fbd7cd5f248fb04d5c19a76726ba7fc57aec5494f142166ed01c28da9e915359

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Size

372KB
MD5

cf588db8019232445c572ed0d1c19be6
SHA1

ead705b1b65bd3f86971868226e7cf3eb02380d4
SHA256

fbd7cd5f248fb04d5c19a76726ba7fc57aec5494f142166ed01c28da9e915359
SHA512

0835cdbff8bb272cdeeb47e2fbd7a140283bbcb3097b5870c7659d7aeee291e440d9c87e869faa651b17b4a9eabb308eb814a290355f43e4b7e70b7267c4d241
SSDEEP

3072:CEGh0oumlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG9l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D47F215-78DD-4237-95F4-E8D8BC241D21}	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A19CF3-1176-45e6-A092-A9869873CF5B}	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD876EBF-1CEA-453b-919B-110DF6D0B720}	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C71329F0-880C-44ac-BD1D-88799BA67B4B}\stubpath = "C:\\Windows\\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe"	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51FE2706-7CE4-40bd-9482-CCCDA783C930}\stubpath = "C:\\Windows\\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe"	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91625F8D-D1E0-43aa-8978-FF1C657235DF}	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C71329F0-880C-44ac-BD1D-88799BA67B4B}	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AF66F5-DB48-4fd8-A568-4430971D4416}\stubpath = "C:\\Windows\\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe"	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}\stubpath = "C:\\Windows\\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe"	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A19CF3-1176-45e6-A092-A9869873CF5B}\stubpath = "C:\\Windows\\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe"	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51FE2706-7CE4-40bd-9482-CCCDA783C930}	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D47F215-78DD-4237-95F4-E8D8BC241D21}\stubpath = "C:\\Windows\\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe"	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}\stubpath = "C:\\Windows\\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe"	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C389542E-AC79-432e-BA84-5D01E75D82D9}\stubpath = "C:\\Windows\\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe"	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD876EBF-1CEA-453b-919B-110DF6D0B720}\stubpath = "C:\\Windows\\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe"	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}\stubpath = "C:\\Windows\\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe"	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91625F8D-D1E0-43aa-8978-FF1C657235DF}\stubpath = "C:\\Windows\\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe"	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57792A25-E54C-47e4-9D44-04A7A21771D6}	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57792A25-E54C-47e4-9D44-04A7A21771D6}\stubpath = "C:\\Windows\\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe"	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C389542E-AC79-432e-BA84-5D01E75D82D9}	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AF66F5-DB48-4fd8-A568-4430971D4416}	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe

Executes dropped EXE 12 IoCs

Processes:

{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe

pid	process
860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
2944	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
1232	{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe

Drops file in Windows directory 12 IoCs

Processes:

