Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Size: 197KB
MD5: 7301feddda6b25fa3a7b33330cbcf8a5
SHA1: 9b609736c4b860903ce25b43d2cc8558ce5e5dd3
SHA256: a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6
SHA512: 673df0ba7a4f69b842599a0d4f3bdb72c8984afec15c32ce5a02ed7c751838c6debc3b6b547793c310e09176a44144b4a0072fc956e85d6455a1a93941f53f30
SSDEEP: 3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000d0000000232d6-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006d1-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002351f-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023523-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023529-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023523-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023529-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023523-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023529-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000002f-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000002f-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AB625-E491-462d-8270-736D06A74AED} | {745A7151-D33A-42d6-8100-84C40E16808C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE} | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}\stubpath = "C:\\Windows\\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe" | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA} | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{203CB95E-55E7-403e-86DE-B31D77DA65B9}\stubpath = "C:\\Windows\\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe" | {6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40816058-FC3B-4b2b-9998-C3C35FF02714} | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AB625-E491-462d-8270-736D06A74AED}\stubpath = "C:\\Windows\\{C85AB625-E491-462d-8270-736D06A74AED}.exe" | {745A7151-D33A-42d6-8100-84C40E16808C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}\stubpath = "C:\\Windows\\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe" | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207} | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}\stubpath = "C:\\Windows\\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe" | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82807A2-D1FA-4700-B5A6-8137FD08D78D} | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7151-D33A-42d6-8100-84C40E16808C}\stubpath = "C:\\Windows\\{745A7151-D33A-42d6-8100-84C40E16808C}.exe" | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC37446-A826-46d9-A9D5-7BED0927E3A8} | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}\stubpath = "C:\\Windows\\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe" | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9} | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}\stubpath = "C:\\Windows\\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe" | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}\stubpath = "C:\\Windows\\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe" | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{203CB95E-55E7-403e-86DE-B31D77DA65B9} | {6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40816058-FC3B-4b2b-9998-C3C35FF02714}\stubpath = "C:\\Windows\\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe" | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7151-D33A-42d6-8100-84C40E16808C} | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B} | {C85AB625-E491-462d-8270-736D06A74AED}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}\stubpath = "C:\\Windows\\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe" | {C85AB625-E491-462d-8270-736D06A74AED}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}\stubpath = "C:\\Windows\\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe" | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA} | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
Executes dropped EXE (12 IoCs)
pid | Process
444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe
3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe
1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
3132 | {6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
1812 | {203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
File created | C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
File created | C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
File created | C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | {C85AB625-E491-462d-8270-736D06A74AED}.exe
File created | C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
File created | C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
File created | C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
File created | C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
File created | C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe | {745A7151-D33A-42d6-8100-84C40E16808C}.exe
File created | C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
File created | C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
File created | C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe | {6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
Token: SeIncBasePriorityPrivilege | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe
Token: SeIncBasePriorityPrivilege | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe
Token: SeIncBasePriorityPrivilege | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
Token: SeIncBasePriorityPrivilege | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
Token: SeIncBasePriorityPrivilege | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
Token: SeIncBasePriorityPrivilege | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
Token: SeIncBasePriorityPrivilege | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
Token: SeIncBasePriorityPrivilege | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
Token: SeIncBasePriorityPrivilege | 5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
Token: SeIncBasePriorityPrivilege | 3132 | {6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4604 wrote to memory of 444 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 96
PID 4604 wrote to memory of 444 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 96
PID 4604 wrote to memory of 444 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 96
PID 4604 wrote to memory of 4580 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 97
PID 4604 wrote to memory of 4580 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 97
PID 4604 wrote to memory of 4580 | 4604 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 97
PID 444 wrote to memory of 4172 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 98
PID 444 wrote to memory of 4172 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 98
PID 444 wrote to memory of 4172 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 98
PID 444 wrote to memory of 1132 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 99
PID 444 wrote to memory of 1132 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 99
PID 444 wrote to memory of 1132 | 444 | {40816058-FC3B-4b2b-9998-C3C35FF02714}.exe | 99
PID 4172 wrote to memory of 3220 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 102
PID 4172 wrote to memory of 3220 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 102
PID 4172 wrote to memory of 3220 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 102
PID 4172 wrote to memory of 400 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 103
PID 4172 wrote to memory of 400 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 103
PID 4172 wrote to memory of 400 | 4172 | {745A7151-D33A-42d6-8100-84C40E16808C}.exe | 103
PID 3220 wrote to memory of 1384 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 108
PID 3220 wrote to memory of 1384 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 108
PID 3220 wrote to memory of 1384 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 108
PID 3220 wrote to memory of 780 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 109
PID 3220 wrote to memory of 780 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 109
PID 3220 wrote to memory of 780 | 3220 | {C85AB625-E491-462d-8270-736D06A74AED}.exe | 109
PID 1384 wrote to memory of 2448 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 111
PID 1384 wrote to memory of 2448 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 111
PID 1384 wrote to memory of 2448 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 111
PID 1384 wrote to memory of 2952 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 112
PID 1384 wrote to memory of 2952 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 112
PID 1384 wrote to memory of 2952 | 1384 | {B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe | 112
PID 2448 wrote to memory of 3608 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 113
PID 2448 wrote to memory of 3608 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 113
PID 2448 wrote to memory of 3608 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 113
PID 2448 wrote to memory of 3932 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 114
PID 2448 wrote to memory of 3932 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 114
PID 2448 wrote to memory of 3932 | 2448 | {3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe | 114
PID 3608 wrote to memory of 3484 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 115
PID 3608 wrote to memory of 3484 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 115
PID 3608 wrote to memory of 3484 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 115
PID 3608 wrote to memory of 1716 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 116
PID 3608 wrote to memory of 1716 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 116
PID 3608 wrote to memory of 1716 | 3608 | {1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe | 116
PID 3484 wrote to memory of 2228 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 117
PID 3484 wrote to memory of 2228 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 117
PID 3484 wrote to memory of 2228 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 117
PID 3484 wrote to memory of 3540 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 118
PID 3484 wrote to memory of 3540 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 118
PID 3484 wrote to memory of 3540 | 3484 | {2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe | 118
PID 2228 wrote to memory of 2800 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 119
PID 2228 wrote to memory of 2800 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 119
PID 2228 wrote to memory of 2800 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 119
PID 2228 wrote to memory of 1992 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 120
PID 2228 wrote to memory of 1992 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 120
PID 2228 wrote to memory of 1992 | 2228 | {3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe | 120
PID 2800 wrote to memory of 5004 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 121
PID 2800 wrote to memory of 5004 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 121
PID 2800 wrote to memory of 5004 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 121
PID 2800 wrote to memory of 1116 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 122
PID 2800 wrote to memory of 1116 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 122
PID 2800 wrote to memory of 1116 | 2800 | {A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe | 122
PID 5004 wrote to memory of 3132 | 5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe | 123
PID 5004 wrote to memory of 3132 | 5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe | 123
PID 5004 wrote to memory of 3132 | 5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe | 123
PID 5004 wrote to memory of 1884 | 5004 | {D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe | 124
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe (level 1, PID 4604)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe (level 2, PID 444)
    command line: C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe (level 3, PID 4172)
      command line: C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe (level 4, PID 3220)
        command line: C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe (level 5, PID 1384)
          command line: C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe (level 6, PID 2448)
            command line: C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe (level 7, PID 3608)
              command line: C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe (level 8, PID 3484)
                command line: C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe (level 9, PID 2228)
                  command line: C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe (level 10, PID 2800)
                    command line: C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe (level 11, PID 5004)
                      command line: C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe (level 12, PID 3132)
                        command line: C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe (level 13, PID 1812)
                          command line: C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe (level 13, PID 3204)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6AACC~1.EXE > nul
                      C:\Windows\SysWOW64\cmd.exe (level 12, PID 1884)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D8280~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (level 11, PID 1116)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BAC~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (level 10, PID 1992)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B5A6~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (level 9, PID 3540)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2C47E~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (level 8, PID 1716)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC37~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (level 7, PID 3932)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6A4~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (level 6, PID 2952)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B54D7~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (level 5, PID 780)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C85AB~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (level 4, PID 400)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{745A7~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (level 3, PID 1132)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{40816~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (level 2, PID 4580)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 1992)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 197KB
MD5: 1c225a8e30c24c177a42dbab35099dae
SHA1: f360de89f0134703cb8c73405af13f3090bb54fc
SHA256: 430351d777aeb1a634f2ccf707a2436ca67f4a56d3c4eb2e1422609116a6f8ab
SHA512: cf2ba9abd27977f84e64bf1a98285fd4a107d459c7b304e7601a2c286fe6b9b6f4b5dc7d55061509295e8745f8fb4ee3eef745d531709f96f33d746796af8dbe

Filesize: 197KB
MD5: 295a4d9fea30d8fec0781c449055b887
SHA1: c8ea3984d8418df944753efc66109ce2488bbbf9
SHA256: 0a5ee3395a0b588c0c38ec5e341b5f33dd6708625b1eb06c83ca73c3d5364956
SHA512: 3c4781bebea903b065a0e376ead21464b61e74af428bb46abcee65922f2f796eac62b16cde7228b161884c01c5778205a2bc81ec3d25bacbc7b50b387aa924e3

Filesize: 197KB
MD5: b7ff04d1ecf7739b4593fe4402d76940
SHA1: 65bd588410af4558689c5da2d578af2045ff7fa1
SHA256: 1c3b48cfd02eba2560857467f8d6a69fad18128ddd77f5465f9d5eacd6705787
SHA512: 5808c73d113705c397e957c1845532b353a57879b98f4ec62dac92f24b9cfb6102877943e0946807b33d88101252e443d4b6d642ea5f8908b8c65c44c46f71cc

Filesize: 197KB
MD5: bb0d7dbf70fcb3eb7c2aab1910544c1b
SHA1: f7f79bdba230bfb424d1b78bb009c381f36c51f6
SHA256: 82dd2512b9531a82a1667c5527653b3ff9a5bae4ba504321053c65affe2aaa7b
SHA512: b2e97388d8300bd38c1d1dfc7b0db1e4ed8f065831ba2b597e542ab40063dc58a4c7c5e3c7e45a89550d1066d53289473ebf9a1db82eea517ad75f8e73c319d0

Filesize: 197KB
MD5: 01fac01c77833bd82e7445f312315e48
SHA1: d9c44f78728ae715433f26dd1601e1056604f72d
SHA256: 5c2304b380a30c52abd02d435bb1e5c94074fd1f5ab3841d3dd14aca1d1c9901
SHA512: ccd58cd150913cba37b75919f8739dc3c0b1034149859ebc4126d8383ad19c6c6827228c11db64bd939ecfba89087a976d7209ce2a184b68f583e08ad287eb4a

Filesize: 197KB
MD5: 8bab5288e28d67b1c98b12c26d18aaa7
SHA1: f251f0800f3e5249de34ba817128035e4c4ab8b9
SHA256: f09a1dff2659c4ba32bb90209718996eddc5058d92e836587939677c48a5953a
SHA512: 228e5923396551da85e6e52ff5f573efb3222b633243cecefe7343c3d98db0e89be0a3d597a48cd85500a137101134eceb926c46dad40ee913a89d49f9f6b55f

Filesize: 197KB
MD5: 9bc42c076954695fb15dd6d0503cac2d
SHA1: 06d20b5c9cdbdd700d92cd99328f6286c3e38f5a
SHA256: 1968c6aae22c19b23b0066b5e783bb646eb739c80777b58f859dd752174d3a35
SHA512: 28e994732161bd9f1b87800d355fe464aed37dd696822ab931e269143f538882ee1a22b50e947b3818aa169fbe85dec4208328fb3708362b990e9b7bd90332b3

Filesize: 197KB
MD5: 560f3773250f57a82e78bb3d693d3fee
SHA1: cdb02f767cfbf083000a2e92a6fa4cf91e0efb4d
SHA256: 966666210ed4962cddaa2afba0d0311817040591e85d6ef760a35950bc2cd8f3
SHA512: 65a8422fc6ea4e742bdaf9a00bcf4eee5b0abb2ea98e83fa1569ea46144df29536d8381359ab88d12ae881f8feab270e2f0a134c48c667be4b948a78466f5506

Filesize: 197KB
MD5: b08ecfb098d70aa9fc7f0715193384e2
SHA1: b1253f1c7a427629a172b31f06c53a04687bcb24
SHA256: 7cb446dcedd5b6476f37383596c6d3002ee808b77ac65a267778853936766b61
SHA512: c1e6816f8ee0c5d27baa1555bf589eee95eec1df51e18ee38faa40a51285ff98dc3d4ad2253fc96b8626b663ded00b3ef41a8639105e7e7f1587473341b3a46f

Filesize: 197KB
MD5: c0023af99790eb659bbc943690811a1a
SHA1: c87423a6c86833052a1018a9b54e7f5b862c4ff6
SHA256: 92dc5ecb773a66f3ae79a15e9458104eb07fe28c1c4c48b8f8f771b2c71d9ae3
SHA512: 6a92a4943b3ae9edc78e540dd263896256428d99ecc242f74deebdcfa0b5b3ca59b69f2abb55751f049de0a6e472fd0ef4ae5475d0d6f40014d6bb83077d71ca

Filesize: 197KB
MD5: b188edbb6479739588ca079ba1fc1906
SHA1: 794e84f9f49f0beb3a62a66d61c639ed168657c5
SHA256: 4366eb8132ba93034efe7c0c830510e14338044dafeed1a36ce2c872d7d553e1
SHA512: 67cb3e1c83160054d4634cd9e25871a63b634c5e15e3b1be6ca1962ba4f458498d410cd31b036fce1b8da96faf9f31e4955f0ee68f506b6ac662fc43931bee2e

Filesize: 197KB
MD5: 7ebc1dd71550ffb5ceff19135ea43cc0
SHA1: 121e975c1ec13ae8bd5ef1e464f1de2a6a48c13a
SHA256: cf46f1c071151757163ca2897ad7db84222b744d8261630e4709ccbf626246ba
SHA512: 612c82f5ef01e72ab5e570ffc41c2394d3815953fba27ec2288c5050a65132d86c4de0b6fa8e03dcbeb6bc139c327c03b16766ad05fa86bfc5be1edf5f32ddf5