Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Size: 344KB
MD5: 808dd2fd506c4d92529be8ef0b673040
SHA1: 183ed54749759b2c0bd66ef19e1b7eeb5b87b8c7
SHA256: 572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce
SHA512: 93daf1fbf909e3967c6c9171ee2abdd699bb5a1a5dd1f24deaa6b3c273fef7c0f8b353e225d997f9d3553199104a7cfd72e7e962126eace0084d8d146a304f4b
SSDEEP: 3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000f0000000232f5-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000232f7-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000235db-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000235df-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000235e5-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000235df-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000235e5-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000235df-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000235e5-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000002f-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000002f-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE} | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5837A597-461B-4a8f-A9D8-49D44A9311B2}\stubpath = "C:\\Windows\\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe" | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EAD84-7173-4299-AB65-6C900D8DCB73}\stubpath = "C:\\Windows\\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe" | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B851E686-75BC-4092-BC1A-2433BB1F0176} | {1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B} | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}\stubpath = "C:\\Windows\\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe" | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AE891E-3A43-4164-811A-D03F47D183E5}\stubpath = "C:\\Windows\\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe" | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D11098-9169-482f-BF38-52CEF81E2947} | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D11098-9169-482f-BF38-52CEF81E2947}\stubpath = "C:\\Windows\\{81D11098-9169-482f-BF38-52CEF81E2947}.exe" | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}\stubpath = "C:\\Windows\\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe" | {81D11098-9169-482f-BF38-52CEF81E2947}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD5C137-36C1-41ac-B9FE-18A316C3608B} | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AE891E-3A43-4164-811A-D03F47D183E5} | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EAD84-7173-4299-AB65-6C900D8DCB73} | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B476960-3C08-450b-B0C3-5552F3692FE5} | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B851E686-75BC-4092-BC1A-2433BB1F0176}\stubpath = "C:\\Windows\\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe" | {1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52} | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}\stubpath = "C:\\Windows\\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe" | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}\stubpath = "C:\\Windows\\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe" | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6} | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}\stubpath = "C:\\Windows\\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe" | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}\stubpath = "C:\\Windows\\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe" | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12} | {81D11098-9169-482f-BF38-52CEF81E2947}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5837A597-461B-4a8f-A9D8-49D44A9311B2} | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B476960-3C08-450b-B0C3-5552F3692FE5}\stubpath = "C:\\Windows\\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe" | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3900 | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
968 | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
3420 | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
4904 | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
4128 | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
2436 | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
3336 | {81D11098-9169-482f-BF38-52CEF81E2947}.exe
4020 | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
4336 | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
4788 | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
3848 | {1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
4692 | {B851E686-75BC-4092-BC1A-2433BB1F0176}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
File created | C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
File created | C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
File created | C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
File created | C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
File created | C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
File created | C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
File created | C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe | {81D11098-9169-482f-BF38-52CEF81E2947}.exe
File created | C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe | {1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
File created | C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
File created | C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
File created | C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4036 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3900 | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
Token: SeIncBasePriorityPrivilege | 968 | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
Token: SeIncBasePriorityPrivilege | 3420 | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
Token: SeIncBasePriorityPrivilege | 4904 | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
Token: SeIncBasePriorityPrivilege | 4128 | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
Token: SeIncBasePriorityPrivilege | 2436 | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
Token: SeIncBasePriorityPrivilege | 3336 | {81D11098-9169-482f-BF38-52CEF81E2947}.exe
Token: SeIncBasePriorityPrivilege | 4020 | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
Token: SeIncBasePriorityPrivilege | 4336 | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
Token: SeIncBasePriorityPrivilege | 4788 | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
Token: SeIncBasePriorityPrivilege | 3848 | {1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The original listing repeats each entry; the count column gives how many times it appears, and the counts sum to the 64 IoCs reported.
description | pid | Process | procid_target | count
PID 4036 wrote to memory of 3900 | 4036 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe | 95 | 3
PID 4036 wrote to memory of 3144 | 4036 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe | 96 | 3
PID 3900 wrote to memory of 968 | 3900 | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe | 97 | 3
PID 3900 wrote to memory of 1484 | 3900 | {B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe | 98 | 3
PID 968 wrote to memory of 3420 | 968 | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe | 101 | 3
PID 968 wrote to memory of 2612 | 968 | {45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe | 102 | 3
PID 3420 wrote to memory of 4904 | 3420 | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe | 107 | 3
PID 3420 wrote to memory of 3156 | 3420 | {5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe | 108 | 3
PID 4904 wrote to memory of 4128 | 4904 | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe | 110 | 3
PID 4904 wrote to memory of 2796 | 4904 | {60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe | 111 | 3
PID 4128 wrote to memory of 2436 | 4128 | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe | 112 | 3
PID 4128 wrote to memory of 4552 | 4128 | {B4AE891E-3A43-4164-811A-D03F47D183E5}.exe | 113 | 3
PID 2436 wrote to memory of 3336 | 2436 | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe | 114 | 3
PID 2436 wrote to memory of 952 | 2436 | {8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe | 115 | 3
PID 3336 wrote to memory of 4020 | 3336 | {81D11098-9169-482f-BF38-52CEF81E2947}.exe | 116 | 3
PID 3336 wrote to memory of 1476 | 3336 | {81D11098-9169-482f-BF38-52CEF81E2947}.exe | 117 | 3
PID 4020 wrote to memory of 4336 | 4020 | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe | 118 | 3
PID 4020 wrote to memory of 4512 | 4020 | {9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe | 119 | 3
PID 4336 wrote to memory of 4788 | 4336 | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe | 120 | 3
PID 4336 wrote to memory of 1688 | 4336 | {5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe | 121 | 3
PID 4788 wrote to memory of 3848 | 4788 | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe | 122 | 3
PID 4788 wrote to memory of 1912 | 4788 | {E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe | 123 | 1
Processes
Level is the depth of the process in the process tree as reported; signatures triggered by each process are listed beneath it.

