Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:51
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Size: 380KB
MD5: 639e527998e0506714a7a8d6506c11da
SHA1: a776bb9887b916beb52ee968de4d82b1dd300acf
SHA256: b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde
SHA512: aada1a38ed5946e066fe98ac664c9e4f73e9a1a9dee4eb70075e729d667fa1db13b0451f31559103746e98457789a31e12ab686f0756321945bf541509823296
SSDEEP: 3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy
Malware Config

Signatures
Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x0005000000022abf-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023378-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023415-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023419-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002341f-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023419-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341f-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023419-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023419-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341f-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023419-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54} | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}\stubpath = "C:\\Windows\\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe" | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}\stubpath = "C:\\Windows\\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe" | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}\stubpath = "C:\\Windows\\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe" | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BD120C-1179-4046-8CFF-8F510F97F13A}\stubpath = "C:\\Windows\\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe" | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}\stubpath = "C:\\Windows\\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe" | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1} | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}\stubpath = "C:\\Windows\\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe" | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A} | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412} | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}\stubpath = "C:\\Windows\\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe" | {00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453} | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0682648-5076-4a18-839D-42E038D33B6F} | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0682648-5076-4a18-839D-42E038D33B6F}\stubpath = "C:\\Windows\\{A0682648-5076-4a18-839D-42E038D33B6F}.exe" | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6} | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}\stubpath = "C:\\Windows\\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe" | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A727C33E-4FDF-4de3-AFC0-3F73366A649D} | {00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231B97E5-3155-4a33-91FF-67B9D6BD38B2} | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0FD9FF2-EED9-4305-83F9-7551F00DB565} | {A0682648-5076-4a18-839D-42E038D33B6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}\stubpath = "C:\\Windows\\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe" | {A0682648-5076-4a18-839D-42E038D33B6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}\stubpath = "C:\\Windows\\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe" | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BD120C-1179-4046-8CFF-8F510F97F13A} | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A1DFFC-1605-476c-A93E-8129AA56AF29} | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A1DFFC-1605-476c-A93E-8129AA56AF29}\stubpath = "C:\\Windows\\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe" | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
Executes dropped EXE (12 IoCs)

pid | Process
3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe
1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
1212 | {00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
2220 | {A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
File created | C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
File created | C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
File created | C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
File created | C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe | {00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
File created | C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | {A0682648-5076-4a18-839D-42E038D33B6F}.exe
File created | C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
File created | C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
File created | C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
File created | C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
File created | C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
File created | C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
Token: SeIncBasePriorityPrivilege | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
Token: SeIncBasePriorityPrivilege | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
Token: SeIncBasePriorityPrivilege | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe
Token: SeIncBasePriorityPrivilege | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
Token: SeIncBasePriorityPrivilege | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
Token: SeIncBasePriorityPrivilege | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
Token: SeIncBasePriorityPrivilege | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
Token: SeIncBasePriorityPrivilege | 5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
Token: SeIncBasePriorityPrivilege | 1212 | {00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4884 wrote to memory of 3244 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 85
PID 4884 wrote to memory of 3244 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 85
PID 4884 wrote to memory of 3244 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 85
PID 4884 wrote to memory of 2720 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 86
PID 4884 wrote to memory of 2720 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 86
PID 4884 wrote to memory of 2720 | 4884 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 86
PID 3244 wrote to memory of 2288 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 87
PID 3244 wrote to memory of 2288 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 87
PID 3244 wrote to memory of 2288 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 87
PID 3244 wrote to memory of 3224 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 88
PID 3244 wrote to memory of 3224 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 88
PID 3244 wrote to memory of 3224 | 3244 | {231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe | 88
PID 2288 wrote to memory of 1448 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 91
PID 2288 wrote to memory of 1448 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 91
PID 2288 wrote to memory of 1448 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 91
PID 2288 wrote to memory of 1380 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 92
PID 2288 wrote to memory of 1380 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 92
PID 2288 wrote to memory of 1380 | 2288 | {9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe | 92
PID 1448 wrote to memory of 3596 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 97
PID 1448 wrote to memory of 3596 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 97
PID 1448 wrote to memory of 3596 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 97
PID 1448 wrote to memory of 2984 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 98
PID 1448 wrote to memory of 2984 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 98
PID 1448 wrote to memory of 2984 | 1448 | {F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe | 98
PID 3596 wrote to memory of 1544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 100
PID 3596 wrote to memory of 1544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 100
PID 3596 wrote to memory of 1544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 100
PID 3596 wrote to memory of 3544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 101
PID 3596 wrote to memory of 3544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 101
PID 3596 wrote to memory of 3544 | 3596 | {C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe | 101
PID 1544 wrote to memory of 1880 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 102
PID 1544 wrote to memory of 1880 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 102
PID 1544 wrote to memory of 1880 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 102
PID 1544 wrote to memory of 3672 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 103
PID 1544 wrote to memory of 3672 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 103
PID 1544 wrote to memory of 3672 | 1544 | {A0682648-5076-4a18-839D-42E038D33B6F}.exe | 103
PID 1880 wrote to memory of 4424 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 104
PID 1880 wrote to memory of 4424 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 104
PID 1880 wrote to memory of 4424 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 104
PID 1880 wrote to memory of 4284 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 105
PID 1880 wrote to memory of 4284 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 105
PID 1880 wrote to memory of 4284 | 1880 | {E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe | 105
PID 4424 wrote to memory of 2124 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 106
PID 4424 wrote to memory of 2124 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 106
PID 4424 wrote to memory of 2124 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 106
PID 4424 wrote to memory of 3524 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 107
PID 4424 wrote to memory of 3524 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 107
PID 4424 wrote to memory of 3524 | 4424 | {3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe | 107
PID 2124 wrote to memory of 4332 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 108
PID 2124 wrote to memory of 4332 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 108
PID 2124 wrote to memory of 4332 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 108
PID 2124 wrote to memory of 4440 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 109
PID 2124 wrote to memory of 4440 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 109
PID 2124 wrote to memory of 4440 | 2124 | {DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe | 109
PID 4332 wrote to memory of 5028 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 110
PID 4332 wrote to memory of 5028 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 110
PID 4332 wrote to memory of 5028 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 110
PID 4332 wrote to memory of 984 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 111
PID 4332 wrote to memory of 984 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 111
PID 4332 wrote to memory of 984 | 4332 | {6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe | 111
PID 5028 wrote to memory of 1212 | 5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe | 112
PID 5028 wrote to memory of 1212 | 5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe | 112
PID 5028 wrote to memory of 1212 | 5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe | 112
PID 5028 wrote to memory of 4820 | 5028 | {64BD120C-1179-4046-8CFF-8F510F97F13A}.exe | 113
Processes

(Tree view. The bracketed number is the process depth in the tree; each entry is indented under its parent and lists the path, the command line, the PID and the signatures it triggered.)

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"
    PID: 4884
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
      command line: C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
      PID: 3244
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
        command line: C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
        PID: 2288
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
          command line: C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
          PID: 1448
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
            command line: C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
            PID: 3596
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
              command line: C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
              PID: 1544
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
                command line: C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
                PID: 1880
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
                  command line: C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
                  PID: 4424
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
                    command line: C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
                    PID: 2124
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
                      command line: C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
                      PID: 4332
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
                        command line: C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
                        PID: 5028
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
                          command line: C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
                          PID: 1212
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
                            command line: C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
                            PID: 2220
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe
                            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{00A1D~1.EXE > nul
                            PID: 2088
                      [12] C:\Windows\SysWOW64\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{64BD1~1.EXE > nul
                          PID: 4820
                    [11] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9DC~1.EXE > nul
                        PID: 984
                  [10] C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DFE61~1.EXE > nul
                      PID: 4440
                [9] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE9F~1.EXE > nul
                    PID: 3524
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E0FD9~1.EXE > nul
                  PID: 4284
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A0682~1.EXE > nul
                PID: 3672
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C6140~1.EXE > nul
              PID: 3544
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D80~1.EXE > nul
            PID: 2984
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBB1~1.EXE > nul
          PID: 1380
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{231B9~1.EXE > nul
        PID: 3224
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 380KB
MD5: 3c0edf1105696366387247409c66cc39
SHA1: 6b7e3fd367840fd8a76b59ad931552f129501b01
SHA256: 41aa5c602ab07d1bcf25844dc44c2c977c73f7645d3b5cc309d1333f7be355e2
SHA512: e9b7d9c353bedc2f1a431d82aab6c28285c4908357de6b368b2edbff3ff2ec15cc59ef27419acafa2d69534d8859fa0fd3a0b00f4b348698280f78d40214d239

Filesize: 380KB
MD5: 410af7607bfc3432230eb71a982d8404
SHA1: c7c510cf47a19f3c15831eb224d5843561da6725
SHA256: 3fe948f4e7efb35eb9b4414c754c50c43e13d341dbe0bfcc769fda16f4f82326
SHA512: 13a8d2c151594c925639f2875c8373a672ebb89316f832b2af4a8f906f28ef0629bc5873cab62c53e99fc33d260f09e0931022217570518506da0aeb3cf6b8d0

Filesize: 380KB
MD5: 9c3bc8f82589bc9860c847dc8b80ae3f
SHA1: f342af00ab44c49848aa4a8878702789be39ab00
SHA256: d9c1810759063b4500b4fdbd3dd78dc960b1078110f896c7f429ccc2bde44ba0
SHA512: 2ba8c8fb1b3e0fd6b62102925fe808968e3366c1a99ac259a0a74042444e842e41bf6b9c043db72b8220f854675376ed70d7d0e500b388cdad24cba2649ce128

Filesize: 380KB
MD5: b94da8d8f6e3ce00e3008980150cad83
SHA1: dddd806e4966c20fc0739b90b56ef372d519b9cc
SHA256: 31bedfb5de2b7fb88d0af6812f0b0c512b7d4962eb85f5869b288c0e01e94336
SHA512: 93fd2395eeff00026cf2e69466eaaa0e5e32eefd9742076f672b76a17885d43494b649be129723bcbcc76a1d959dcbe39ee79cb47397e071739390e5bfff71a4

Filesize: 380KB
MD5: fdf85048a2ead13d006f1753aa771e6e
SHA1: c8a49d429e02dcce8874c4732d2df45b88be3fe6
SHA256: 8c0b7ae850d1f061e48be7e30593d58cb0360845935f15a319987bdb11dc70a2
SHA512: 4a3c64b342e04202ccae6b2a0842e89e6f3a61d77503ea0e85895ce28d99b968ad8cc125f8af762e51f39975b6a3129be8fea0f470c8c4482ad4d1bbd9456bd4

Filesize: 380KB
MD5: cbb2d351da7ed421c24fb4106c7cd5a0
SHA1: 3495402f93b920b42e44437981d28b30651207c9
SHA256: 2d567a891db89a236c4d49ab6dacf26b1338323816bfa4818a42826efffd3748
SHA512: 0b22cd2a95b883a2c5613f4e0a611aeeeaf20dbda4b19ab6c96764b32f4071bfe748d7e20dd29515afc8ce9586cc85a422dec33e1a97cf1209fc811593dd8582

Filesize: 380KB
MD5: 9a8e7d304a80c819a1241abe1fbbcca2
SHA1: 724001a55cf61088f6a548df0644e8d829491fd3
SHA256: b2db87a72f4761be2a181a3ee5abc5f3c5e6f1799aa0b757153a4e8031124c3a
SHA512: 507014f7c9bf55cf05c4560afe09097e4687483906ea0cdd93fadebe5cded46249427b1d54a6362a0ae53dbbd208bdb6cd278edd7ad6e587dc369f37beffbdb4

Filesize: 380KB
MD5: d855b92f1618fdd920d58541811b81c8
SHA1: 09a3ca856f2a8eb3aa92af329a645392b1df926e
SHA256: 68ecb3eb5bb6d7299f85bccb6881d84fd1fba931f0c809cdb2a4702f10368660
SHA512: 9de1ea190dfbdf229b6a0fecd3996207d5706dbd9335ece9c599d6da64be5d3f8667ffe568ea7a1b0c8a0f8810ad718206ab94c3b8ae0f0651cdd7fdfaa0cf03

Filesize: 380KB
MD5: e99553f009dbe58e3b40fd1a4f1d487f
SHA1: 842e152258612bf8e2bf5fb6267b65115ef5d3b6
SHA256: f8dacba201525994d53287d68102478ed857b5ea011366ec7c4914e0f13060bd
SHA512: 8de9acec0b9fe33171189371998a15375ecdb343b73fb43f445192a5ef7bcc360e4bbd77a7d172a1f5e29a66e03a8af59a3f0194f889bf0bc68004bfcd9669f3

Filesize: 380KB
MD5: bda2d5eee7ef400a496c69bc489ce46a
SHA1: 58d8730882a53c906898b72b7b39705a43082e75
SHA256: 9d6e3f0cd7074ab75a120f39590e15f26f722b22d8d1974cb7cb37b86c92c688
SHA512: 45dbed3121d5321c35f6d223a4601229067469c77142f33f0dec30cb9fdf75dc9d42a52965b85b35a582647ff4d18d632b5b6ee2ea202b73e410322b178a399a

Filesize: 380KB
MD5: 4982c143e36bffd74aa5ac747b167b12
SHA1: d12e649b71b25e8b1bfd602f9705d4b5944897b1
SHA256: 07a8b77cc17512ffbd04305883d1b89d216ed2b16218aa05d8f0a72d53b7da08
SHA512: fae561d1d28bd57a82f01409a7ae1c805163d6e1a80074889779d96aa95dae432d97e405e995784aa94fae96aaca3d154288f071cc412a642a2e1ca2c4819f61

Filesize: 380KB
MD5: 950068227f4b7f0bb1f0fe4543163683
SHA1: e6268f5bed7e8a1c64dd99c94130690f5cff746b
SHA256: 3cff5306dfd71e587771f1dc608457d0ca9847de894fda26d3f6cf08f8c95980
SHA512: dedeba053fd4ae7355ed987ca5f3eb17365a7967f56875fac31dc1d705b8d3f8b638e43097980ec818bc7df2ea38c490af6043d4b43ff19195089cc4307a028b