{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe

description	ioc	process
File created	C:\Windows\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
File created	C:\Windows\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
File created	C:\Windows\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
File created	C:\Windows\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
File created	C:\Windows\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
File created	C:\Windows\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
File created	C:\Windows\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
File created	C:\Windows\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
File created	C:\Windows\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
File created	C:\Windows\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
File created	C:\Windows\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
File created	C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
Token: SeIncBasePriorityPrivilege	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
Token: SeIncBasePriorityPrivilege	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
Token: SeIncBasePriorityPrivilege	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
Token: SeIncBasePriorityPrivilege	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
Token: SeIncBasePriorityPrivilege	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
Token: SeIncBasePriorityPrivilege	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
Token: SeIncBasePriorityPrivilege	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
Token: SeIncBasePriorityPrivilege	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
Token: SeIncBasePriorityPrivilege	3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
Token: SeIncBasePriorityPrivilege	2944	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1504 wrote to memory of 860	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
PID 1504 wrote to memory of 860	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
PID 1504 wrote to memory of 860	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
PID 1504 wrote to memory of 2432	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 1504 wrote to memory of 2432	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 1504 wrote to memory of 2432	1504	2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe	cmd.exe
PID 860 wrote to memory of 4040	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
PID 860 wrote to memory of 4040	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
PID 860 wrote to memory of 4040	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
PID 860 wrote to memory of 3228	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	cmd.exe
PID 860 wrote to memory of 3228	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	cmd.exe
PID 860 wrote to memory of 3228	860	{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe	cmd.exe
PID 4040 wrote to memory of 4472	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
PID 4040 wrote to memory of 4472	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
PID 4040 wrote to memory of 4472	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
PID 4040 wrote to memory of 396	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	cmd.exe
PID 4040 wrote to memory of 396	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	cmd.exe
PID 4040 wrote to memory of 396	4040	{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe	cmd.exe
PID 4472 wrote to memory of 4420	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
PID 4472 wrote to memory of 4420	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
PID 4472 wrote to memory of 4420	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
PID 4472 wrote to memory of 1312	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	cmd.exe
PID 4472 wrote to memory of 1312	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	cmd.exe
PID 4472 wrote to memory of 1312	4472	{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe	cmd.exe
PID 4420 wrote to memory of 1360	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
PID 4420 wrote to memory of 1360	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
PID 4420 wrote to memory of 1360	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
PID 4420 wrote to memory of 4496	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	cmd.exe
PID 4420 wrote to memory of 4496	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	cmd.exe
PID 4420 wrote to memory of 4496	4420	{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe	cmd.exe
PID 1360 wrote to memory of 1004	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
PID 1360 wrote to memory of 1004	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
PID 1360 wrote to memory of 1004	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
PID 1360 wrote to memory of 1692	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	cmd.exe
PID 1360 wrote to memory of 1692	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	cmd.exe
PID 1360 wrote to memory of 1692	1360	{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe	cmd.exe
PID 1004 wrote to memory of 3336	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
PID 1004 wrote to memory of 3336	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
PID 1004 wrote to memory of 3336	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
PID 1004 wrote to memory of 512	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	cmd.exe
PID 1004 wrote to memory of 512	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	cmd.exe
PID 1004 wrote to memory of 512	1004	{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe	cmd.exe
PID 3336 wrote to memory of 2356	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
PID 3336 wrote to memory of 2356	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
PID 3336 wrote to memory of 2356	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
PID 3336 wrote to memory of 5100	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	cmd.exe
PID 3336 wrote to memory of 5100	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	cmd.exe
PID 3336 wrote to memory of 5100	3336	{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe	cmd.exe
PID 2356 wrote to memory of 2668	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
PID 2356 wrote to memory of 2668	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
PID 2356 wrote to memory of 2668	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
PID 2356 wrote to memory of 3396	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	cmd.exe
PID 2356 wrote to memory of 3396	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	cmd.exe
PID 2356 wrote to memory of 3396	2356	{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe	cmd.exe
PID 2668 wrote to memory of 3224	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
PID 2668 wrote to memory of 3224	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
PID 2668 wrote to memory of 3224	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
PID 2668 wrote to memory of 4340	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	cmd.exe
PID 2668 wrote to memory of 4340	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	cmd.exe
PID 2668 wrote to memory of 4340	2668	{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe	cmd.exe
PID 3224 wrote to memory of 2944	3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
PID 3224 wrote to memory of 2944	3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
PID 3224 wrote to memory of 2944	3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
PID 3224 wrote to memory of 4436	3224	{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_cf588db8019232445c572ed0d1c19be6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
C:\Windows\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
C:\Windows\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91625~1.EXE > nul
4⤵
PID:396

C:\Windows\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
C:\Windows\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
C:\Windows\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
C:\Windows\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
C:\Windows\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
C:\Windows\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
C:\Windows\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
C:\Windows\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
C:\Windows\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe
C:\Windows\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe
13⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD876~1.EXE > nul
13⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86A19~1.EXE > nul
12⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C3895~1.EXE > nul
11⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{15F5F~1.EXE > nul
10⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{195EB~1.EXE > nul
9⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6D47F~1.EXE > nul
8⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{57792~1.EXE > nul
7⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{04AF6~1.EXE > nul
6⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7132~1.EXE > nul
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{51FE2~1.EXE > nul
3⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04AF66F5-DB48-4fd8-A568-4430971D4416}.exe

Filesize
372KB

MD5
4d1f8714ec91cd13e061b22d7f3c2bce

SHA1
28f5fc9c30b3495ea97ebda7896ab9a6320a0ed9

SHA256
904a712675df8d360403ecccdc25a1d90a194bcf16e3198beda518a4d9ebef0d

SHA512
b5c20ed3a02c16c127627fb1f4970a3056a37fc9ea06abed1c0aa7359c82c4cf28363901e0eba334935f730860b8d59086de283b3b6b56ea10e9b7dc6b44c0ae

Download Submit
C:\Windows\{15F5F2BA-1353-4ef4-9A0F-C210B0881882}.exe

Filesize
372KB

MD5
55e122caf0783a489a79ee5e40216122

SHA1
570e6cbbb1f68bc636e0113436fac6d6d5b22774

SHA256
996f934dbc195a45ffd6e793b771c58cf813e3e3bf3332c2b76916fac24cf3b4

SHA512
8f8e586ffabd5a873bbb66033b6844881eec0eb67620d93996aa508eda66da1a8d8ed9664e7cc0bbae009b0b0595e70a5adf5763f599c7df5dc7fde63584cb33

Download Submit
C:\Windows\{195EB22D-6FB3-4cc4-ABFB-BC3B2C8C0300}.exe

Filesize
372KB

MD5
d4916d56f0277b0100c3f13ba322ffdf

SHA1
f86b0e0d3a283c6e015ec0b6d0e84b9d217ac50a

SHA256
93c49197546df7eb1427a1a233d15ec0b5b2490d85e1192ebea76252da7e5cca

SHA512
a52bf2d92c118023c103f109d5eb6409eedf296d3937e582a156d86397509377af7c3e404b933a98c970b2974b4a79c24862f3aaf49571fbccfa347b8179939c

Download Submit
C:\Windows\{51FE2706-7CE4-40bd-9482-CCCDA783C930}.exe

Filesize
372KB

MD5
efb473e734c2d1c2307896707468c8b8

SHA1
de75e7519157970d00b0b7c26496dfca92ab0884

SHA256
ad9a79676e95aecf8064d18f7d21aaeaa6e25f7d4ac62a4f86f1d78770d2abf1

SHA512
8bdba9506d403ff616ce5784735c4bfdf2732e33be0949e47373821d592c5896088e85f4b95876454ad4ea7f73540f81a498e8adee28d12f10917b4d23208cc4

Download Submit
C:\Windows\{57792A25-E54C-47e4-9D44-04A7A21771D6}.exe

Filesize
372KB

MD5
9101520470891c26c6a3c25b62289a99

SHA1
d0d8dffcc1199bddef8689d9fcf09a2748cf3dba

SHA256
12a3ea4bbf179004af3be2bf0ebec2cb206b8f8c5086c35977fd3c8d3791d4c3

SHA512
c4eb977fdf33fdeca77f9d0bbd1da3cc7039871a053df8db1ab4401103bbac6e1449a4d782e475bb429abf7a7adaccec7232c6418755ebedf0b072e0562b8231

Download Submit
C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe

Filesize
372KB

MD5
5aa6199ff5bc2127e3cb9554d73cc47d

SHA1
df3749d562601ab45c652e9294cdf5f48118a9d6

SHA256
74e29fe43c24b6625df530fc11d88be995a7686927f41b850070151103cff156

SHA512
658aa7ea7fdc09082ad26e7fadd2b7d5d829dd1de8beccd32ee869428c8884547705f0a7ea1a98c1cdae03116ec47880e820987dc203bcd3bc20131a261d312d

Download Submit
C:\Windows\{6D47F215-78DD-4237-95F4-E8D8BC241D21}.exe

Filesize
318KB

MD5
a0c633023eeb7eb04239df20b6f9b168

SHA1
732d3aab69ae2957d1c10e7addb5a96a82cbf380

SHA256
ae90dc7df571791d42136ecd412a0cc2ec607bedd98f987cad7cf2731ffd7d0c

SHA512
6156695d4f6bf7a9b65d6fd616deb3d0eb912dcedf402316dbf6fe204035d8c003c658bae50e8b0e7a4a57ae6e576f0bb076adab1c06fc01fe22cf2fd90a15a8

Download Submit
C:\Windows\{86A19CF3-1176-45e6-A092-A9869873CF5B}.exe

Filesize
372KB

MD5
5e635e19af63c292320ca0328d113711

SHA1
eae7b7ef0687e7114daae4454aa39685cdbd8f4d

SHA256
f3be43fe85cdf72d5db65dc035b196cfc6bd4b9f14ffd88161adf6fea3c8f9c1

SHA512
49d4d3882fb5e98c699b2956f0407501e35f802e497dc41a6f40348f992e8d6878a67e6ff4afb82514529540864b9438aff5ca4492c2169253fabd9fd769b620

Download Submit
C:\Windows\{91625F8D-D1E0-43aa-8978-FF1C657235DF}.exe

Filesize
372KB

MD5
88f662f2ae32ae6c20b254577dcdd529

SHA1
573db001d78c7b06c920528a717264b5ab46ca31

SHA256
333cdd6fe026054187f7e4c8c175814e4d9420d9ba61fc2ba0a7d8ff8060e300

SHA512
718edcb3ab9d28a38b95cb6b1294367a532c8eba797a6c6b9ac80c9c196442a8e08b2a88062203522018fe98ad9f5542269df575658ca37030b89c792cfac826

Download Submit
C:\Windows\{AD876EBF-1CEA-453b-919B-110DF6D0B720}.exe

Filesize
372KB

MD5
63a659296ea171fac17125597c2a8823

SHA1
60b2caa39a48ed316127962aec9a4cb7008c211f

SHA256
a9977c05720e3b85aaf0c72c7ef11f4b8287d3326a7126bda621bc20c80cd762

SHA512
5e1bb78786366ae6513c27199cf7cdce8b5ca152cabfdb32f7d8c97bdd6cb0b245bf85701842bccaa72fa8cc60ea13e0087230dda4480feb0258ca75689d11ca

Download Submit
C:\Windows\{C389542E-AC79-432e-BA84-5D01E75D82D9}.exe

Filesize
372KB

MD5
5c318258634f053b7a40f6aa324a0d38

SHA1
aeaf03b765bd86dd37890eaa8477f4bd4bd316fe

SHA256
8b8e892dcd998fbf5f3923833be76cf748ba3f2e50c5f7821208be9608e1447f

SHA512
addf5bee9aae00f77874eb37f3f1c1b943f0be35fedffcf2f9910d853ec3006061975ff8614d4e95f9b35c2ca5947422136b574494e7295b239cb22ad7781d03

Download Submit
C:\Windows\{C3E18B35-D3E7-40c3-B434-F16E5C45710F}.exe

Filesize
372KB

MD5
d66c3ecb648e7ed3910a451ffa87f5dc

SHA1
01ba318d82adbb8774fd9913f7dcfc2d981d8103

SHA256
8049abf359d8791ec8a41cea1aea1cb8efc5aa77b8124a42e67e14f692970e69

SHA512
34e33be9846b28179ee04834777a434ea3ecab9739623453870116111d5a2b5087ea373717b0f69216a95fdc1ab94080d9697849c9371cb20665caaf9983bb41

Download Submit
C:\Windows\{C71329F0-880C-44ac-BD1D-88799BA67B4B}.exe

Filesize
372KB

MD5
a35ffec2d210fe92978cbc8882fc32a0

SHA1
6a2ef51848725938b2396e1fa5633ce145a062d9

SHA256
ecd50c7bd4094d9d81e8927b7d7b925267c0824a192d8c75540bba31fd763fe4

SHA512
278f5cefd10722b6b5cb8905edae5adbc2376ee2890419a1dfcefcf0aac2f9fe43b4e99990fb2eeb9a97c0f66ccf6cebeb53782b369822e5ca27670b91079567

Download Submit