Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 18:24
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
- Size: 380KB
- MD5: 8c67995833d225fec4058ef2767ccfc3
- SHA1: 86a19b8865a11660c4f7124cfb9acb5343aab9a6
- SHA256: 40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90
- SHA512: 945aae6b041e6fb6f0481f9a8098155705ff11e7bbed8dd07a2d00d1e51dfb5c1a14e47e3900be66aefa274dace6a274cd61d1ccb5609fcdf804fe649eb291d4
- SSDEEP: 3072:mEGh0oxlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGTl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
- Auto-generated rule (12 IoCs; resource: yara_rule)
  - behavioral1/files/0x000900000001227e-4.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x000a000000015c49-12.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0026000000015c93-19.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0004000000004ed7-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x000300000000b1f3-33.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0025000000015caf-40.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x000400000000b1f3-47.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0026000000015caf-54.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0012000000015d9a-61.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0027000000015caf-68.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0007000000015e5b-75.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
  - behavioral1/files/0x0028000000015caf-82.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- Modifies Installed Components in the registry (2 TTPs, 24 IoCs; description, ioc, process)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49} (process: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6104DD92-11ED-40af-AC72-F522DD4B55D8}\stubpath = "C:\\Windows\\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe" (process: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9} (process: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C3E774-59E5-4ff5-B687-FE701689EB14} (process: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}\stubpath = "C:\\Windows\\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe" (process: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C07498-8388-467a-B213-9B5115E20186} (process: {CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59215EA6-93A1-40dc-A8F7-E0214AAAD562} (process: {B8C07498-8388-467a-B213-9B5115E20186}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2} (process: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}\stubpath = "C:\\Windows\\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe" (process: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}\stubpath = "C:\\Windows\\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe" (process: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6104DD92-11ED-40af-AC72-F522DD4B55D8} (process: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}\stubpath = "C:\\Windows\\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe" (process: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}\stubpath = "C:\\Windows\\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe" (process: {0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C} (process: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1} (process: {0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}\stubpath = "C:\\Windows\\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe" (process: {B8C07498-8388-467a-B213-9B5115E20186}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1} (process: {59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}\stubpath = "C:\\Windows\\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe" (process: {59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0} (process: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}\stubpath = "C:\\Windows\\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe" (process: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C3E774-59E5-4ff5-B687-FE701689EB14}\stubpath = "C:\\Windows\\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe" (process: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B9D4CFD-2966-4eed-8442-A0811AFABA47} (process: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C07498-8388-467a-B213-9B5115E20186}\stubpath = "C:\\Windows\\{B8C07498-8388-467a-B213-9B5115E20186}.exe" (process: {CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}\stubpath = "C:\\Windows\\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe" (process: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe)
- Deletes itself (1 IoC; pid, process)
  - PID 2088: cmd.exe
- Executes dropped EXE (12 IoCs; pid, process)
  - PID 3000: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
  - PID 2548: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
  - PID 2420: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
  - PID 2388: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
  - PID 2784: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
  - PID 2136: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
  - PID 1184: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
  - PID 1472: {0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
  - PID 1396: {CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
  - PID 2252: {B8C07498-8388-467a-B213-9B5115E20186}.exe
  - PID 2320: {59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
  - PID 816: {FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe
- Drops file in Windows directory (12 IoCs; description, ioc, process)
  - File created: C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe (process: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe)
  - File created: C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe (process: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe)
  - File created: C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe (process: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe)
  - File created: C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe (process: {0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe)
  - File created: C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe (process: {CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe)
  - File created: C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe (process: {59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe)
  - File created: C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe (process: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe)
  - File created: C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe (process: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe)
  - File created: C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe (process: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe)
  - File created: C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe (process: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe)
  - File created: C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe (process: {B8C07498-8388-467a-B213-9B5115E20186}.exe)
  - File created: C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe (process: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe)
- Suspicious use of AdjustPrivilegeToken (12 IoCs; description, pid, process)
  - Token: SeIncBasePriorityPrivilege, PID 3048: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
  - Token: SeIncBasePriorityPrivilege, PID 3000: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2548: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2420: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2388: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2784: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2136: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
  - Token: SeIncBasePriorityPrivilege, PID 1184: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
  - Token: SeIncBasePriorityPrivilege, PID 1472: {0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
  - Token: SeIncBasePriorityPrivilege, PID 1396: {CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2252: {B8C07498-8388-467a-B213-9B5115E20186}.exe
  - Token: SeIncBasePriorityPrivilege, PID 2320: {59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
- Suspicious use of WriteProcessMemory (64 IoCs; description, pid, process, procid_target; every write is logged four times in the report and is listed once here with its count)
  - PID 3048 wrote to memory of 3000 (process: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe, procid_target 28) x4
  - PID 3048 wrote to memory of 2088 (process: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe, procid_target 29) x4
  - PID 3000 wrote to memory of 2548 (process: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe, procid_target 30) x4
  - PID 3000 wrote to memory of 2412 (process: {1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe, procid_target 31) x4
  - PID 2548 wrote to memory of 2420 (process: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe, procid_target 34) x4
  - PID 2548 wrote to memory of 2480 (process: {0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe, procid_target 35) x4
  - PID 2420 wrote to memory of 2388 (process: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe, procid_target 36) x4
  - PID 2420 wrote to memory of 1636 (process: {F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe, procid_target 37) x4
  - PID 2388 wrote to memory of 2784 (process: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe, procid_target 38) x4
  - PID 2388 wrote to memory of 2392 (process: {6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe, procid_target 39) x4
  - PID 2784 wrote to memory of 2136 (process: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe, procid_target 40) x4
  - PID 2784 wrote to memory of 2816 (process: {87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe, procid_target 41) x4
  - PID 2136 wrote to memory of 1184 (process: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe, procid_target 42) x4
  - PID 2136 wrote to memory of 664 (process: {9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe, procid_target 43) x4
  - PID 1184 wrote to memory of 1472 (process: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe, procid_target 44) x4
  - PID 1184 wrote to memory of 2732 (process: {A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe, procid_target 45) x4
Processes (tree; [n] is the nesting depth, each entry gives image path, PID, command line and matched signatures)
- [1] C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe (PID 3048)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"
  signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe (PID 3000)
    command line: C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe (PID 2548)
      command line: C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe (PID 2420)
        command line: C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe (PID 2388)
          command line: C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe (PID 2784)
            command line: C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe (PID 2136)
              command line: C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - [8] C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe (PID 1184)
                command line: C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe (PID 1472)
                  command line: C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - [10] C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe (PID 1396)
                    command line: C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - [11] C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe (PID 2252)
                      command line: C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe
                      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - [12] C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe (PID 2320)
                        command line: C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
                        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - [13] C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe (PID 816)
                          command line: C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe
                          signatures: Executes dropped EXE
                        - [13] C:\Windows\SysWOW64\cmd.exe (PID 2112)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59215~1.EXE > nul
                      - [12] C:\Windows\SysWOW64\cmd.exe (PID 616)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C07~1.EXE > nul
                    - [11] C:\Windows\SysWOW64\cmd.exe (PID 2036)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE21~1.EXE > nul
                  - [10] C:\Windows\SysWOW64\cmd.exe (PID 3056)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9D4~1.EXE > nul
                - [9] C:\Windows\SysWOW64\cmd.exe (PID 2732)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C3E~1.EXE > nul
              - [8] C:\Windows\SysWOW64\cmd.exe (PID 664)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9133B~1.EXE > nul
            - [7] C:\Windows\SysWOW64\cmd.exe (PID 2816)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{87431~1.EXE > nul
          - [6] C:\Windows\SysWOW64\cmd.exe (PID 2392)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6104D~1.EXE > nul
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 1636)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F33C5~1.EXE > nul
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2480)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB47~1.EXE > nul
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2412)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBA4~1.EXE > nul
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2088)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads