Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Size: 180KB
MD5: 7797130fb4e98aab4021671402741353
SHA1: 4d73edec6762a49079032ecf3c4a1782aab754d8
SHA256: 8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc
SHA512: 8257b9fa76823847bdb0c7ac98ba5a9bcafd585a033d45982c4921df1b82e6e7f5cbe992e93de4fd1e7573e886d42989a66e971a6f9dd10e19187616cc8fb6ba
SSDEEP: 3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023210-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023205-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023217-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023205-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}\stubpath = "C:\\Windows\\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe" | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE68C556-2AA5-435d-A805-A18ACEA765AB}\stubpath = "C:\\Windows\\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe" | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED177511-98E0-4335-9B3F-E7A560115E6E}\stubpath = "C:\\Windows\\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe" | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}\stubpath = "C:\\Windows\\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe" | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9} | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}\stubpath = "C:\\Windows\\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe" | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}\stubpath = "C:\\Windows\\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe" | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E} | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9} | {3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943DE360-9E0A-4ce1-947A-CB6C9B63413D} | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07} | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83} | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}\stubpath = "C:\\Windows\\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe" | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE68C556-2AA5-435d-A805-A18ACEA765AB} | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80B0CB7-6FE6-4650-B1C8-766FB1754837} | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}\stubpath = "C:\\Windows\\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe" | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED177511-98E0-4335-9B3F-E7A560115E6E} | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF} | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}\stubpath = "C:\\Windows\\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe" | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}\stubpath = "C:\\Windows\\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe" | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA} | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}\stubpath = "C:\\Windows\\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe" | {3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F9756-6101-4e5d-92B0-A173F53D34DB} | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}\stubpath = "C:\\Windows\\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe" | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
Executes dropped EXE (12 IoCs)
pid | Process
4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
1528 | {3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
1976 | {4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
File created | C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
File created | C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
File created | C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
File created | C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
File created | C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
File created | C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
File created | C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe | {3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
File created | C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
File created | C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
File created | C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
File created | C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
Token: SeIncBasePriorityPrivilege | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
Token: SeIncBasePriorityPrivilege | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
Token: SeIncBasePriorityPrivilege | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
Token: SeIncBasePriorityPrivilege | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
Token: SeIncBasePriorityPrivilege | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
Token: SeIncBasePriorityPrivilege | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
Token: SeIncBasePriorityPrivilege | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
Token: SeIncBasePriorityPrivilege | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
Token: SeIncBasePriorityPrivilege | 4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
Token: SeIncBasePriorityPrivilege | 1528 | {3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1528 wrote to memory of 4000 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 96
PID 1528 wrote to memory of 4000 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 96
PID 1528 wrote to memory of 4000 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 96
PID 1528 wrote to memory of 4996 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 97
PID 1528 wrote to memory of 4996 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 97
PID 1528 wrote to memory of 4996 | 1528 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 97
PID 4000 wrote to memory of 1228 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 98
PID 4000 wrote to memory of 1228 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 98
PID 4000 wrote to memory of 1228 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 98
PID 4000 wrote to memory of 1792 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 99
PID 4000 wrote to memory of 1792 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 99
PID 4000 wrote to memory of 1792 | 4000 | {2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe | 99
PID 1228 wrote to memory of 444 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 101
PID 1228 wrote to memory of 444 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 101
PID 1228 wrote to memory of 444 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 101
PID 1228 wrote to memory of 1616 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 102
PID 1228 wrote to memory of 1616 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 102
PID 1228 wrote to memory of 1616 | 1228 | {943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe | 102
PID 444 wrote to memory of 2240 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 103
PID 444 wrote to memory of 2240 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 103
PID 444 wrote to memory of 2240 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 103
PID 444 wrote to memory of 996 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 104
PID 444 wrote to memory of 996 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 104
PID 444 wrote to memory of 996 | 444 | {8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe | 104
PID 2240 wrote to memory of 316 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 105
PID 2240 wrote to memory of 316 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 105
PID 2240 wrote to memory of 316 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 105
PID 2240 wrote to memory of 3964 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 106
PID 2240 wrote to memory of 3964 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 106
PID 2240 wrote to memory of 3964 | 2240 | {98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe | 106
PID 316 wrote to memory of 3228 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 107
PID 316 wrote to memory of 3228 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 107
PID 316 wrote to memory of 3228 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 107
PID 316 wrote to memory of 1960 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 108
PID 316 wrote to memory of 1960 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 108
PID 316 wrote to memory of 1960 | 316 | {AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe | 108
PID 3228 wrote to memory of 3392 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 109
PID 3228 wrote to memory of 3392 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 109
PID 3228 wrote to memory of 3392 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 109
PID 3228 wrote to memory of 3280 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 110
PID 3228 wrote to memory of 3280 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 110
PID 3228 wrote to memory of 3280 | 3228 | {B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe | 110
PID 3392 wrote to memory of 1808 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 111
PID 3392 wrote to memory of 1808 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 111
PID 3392 wrote to memory of 1808 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 111
PID 3392 wrote to memory of 4100 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 112
PID 3392 wrote to memory of 4100 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 112
PID 3392 wrote to memory of 4100 | 3392 | {6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe | 112
PID 1808 wrote to memory of 1208 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 113
PID 1808 wrote to memory of 1208 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 113
PID 1808 wrote to memory of 1208 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 113
PID 1808 wrote to memory of 3020 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 114
PID 1808 wrote to memory of 3020 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 114
PID 1808 wrote to memory of 3020 | 1808 | {ED177511-98E0-4335-9B3F-E7A560115E6E}.exe | 114
PID 1208 wrote to memory of 4932 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 115
PID 1208 wrote to memory of 4932 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 115
PID 1208 wrote to memory of 4932 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 115
PID 1208 wrote to memory of 944 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 116
PID 1208 wrote to memory of 944 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 116
PID 1208 wrote to memory of 944 | 1208 | {6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe | 116
PID 4932 wrote to memory of 1528 | 4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe | 117
PID 4932 wrote to memory of 1528 | 4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe | 117
PID 4932 wrote to memory of 1528 | 4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe | 117
PID 4932 wrote to memory of 3104 | 4932 | {EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe | 118
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1528
  [depth 2] C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
    Command line: C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4000
    [depth 3] C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
      Command line: C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1228
      [depth 4] C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
        Command line: C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 444
        [depth 5] C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
          Command line: C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2240
          [depth 6] C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
            Command line: C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 316
            [depth 7] C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
              Command line: C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3228
              [depth 8] C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
                Command line: C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 3392
                [depth 9] C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
                  Command line: C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 1808
                  [depth 10] C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
                    Command line: C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 1208
                    [depth 11] C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
                      Command line: C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 4932
                      [depth 12] C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
                        Command line: C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 1528
                        [depth 13] C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe
                          Command line: C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe
                          - Executes dropped EXE
                          PID: 1976
                        [depth 13] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3E952~1.EXE > nul
                          PID: 1236
                      [depth 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DF~1.EXE > nul
                        PID: 3104
                    [depth 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6C30C~1.EXE > nul
                      PID: 944
                  [depth 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ED177~1.EXE > nul
                    PID: 3020
                [depth 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3F9~1.EXE > nul
                  PID: 4100
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B80B0~1.EXE > nul
                PID: 3280
            [depth 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AE68C~1.EXE > nul
              PID: 1960
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{98A3E~1.EXE > nul
            PID: 3964
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8AECB~1.EXE > nul
          PID: 996
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{943DE~1.EXE > nul
        PID: 1616
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA95~1.EXE > nul
      PID: 1792
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 4996
Network
MITRE ATT&CK Enterprise v15
Downloads