Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Size: 204KB
MD5: 75d172b074cfb2f8092b21b0cb1417b8
SHA1: 27016bc58f7ed03a6a012f653f84282547c89a03
SHA256: a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc
SHA512: 2561cacb93cb9dc2976b4d0f808fc957efc7df9f46acbcf5e7816b0e38e2fe124a5c57752c8b400508c4626d4ea2b69bd8fbc4cebfe60b39e11940311b6d0705
SSDEEP: 1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0004000000022d20-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325e-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326b-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325e-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326b-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493} | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B} | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC49627F-2E9A-4d49-BFAF-235B2C826019}\stubpath = "C:\\Windows\\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe" | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134EC873-14C7-4224-A6CE-00ACF8741AC0} | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}\stubpath = "C:\\Windows\\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe" | {CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}\stubpath = "C:\\Windows\\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe" | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3} | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8} | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0} | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}\stubpath = "C:\\Windows\\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe" | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{134EC873-14C7-4224-A6CE-00ACF8741AC0}\stubpath = "C:\\Windows\\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe" | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC49627F-2E9A-4d49-BFAF-235B2C826019} | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436} | {CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}\stubpath = "C:\\Windows\\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe" | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58713D09-73AC-4eda-A452-AEC46CE74E13} | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58713D09-73AC-4eda-A452-AEC46CE74E13}\stubpath = "C:\\Windows\\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe" | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}\stubpath = "C:\\Windows\\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe" | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3273E874-44BD-4edd-B26C-2744E3FAB38F} | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3273E874-44BD-4edd-B26C-2744E3FAB38F}\stubpath = "C:\\Windows\\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe" | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352} | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}\stubpath = "C:\\Windows\\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe" | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}\stubpath = "C:\\Windows\\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe" | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}\stubpath = "C:\\Windows\\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe" | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29A60B6-4A70-4c08-9EAB-9B89A863D987} | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
Executes dropped EXE (12 IoCs)
pid | Process
1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
3712 | {CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
2384 | {51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
File created | C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
File created | C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
File created | C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
File created | C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
File created | C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
File created | C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe | {CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
File created | C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
File created | C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
File created | C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
File created | C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
File created | C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
Token: SeIncBasePriorityPrivilege | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
Token: SeIncBasePriorityPrivilege | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
Token: SeIncBasePriorityPrivilege | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
Token: SeIncBasePriorityPrivilege | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
Token: SeIncBasePriorityPrivilege | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
Token: SeIncBasePriorityPrivilege | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
Token: SeIncBasePriorityPrivilege | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
Token: SeIncBasePriorityPrivilege | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
Token: SeIncBasePriorityPrivilege | 4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
Token: SeIncBasePriorityPrivilege | 3712 | {CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2724 wrote to memory of 1392 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 95
PID 2724 wrote to memory of 1392 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 95
PID 2724 wrote to memory of 1392 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 95
PID 2724 wrote to memory of 4012 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 96
PID 2724 wrote to memory of 4012 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 96
PID 2724 wrote to memory of 4012 | 2724 | 2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe | 96
PID 1392 wrote to memory of 1864 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 104
PID 1392 wrote to memory of 1864 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 104
PID 1392 wrote to memory of 1864 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 104
PID 1392 wrote to memory of 3084 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 105
PID 1392 wrote to memory of 3084 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 105
PID 1392 wrote to memory of 3084 | 1392 | {FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe | 105
PID 1864 wrote to memory of 3268 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 107
PID 1864 wrote to memory of 3268 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 107
PID 1864 wrote to memory of 3268 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 107
PID 1864 wrote to memory of 3396 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 108
PID 1864 wrote to memory of 3396 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 108
PID 1864 wrote to memory of 3396 | 1864 | {B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe | 108
PID 3268 wrote to memory of 4752 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 110
PID 3268 wrote to memory of 4752 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 110
PID 3268 wrote to memory of 4752 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 110
PID 3268 wrote to memory of 4204 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 111
PID 3268 wrote to memory of 4204 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 111
PID 3268 wrote to memory of 4204 | 3268 | {58713D09-73AC-4eda-A452-AEC46CE74E13}.exe | 111
