Analysis
max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
Size: 344KB
MD5: 02df46e8c5329e63f5ec9bf636f35022
SHA1: 39c38efbaf16218991bc24267b70355f90731b9a
SHA256: 81a487f5327b4005b040996fbcdc64b9d9e70023f47d3bfcf57f93d762a55a47
SHA512: 6e1211682b49f5de51952eb5f0545b80a33210e32b0ad1dd09f88d2ad0c3d45d88fe9b5e287a09dedc9cf1e33f96a9c89e1d90f96344e83415b9e76e4ce45cb2
SSDEEP: 3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule 12 IoCs
| resource | yara_rule |
|---|---|
| behavioral2/files/0x0008000000023243-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b000000023249-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000800000002324c-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000300000001e759-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000900000002324c-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000400000001e759-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a00000002324c-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000500000001e759-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b00000002324c-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000600000001e759-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000023248-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000700000001e759-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry 2 TTPs 24 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}\stubpath = "C:\\Windows\\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe" | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD} | {D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC689295-DDC6-4101-BD61-EA5837D77485} | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{267F06CF-ED21-422d-B770-4A2701D7B694} | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{267F06CF-ED21-422d-B770-4A2701D7B694}\stubpath = "C:\\Windows\\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe" | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94363654-19F7-4678-8B07-D5CD65D36F09}\stubpath = "C:\\Windows\\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe" | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}\stubpath = "C:\\Windows\\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe" | {1E839587-FE50-4d42-A95C-8612D512782B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC689295-DDC6-4101-BD61-EA5837D77485}\stubpath = "C:\\Windows\\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe" | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6} | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}\stubpath = "C:\\Windows\\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe" | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55} | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E839587-FE50-4d42-A95C-8612D512782B}\stubpath = "C:\\Windows\\{1E839587-FE50-4d42-A95C-8612D512782B}.exe" | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA14B5E8-4534-4e66-8D75-F022991DA23C} | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94363654-19F7-4678-8B07-D5CD65D36F09} | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080} | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}\stubpath = "C:\\Windows\\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe" | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}\stubpath = "C:\\Windows\\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe" | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E839587-FE50-4d42-A95C-8612D512782B} | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D11CD935-48D4-482f-904B-5A7A29BAEEE9} | {1E839587-FE50-4d42-A95C-8612D512782B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}\stubpath = "C:\\Windows\\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe" | {D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA14B5E8-4534-4e66-8D75-F022991DA23C}\stubpath = "C:\\Windows\\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe" | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C} | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}\stubpath = "C:\\Windows\\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe" | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D} | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe |
Executes dropped EXE 12 IoCs
| pid | Process |
|---|---|
| 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe |
| 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe |
| 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe |
| 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe |
| 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe |
| 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe |
| 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe |
| 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe |
| 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe |
| 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe |
| 808 | {D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe |
| 3392 | {E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe |
Drops file in Windows directory 12 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe |
| File created | C:\Windows\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe |
| File created | C:\Windows\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe | {1E839587-FE50-4d42-A95C-8612D512782B}.exe |
| File created | C:\Windows\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe | {D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe |
| File created | C:\Windows\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe |
| File created | C:\Windows\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe |
| File created | C:\Windows\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe |
| File created | C:\Windows\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe |
| File created | C:\Windows\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe |
| File created | C:\Windows\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe |
| File created | C:\Windows\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe |
| File created | C:\Windows\{1E839587-FE50-4d42-A95C-8612D512782B}.exe | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe |
Suspicious use of AdjustPrivilegeToken 12 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe |
| Token: SeIncBasePriorityPrivilege | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe |
| Token: SeIncBasePriorityPrivilege | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe |
| Token: SeIncBasePriorityPrivilege | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe |
| Token: SeIncBasePriorityPrivilege | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe |
| Token: SeIncBasePriorityPrivilege | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe |
| Token: SeIncBasePriorityPrivilege | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe |
| Token: SeIncBasePriorityPrivilege | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe |
| Token: SeIncBasePriorityPrivilege | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe |
| Token: SeIncBasePriorityPrivilege | 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe |
| Token: SeIncBasePriorityPrivilege | 808 | {D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1792 wrote to memory of 1012 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 92 |
| PID 1792 wrote to memory of 1012 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 92 |
| PID 1792 wrote to memory of 1012 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 92 |
| PID 1792 wrote to memory of 1164 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 93 |
| PID 1792 wrote to memory of 1164 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 93 |
| PID 1792 wrote to memory of 1164 | 1792 | 2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe | 93 |
| PID 1012 wrote to memory of 4840 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 96 |
| PID 1012 wrote to memory of 4840 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 96 |
| PID 1012 wrote to memory of 4840 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 96 |
| PID 1012 wrote to memory of 4852 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 97 |
| PID 1012 wrote to memory of 4852 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 97 |
| PID 1012 wrote to memory of 4852 | 1012 | {BC689295-DDC6-4101-BD61-EA5837D77485}.exe | 97 |
| PID 4840 wrote to memory of 3104 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 98 |
| PID 4840 wrote to memory of 3104 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 98 |
| PID 4840 wrote to memory of 3104 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 98 |
| PID 4840 wrote to memory of 1692 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 99 |
| PID 4840 wrote to memory of 1692 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 99 |
| PID 4840 wrote to memory of 1692 | 4840 | {267F06CF-ED21-422d-B770-4A2701D7B694}.exe | 99 |
| PID 3104 wrote to memory of 2336 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 102 |
| PID 3104 wrote to memory of 2336 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 102 |
| PID 3104 wrote to memory of 2336 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 102 |
| PID 3104 wrote to memory of 4912 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 103 |
| PID 3104 wrote to memory of 4912 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 103 |
| PID 3104 wrote to memory of 4912 | 3104 | {BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe | 103 |
| PID 2336 wrote to memory of 4680 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 104 |
| PID 2336 wrote to memory of 4680 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 104 |
| PID 2336 wrote to memory of 4680 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 104 |
| PID 2336 wrote to memory of 2064 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 105 |
| PID 2336 wrote to memory of 2064 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 105 |
| PID 2336 wrote to memory of 2064 | 2336 | {94363654-19F7-4678-8B07-D5CD65D36F09}.exe | 105 |
| PID 4680 wrote to memory of 64 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 106 |
| PID 4680 wrote to memory of 64 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 106 |
| PID 4680 wrote to memory of 64 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 106 |
| PID 4680 wrote to memory of 1044 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 107 |
| PID 4680 wrote to memory of 1044 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 107 |
| PID 4680 wrote to memory of 1044 | 4680 | {D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe | 107 |
| PID 64 wrote to memory of 4380 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 108 |
| PID 64 wrote to memory of 4380 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 108 |
| PID 64 wrote to memory of 4380 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 108 |
| PID 64 wrote to memory of 4472 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 109 |
| PID 64 wrote to memory of 4472 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 109 |
| PID 64 wrote to memory of 4472 | 64 | {89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe | 109 |
| PID 4380 wrote to memory of 1244 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 110 |
| PID 4380 wrote to memory of 1244 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 110 |
| PID 4380 wrote to memory of 1244 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 110 |
| PID 4380 wrote to memory of 4216 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 111 |
| PID 4380 wrote to memory of 4216 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 111 |
| PID 4380 wrote to memory of 4216 | 4380 | {4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe | 111 |
| PID 1244 wrote to memory of 4028 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 112 |
| PID 1244 wrote to memory of 4028 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 112 |
| PID 1244 wrote to memory of 4028 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 112 |
| PID 1244 wrote to memory of 1920 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 113 |
| PID 1244 wrote to memory of 1920 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 113 |
| PID 1244 wrote to memory of 1920 | 1244 | {18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe | 113 |
| PID 4028 wrote to memory of 4044 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 114 |
| PID 4028 wrote to memory of 4044 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 114 |
| PID 4028 wrote to memory of 4044 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 114 |
| PID 4028 wrote to memory of 2576 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 115 |
| PID 4028 wrote to memory of 2576 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 115 |
| PID 4028 wrote to memory of 2576 | 4028 | {CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe | 115 |
| PID 4044 wrote to memory of 808 | 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe | 116 |
| PID 4044 wrote to memory of 808 | 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe | 116 |
| PID 4044 wrote to memory of 808 | 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe | 116 |
| PID 4044 wrote to memory of 4776 | 4044 | {1E839587-FE50-4d42-A95C-8612D512782B}.exe | 117 |
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1792
[depth 2] C:\Windows\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe
  Command line: C:\Windows\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1012
[depth 3] C:\Windows\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe
  Command line: C:\Windows\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4840
[depth 4] C:\Windows\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe
  Command line: C:\Windows\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3104
[depth 5] C:\Windows\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe
  Command line: C:\Windows\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2336
[depth 6] C:\Windows\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe
  Command line: C:\Windows\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4680
[depth 7] C:\Windows\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe
  Command line: C:\Windows\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 64
[depth 8] C:\Windows\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe
  Command line: C:\Windows\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4380
[depth 9] C:\Windows\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe
  Command line: C:\Windows\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1244
[depth 10] C:\Windows\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe
  Command line: C:\Windows\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4028
[depth 11] C:\Windows\{1E839587-FE50-4d42-A95C-8612D512782B}.exe
  Command line: C:\Windows\{1E839587-FE50-4d42-A95C-8612D512782B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4044
[depth 12] C:\Windows\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe
  Command line: C:\Windows\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 808
[depth 13] C:\Windows\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe
  Command line: C:\Windows\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe
  - Executes dropped EXE
  PID: 3392
[depth 13] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D11CD~1.EXE > nul
  PID: 1316
[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E839~1.EXE > nul
  PID: 4776
[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0A0~1.EXE > nul
  PID: 2576
[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18F6C~1.EXE > nul
  PID: 1920
[depth 9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4D344~1.EXE > nul
  PID: 4216
[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{89AF3~1.EXE > nul
  PID: 4472
[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D95~1.EXE > nul
  PID: 1044
[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{94363~1.EXE > nul
  PID: 2064
[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA14B~1.EXE > nul
  PID: 4912
[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{267F0~1.EXE > nul
  PID: 1692
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC689~1.EXE > nul
  PID: 4852
[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 1164
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 344KB
MD5: 2c5540a0f911e7db4656926c3adcfb3c
SHA1: 1df8f05a25502ff4884374ced1c6886565a5c3e5
SHA256: 3f83cebe70bcbe8d8f0821ad0c1cff4f7e18f8d73c9dacaf4e471aba9bcbab59
SHA512: aeb6afbfebbae2c7e903d5c4da1377b95fb63dbeaa20f064db391b8a336d66b3eda350620be64cb16c0e5f59c41538dcdf5438b7c90ecef39ccd9999854576ee

Filesize: 344KB
MD5: 012604ab294eec1770dfc2ded574e1ca
SHA1: 8dc865ec317649091d51fefa1b62d472d58ff580
SHA256: aa171bfbcd1dc420a0cd793b8e272e81701f1b0d288a12d6d12d68920b35924a
SHA512: 79ee7b0ea5a165c9ec0dcc7f911681abd1a1f98fd81535e27bdd07df70e888d80ad2a0a28c8fc1c561a0d31283679cb8476bd6b1fa02281776b3f4d190a62b5e

Filesize: 344KB
MD5: f3fa84d287a99cd0e097bdfc80e1a269
SHA1: bf778edbd932925473b949ae5ca00921612f9cd7
SHA256: 96ce59d2f43de6ec82263944699b4813994f38fc2768d0141ee9724fc2284f0e
SHA512: 6a6f7a06ac466b8f2f6051bb14b80a7648e69e1663fd4612677e14c3cf58b8872fe6cecff99b62ca70b2b192ef47771c3457ff2f0ca936f74af730c281769eb6

Filesize: 344KB
MD5: 825456a2bed572757822f29cef50ea80
SHA1: e6304c5ef4a2e1c0c92ec49d5a794341c0639989
SHA256: 5f742294946fe2e5d10bc96f8da81433b7f10bf23b334bd97602cd45a9200907
SHA512: 55cef6a8df85922e2d1a35e89730df1b9ceb96a598fb520a0d4ebbdaa3a9906d95c32dfac54f64eff4f75883ae5297e5cdc125b767826b0302c0d18187be83f1

