22de54ad113b07bfb7a1f2966e17322254cb27ce5a33d655218164266bef3474

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
Size

408KB
MD5

d5e94ad4088a84c77873b59c9b6a07f5
SHA1

5a2bd61547b7f431a40106c8d77617f639861ebc
SHA256

22de54ad113b07bfb7a1f2966e17322254cb27ce5a33d655218164266bef3474
SHA512

1d266a34f976dd98b6cc5b9bb4e06fb8499bf92a05a46cc2cc3d41aff7c23b77051ef2045ad28d960a3af42904919b39c31cfb1295cab988d8900d1ddc352ee6
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{61513520-C60F-472b-9C61-B586341DCD12}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe{61513520-C60F-472b-9C61-B586341DCD12}.exe{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2688AB7E-B694-4409-8DD5-FB52733CE084}	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F356B0-BE94-4292-8D26-AA67286D0C2E}\stubpath = "C:\\Windows\\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe"	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61513520-C60F-472b-9C61-B586341DCD12}	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61513520-C60F-472b-9C61-B586341DCD12}\stubpath = "C:\\Windows\\{61513520-C60F-472b-9C61-B586341DCD12}.exe"	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD898D8A-C629-4fbf-A6C2-3FF494194780}	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}\stubpath = "C:\\Windows\\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe"	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}\stubpath = "C:\\Windows\\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe"	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}\stubpath = "C:\\Windows\\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe"	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB71160-1154-4d7b-AA3E-C00382ECA163}\stubpath = "C:\\Windows\\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe"	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9755D586-C046-49a8-8E59-B5FA48A952A1}	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}\stubpath = "C:\\Windows\\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe"	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}\stubpath = "C:\\Windows\\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe"	{61513520-C60F-472b-9C61-B586341DCD12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD898D8A-C629-4fbf-A6C2-3FF494194780}\stubpath = "C:\\Windows\\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe"	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB71160-1154-4d7b-AA3E-C00382ECA163}	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2688AB7E-B694-4409-8DD5-FB52733CE084}\stubpath = "C:\\Windows\\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe"	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9755D586-C046-49a8-8E59-B5FA48A952A1}\stubpath = "C:\\Windows\\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe"	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F356B0-BE94-4292-8D26-AA67286D0C2E}	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}	{61513520-C60F-472b-9C61-B586341DCD12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85EAAD03-3B88-4d37-934B-B42F309AB000}	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85EAAD03-3B88-4d37-934B-B42F309AB000}\stubpath = "C:\\Windows\\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe"	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe

Executes dropped EXE 12 IoCs

Processes:

{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe{61513520-C60F-472b-9C61-B586341DCD12}.exe{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe

pid	process
2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe
3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
3968	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
3944	{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe

Drops file in Windows directory 12 IoCs

Processes:

{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe{61513520-C60F-472b-9C61-B586341DCD12}.exe{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe

description	ioc	process
File created	C:\Windows\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
File created	C:\Windows\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	{61513520-C60F-472b-9C61-B586341DCD12}.exe
File created	C:\Windows\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
File created	C:\Windows\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
File created	C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
File created	C:\Windows\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
File created	C:\Windows\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
File created	C:\Windows\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
File created	C:\Windows\{61513520-C60F-472b-9C61-B586341DCD12}.exe	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
File created	C:\Windows\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
File created	C:\Windows\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
File created	C:\Windows\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe{61513520-C60F-472b-9C61-B586341DCD12}.exe{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
Token: SeIncBasePriorityPrivilege	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
Token: SeIncBasePriorityPrivilege	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
Token: SeIncBasePriorityPrivilege	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
Token: SeIncBasePriorityPrivilege	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe
Token: SeIncBasePriorityPrivilege	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
Token: SeIncBasePriorityPrivilege	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
Token: SeIncBasePriorityPrivilege	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
Token: SeIncBasePriorityPrivilege	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
Token: SeIncBasePriorityPrivilege	536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
Token: SeIncBasePriorityPrivilege	3968	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2928 wrote to memory of 2360	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
PID 2928 wrote to memory of 2360	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
PID 2928 wrote to memory of 2360	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
PID 2928 wrote to memory of 4152	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	cmd.exe
PID 2928 wrote to memory of 4152	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	cmd.exe
PID 2928 wrote to memory of 4152	2928	2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe	cmd.exe
PID 2360 wrote to memory of 3552	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
PID 2360 wrote to memory of 3552	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
PID 2360 wrote to memory of 3552	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
PID 2360 wrote to memory of 3772	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	cmd.exe
PID 2360 wrote to memory of 3772	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	cmd.exe
PID 2360 wrote to memory of 3772	2360	{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe	cmd.exe
PID 3552 wrote to memory of 2128	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
PID 3552 wrote to memory of 2128	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
PID 3552 wrote to memory of 2128	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
PID 3552 wrote to memory of 3224	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	cmd.exe
PID 3552 wrote to memory of 3224	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	cmd.exe
PID 3552 wrote to memory of 3224	3552	{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe	cmd.exe
PID 2128 wrote to memory of 1320	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
PID 2128 wrote to memory of 1320	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
PID 2128 wrote to memory of 1320	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
PID 2128 wrote to memory of 1996	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	cmd.exe
PID 2128 wrote to memory of 1996	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	cmd.exe
PID 2128 wrote to memory of 1996	2128	{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe	cmd.exe
PID 1320 wrote to memory of 2464	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	{61513520-C60F-472b-9C61-B586341DCD12}.exe
PID 1320 wrote to memory of 2464	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	{61513520-C60F-472b-9C61-B586341DCD12}.exe
PID 1320 wrote to memory of 2464	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	{61513520-C60F-472b-9C61-B586341DCD12}.exe
PID 1320 wrote to memory of 516	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	cmd.exe
PID 1320 wrote to memory of 516	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	cmd.exe
PID 1320 wrote to memory of 516	1320	{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe	cmd.exe
PID 2464 wrote to memory of 3700	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
PID 2464 wrote to memory of 3700	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
PID 2464 wrote to memory of 3700	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
PID 2464 wrote to memory of 3556	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	cmd.exe
PID 2464 wrote to memory of 3556	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	cmd.exe
PID 2464 wrote to memory of 3556	2464	{61513520-C60F-472b-9C61-B586341DCD12}.exe	cmd.exe
PID 3700 wrote to memory of 2544	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
PID 3700 wrote to memory of 2544	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
PID 3700 wrote to memory of 2544	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
PID 3700 wrote to memory of 1780	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	cmd.exe
PID 3700 wrote to memory of 1780	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	cmd.exe
PID 3700 wrote to memory of 1780	3700	{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe	cmd.exe
PID 2544 wrote to memory of 1332	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
PID 2544 wrote to memory of 1332	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
PID 2544 wrote to memory of 1332	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
PID 2544 wrote to memory of 1560	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	cmd.exe
PID 2544 wrote to memory of 1560	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	cmd.exe
PID 2544 wrote to memory of 1560	2544	{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe	cmd.exe
PID 1332 wrote to memory of 4924	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
PID 1332 wrote to memory of 4924	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
PID 1332 wrote to memory of 4924	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
PID 1332 wrote to memory of 4268	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	cmd.exe
PID 1332 wrote to memory of 4268	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	cmd.exe
PID 1332 wrote to memory of 4268	1332	{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe	cmd.exe
PID 4924 wrote to memory of 536	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
PID 4924 wrote to memory of 536	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
PID 4924 wrote to memory of 536	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
PID 4924 wrote to memory of 1192	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	cmd.exe
PID 4924 wrote to memory of 1192	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	cmd.exe
PID 4924 wrote to memory of 1192	4924	{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe	cmd.exe
PID 536 wrote to memory of 3968	536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
PID 536 wrote to memory of 3968	536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
PID 536 wrote to memory of 3968	536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
PID 536 wrote to memory of 3060	536	{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d5e94ad4088a84c77873b59c9b6a07f5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
C:\Windows\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
C:\Windows\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9755D~1.EXE > nul
4⤵
PID:3224

C:\Windows\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
C:\Windows\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
C:\Windows\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\{61513520-C60F-472b-9C61-B586341DCD12}.exe
C:\Windows\{61513520-C60F-472b-9C61-B586341DCD12}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
C:\Windows\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
C:\Windows\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
C:\Windows\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
C:\Windows\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
C:\Windows\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
C:\Windows\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe
C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe
13⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE89F~1.EXE > nul
13⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA79~1.EXE > nul
12⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BD898~1.EXE > nul
11⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{85EAA~1.EXE > nul
10⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF83~1.EXE > nul
9⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2420D~1.EXE > nul
8⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61513~1.EXE > nul
7⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{34F35~1.EXE > nul
6⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF02~1.EXE > nul
5⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2688A~1.EXE > nul
3⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2420DCA5-CF6A-40e6-A5C6-50C546EF5A2B}.exe

Filesize
408KB

MD5
8e33ebd80c328064a87cc741f00b467b

SHA1
6c01c48bb7b15fd4651dab87d1bcb56d61597160

SHA256
13f933b8dc0bccaa6289ed41058fc2312cf1e2bcbc592ecb1578d83875815f88

SHA512
b2bc407d682d521d573aad5270fead624c8967a2c75b13f7fd6450d805cb241b490797ca58c2682e5f4058537f4e944e9a02af07f8db7f35185a6b2b27cdf27a

Download Submit
C:\Windows\{2688AB7E-B694-4409-8DD5-FB52733CE084}.exe

Filesize
408KB

MD5
0b2b36d3e66d1b927ac82a5902587e86

SHA1
10957c655e5056c949c33c4788499a0e5d921181

SHA256
9d351ac261c0f1db6783c9cdc9870d2e35c4c5c0a04bc36d3b918cc255b9dbd6

SHA512
37b2804bbf409c025f501c5ef86c7d6eac379403f1536126e0942b7daddbf8029756fadef4d688b96d1611110e633a46492c81e03ab8282db29c26c550ed074d

Download Submit
C:\Windows\{34F356B0-BE94-4292-8D26-AA67286D0C2E}.exe

Filesize
408KB

MD5
538c188357df4a584716a446ba21033e

SHA1
8c413f54521ad6767fad086075761220357fbc58

SHA256
eb01778691ae3a2dc5cbf6337e6cf26022ec85f2045be273d7b40f57b5038fc6

SHA512
9a7b3fb654f1a40866a1483067bcedb094e29077523c9a992d1ad963db9a206c99a0ea66e5a28f9250550b27b0077929a9ae57c881985f5636abf6f1f17e15e0

Download Submit
C:\Windows\{3CF8365F-5204-45bc-9C82-1D6D9EBD0DB6}.exe

Filesize
408KB

MD5
f7cf0964e6337d3721de2898e5491d39

SHA1
624335aaf5cd69d0faa6328173342aeb64bb72ba

SHA256
80ad59f8322c324a2fe6df9e776112307ca2ab65e742c21104d3684d4b9b7554

SHA512
63b0a3c3cb98997c8d52ba153cfdbf295e45c52fe9b60a1768fb6886e1eabed1350fd2e6c6d20c2ee6e404ffab14f33612445e7b29f0e04428ef4fd44276a3cb

Download Submit
C:\Windows\{3DA79CD2-DDC8-47ae-A75A-260F6A161764}.exe

Filesize
408KB

MD5
f35d11fac063a2989b833d83f0f6ceba

SHA1
7c5818fc9f3ccf3088407743ee2b848aa0ed34f5

SHA256
b36bca5a7b025808cdd4578ddc545d7b848d0c7ecb2b9b0a5d50495470ec0079

SHA512
637494345117e190d86bb4a00a1448fc6412197f13a822cb65aa10e77468137ae7b9350c55be4366f353775846c408f7f5c7991253d2a573eac3db4a31c49a00

Download Submit
C:\Windows\{61513520-C60F-472b-9C61-B586341DCD12}.exe

Filesize
408KB

MD5
116faee81759e228dce852ed41c9b58f

SHA1
cee1a2372b7941e913b29751b69fe201a9cff055

SHA256
7348ff2e117c7169bc2ca3c2d9f8ce03fbe454f47d3890e7f0d20e69b0ad61fb

SHA512
34cf61ca8464faec86f74b15f78184572cb3ec9afcd6b2e31c2e7c78b917987b6cb320c02b7831443347d9f346ebeec09b40caf4b2b32e4280b10db9e3038459

Download Submit
C:\Windows\{85EAAD03-3B88-4d37-934B-B42F309AB000}.exe

Filesize
408KB

MD5
3f0a67de0272f0c1823832d16a130313

SHA1
f5ecd6190be336d5addb449b9587acc6479b8376

SHA256
fcd968c91b6c0d04963591ed2a81fac5783edff4b98512ebcc1f9fe6f66b6e6a

SHA512
3a21117f2cb3fdcac055aa266ad56f764c6439f685191eac8f47efd84ada11ece02dc8a6c85e8c9eeffb7183aa84378883930be1ed44ce6f2017fad83b293a41

Download Submit
C:\Windows\{9755D586-C046-49a8-8E59-B5FA48A952A1}.exe

Filesize
408KB

MD5
674e83ffe4beab9296ef469bfc24de5e

SHA1
ec7f5accfa1c812419a2a38281b3321bebd5a48e

SHA256
657ddb2afadf1a34066929194feb51c0b548469d125a96b8f1ae6d670cfcc15c

SHA512
51e7e9dc29980734f853c6f81c143a1c30a86c59239813b4e587e53fec58ccc41dfa494935894982461aa5dfd4385d7daabd86fc3e7466ed28f89e12ee0419fb

Download Submit
C:\Windows\{9DF02B0F-2A02-4a02-AEE7-6D7C568A3951}.exe

Filesize
408KB

MD5
a04a39e0cbb7a79336c6d8eda7fce672

SHA1
f0e9db59e0a10fc724da5325bc3c150aca36e47f

SHA256
9478cf6a33cbe8b746dba740e8d34e984e22ad6764551101f0b0d694eae2e690

SHA512
e4994fc1746fbf2a4196b689cf55512907407b5e96238f1a8894f1d3fd96a233d3ee62002ee3fdd8f25c02b87c7c93242b74fe8a06d0ec145c03d444b2a2e84c

Download Submit
C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe

Filesize
187KB

MD5
c4e1b7939bf74c099e91c08601287fab

SHA1
6fc03b20c4060cc4b738c0cdb3b0175c00c6a031

SHA256
f6e66aa1b019f5675d9e47a4020ed0b16a4b5778d400e78422242f269c1a6da3

SHA512
28839a14507376a01ce7ffe365895bc48e58ff9c25476dc42e02c9064b8e7876123631698e82e6231df8f49bfa6bee0a3d34f863a72573f90724db35afc901ad

Download Submit
C:\Windows\{ABB71160-1154-4d7b-AA3E-C00382ECA163}.exe

Filesize
214KB

MD5
2736b03e3333cbab8e40985689be6619

SHA1
a3f3f67cd33ebf3f0f74c1578f431d4358537da5

SHA256
587a6b2cad78ea9167ac2fed720606b1276ea4dff37436bf7c8b62c5e8e91a83

SHA512
e06e7619d158d51171cd12654ed3d1ee2732139a4eba4633f78569797540eefd1d58acb82649af058a5e3df2aae246bf66a9057502ae3fc0e060875fdfcd44d3

Download Submit
C:\Windows\{BD898D8A-C629-4fbf-A6C2-3FF494194780}.exe

Filesize
408KB

MD5
5fe674a389b8708914092cf480148f9c

SHA1
b501fe18c6c200119d572e89f92707b0df6bc0fb

SHA256
1062fa9371eba08a5008403cd6dc1eb982b44f117318ec559c8067df0f8e1305

SHA512
acf83e7fd14d4382ae6818ef3b96d9e0d4b35cd31761186d5461b1f9a96695e69c7bdaea920f2d2fa9c47a7e19dfd93b8a07917743724933969740603c5042a8

Download Submit
C:\Windows\{DE89F7F4-38D8-45b9-AC37-D0A4A79F4A5E}.exe

Filesize
408KB

MD5
b70a0b82ba913428ab4b07b3f5473861

SHA1
62902f2c6c1e65177f4b4b3b51034179f4c0340c

SHA256
5c9b49b9f465095aa95615604402d4e78de983a257303bc324326d08da791477

SHA512
ee92cb034be77ddd6f28f12842ea9e4602956baefdc4b0d2583b7d8a7a74f6234964466036058f4a38c63778438090680236f70401900e638182b08064ef72e9

Download Submit