Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 21:38
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Resource: win10v2004-20240319-en
General
Target: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Size: 372KB
MD5: 5dafa0615125a3ba50e55994a49633fa
SHA1: 8e9722fa468434a42a756be6e92b8193a73282db
SHA256: 69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354
SHA512: db0e0ecf2dda507800c456cefd6a62f6fd42d63158e0682b2dee300e841bd71420e0b5cf48441524f738000c4e4f947e95bbc1b7260d517217736e4da596508f
SSDEEP: 3072:CEGh0omlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002332b-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023341-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000167e1-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b1-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c9-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000235c6-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234c9-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000235c6-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000235e0-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230db-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230dc-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000235e7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325} | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}\stubpath = "C:\\Windows\\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe" | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}\stubpath = "C:\\Windows\\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe" | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666} | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}\stubpath = "C:\\Windows\\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe" | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3}\stubpath = "C:\\Windows\\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe" | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6} | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}\stubpath = "C:\\Windows\\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe" | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}\stubpath = "C:\\Windows\\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe" | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561} | {00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77394D0A-5BA4-4714-9358-AB426C82E561}\stubpath = "C:\\Windows\\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe" | {00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}\stubpath = "C:\\Windows\\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe" | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D}\stubpath = "C:\\Windows\\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe" | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8} | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2229C46-9145-4bf0-BB56-3FC1C8820666}\stubpath = "C:\\Windows\\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe" | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69FCB09-3716-4af5-9A80-2AA2C2F02467} | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77D935-85C1-44f4-AB99-A3D881D025B3} | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B}\stubpath = "C:\\Windows\\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe" | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56499838-EC57-437d-ABE0-DD03CAEBB0B3} | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FB8A83-1929-4527-B482-52FE748E1DA8}\stubpath = "C:\\Windows\\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe" | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943ACD8F-78FF-46cc-A15F-A2983D3F4965} | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0337974D-4A2E-41cf-A858-73B338422D3B} | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B} | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191B3F71-7970-4902-B7A3-EFE70330C04D} | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
Executes dropped EXE (12 IoCs)
pid | process
3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe
660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
2288 | {00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
3176 | {77394D0A-5BA4-4714-9358-AB426C82E561}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | process
File created | C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
File created | C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
File created | C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
File created | C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
File created | C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe
File created | C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
File created | C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
File created | C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe | {00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
File created | C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
File created | C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
File created | C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
File created | C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | process
Token: SeIncBasePriorityPrivilege | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
Token: SeIncBasePriorityPrivilege | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
Token: SeIncBasePriorityPrivilege | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
Token: SeIncBasePriorityPrivilege | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
Token: SeIncBasePriorityPrivilege | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
Token: SeIncBasePriorityPrivilege | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe
Token: SeIncBasePriorityPrivilege | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
Token: SeIncBasePriorityPrivilege | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
Token: SeIncBasePriorityPrivilege | 3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
Token: SeManageVolumePrivilege | 1288 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
PID 2460 wrote to memory of 3224 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 106
PID 2460 wrote to memory of 3224 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 106
PID 2460 wrote to memory of 3224 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 106
PID 2460 wrote to memory of 1584 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 107
PID 2460 wrote to memory of 1584 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 107
PID 2460 wrote to memory of 1584 | 2460 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe | 107
PID 3224 wrote to memory of 2900 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 110
PID 3224 wrote to memory of 2900 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 110
PID 3224 wrote to memory of 2900 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 110
PID 3224 wrote to memory of 2532 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 111
PID 3224 wrote to memory of 2532 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 111
PID 3224 wrote to memory of 2532 | 3224 | {C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe | 111
PID 2900 wrote to memory of 3376 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 114
PID 2900 wrote to memory of 3376 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 114
PID 2900 wrote to memory of 3376 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 114
PID 2900 wrote to memory of 3236 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 115
PID 2900 wrote to memory of 3236 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 115
PID 2900 wrote to memory of 3236 | 2900 | {943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe | 115
PID 3376 wrote to memory of 1584 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 117
PID 3376 wrote to memory of 1584 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 117
PID 3376 wrote to memory of 1584 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 117
PID 3376 wrote to memory of 4092 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 118
PID 3376 wrote to memory of 4092 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 118
PID 3376 wrote to memory of 4092 | 3376 | {F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe | 118
PID 1584 wrote to memory of 3208 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 119
PID 1584 wrote to memory of 3208 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 119
PID 1584 wrote to memory of 3208 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 119
PID 1584 wrote to memory of 4588 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 120
PID 1584 wrote to memory of 4588 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 120
PID 1584 wrote to memory of 4588 | 1584 | {AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe | 120
PID 3208 wrote to memory of 3032 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 122
PID 3208 wrote to memory of 3032 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 122
PID 3208 wrote to memory of 3032 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 122
PID 3208 wrote to memory of 2500 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 123
PID 3208 wrote to memory of 2500 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 123
PID 3208 wrote to memory of 2500 | 3208 | {A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe | 123
PID 3032 wrote to memory of 660 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 124
PID 3032 wrote to memory of 660 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 124
PID 3032 wrote to memory of 660 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 124
PID 3032 wrote to memory of 532 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 125
PID 3032 wrote to memory of 532 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 125
PID 3032 wrote to memory of 532 | 3032 | {0337974D-4A2E-41cf-A858-73B338422D3B}.exe | 125
PID 660 wrote to memory of 2288 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 126
PID 660 wrote to memory of 2288 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 126
PID 660 wrote to memory of 2288 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 126
PID 660 wrote to memory of 1912 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 127
PID 660 wrote to memory of 1912 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 127
PID 660 wrote to memory of 1912 | 660 | {44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe | 127
PID 2288 wrote to memory of 3592 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 132
PID 2288 wrote to memory of 3592 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 132
PID 2288 wrote to memory of 3592 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 132
PID 2288 wrote to memory of 3916 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 133
PID 2288 wrote to memory of 3916 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 133
PID 2288 wrote to memory of 3916 | 2288 | {064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe | 133
PID 3592 wrote to memory of 3236 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 137
PID 3592 wrote to memory of 3236 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 137
PID 3592 wrote to memory of 3236 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 137
PID 3592 wrote to memory of 4176 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 138
PID 3592 wrote to memory of 4176 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 138
PID 3592 wrote to memory of 4176 | 3592 | {56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe | 138
PID 3236 wrote to memory of 2288 | 3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | 139
PID 3236 wrote to memory of 2288 | 3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | 139
PID 3236 wrote to memory of 2288 | 3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | 139
PID 3236 wrote to memory of 1828 | 3236 | {191B3F71-7970-4902-B7A3-EFE70330C04D}.exe | 140
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
PID: 2460
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
Command line: C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
PID: 3224
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
Command line: C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
PID: 2900
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
Command line: C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
PID: 3376
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
Command line: C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
PID: 1584
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
Command line: C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
PID: 3208
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
Command line: C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
PID: 3032
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
Command line: C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
PID: 660
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
Command line: C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
PID: 2288
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
Command line: C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
PID: 3592
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
Command line: C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
PID: 3236
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
Command line: C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
PID: 2288
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

[depth 13] C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
Command line: C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
PID: 3176
- Executes dropped EXE

[depth 13] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{00FB8~1.EXE > nul
PID: 3224

[depth 12] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{191B3~1.EXE > nul
PID: 1828

[depth 11] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56499~1.EXE > nul
PID: 4176

[depth 10] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{064EE~1.EXE > nul
PID: 3916

[depth 9] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{44B3F~1.EXE > nul
PID: 1912

[depth 8] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{03379~1.EXE > nul
PID: 532

[depth 7] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A4691~1.EXE > nul
PID: 2500

[depth 6] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AD77D~1.EXE > nul
PID: 4588

[depth 5] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F69FC~1.EXE > nul
PID: 4092

[depth 4] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{943AC~1.EXE > nul
PID: 3236

[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2229~1.EXE > nul
PID: 2532

[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
PID: 1584

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
PID: 4788

[depth 1] C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID: 348

[depth 1] C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
PID: 1288
- Suspicious use of AdjustPrivilegeToken
Downloads