PID 4752 wrote to memory of 3796 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 112
PID 4752 wrote to memory of 3796 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 112
PID 4752 wrote to memory of 3796 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 112
PID 4752 wrote to memory of 2872 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 113
PID 4752 wrote to memory of 2872 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 113
PID 4752 wrote to memory of 2872 | 4752 | {8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe | 113
PID 3796 wrote to memory of 4180 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 114
PID 3796 wrote to memory of 4180 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 114
PID 3796 wrote to memory of 4180 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 114
PID 3796 wrote to memory of 924 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 115
PID 3796 wrote to memory of 924 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 115
PID 3796 wrote to memory of 924 | 3796 | {89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe | 115
PID 4180 wrote to memory of 4720 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 116
PID 4180 wrote to memory of 4720 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 116
PID 4180 wrote to memory of 4720 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 116
PID 4180 wrote to memory of 3392 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 117
PID 4180 wrote to memory of 3392 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 117
PID 4180 wrote to memory of 3392 | 4180 | {A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe | 117
PID 4720 wrote to memory of 1400 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 118
PID 4720 wrote to memory of 1400 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 118
PID 4720 wrote to memory of 1400 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 118
PID 4720 wrote to memory of 4320 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 119
PID 4720 wrote to memory of 4320 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 119
PID 4720 wrote to memory of 4320 | 4720 | {312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe | 119
PID 1400 wrote to memory of 3396 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 120
PID 1400 wrote to memory of 3396 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 120
PID 1400 wrote to memory of 3396 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 120
PID 1400 wrote to memory of 1952 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 121
PID 1400 wrote to memory of 1952 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 121
PID 1400 wrote to memory of 1952 | 1400 | {B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe | 121
PID 3396 wrote to memory of 4484 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 122
PID 3396 wrote to memory of 4484 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 122
PID 3396 wrote to memory of 4484 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 122
PID 3396 wrote to memory of 892 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 123
PID 3396 wrote to memory of 892 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 123
PID 3396 wrote to memory of 892 | 3396 | {3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe | 123
PID 4484 wrote to memory of 3712 | 4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe | 124
PID 4484 wrote to memory of 3712 | 4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe | 124
PID 4484 wrote to memory of 3712 | 4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe | 124
PID 4484 wrote to memory of 224 | 4484 | {134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe | 125
Processes
(Indentation shows the parent/child relationship; each entry gives the image path, its command line, the signatures it triggered and its PID.)
* C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe (PID 2724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  * C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe (PID 1392)
    Command line: C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    * C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe (PID 1864)
      Command line: C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      * C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe (PID 3268)
        Command line: C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        * C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe (PID 4752)
          Command line: C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          * C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe (PID 3796)
            Command line: C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            * C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe (PID 4180)
              Command line: C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              * C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe (PID 4720)
                Command line: C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                * C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe (PID 1400)
                  Command line: C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  * C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe (PID 3396)
                    Command line: C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    * C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe (PID 4484)
                      Command line: C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      * C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe (PID 3712)
                        Command line: C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        * C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe (PID 2384)
                          Command line: C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe
                          - Executes dropped EXE
                        * C:\Windows\SysWOW64\cmd.exe (PID 3708)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC496~1.EXE > nul
                      * C:\Windows\SysWOW64\cmd.exe (PID 224)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{134EC~1.EXE > nul
                    * C:\Windows\SysWOW64\cmd.exe (PID 892)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3273E~1.EXE > nul
                  * C:\Windows\SysWOW64\cmd.exe (PID 1952)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B29A6~1.EXE > nul
                * C:\Windows\SysWOW64\cmd.exe (PID 4320)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{312CE~1.EXE > nul
              * C:\Windows\SysWOW64\cmd.exe (PID 3392)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E48~1.EXE > nul
            * C:\Windows\SysWOW64\cmd.exe (PID 924)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{89503~1.EXE > nul
          * C:\Windows\SysWOW64\cmd.exe (PID 2872)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7BB~1.EXE > nul
        * C:\Windows\SysWOW64\cmd.exe (PID 4204)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{58713~1.EXE > nul
      * C:\Windows\SysWOW64\cmd.exe (PID 3396)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A7F~1.EXE > nul
    * C:\Windows\SysWOW64\cmd.exe (PID 3084)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FABE5~1.EXE > nul
  * C:\Windows\SysWOW64\cmd.exe (PID 4012)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
* C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2452)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads