Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 05:49

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Resource: win10v2004-20240611-en

General
- Target: 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Size: 344KB
- MD5: be846c3f6acf2fab3192cdc122e35a47
- SHA1: 74fc9fc49b650a1987babe47a65df7288df1a69e
- SHA256: ac82d9ed35eb5b8d86515b3b02e3523bc79b4907ced33a7ad99f0e5051276929
- SHA512: 61f44853bbd9853de66d2bd0f4b7d36d005d9c44e55bd81c09545126f605123f0f9c57eb065cc22f3db1bb055f74bf56146c8a75ee964d02a142319ace4bc13a
- SSDEEP: 3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGHlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule 12 IoCs
- resource | yara_rule
- behavioral2/files/0x000a00000002338b-1.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a000000023377-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000e00000002340e-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0004000000022965-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000200000002163b-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0005000000022965-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000300000002163b-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0006000000022965-29.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000400000002163b-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0007000000022965-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000c0000000234b7-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000022965-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
- description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}\stubpath = "C:\\Windows\\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe" | {14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}\stubpath = "C:\\Windows\\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe" | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F85363B-E707-4c4b-96C9-785B4C79ACAC} | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0} | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C5D8A84-2D67-42e8-AE3B-637C247A1099} | {14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C83BC6-0E12-4287-8DE9-0C271F637851} | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}\stubpath = "C:\\Windows\\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe" | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F} | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7} | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D9A78AE-AA93-46d2-9A41-094B44CE9816} | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}\stubpath = "C:\\Windows\\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe" | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{580EE2EA-1726-4e23-A380-6B5DF043CA52} | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{580EE2EA-1726-4e23-A380-6B5DF043CA52}\stubpath = "C:\\Windows\\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe" | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C83BC6-0E12-4287-8DE9-0C271F637851}\stubpath = "C:\\Windows\\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe" | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}\stubpath = "C:\\Windows\\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe" | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}\stubpath = "C:\\Windows\\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe" | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68549392-BD97-4df2-94C0-C395BA4E57A1} | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}\stubpath = "C:\\Windows\\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe" | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA} | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68549392-BD97-4df2-94C0-C395BA4E57A1}\stubpath = "C:\\Windows\\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe" | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7} | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}\stubpath = "C:\\Windows\\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe" | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28BC0BC7-C246-424e-B4C2-92AB222EB60F} | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}\stubpath = "C:\\Windows\\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe" | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
Executes dropped EXE 12 IoCs
- pid | Process
- 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
- 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
- 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
- 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
- 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
- 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
- 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
- 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
- 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
- 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
- 1748 | {14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
- 1680 | {3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe
Drops file in Windows directory 12 IoCs
- description | ioc | Process
- File created | C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
- File created | C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
- File created | C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
- File created | C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe | {14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
- File created | C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
- File created | C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
- File created | C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
- File created | C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
- File created | C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- File created | C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
- File created | C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
- File created | C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
- description | pid | Process
- Token: SeIncBasePriorityPrivilege | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
- Token: SeIncBasePriorityPrivilege | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
- Token: SeIncBasePriorityPrivilege | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
- Token: SeIncBasePriorityPrivilege | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
- Token: SeIncBasePriorityPrivilege | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
- Token: SeIncBasePriorityPrivilege | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
- Token: SeIncBasePriorityPrivilege | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
- Token: SeIncBasePriorityPrivilege | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
- Token: SeIncBasePriorityPrivilege | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
- Token: SeIncBasePriorityPrivilege | 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
- Token: SeIncBasePriorityPrivilege | 1748 | {14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
Suspicious use of WriteProcessMemory 64 IoCs
- description | pid | Process | procid_target
- PID 4372 wrote to memory of 3100 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 92
- PID 4372 wrote to memory of 3100 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 92
- PID 4372 wrote to memory of 3100 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 92
- PID 4372 wrote to memory of 2536 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 93
- PID 4372 wrote to memory of 2536 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 93
- PID 4372 wrote to memory of 2536 | 4372 | 2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe | 93
- PID 3100 wrote to memory of 3856 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 94
- PID 3100 wrote to memory of 3856 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 94
- PID 3100 wrote to memory of 3856 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 94
- PID 3100 wrote to memory of 3476 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 95
- PID 3100 wrote to memory of 3476 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 95
- PID 3100 wrote to memory of 3476 | 3100 | {0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe | 95
- PID 3856 wrote to memory of 3632 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 98
- PID 3856 wrote to memory of 3632 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 98
- PID 3856 wrote to memory of 3632 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 98
- PID 3856 wrote to memory of 3532 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 99
- PID 3856 wrote to memory of 3532 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 99
- PID 3856 wrote to memory of 3532 | 3856 | {635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe | 99
- PID 3632 wrote to memory of 2860 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 101
- PID 3632 wrote to memory of 2860 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 101
- PID 3632 wrote to memory of 2860 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 101
- PID 3632 wrote to memory of 3876 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 102
- PID 3632 wrote to memory of 3876 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 102
- PID 3632 wrote to memory of 3876 | 3632 | {50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe | 102
- PID 2860 wrote to memory of 4108 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 103
- PID 2860 wrote to memory of 4108 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 103
- PID 2860 wrote to memory of 4108 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 103
- PID 2860 wrote to memory of 1936 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 104
- PID 2860 wrote to memory of 1936 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 104
- PID 2860 wrote to memory of 1936 | 2860 | {28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe | 104
- PID 4108 wrote to memory of 1376 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 105
- PID 4108 wrote to memory of 1376 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 105
- PID 4108 wrote to memory of 1376 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 105
- PID 4108 wrote to memory of 4340 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 106
- PID 4108 wrote to memory of 4340 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 106
- PID 4108 wrote to memory of 4340 | 4108 | {B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe | 106
- PID 1376 wrote to memory of 760 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 107
- PID 1376 wrote to memory of 760 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 107
- PID 1376 wrote to memory of 760 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 107
- PID 1376 wrote to memory of 3496 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 108
- PID 1376 wrote to memory of 3496 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 108
- PID 1376 wrote to memory of 3496 | 1376 | {68549392-BD97-4df2-94C0-C395BA4E57A1}.exe | 108
- PID 760 wrote to memory of 1368 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 109
- PID 760 wrote to memory of 1368 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 109
- PID 760 wrote to memory of 1368 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 109
- PID 760 wrote to memory of 3344 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 110
- PID 760 wrote to memory of 3344 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 110
- PID 760 wrote to memory of 3344 | 760 | {8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe | 110
- PID 1368 wrote to memory of 4600 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 111
- PID 1368 wrote to memory of 4600 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 111
- PID 1368 wrote to memory of 4600 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 111
- PID 1368 wrote to memory of 4612 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 112
- PID 1368 wrote to memory of 4612 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 112
- PID 1368 wrote to memory of 4612 | 1368 | {580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe | 112
- PID 4600 wrote to memory of 1624 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 113
- PID 4600 wrote to memory of 1624 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 113
- PID 4600 wrote to memory of 1624 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 113
- PID 4600 wrote to memory of 3396 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 114
- PID 4600 wrote to memory of 3396 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 114
- PID 4600 wrote to memory of 3396 | 4600 | {5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe | 114
- PID 1624 wrote to memory of 1748 | 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe | 115
- PID 1624 wrote to memory of 1748 | 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe | 115
- PID 1624 wrote to memory of 1748 | 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe | 115
- PID 1624 wrote to memory of 2204 | 1624 | {B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe | 116
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe (level 1, PID 4372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe (level 2, PID 3100)
    Command line: C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe (level 3, PID 3856)
      Command line: C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe (level 4, PID 3632)
        Command line: C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe (level 5, PID 2860)
          Command line: C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe (level 6, PID 4108)
            Command line: C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe (level 7, PID 1376)
              Command line: C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe (level 8, PID 760)
                Command line: C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe (level 9, PID 1368)
                  Command line: C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe (level 10, PID 4600)
                    Command line: C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe (level 11, PID 1624)
                      Command line: C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe (level 12, PID 1748)
                        Command line: C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
                        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe (level 13, PID 1680)
                          Command line: C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe
                          Signatures: Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (level 13, PID 4508)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{14AD1~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (level 12, PID 2204)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C83~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (level 11, PID 3396)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5F853~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (level 10, PID 4612)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{580EE~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (level 9, PID 3344)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9A7~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (level 8, PID 3496)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{68549~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (level 7, PID 4340)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B6393~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (level 6, PID 1936)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{28BC0~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (level 5, PID 3876)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{50C81~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 3532)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{635D8~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 3476)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D18C~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2536)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 1680)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1008,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads