Analysis
max time kernel: 149s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the run shown in this report)
  Sample: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Size: 168KB
MD5: 7ad159816e5e1b401a70f0c9ca3f4b07
SHA1: d95d8f2aadaf3afb86740a04d14dfd68ce06cbd1
SHA256: eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3
SHA512: 1618b23f7ff4b3f41be7982b0256177324a4c212328d5ead5af0ead8e1bac4e962fcd7e8ea0dcfb4ddffff2720dcbb612042ffa13c6b02171f460f2fd5b41e11
SSDEEP: 1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023204-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231fa-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231fa-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
Note: a StubPath value under HKLM\SOFTWARE\...\Microsoft\Active Setup\Installed Components\{GUID} is executed at the next interactive logon of every user whose HKCU copy of that GUID is missing, so each stage below registers the next stage for logon persistence (MITRE ATT&CK T1547.014, Boot or Logon Autostart Execution: Active Setup). The WOW6432Node path reflects the 32-bit sample running on the x64 image.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}\stubpath = "C:\\Windows\\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe" | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1D38934-28D1-44e9-AE67-2158241E5D40}\stubpath = "C:\\Windows\\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe" | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F} | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B21AB4-3146-494c-B43E-9B5541D83E04} | {8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D} | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}\stubpath = "C:\\Windows\\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe" | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}\stubpath = "C:\\Windows\\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe" | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0} | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}\stubpath = "C:\\Windows\\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe" | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD14D6EB-1968-4b20-82E4-5159168E442E}\stubpath = "C:\\Windows\\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe" | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}\stubpath = "C:\\Windows\\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe" | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478CFFF3-CD2A-4435-99E9-F3D2B0853296} | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E} | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}\stubpath = "C:\\Windows\\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe" | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}\stubpath = "C:\\Windows\\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe" | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD14D6EB-1968-4b20-82E4-5159168E442E} | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE} | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2} | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1D38934-28D1-44e9-AE67-2158241E5D40} | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E06F327-5D4F-4e68-8387-1D5328A27369} | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E06F327-5D4F-4e68-8387-1D5328A27369}\stubpath = "C:\\Windows\\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe" | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}\stubpath = "C:\\Windows\\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe" | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B21AB4-3146-494c-B43E-9B5541D83E04}\stubpath = "C:\\Windows\\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe" | {8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A} | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Executes dropped EXE (12 IoCs)
pid | Process
3832 | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
2808 | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
4644 | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
4488 | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
3496 | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
3204 | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
4848 | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
4756 | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
3372 | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
4900 | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
2104 | {8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
4624 | {73B21AB4-3146-494c-B43E-9B5541D83E04}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
File created | C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
File created | C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
File created | C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe | {8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
File created | C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
File created | C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
File created | C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
File created | C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
File created | C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
File created | C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
File created | C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
File created | C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4500 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3832 | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
Token: SeIncBasePriorityPrivilege | 2808 | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
Token: SeIncBasePriorityPrivilege | 4644 | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
Token: SeIncBasePriorityPrivilege | 4488 | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
Token: SeIncBasePriorityPrivilege | 3496 | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
Token: SeIncBasePriorityPrivilege | 3204 | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
Token: SeIncBasePriorityPrivilege | 4848 | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
Token: SeIncBasePriorityPrivilege | 4756 | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
Token: SeIncBasePriorityPrivilege | 3372 | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
Token: SeIncBasePriorityPrivilege | 4900 | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
Token: SeIncBasePriorityPrivilege | 2104 | {8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report lists each parent/child pair three times, and the listing stops at 64 rows)
description | pid | Process | procid_target
PID 4500 wrote to memory of 3832 | 4500 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 97 (listed 3 times)
PID 4500 wrote to memory of 1844 | 4500 | 2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe | 98 (listed 3 times)
PID 3832 wrote to memory of 2808 | 3832 | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe | 99 (listed 3 times)
PID 3832 wrote to memory of 1296 | 3832 | {93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe | 100 (listed 3 times)
PID 2808 wrote to memory of 4644 | 2808 | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe | 102 (listed 3 times)
PID 2808 wrote to memory of 2784 | 2808 | {FD14D6EB-1968-4b20-82E4-5159168E442E}.exe | 103 (listed 3 times)
PID 4644 wrote to memory of 4488 | 4644 | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe | 104 (listed 3 times)
PID 4644 wrote to memory of 4960 | 4644 | {38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe | 105 (listed 3 times)
PID 4488 wrote to memory of 3496 | 4488 | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe | 106 (listed 3 times)
PID 4488 wrote to memory of 3240 | 4488 | {478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe | 107 (listed 3 times)
PID 3496 wrote to memory of 3204 | 3496 | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe | 108 (listed 3 times)
PID 3496 wrote to memory of 4400 | 3496 | {02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe | 109 (listed 3 times)
PID 3204 wrote to memory of 4848 | 3204 | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe | 110 (listed 3 times)
PID 3204 wrote to memory of 4876 | 3204 | {35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe | 111 (listed 3 times)
PID 4848 wrote to memory of 4756 | 4848 | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe | 112 (listed 3 times)
PID 4848 wrote to memory of 3604 | 4848 | {F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe | 113 (listed 3 times)
PID 4756 wrote to memory of 3372 | 4756 | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe | 114 (listed 3 times)
PID 4756 wrote to memory of 4956 | 4756 | {E1D38934-28D1-44e9-AE67-2158241E5D40}.exe | 115 (listed 3 times)
PID 3372 wrote to memory of 4900 | 3372 | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe | 116 (listed 3 times)
PID 3372 wrote to memory of 3648 | 3372 | {2E06F327-5D4F-4e68-8387-1D5328A27369}.exe | 117 (listed 3 times)
PID 4900 wrote to memory of 2104 | 4900 | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe | 118 (listed 3 times)
PID 4900 wrote to memory of 2796 | 4900 | {5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe | 119 (listed once; the remaining rows are cut off at the 64-row limit)
Processes
Tree as reported (depth in brackets; each process is indented under its parent):
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe (PID 4500)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
    signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe (PID 3832)
      command line: C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe (PID 2808)
        command line: C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe (PID 4644)
          command line: C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [5] C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe (PID 4488)
            command line: C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe (PID 3496)
              command line: C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [7] C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe (PID 3204)
                command line: C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              [8] C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe (PID 4848)
                  command line: C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                [9] C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe (PID 4756)
                    command line: C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe (PID 3372)
                       command line: C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
                       signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe (PID 4900)
                         command line: C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
                         signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe (PID 2104)
                           command line: C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
                           signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe (PID 4624)
                             command line: C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe
                             signatures: Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 5000)
                             command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3C3~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 2796)
                           command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D45A~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 3648)
                         command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2E06F~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 4956)
                       command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D38~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 3604)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D53~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 4876)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35A60~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4400)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{02BB0~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3240)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{478CF~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4960)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{38CCB~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2784)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FD14D~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1296)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECB~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1844)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Reading the tree: every stage launches the next GUID-named stage and a cmd.exe that deletes the stage's own binary by its 8.3 short name (the cmd.exe at depth N+1 is a child of the stage at depth N, matching the WriteProcessMemory pairs above). Only the last stage, {73B21AB4-3146-494c-B43E-9B5541D83E04}.exe, is not deleted within the run.
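As an added example serving the Signatures and Processes sections above (the editor's own code, not part of the tria.ge report, of tria.ge, or of the sample), the script below rebuilds the stage chain from the StubPath rows, resolves the 8.3 short names in the cmd.exe /c del command lines back to the dropped files, and reports which Active Setup entries still point at a file on disk when the run ends. STUBPATH_ROWS and DEL_ROWS are copied from the report (the parent of each cmd.exe is read off the tree depth). The 8.3 rule in short_name_candidates() (first six characters of the base name, then ~N, three-character extension) is an assumption about how Windows generated those names; it holds for the GUID-style names here, and the function returns every candidate rather than guessing when more than one matches.

```python
"""Rebuild the GoldenEye-style dropper chain from the report rows above.

Added example by the editor; not code from the tria.ge report or the sample.
STUBPATH_ROWS and DEL_ROWS are copied from the report. The 8.3 short-name
rule in short_name_candidates() is an assumption about how Windows named
files such as {8D3C3~1.EXE.
"""
import re

SAMPLE = "2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
# (process that wrote the value, StubPath value) for the 12 "Set value (str)" rows.
STUBPATH_ROWS = [
    ("{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe", r"C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe"),
    ("{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe", r"C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe"),
    ("{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe", r"C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe"),
    ("{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe", r"C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe"),
    (SAMPLE, r"C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe"),
    ("{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe", r"C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe"),
    ("{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe", r"C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe"),
    ("{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe", r"C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe"),
    ("{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe", r"C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe"),
    ("{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe", r"C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe"),
    ("{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe", r"C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe"),
    ("{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe", r"C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe"),
]
# (process that spawned cmd.exe, cmd.exe command line) from the process tree.
DEL = r"C:\Windows\system32\cmd.exe /c del "
DEL_ROWS = [
    ("{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe", DEL + r"C:\Windows\{8D3C3~1.EXE > nul"),
    ("{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe", DEL + r"C:\Windows\{5D45A~1.EXE > nul"),
    ("{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe", DEL + r"C:\Windows\{2E06F~1.EXE > nul"),
    ("{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe", DEL + r"C:\Windows\{E1D38~1.EXE > nul"),
    ("{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe", DEL + r"C:\Windows\{F4D53~1.EXE > nul"),
    ("{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe", DEL + r"C:\Windows\{35A60~1.EXE > nul"),
    ("{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe", DEL + r"C:\Windows\{02BB0~1.EXE > nul"),
    ("{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe", DEL + r"C:\Windows\{478CF~1.EXE > nul"),
    ("{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe", DEL + r"C:\Windows\{38CCB~1.EXE > nul"),
    ("{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe", DEL + r"C:\Windows\{FD14D~1.EXE > nul"),
    ("{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe", DEL + r"C:\Windows\{93ECB~1.EXE > nul"),
    (SAMPLE, DEL + r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
]
DEL_RE = re.compile(r"/c del (?P<path>\S+) > nul", re.IGNORECASE)


def drop_graph(rows):
    """Map each writer to the file name its Active Setup StubPath points at."""
    graph = {}
    for writer, stubpath in rows:
        if writer in graph:  # one next stage per generation; anything else is a parse error
            raise ValueError(f"{writer} registered more than one StubPath")
        graph[writer] = stubpath.rsplit("\\", 1)[-1]
    return graph


def walk_chain(graph, start):
    """Follow writer -> registered-stage links from the sample; refuse cycles."""
    chain, cur = [start], start
    while cur in graph:
        cur = graph[cur]
        if cur in chain:
            raise ValueError(f"StubPath chain loops back to {cur}")
        chain.append(cur)
    return chain


def short_name_candidates(short, long_names):
    """Every long name an 8.3 name like '{8D3C3~1.EXE' could stand for (assumed
    rule: first six characters of the base name + ~N, extension cut to three).
    ~N does not tell which collision Windows numbered first, so all hits are returned."""
    base, _, ext = short.upper().partition(".")
    prefix = base.split("~")[0]
    hits = []
    for name in long_names:
        lbase, _, lext = name.upper().rpartition(".")
        if lbase.startswith(prefix) and lext[:3] == ext:
            hits.append(name)
    return hits


def analyze(stub_rows=STUBPATH_ROWS, del_rows=DEL_ROWS, start=SAMPLE):
    """Chain order, stages that delete their own binary, and StubPath entries still backed by a file."""
    chain = walk_chain(drop_graph(stub_rows), start)
    deleted, self_deleting, ambiguous = set(), [], []
    for parent, cmdline in del_rows:
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        short = m.group("path").rsplit("\\", 1)[-1]
        hits = short_name_candidates(short, chain)
        if len(hits) != 1:
            ambiguous.append(short)  # cannot attribute the delete to one stage
            continue
        deleted.add(hits[0])
        if hits[0] == parent:
            self_deleting.append(parent)
    live = [stage for stage in chain[1:] if stage not in deleted]
    return {"chain": chain, "self_deleting": self_deleting,
            "live_persistence": live, "ambiguous": ambiguous}


if __name__ == "__main__":
    result = analyze()
    print(" -> ".join(result["chain"]))
    print("self-deleting stages:", len(result["self_deleting"]), "| still on disk:", result["live_persistence"])
```

On this report the chain comes out as the 13-process line seen in the tree, all 12 parents of a cmd.exe delete their own binary, and the only StubPath entry still backed by a file is the last stage's. The other eleven Active Setup entries point at files that no longer exist, which is worth knowing when triaging a host: the registry keys are still indicators of compromise even though the logon-time execution they would trigger can no longer run.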
Network
MITRE ATT&CK Enterprise v15
Downloads
Twelve dropped files, one per stage. Each is 168KB like the submitted sample but carries a different hash, so the stages are not byte-identical copies of the parent.

Filesize: 168KB
MD5: 442ba02b0fc60d8ec9025a3de7a40621
SHA1: e2e971882a86c71df35822ef6cedd79e1c6dc4ac
SHA256: a7212fb19199a9cd6a538ff07e0ef5a4b90f8fe59e91dd03307aee9343ecc462
SHA512: 982e6a79d31fc13e75ae0d645dff4ab7570581637576943d8e32769dc7aec51a6511c169e03fd37e74eca36d42cfd33270cc454fe05779eb9e816c825a65c38a

Filesize: 168KB
MD5: cac6a19afb5a85b397b20ab2c55667be
SHA1: b89070a24d8a33bbb3b799856fc8d0a91e6a1cbe
SHA256: 16856d1e09482f808f79cf63d00b82ef093fdece23a340bacc88bf90d6579744
SHA512: 5d0310eef18cd25d12256079739264b6987d3c96035949652a66de5fd2ef5f74672f7db5aadccc72be8e553812f343bfa3f43c1d381d3b5cb647a74496ec7e37

Filesize: 168KB
MD5: a820386440c8597080a7510793a4d722
SHA1: e84cd5a5136f5f475a9cf0e32c9e97ba66390c35
SHA256: 0b8e69fb07a8d2684462ebabb3b8170f52f1862682eda6c27a2b3fd0431b5ab8
SHA512: 7ec013fc6217686ab8fc755a911123ffa4fbb99cb3564344359bc12ec80a3b60fa944f38287cbbda0a90b8f3b02d4d4eb626d1497ba2517d460c29feab61d27d

Filesize: 168KB
MD5: 018533f2a5c4df62a711ab7d535812dd
SHA1: 7d2c4954b2eff5890e64d0c9a4acb200fd2d8ea7
SHA256: a870090c75cbebdfc8e7baf15e263a851dfcd8d9728d07ac0d523d479e429a0b
SHA512: 1c07886fdfc9d82ac2a89a4f43eb67e09753b37109d3704580a2836eb7e3b0e265418928630ee28060625c5564f5178fff5bd5753ddc6808e52f44838e14ba8a

Filesize: 168KB
MD5: 14523da205c2d3bdfc27917b8654c3a3
SHA1: 25eeba50e052500db4f644c47b029347ccb82543
SHA256: 1cadcf5ce6457158444b2829d10dc8a65f0c88498ad31e1162ecb64744e93285
SHA512: 1e21566c55ce16a1001c617194175cb60eea1addd3054d62827ca4e298809b3e09e8545c0ef13ee23cb594e47bd3fae45ae6484d0e145e95096b51d97e8c4bc9

Filesize: 168KB
MD5: 6f709c40613213d9697bae4d07aefd52
SHA1: 8e40d14cfb7d59ff4615e2d95d87d8049b21e905
SHA256: 029b9bacec91a9e24abec7a8ed75620ca94d4fec3624c29c42cce5fb2f431914
SHA512: 68dba71f7058d705c47a3ee0748f4ef5b4bae067340758332703658c7444c9c2f0b028f313aa96080de1247d79ca0cd21c61f0542ccc4d874eb3d2f451ef7570

Filesize: 168KB
MD5: 5de47c55a843866b26900c5e72b932db
SHA1: 80d5e75394f7b8f0e7baeb9c652ff95476e9f2a3
SHA256: fd8f7722f687e73dc8fb222e2bb62b573375c79f242ec08de4c6770948a6407a
SHA512: e01aa63e36ce4b6057b8be4533f2fd3fdac0631ebafef1e10ecedeb4c82910848b5f180e1cf06d806b17a630e05adacd34e718933979c9a0111dca8ae8efe78a

Filesize: 168KB
MD5: 9cc922f34c35da7811305abe5d5d9d8a
SHA1: 20a187ed0742238eba88cd2f6e954acdbf4ce93c
SHA256: 1d8f18a26802c29a40ceae2225eb93d02efcfcef78f757bf19b1e912463e6ed2
SHA512: 9d1a9650813d040eefcf6e1a2f746226feeacdb2355b940ab6089301c380730b71a31455d60ed794e92c817a27c950dd9e0d5b09cbc389d9feb1d0073b6ad303

Filesize: 168KB
MD5: 92260aad30abc24d4d2867afaa505ce9
SHA1: 1df1f4a694af652584907a3c5b345974f3e40428
SHA256: d631c247f56230d194dfbb762a4d951125faa05408a76401198c0ea07f202516
SHA512: bc37a39f597c411bf76f71d69ed1c7be85a1407b1be167e8efb676c6d42851b7ad52b0b7b4962a8f2a14be9da10e949f7cd3cd9340a8481fa15a2f98bc6da336

Filesize: 168KB
MD5: f7fb956999653c261c27295a0a3d7edf
SHA1: 41e51c1f0529987f83b62d48813f4d4952bfd5fe
SHA256: d9f2f990b6dc806da9360ef1fd3c69f7e496b42ff0569ceabe05acb20af7230e
SHA512: d9a5e36665a574575880405043c5a732ebf14d8a39ac43d3152c579001decc849276af2f9b3b12529f4bacbb10bb9916acae3da9953a4d1e155daaae631a4662

Filesize: 168KB
MD5: 123fe34a2bd0b0bee2518ac2b0e11567
SHA1: b6887013c8ec63f52c769d0ce24936eab057e8a0
SHA256: 987b7f223f4a06e63dac73ef1a934ea2073c24b23a30d346dfbe008a82d277c1
SHA512: 164ff8cfeff64213cbb428b5599d2bc8e4cd3349b260bd41b32150db8e80acb87287eee2593350df47b5b7d143ee390916e395efc519b938fc23e2c1c7a2861a

Filesize: 168KB
MD5: 5615a4d17c4d6cea9351113073262b88
SHA1: fb56aaa89c14305a18f4abfec4896be05c088f95
SHA256: cc14e8a1b82f9129745fc36b4fe11d05d09ca7f5df995ec9d8591fd8b6fd3563
SHA512: 2eb625299608ee3fc8f4dfa51bdca07a1479acdc4c0fd8c3ad11f74f1e64a0184e1d2ad1a3cecd7c1d7fe4e7860c1dee4fc7e758bf8f482231bfcd96251389a9