5411a9d00394116da1ce495f38e602037a92a7e42c63ca57c7a8a612b24ca968

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
Size

380KB
MD5

43cd328aa4fd5269508d217deaff4dca
SHA1

93d0c9900fb63851d012cbe6609779dde7fe4267
SHA256

5411a9d00394116da1ce495f38e602037a92a7e42c63ca57c7a8a612b24ca968
SHA512

f1449a006b221a4de0db697854541ffccc9484f012a39afef930fbdc71505168614e25222d72e409e75f4d4bddde5daeef8cf5036003564cd5898ad645c76354
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG+l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{16632D65-4835-4717-9353-1933CAB0733E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{16632D65-4835-4717-9353-1933CAB0733E}.exe{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE9EE54-FE17-4856-887C-738D944CEF57}	{16632D65-4835-4717-9353-1933CAB0733E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E6C834-1457-47d7-836B-89AC78CA82B7}\stubpath = "C:\\Windows\\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe"	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1CA536-1E1E-4686-9C7E-9215038695D9}	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00BB82D-760D-4c97-91A9-6F5B995510AB}\stubpath = "C:\\Windows\\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe"	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}\stubpath = "C:\\Windows\\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe"	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF2B61E-701A-4581-89CC-191A0A516ED2}\stubpath = "C:\\Windows\\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe"	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16632D65-4835-4717-9353-1933CAB0733E}\stubpath = "C:\\Windows\\{16632D65-4835-4717-9353-1933CAB0733E}.exe"	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26E6958C-176B-4e33-A80E-3480E58CD5F8}	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24B6052-16B7-48ca-ADB8-E2089327381B}	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF2B61E-701A-4581-89CC-191A0A516ED2}	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}\stubpath = "C:\\Windows\\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe"	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00BB82D-760D-4c97-91A9-6F5B995510AB}	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16632D65-4835-4717-9353-1933CAB0733E}	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}\stubpath = "C:\\Windows\\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe"	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24B6052-16B7-48ca-ADB8-E2089327381B}\stubpath = "C:\\Windows\\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe"	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}\stubpath = "C:\\Windows\\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe"	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26E6958C-176B-4e33-A80E-3480E58CD5F8}\stubpath = "C:\\Windows\\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe"	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E6C834-1457-47d7-836B-89AC78CA82B7}	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1CA536-1E1E-4686-9C7E-9215038695D9}\stubpath = "C:\\Windows\\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe"	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE9EE54-FE17-4856-887C-738D944CEF57}\stubpath = "C:\\Windows\\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe"	{16632D65-4835-4717-9353-1933CAB0733E}.exe

Executes dropped EXE 12 IoCs

Processes:

{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe{16632D65-4835-4717-9353-1933CAB0733E}.exe{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe

pid	process
1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe
4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
2884	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
4184	{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe

Drops file in Windows directory 12 IoCs

Processes:

{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe{16632D65-4835-4717-9353-1933CAB0733E}.exe{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe

description	ioc	process
File created	C:\Windows\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
File created	C:\Windows\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
File created	C:\Windows\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
File created	C:\Windows\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
File created	C:\Windows\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
File created	C:\Windows\{16632D65-4835-4717-9353-1933CAB0733E}.exe	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
File created	C:\Windows\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
File created	C:\Windows\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
File created	C:\Windows\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
File created	C:\Windows\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	{16632D65-4835-4717-9353-1933CAB0733E}.exe
File created	C:\Windows\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
File created	C:\Windows\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe{16632D65-4835-4717-9353-1933CAB0733E}.exe{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
Token: SeIncBasePriorityPrivilege	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
Token: SeIncBasePriorityPrivilege	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
Token: SeIncBasePriorityPrivilege	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
Token: SeIncBasePriorityPrivilege	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
Token: SeIncBasePriorityPrivilege	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe
Token: SeIncBasePriorityPrivilege	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
Token: SeIncBasePriorityPrivilege	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
Token: SeIncBasePriorityPrivilege	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
Token: SeIncBasePriorityPrivilege	4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
Token: SeIncBasePriorityPrivilege	2884	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1696 wrote to memory of 1096	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
PID 1696 wrote to memory of 1096	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
PID 1696 wrote to memory of 1096	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
PID 1696 wrote to memory of 392	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	cmd.exe
PID 1696 wrote to memory of 392	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	cmd.exe
PID 1696 wrote to memory of 392	1696	2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe	cmd.exe
PID 1096 wrote to memory of 3744	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
PID 1096 wrote to memory of 3744	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
PID 1096 wrote to memory of 3744	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
PID 1096 wrote to memory of 1152	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	cmd.exe
PID 1096 wrote to memory of 1152	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	cmd.exe
PID 1096 wrote to memory of 1152	1096	{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe	cmd.exe
PID 3744 wrote to memory of 1556	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
PID 3744 wrote to memory of 1556	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
PID 3744 wrote to memory of 1556	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
PID 3744 wrote to memory of 1756	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	cmd.exe
PID 3744 wrote to memory of 1756	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	cmd.exe
PID 3744 wrote to memory of 1756	3744	{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe	cmd.exe
PID 1556 wrote to memory of 2776	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
PID 1556 wrote to memory of 2776	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
PID 1556 wrote to memory of 2776	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
PID 1556 wrote to memory of 556	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	cmd.exe
PID 1556 wrote to memory of 556	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	cmd.exe
PID 1556 wrote to memory of 556	1556	{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe	cmd.exe
PID 2776 wrote to memory of 3668	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
PID 2776 wrote to memory of 3668	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
PID 2776 wrote to memory of 3668	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
PID 2776 wrote to memory of 740	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	cmd.exe
PID 2776 wrote to memory of 740	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	cmd.exe
PID 2776 wrote to memory of 740	2776	{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe	cmd.exe
PID 3668 wrote to memory of 2208	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	{16632D65-4835-4717-9353-1933CAB0733E}.exe
PID 3668 wrote to memory of 2208	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	{16632D65-4835-4717-9353-1933CAB0733E}.exe
PID 3668 wrote to memory of 2208	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	{16632D65-4835-4717-9353-1933CAB0733E}.exe
PID 3668 wrote to memory of 5104	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	cmd.exe
PID 3668 wrote to memory of 5104	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	cmd.exe
PID 3668 wrote to memory of 5104	3668	{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe	cmd.exe
PID 2208 wrote to memory of 4848	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
PID 2208 wrote to memory of 4848	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
PID 2208 wrote to memory of 4848	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
PID 2208 wrote to memory of 4504	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	cmd.exe
PID 2208 wrote to memory of 4504	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	cmd.exe
PID 2208 wrote to memory of 4504	2208	{16632D65-4835-4717-9353-1933CAB0733E}.exe	cmd.exe
PID 4848 wrote to memory of 3412	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
PID 4848 wrote to memory of 3412	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
PID 4848 wrote to memory of 3412	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
PID 4848 wrote to memory of 636	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	cmd.exe
PID 4848 wrote to memory of 636	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	cmd.exe
PID 4848 wrote to memory of 636	4848	{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe	cmd.exe
PID 3412 wrote to memory of 3332	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
PID 3412 wrote to memory of 3332	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
PID 3412 wrote to memory of 3332	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
PID 3412 wrote to memory of 856	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	cmd.exe
PID 3412 wrote to memory of 856	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	cmd.exe
PID 3412 wrote to memory of 856	3412	{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe	cmd.exe
PID 3332 wrote to memory of 4468	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
PID 3332 wrote to memory of 4468	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
PID 3332 wrote to memory of 4468	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
PID 3332 wrote to memory of 3168	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	cmd.exe
PID 3332 wrote to memory of 3168	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	cmd.exe
PID 3332 wrote to memory of 3168	3332	{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe	cmd.exe
PID 4468 wrote to memory of 2884	4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
PID 4468 wrote to memory of 2884	4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
PID 4468 wrote to memory of 2884	4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
PID 4468 wrote to memory of 1696	4468	{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_43cd328aa4fd5269508d217deaff4dca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
C:\Windows\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
C:\Windows\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
C:\Windows\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C00BB~1.EXE > nul
5⤵
PID:556

C:\Windows\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
C:\Windows\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
C:\Windows\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\{16632D65-4835-4717-9353-1933CAB0733E}.exe
C:\Windows\{16632D65-4835-4717-9353-1933CAB0733E}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
C:\Windows\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
C:\Windows\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
C:\Windows\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
C:\Windows\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
C:\Windows\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe
C:\Windows\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe
13⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86E6C~1.EXE > nul
13⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A24B6~1.EXE > nul
12⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E30AE~1.EXE > nul
11⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{26E69~1.EXE > nul
10⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ABE9E~1.EXE > nul
9⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16632~1.EXE > nul
8⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF2B~1.EXE > nul
7⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E9F9~1.EXE > nul
6⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD9D~1.EXE > nul
4⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8EC4~1.EXE > nul
3⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E9F9480-CDAF-4c45-86A0-C7B3CA3E3064}.exe

Filesize
380KB

MD5
252ab7e2e2c61489dbd3f0f573bafd95

SHA1
6bae62a44ff9b2b2daef416bc2022f699c586565

SHA256
c69a2f05486f14452ecc046ed9a6cb2d06bd817df6b2e3082ec420f6bb0338cf

SHA512
5b2b847483509ddab6bb9686965ef892c5c3bba72b191579810662594a9d6f80202cd2a7d1419d871b672430a2f3fc6e9a42e7f561f4cff68ea6f8d9ec4e74fa

Download Submit
C:\Windows\{16632D65-4835-4717-9353-1933CAB0733E}.exe

Filesize
380KB

MD5
ebfb298e491171b786b134b1725595cd

SHA1
59f41a9281fcad14ebd61848c33e4ee73f0c6b62

SHA256
9d25fe52859465ef605c75e35dd59bf10633cbb343c2978742cbfea6f8e46c6b

SHA512
e52b63495c9d8ba0b4db1df2df8e336b703b315f8768b452bd99de1f55aad524c4d5c19df03cfbdd0142149d730082205902d004c3d1292cf383c7ad9501c050

Download Submit
C:\Windows\{26E6958C-176B-4e33-A80E-3480E58CD5F8}.exe

Filesize
380KB

MD5
d868e5f25aa59939e4b5fd39ab60b92b

SHA1
13dbb2399d00a2240757b35be5974177d85acca4

SHA256
93693dad239e6b730b2119b48a850035f5ad6d8b4e1ecfd67af8841f27795f7c

SHA512
7ab5d37f2ec35396f6b8fc2e61a7d16602679b950f9bdcdc2d85497576921d9345f2d08186878365fd2752bfeedbffeb88a7abe76cb4b57d73c9cba95d1fbbba

Download Submit
C:\Windows\{6FF2B61E-701A-4581-89CC-191A0A516ED2}.exe

Filesize
380KB

MD5
55c662d82bf7cebb63ad92df5fd1d0be

SHA1
c0dd4e32b783bbc6516a9b6c324b3915422fa78a

SHA256
06612aeb7ffbc85b772611713ffcac23773bf9b8ad14a670bba7ea6526d8295d

SHA512
60cf200bd4e5dabf2a2f193c69eb79c6c9d969d83ed538065904f4fea31895232363688ad3bc221d1536ea44d547286c2a52fe26aaecd7fb477b43f8a3e06948

Download Submit
C:\Windows\{7DD9DE63-262F-41a1-ACC6-276AAC676E48}.exe

Filesize
380KB

MD5
44cd2232102db4fb1c8a2fcb8c4deb5c

SHA1
7f5b05477a609830fb02be6d3cdc3a881978937e

SHA256
aba4afa51cdff4369528e306f552d954e5df15d8a3dcbe9e0f30f4911ac8dc36

SHA512
3e8f12358e2da84a055b7e6a7dc39aa923d006838df49e0c1669acd8ab5b99b3c42e214b381a35f10d0e04cd0ca810629aa4650424c2e30c2346e4b42ad7126e

Download Submit
C:\Windows\{86E6C834-1457-47d7-836B-89AC78CA82B7}.exe

Filesize
380KB

MD5
473cd7f203741bb63cedfb624f48b992

SHA1
b5ae393899bebb62612505c5c2034731c58b39df

SHA256
f1f4aefc4ca8943ed254337aae0ca39cff496073c851b030d1a28fca1f821e40

SHA512
01611aee05bf596751acb9c805775862410a4b7f8357c7f9abba969b30d55253c1da2cc72001708cbca5e1574dc3815f69070330677780de75115082f8c89047

Download Submit
C:\Windows\{A24B6052-16B7-48ca-ADB8-E2089327381B}.exe

Filesize
380KB

MD5
485acfbc8ed0c5da9cf5bb6d5b0c76b0

SHA1
675dcd860845bbbab8f630d33f11ba7ddba4f2d3

SHA256
e7796dce8e73b1d52f4c7ea798e014707715be91f7d8f4f61c72517cc20eb1b2

SHA512
319824f2c45b4b92c8581ba56d78986dc7b7b714cc733ce6221f8ad01ad05a19e22cc512e94a5164fe5cd1ce36c2bb6a446364329198c1ca0d6fe2f6bfb042c1

Download Submit
C:\Windows\{ABE9EE54-FE17-4856-887C-738D944CEF57}.exe

Filesize
380KB

MD5
f83c10e346e1778ef45ffda249189dc1

SHA1
d7b194baa22443fcfb7b47caa73b09c12f3d5280

SHA256
d77bf9580692d61f0ed0f8776931ed8522ceb96b7ebdf4cfb24882e231ef3249

SHA512
b07eb0c0c185ad464531730b76d79f2a3d4b69059e545715c29e35035b17737d82620b5f78405bd290c87c81280dbe6e87770087a7ae18f4effa93f6cee73d80

Download Submit
C:\Windows\{C00BB82D-760D-4c97-91A9-6F5B995510AB}.exe

Filesize
380KB

MD5
5301f43fe422546e1d9920e8b6a20e5a

SHA1
b1af52cbf0ef2dd78ceae3783bb10c005209f496

SHA256
e33bff8499b58b81a3511c1a12ec216da3307f7b47b4cd9d89592c5458209b78

SHA512
4433fe71a1203ec0b8ad29c07c49fe7e1d2a8425bb8a3e41bbcb38db304d156400d7e1f950efbcd84056e831a0d8efe2b041c4ef3f8b397e492c902acdef1b0e

Download Submit
C:\Windows\{DA1CA536-1E1E-4686-9C7E-9215038695D9}.exe

Filesize
380KB

MD5
c04a8a902f2c1596009b6e5e06604621

SHA1
49cbef55c30bc315c288e6e91b4452cdf917f27d

SHA256
8759858787e5028bb06ee0764d6bb67d5ee8af6b7534f8b45a7cfd847cbc732a

SHA512
dd172943466c568ab760f091202fb7c0d79e1a3f60e456b6a50dd0a05325f8cbe3ab5c29ac2c3d068d17e46d7b0220db6f36824b59b07b6c6f538b4f2a643a22

Download Submit
C:\Windows\{E30AEA84-77BF-4183-A8DA-C97EDD8061C8}.exe

Filesize
380KB

MD5
98dd2fff00c73b297bf4a469a07705c9

SHA1
db7961bbaf371b6b03e6aeb33313fab723043719

SHA256
c1bd67b60da8816614510b49d6191fbb072e0702fd070a5415b00f23c3129ce3

SHA512
a335677589d80a8d7884eb80e49fa59cf7dee1a2bf252cfbcce26bb406a51091f78099f44b1156037a982d0fdfa3951686079738b342d6fd22a6c1920fe26713

Download Submit
C:\Windows\{E8EC49B8-0BE9-4ae3-B933-57CD676EC8BA}.exe

Filesize
380KB

MD5
a6496ccd060f22a11ed4f483f85a73b2

SHA1
6cc2fa9f341a1b2f238d7042213ea0345372a8e5

SHA256
d193d6b1777be052f925a4773414aae64cad9371bf32b33245234ae1e6858801

SHA512
8fc9ecdf5d006f65e2f8bd8865b8750b166ab2ecdbbcb1944815161bc8a1488fbc152a80837dbcdbbfac9269a2188d30b43934c230b3bcf07ec0002c597a3fc6

Download Submit