Filesize: 344KB
MD5: d6cefdfccdb872b99c8e1b870e64e8f5
SHA1: d69a0d6680bd4215bc266ef47cf52d96bed7befe
SHA256: b68f5c3cc05966ee36fc3dc7957921f0c8680b8b713e4e3ef0b4a6739e177a9e
SHA512: 2bccd6a879abaa9aec5ff5e8185de6dfa1188b7b215f5e40381f4ac4c4c3c005f22dd9f6c60cd23ac1b1655e2ef0b198f6c18a451120956f1f5454cc40e15a5e

Filesize: 344KB
MD5: 372ab1ffb6ee78a1ed5a982910193973
SHA1: 19ad626b70d43014e05c82e4095e2df1dced37c5
SHA256: 013e38ba65e6ea736b5a87f46d4481036c9d728e3fdb92b317dcc6533e392ea7
SHA512: 70c96091b7b4bbfcf8cdd12d3b77d95ee97e8b651f636400e04c3273ad0dae009a63b611ed1212ed41bbd8d1402c8ca158c97768ac8e51cbaa1468d3b78b8df4

Filesize: 344KB
MD5: ee05685c7b970dcf673f9ebf062faa63
SHA1: 595ea19d139224be7bf8070596ee3ef2c182475a
SHA256: d811ce8809271bbd6600f26fc9d47d1bd37c99ceb5f582556757c4273fa5677d
SHA512: 5c5dd96cdb1578e5b8b6eed559fbe4b69e0ff1ee57a88b2cdf633ee4bbe50d093f2abcb0f3d4e0b0e6b647c3057e2de6e52a96cdfc223146ca5ac2614f64778e

Filesize: 344KB
MD5: c38f4769b4e2908dd1c7f683b0b2d7d9
SHA1: 1c2827b5ad02ead6a63a87f99e013d23a3030350
SHA256: 201523b09c288349030db4d5fab966028a6c5c599f3e141a7460624a41707b39
SHA512: eee6a7ff3d6715554865149ca700021c05f6365df9a515f0d2b9a1e4d010329b9241a9be41b8969c52e105cd28f007cd5cee7e37b2c0f65af12c416c0253a6bb

Filesize: 344KB
MD5: 0d48bd44c10744b0de2ff79ec541a324
SHA1: 7f5103cd6b18210ccff6d5dcb05c13f2d424bbae
SHA256: fc179016fc97981cad794d28927795a1d60f8203fd23d6aac9009da0e3e251e7
SHA512: 43e2633ad7ce85d5e2ae8966eed1122b0f220f11bd267eb5e6bd4f93c94c112e9ce46e61c31ade5ba5a63dca446ce1e546aff67a85e0119b82b863dd56cb97d5

Filesize: 344KB
MD5: 4148d5c79246434524345401ed06933a
SHA1: 7c6e9e6869176f33de72a81d67540e3e08c6edb6
SHA256: 97269594132ab851dfa4367cc095f89094c5eabb8e97d8db5878e9249a9d8f88
SHA512: 7059bd1bc3691873668773e86287156f03d6b18f3cd316148042bcc7e3113e228d60a3a842e5ea6efec0808893734a84843d04d7b673e5f0350bc5be1dcd939f

Filesize: 344KB
MD5: 6a79f739517b3714af643fa28751ce33
SHA1: 81a18a05a6604505bf5f3e92b46a568026ab2664
SHA256: d90d6029cb469f5f6bd62d37bb10f295596688189267cd54ed3ae3caa3ba161e
SHA512: 9e38a99d7a04cb42b569ee006e9477a7d0414e9560eef185398f85482c6695a44e315827c8f3921e3994c0c0667ed192799b869a627be3895af490ce5cdf3c0f

Filesize: 344KB
MD5: 7f0263a7db903a3ecaddd2664681564a
SHA1: 11491f4225e17811c950ee66d0ce789f05373ee4
SHA256: fa630b1440ea4dbeec213c22c86044d41b0a92b67a325e6c18c2a94c6eac9e67
SHA512: 96229b6cc09aa1115579dff15ab26b2fa9bdddf23d16864b9c1b9c1e6867d77dfc6c1af8dc671accc07d1da3c91d03d0c135a6df427dae577355d6cf0b39bf60