Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Size: 408KB
MD5: 346d60fa715d70c9f021f642ca8c062c
SHA1: 80861531b692c44698e5e540d68070ab917444f8
SHA256: f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73
SHA512: cd46e07b06cd52f62b4825437d9016e5d3cdfe8f8a1b39bd7c9311a7d9fb3e031e80f2ea720355dc134cf5273bd3933f5d064b2b9ecfbe71356c1ae8c1f1ee36
SSDEEP: 3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x00060000000231ee-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231f7-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fd-11.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f7-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246}\stubpath = "C:\\Windows\\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe" | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5} | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{570DF862-43E8-426d-8284-1BBFC22F34E5}\stubpath = "C:\\Windows\\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe" | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A} | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2} | {D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23} | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}\stubpath = "C:\\Windows\\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe" | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC}\stubpath = "C:\\Windows\\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe" | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7}\stubpath = "C:\\Windows\\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe" | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}\stubpath = "C:\\Windows\\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe" | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7} | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314C46C8-A4EC-499b-8809-8F09720846B7}\stubpath = "C:\\Windows\\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe" | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05} | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923} | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BBADA1-963E-4f9e-8602-000E1E31D923}\stubpath = "C:\\Windows\\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe" | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4} | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}\stubpath = "C:\\Windows\\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe" | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}\stubpath = "C:\\Windows\\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe" | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A40BB8-2626-4bba-9549-D6ABE66006D7} | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9959AC73-6AE2-4c5d-817E-ACC467BC940C} | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}\stubpath = "C:\\Windows\\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe" | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}\stubpath = "C:\\Windows\\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe" | {D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E6FCB0-54FE-4241-A422-DE4889ACF246} | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59D8249-F119-436f-AC42-B0E63C996DAC} | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
Executes dropped EXE 12 IoCs
pid | Process
1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe
4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
4132 | {D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
744 | {BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
File created | C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
File created | C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe | {D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
File created | C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe
File created | C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
File created | C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
File created | C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
File created | C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
File created | C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
File created | C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
File created | C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
File created | C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
Token: SeIncBasePriorityPrivilege | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
Token: SeIncBasePriorityPrivilege | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
Token: SeIncBasePriorityPrivilege | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
Token: SeIncBasePriorityPrivilege | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
Token: SeIncBasePriorityPrivilege | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe
Token: SeIncBasePriorityPrivilege | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
Token: SeIncBasePriorityPrivilege | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
Token: SeIncBasePriorityPrivilege | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
Token: SeIncBasePriorityPrivilege | 4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
Token: SeIncBasePriorityPrivilege | 4132 | {D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 556 wrote to memory of 1812 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 88
PID 556 wrote to memory of 1812 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 88
PID 556 wrote to memory of 1812 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 88
PID 556 wrote to memory of 3004 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 89
PID 556 wrote to memory of 3004 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 89
PID 556 wrote to memory of 3004 | 556 | 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe | 89
PID 1812 wrote to memory of 4892 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 93
PID 1812 wrote to memory of 4892 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 93
PID 1812 wrote to memory of 4892 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 93
PID 1812 wrote to memory of 2516 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 94
PID 1812 wrote to memory of 2516 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 94
PID 1812 wrote to memory of 2516 | 1812 | {F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe | 94
PID 4892 wrote to memory of 3080 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 96
PID 4892 wrote to memory of 3080 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 96
PID 4892 wrote to memory of 3080 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 96
PID 4892 wrote to memory of 3168 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 97
PID 4892 wrote to memory of 3168 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 97
PID 4892 wrote to memory of 3168 | 4892 | {61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe | 97
PID 3080 wrote to memory of 3328 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 98
PID 3080 wrote to memory of 3328 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 98
PID 3080 wrote to memory of 3328 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 98
PID 3080 wrote to memory of 1800 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 99
PID 3080 wrote to memory of 1800 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 99
PID 3080 wrote to memory of 1800 | 3080 | {A59D8249-F119-436f-AC42-B0E63C996DAC}.exe | 99
PID 3328 wrote to memory of 2644 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 100
PID 3328 wrote to memory of 2644 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 100
PID 3328 wrote to memory of 2644 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 100
PID 3328 wrote to memory of 2124 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 101
PID 3328 wrote to memory of 2124 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 101
PID 3328 wrote to memory of 2124 | 3328 | {88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe | 101
PID 2644 wrote to memory of 3036 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 102
PID 2644 wrote to memory of 3036 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 102
PID 2644 wrote to memory of 3036 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 102
PID 2644 wrote to memory of 4292 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 103
PID 2644 wrote to memory of 4292 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 103
PID 2644 wrote to memory of 4292 | 2644 | {FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe | 103
PID 3036 wrote to memory of 4196 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 104
PID 3036 wrote to memory of 4196 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 104
PID 3036 wrote to memory of 4196 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 104
PID 3036 wrote to memory of 4792 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 105
PID 3036 wrote to memory of 4792 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 105
PID 3036 wrote to memory of 4792 | 3036 | {314C46C8-A4EC-499b-8809-8F09720846B7}.exe | 105
PID 4196 wrote to memory of 2920 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 106
PID 4196 wrote to memory of 2920 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 106
PID 4196 wrote to memory of 2920 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 106
PID 4196 wrote to memory of 2408 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 107
PID 4196 wrote to memory of 2408 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 107
PID 4196 wrote to memory of 2408 | 4196 | {15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe | 107
PID 2920 wrote to memory of 644 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 108
PID 2920 wrote to memory of 644 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 108
PID 2920 wrote to memory of 644 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 108
PID 2920 wrote to memory of 4316 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 109
PID 2920 wrote to memory of 4316 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 109
PID 2920 wrote to memory of 4316 | 2920 | {9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe | 109
PID 644 wrote to memory of 4388 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 110
PID 644 wrote to memory of 4388 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 110
PID 644 wrote to memory of 4388 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 110
PID 644 wrote to memory of 3960 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 111
PID 644 wrote to memory of 3960 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 111
PID 644 wrote to memory of 3960 | 644 | {570DF862-43E8-426d-8284-1BBFC22F34E5}.exe | 111
PID 4388 wrote to memory of 4132 | 4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | 112
PID 4388 wrote to memory of 4132 | 4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | 112
PID 4388 wrote to memory of 4132 | 4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | 112
PID 4388 wrote to memory of 4736 | 4388 | {B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe | 113
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe (depth 1, PID 556)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe (depth 2, PID 1812)
    command line: C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe (depth 3, PID 4892)
      command line: C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe (depth 4, PID 3080)
        command line: C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe (depth 5, PID 3328)
          command line: C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe (depth 6, PID 2644)
            command line: C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe (depth 7, PID 3036)
              command line: C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe (depth 8, PID 4196)
                command line: C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe (depth 9, PID 2920)
                  command line: C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe (depth 10, PID 644)
                    command line: C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe (depth 11, PID 4388)
                      command line: C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe (depth 12, PID 4132)
                        command line: C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe (depth 13, PID 744)
                          command line: C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe (depth 13, PID 4852)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D210A~1.EXE > nul
                      C:\Windows\SysWOW64\cmd.exe (depth 12, PID 4736)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B3276~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 3960)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{570DF~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 4316)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9959A~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2408)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{15EC8~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4792)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{314C4~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 4292)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3FF~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2124)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{88A40~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 1800)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A59D8~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 3168)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{61E6F~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2516)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BBA~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3004)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Downloads