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"
  PID: 4036
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
  Command line: C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
  PID: 3900
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
  Command line: C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
  PID: 968
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
  Command line: C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
  PID: 3420
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
  Command line: C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
  PID: 4904
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
  Command line: C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
  PID: 4128
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
  Command line: C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
  PID: 2436
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
  Command line: C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
  PID: 3336
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
  Command line: C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
  PID: 4020
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
  Command line: C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
  PID: 4336
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
  Command line: C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
  PID: 4788
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
  Command line: C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
  PID: 3848
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Level 13: C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe
  Command line: C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe
  PID: 4692
  - Executes dropped EXE

Level 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1B476~1.EXE > nul
  PID: 2016

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EA~1.EXE > nul
  PID: 1912

Level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5837A~1.EXE > nul
  PID: 1688

Level 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBAF~1.EXE > nul
  PID: 4512

Level 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{81D11~1.EXE > nul
  PID: 1476

Level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8D1FC~1.EXE > nul
  PID: 952

Level 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AE8~1.EXE > nul
  PID: 4552

Level 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{60436~1.EXE > nul
  PID: 2796

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD5C~1.EXE > nul
  PID: 3156

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{45CC5~1.EXE > nul
  PID: 2612

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B27C5~1.EXE > nul
  PID: 1484

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 3144

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4272,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
  PID: 632
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 344KB
MD5: dbf7461fd5839cedb9405c47c9f30e46
SHA1: 32b5da2f00b239e1e386e18918bfea787a7286af
SHA256: 4c2ead10aa02b2be3cce00f2de29558c761fb3148bfac2d0728ce49d681e343d
SHA512: 5c6b55d2e035aa1d22e677374ca608f509c83bfe2063a3500ea412c1f48d47ecc767c64b3256e61fa5d3d3b404dba3e6b749db10016021d59cff6193733a20d7

Filesize: 344KB
MD5: 59ef2810097875e233b0ead9b40d23cb
SHA1: 166503cec8a4e77cdf7ac0729389243f6eae4afb
SHA256: 7c47687f0f97147f63905518c78d6708fcb4463e95c44fe0566f5a42bb0a1992
SHA512: 4ad9a95e53282df49885263f57ae8dff21ba07e4e888fbb7f95368fbb3579d344f8a19b0e67779ff515afd91079ab5be82f20af0cfabc522ae287ab814c09e86

Filesize: 344KB
MD5: 3924b39d3adc7612033ffcd312c3d1e2
SHA1: 045551653c42c327cfd03f0c26979e13e2bf6cdf
SHA256: ef17338a4ab70d428f5fe17be422b123490833f7742f1d1a1ec12fea6a4456d1
SHA512: 5da9a8807197660678590d8ccb9ffcaf51646c4ae416117e69694e80d5e12d15a67542f9e8aa1812c1a9b7e5b479a3402c5e6c111f80025e8dd37b3a1c539fe6

Filesize: 344KB
MD5: 166b5eaae9d5b3756cd28ed9d9b3161e
SHA1: 13e502dab36c34ac18a20374aee82cb205db7aa7
SHA256: 300734407bc65bb23b8c6adfebf2006661fc462b0b3af2e748e3911b7a35c313
SHA512: 43d78a4e7a97b5d3029de4b2d02241edbafb391761273b87bfb1b8fb0527be8908adf50e0548808081f2191c18d6bab376a9ecbf5aa777147c6e8c8c21144ecf

Filesize: 344KB
MD5: ae4ba5c8ce27e086ca6a7a8f65776171
SHA1: cb6d8a28fbca3a0c3b8d2502a2edbaf501f3506a
SHA256: 946c0bb531d095be4bf7f30fb98c1fb8ca7611e0cc5aec011f4055a5e53db76a
SHA512: 10c9f81fe0c388430063b840b9024240e30fe08c2871382bd9ed86cad6ce893b2ab73695851151cd985fc592dcdad8a4f4908262ba625f79f9c136d155e797ad

Filesize: 344KB
MD5: a81a71b2f0d83401f9e8b7e590d077fd
SHA1: e0d72060eb651e02901e5d428bd8f8644961a510
SHA256: 2a46a6e2c4b3032f7baf56c665a08dbb73de0834f5eedc3b2240d352c09165cc
SHA512: 2242d365e9262fe2c3a4324db39b1dddad95c3b62d35e3957e0a61d25589bfb561fe3d947e968d77ae659daef54d4148c3438333848b7a2d21e02b9c9c9a62e9

Filesize: 344KB
MD5: de046aed84640e0dc35ff53bb273665f
SHA1: e7fc0e5f270db3461040bc7b46c1f3763ea25e6f
SHA256: 56a82456cc39f240b3dda2173328190e289b464325483d5d7c9f44188a430ea3
SHA512: eeb310dffb88037e92793bd9dd5314e4d09e4c29c90c9d0f9fefae960d1b42a971d13fc9ca116491719034aeec4a001953975e11d9e3336f26e2de3a5b14e2e5

Filesize: 344KB
MD5: cf16d470f24707bdb25b7015564dced8
SHA1: aabbb4333d2c2a05a1b90ef272511be90b41e807
SHA256: a4923e55e323ed771a26136404378d85e823b42004d9d66b53d611b5b4803f36
SHA512: aa6b1ae44ad64620719674beda4418fd4fd9dbfd5a3759888aaf0cbb631aa4d476763a572a07275a802506b2c026976341fd890d01d6fe601e0c18a7f6bb2011

Filesize: 344KB
MD5: 8d2f52f913abeab6c755be40f125a396
SHA1: e27e83c5f427fd226aa6d93f7173ac533e2f7852
SHA256: 0ff46febdccf66e8da26a47ee734835512b144227b776214f06c49f3da06b2de
SHA512: 3270394c6722fcab40674c5090556d97108fe26bac915e13bb891c1a72b4426318970e3380d3dd9a7cd1e70dc0f50f108fea5b2871cd51c1e719bbb59a1e8f20

Filesize: 344KB
MD5: ccde5ac447ac759ec753fc9edb3ca7a8
SHA1: 89e06dcd329dc797b82defc2086073915f66f624
SHA256: dddefa08c82b94f2b5fef36183fff270cac12e6648e6b25f48f1416fa07a3649
SHA512: b8458f4462d8c7e2e28c18b9823c43b58a311c59222c5d2c286eee9141932ce47e60a792a0ca4dbef6070deb2bcaad4eb1d3fdef8ea8eb76fab080f864708808

Filesize: 344KB
MD5: 0a7060902691fd20bee43ad7a3e519c0
SHA1: cb90eb0d935cebfd85380cbba717c4e1a71feb06
SHA256: 24c81bfaf6eec2a2dc80a05ab870508b7a193d40ba80a1075d441e1fc3f6876a
SHA512: b211439b1b3ac8c8ed99cbf7ab1e950bc2a58aa91c7a42b047bbc16daed6a270b121d635bcda0f23e1f867c4120d55792420ee8e569464ab6ea1c5a67d775aeb

Filesize: 344KB
MD5: 7c4be8786c00c05681b0925e7b208d77
SHA1: b365df9469965472abd06ae6e04fa6e3316e9d4a
SHA256: 31b1f829e8c982d9cd79f4422c925807967a8d9c93602aeffd381b06e0603b15
SHA512: 872a2e3f5c147925391a8baabc508c5bce81bf413e2143f6471441420c959f9c2008f5ff7c1eadd80b484099f7c07981893603258ddd70bdd45717dd52249c83