Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 06/04/2024, 21:42
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
- Resource: win10v2004-20231215-en
General
- Target: 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
- Size: 380KB
- MD5: 837c0fd552356df3d2305046cc7d3d4b
- SHA1: 23cf430ffb0c039c39500fe2aa072dcdd34d9d93
- SHA256: ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c
- SHA512: d1a5e7fb6af1e81da050658b37c0d137eadb2ed8c7f033b4b25567f9bb88604724aa4d3f827ecf3acb3b1883aade945b5f3d8601025881de6f1db94421cc9939
- SSDEEP: 3072:mEGh0oFlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGzl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/files/0x000600000002321a-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0006000000023223-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000023229-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000023223-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0002000000021f82-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0002000000021f83-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000021f82-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000705-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000707-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0004000000000705-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0004000000000707-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0005000000000705-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5873103-31D1-41b1-89DE-A08D98A4033E} | {AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5873103-31D1-41b1-89DE-A08D98A4033E}\stubpath = "C:\\Windows\\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe" | {AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBE1B83-E263-48be-B221-FF8B6966EEDC} | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB} | {4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C} | {D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A3783E-94BD-4885-A11C-C39147543A1E}\stubpath = "C:\\Windows\\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe" | {0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}\stubpath = "C:\\Windows\\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe" | {D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}\stubpath = "C:\\Windows\\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe" | {A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C} | {BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}\stubpath = "C:\\Windows\\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe" | {62A3783E-94BD-4885-A11C-C39147543A1E}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643B98-6781-4d9f-B07D-D48BE14C3EFD} | {8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}\stubpath = "C:\\Windows\\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe" | {8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBC5147-3ADE-4a23-9190-916DE8470E1C} | {94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}\stubpath = "C:\\Windows\\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe" | {10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}\stubpath = "C:\\Windows\\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe" | {BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4} | {62A3783E-94BD-4885-A11C-C39147543A1E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}\stubpath = "C:\\Windows\\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe" | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}\stubpath = "C:\\Windows\\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe" | {4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96} | {10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58074FD-FD34-4583-B801-BEF67A2C0E23} | {59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}\stubpath = "C:\\Windows\\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe" | {94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58074FD-FD34-4583-B801-BEF67A2C0E23}\stubpath = "C:\\Windows\\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe" | {59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9B2563-BE57-46b0-BE42-3F10123ECA81} | {A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A3783E-94BD-4885-A11C-C39147543A1E} | {0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 3000 | {8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe |
| 4316 | {94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe |
| 628 | {4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe |
| 3388 | {10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe |
| 2128 | {59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe |
| 784 | {D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe |
| 4240 | {A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe |
| 4976 | {BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe |
| 1620 | {0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe |
| 1584 | {62A3783E-94BD-4885-A11C-C39147543A1E}.exe |
| 4368 | {AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe |
| 3968 | {A5873103-31D1-41b1-89DE-A08D98A4033E}.exe |
Drops file in Windows directory (12 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe | {10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe |
| File created | C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe | {59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe |
| File created | C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe | {D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe |
| File created | C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe | {8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe |
| File created | C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe | {94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe |
| File created | C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe | {4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe |
| File created | C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe | {A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe |
| File created | C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe | {BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe |
| File created | C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe | {0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe |
| File created | C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe | {62A3783E-94BD-4885-A11C-C39147543A1E}.exe |
| File created | C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe | {AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe |
| File created | C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 4784 | 2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 3000 | {8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe |
| Token: SeIncBasePriorityPrivilege | 4316 | {94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe |
| Token: SeIncBasePriorityPrivilege | 628 | {4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe |
| Token: SeIncBasePriorityPrivilege | 3388 | {10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe |
| Token: SeIncBasePriorityPrivilege | 2128 | {59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe |
| Token: SeIncBasePriorityPrivilege | 784 | {D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe |
| Token: SeIncBasePriorityPrivilege | 4240 | {A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe |
| Token: SeIncBasePriorityPrivilege | 4976 | {BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe |
| Token: SeIncBasePriorityPrivilege | 1620 | {0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe |
| Token: SeIncBasePriorityPrivilege | 1584 | {62A3783E-94BD-4885-A11C-C39147543A1E}.exe |
| Token: SeIncBasePriorityPrivilege | 4368 | {AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe (PID 4784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe (PID 3000)
    Command line: C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe (PID 4316)
      Command line: C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe (PID 628)
        Command line: C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe (PID 3388)
          Command line: C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe (PID 2128)
            Command line: C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe (PID 784)
              Command line: C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe (PID 4240)
                Command line: C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe (PID 4976)
                  Command line: C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe (PID 1620)
                    Command line: C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe (PID 1584)
                      Command line: C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe (PID 4368)
                        Command line: C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
                        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe (PID 3968)
                          Command line: C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe
                          Signatures: Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (PID 2968)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AA87B~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (PID 1500)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{62A37~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 3524)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1DB~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 392)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9B2~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 4232)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C22~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 2872)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D5807~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 4668)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59FA6~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 696)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{10A33~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 5100)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBC5~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 4104)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{94643~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 1192)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8DBE1~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 5088)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads