to memory of 3476 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 94
PID 1568 wrote to memory of 3476 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 94
PID 1568 wrote to memory of 456 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 95
PID 1568 wrote to memory of 456 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 95
PID 1568 wrote to memory of 456 | 1568 | {E8E1456F-6660-496f-9657-416278A0ABCB}.exe | 95
PID 3476 wrote to memory of 3368 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 96
PID 3476 wrote to memory of 3368 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 96
PID 3476 wrote to memory of 3368 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 96
PID 3476 wrote to memory of 1680 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 97
PID 3476 wrote to memory of 1680 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 97
PID 3476 wrote to memory of 1680 | 3476 | {8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe | 97
PID 3368 wrote to memory of 2352 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 98
PID 3368 wrote to memory of 2352 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 98
PID 3368 wrote to memory of 2352 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 98
PID 3368 wrote to memory of 2772 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 99
PID 3368 wrote to memory of 2772 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 99
PID 3368 wrote to memory of 2772 | 3368 | {B06BD1F7-41BB-492e-9606-6C40580821F6}.exe | 99
PID 2352 wrote to memory of 4320 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 100
PID 2352 wrote to memory of 4320 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 100
PID 2352 wrote to memory of 4320 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 100
PID 2352 wrote to memory of 3408 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 101
PID 2352 wrote to memory of 3408 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 101
PID 2352 wrote to memory of 3408 | 2352 | {4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe | 101
PID 4320 wrote to memory of 2468 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 102
PID 4320 wrote to memory of 2468 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 102
PID 4320 wrote to memory of 2468 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 102
PID 4320 wrote to memory of 432 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 103
PID 4320 wrote to memory of 432 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 103
PID 4320 wrote to memory of 432 | 4320 | {B4F22BC1-8921-4322-A9BD-D9731D705996}.exe | 103
PID 2468 wrote to memory of 4464 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 104
PID 2468 wrote to memory of 4464 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 104
PID 2468 wrote to memory of 4464 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 104
PID 2468 wrote to memory of 4212 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 105
PID 2468 wrote to memory of 4212 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 105
PID 2468 wrote to memory of 4212 | 2468 | {1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe | 105
PID 4464 wrote to memory of 3420 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 106
PID 4464 wrote to memory of 3420 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 106
PID 4464 wrote to memory of 3420 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 106
PID 4464 wrote to memory of 4412 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 107
PID 4464 wrote to memory of 4412 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 107
PID 4464 wrote to memory of 4412 | 4464 | {481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe | 107
PID 3420 wrote to memory of 2320 | 3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe | 108
PID 3420 wrote to memory of 2320 | 3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe | 108
PID 3420 wrote to memory of 2320 | 3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe | 108
PID 3420 wrote to memory of 4644 | 3420 | {DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe | 109
Processes

Process tree (number = depth in the tree; each entry lists its image path, command line, PID and the signatures it triggered):

1. C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe (PID 2960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe (PID 2832)
     Command line: C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe
     - Modifies Installed Components in the registry
     - Executes dropped EXE
     - Drops file in Windows directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe (PID 2316)
       Command line: C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Drops file in Windows directory
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe (PID 1568)
         Command line: C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe (PID 3476)
           Command line: C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
           - Modifies Installed Components in the registry
           - Executes dropped EXE
           - Drops file in Windows directory
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe (PID 3368)
             Command line: C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
             - Modifies Installed Components in the registry
             - Executes dropped EXE
             - Drops file in Windows directory
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe (PID 2352)
               Command line: C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe (PID 4320)
                 Command line: C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
                 - Modifies Installed Components in the registry
                 - Executes dropped EXE
                 - Drops file in Windows directory
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe (PID 2468)
                   Command line: C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
                   - Modifies Installed Components in the registry
                   - Executes dropped EXE
                   - Drops file in Windows directory
                   - Suspicious use of AdjustPrivilegeToken
                   - Suspicious use of WriteProcessMemory
                  10. C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe (PID 4464)
                      Command line: C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    11. C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe (PID 3420)
                        Command line: C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      12. C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe (PID 2320)
                          Command line: C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        13. C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe (PID 4804)
                            Command line: C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe
                            - Executes dropped EXE
                        13. C:\Windows\SysWOW64\cmd.exe (PID 1608)
                            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56808~1.EXE > nul
                      12. C:\Windows\SysWOW64\cmd.exe (PID 4644)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3AB~1.EXE > nul
                    11. C:\Windows\SysWOW64\cmd.exe (PID 4412)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{481C7~1.EXE > nul
                  10. C:\Windows\SysWOW64\cmd.exe (PID 4212)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCCA~1.EXE > nul
                9. C:\Windows\SysWOW64\cmd.exe (PID 432)
                   Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B4F22~1.EXE > nul
              8. C:\Windows\SysWOW64\cmd.exe (PID 3408)
                 Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF9E~1.EXE > nul
            7. C:\Windows\SysWOW64\cmd.exe (PID 2772)
               Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B06BD~1.EXE > nul
          6. C:\Windows\SysWOW64\cmd.exe (PID 1680)
             Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAE1~1.EXE > nul
        5. C:\Windows\SysWOW64\cmd.exe (PID 456)
           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E14~1.EXE > nul
      4. C:\Windows\SysWOW64\cmd.exe (PID 4404)
         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53C0F~1.EXE > nul
    3. C:\Windows\SysWOW64\cmd.exe (PID 5088)
       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46848~1.EXE > nul
  2. C:\Windows\SysWOW64\cmd.exe (PID 4264)
     Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads