a4e3b626f048ac575678b04c9f00c9dca061c1bb724317c9c6647445e16d4ea7

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
Size

372KB
MD5

956b72f56f501efe1ccac015c107ee44
SHA1

51621389ba3e1280c768e59525aca73eae5dfa00
SHA256

a4e3b626f048ac575678b04c9f00c9dca061c1bb724317c9c6647445e16d4ea7
SHA512

35fce51c3a19223bd97a52c9c846ae0e3d03df3aaa6488185010e2a8c13d8f608be1048362098e64212f9689e39b33110cd690adaaa3bb3870fcd7b9250d1281
SSDEEP

3072:CEGh0oMmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGPl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{44899C44-5A93-4413-8B71-FDC975B33133}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D34FE282-95CC-4bca-B3A0-629924833259}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe{44899C44-5A93-4413-8B71-FDC975B33133}.exe{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe{D34FE282-95CC-4bca-B3A0-629924833259}.exe{E608E0B5-235F-4126-9C80-C216F730B71A}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2FEAAC-098E-4539-A011-2DD102A4088F}\stubpath = "C:\\Windows\\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe"	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BA14E41-3407-4439-985A-C0A5EF813F85}	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}\stubpath = "C:\\Windows\\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe"	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E608E0B5-235F-4126-9C80-C216F730B71A}\stubpath = "C:\\Windows\\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe"	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34FE282-95CC-4bca-B3A0-629924833259}\stubpath = "C:\\Windows\\{D34FE282-95CC-4bca-B3A0-629924833259}.exe"	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}\stubpath = "C:\\Windows\\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe"	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34FE282-95CC-4bca-B3A0-629924833259}	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}\stubpath = "C:\\Windows\\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe"	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2FEAAC-098E-4539-A011-2DD102A4088F}	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BA14E41-3407-4439-985A-C0A5EF813F85}\stubpath = "C:\\Windows\\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe"	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89512D5E-A980-4077-A006-D3A957A1BA9E}	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89512D5E-A980-4077-A006-D3A957A1BA9E}\stubpath = "C:\\Windows\\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe"	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E608E0B5-235F-4126-9C80-C216F730B71A}	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}\stubpath = "C:\\Windows\\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe"	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44899C44-5A93-4413-8B71-FDC975B33133}	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44899C44-5A93-4413-8B71-FDC975B33133}\stubpath = "C:\\Windows\\{44899C44-5A93-4413-8B71-FDC975B33133}.exe"	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}\stubpath = "C:\\Windows\\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe"	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}\stubpath = "C:\\Windows\\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe"	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe

Executes dropped EXE 12 IoCs

Processes:

{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe{E608E0B5-235F-4126-9C80-C216F730B71A}.exe{44899C44-5A93-4413-8B71-FDC975B33133}.exe{D34FE282-95CC-4bca-B3A0-629924833259}.exe{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe

pid	process
2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
4560	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
396	{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe

Drops file in Windows directory 12 IoCs

Processes:

2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe{44899C44-5A93-4413-8B71-FDC975B33133}.exe{D34FE282-95CC-4bca-B3A0-629924833259}.exe{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe{E608E0B5-235F-4126-9C80-C216F730B71A}.exe{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe

description	ioc	process
File created	C:\Windows\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
File created	C:\Windows\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
File created	C:\Windows\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
File created	C:\Windows\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
File created	C:\Windows\{D34FE282-95CC-4bca-B3A0-629924833259}.exe	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
File created	C:\Windows\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
File created	C:\Windows\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
File created	C:\Windows\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
File created	C:\Windows\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
File created	C:\Windows\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
File created	C:\Windows\{44899C44-5A93-4413-8B71-FDC975B33133}.exe	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
File created	C:\Windows\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe{E608E0B5-235F-4126-9C80-C216F730B71A}.exe{44899C44-5A93-4413-8B71-FDC975B33133}.exe{D34FE282-95CC-4bca-B3A0-629924833259}.exe{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
Token: SeIncBasePriorityPrivilege	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
Token: SeIncBasePriorityPrivilege	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
Token: SeIncBasePriorityPrivilege	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
Token: SeIncBasePriorityPrivilege	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
Token: SeIncBasePriorityPrivilege	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
Token: SeIncBasePriorityPrivilege	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
Token: SeIncBasePriorityPrivilege	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
Token: SeIncBasePriorityPrivilege	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
Token: SeIncBasePriorityPrivilege	1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
Token: SeIncBasePriorityPrivilege	4560	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1012 wrote to memory of 2784	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
PID 1012 wrote to memory of 2784	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
PID 1012 wrote to memory of 2784	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
PID 1012 wrote to memory of 4628	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	cmd.exe
PID 1012 wrote to memory of 4628	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	cmd.exe
PID 1012 wrote to memory of 4628	1012	2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe	cmd.exe
PID 2784 wrote to memory of 4008	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
PID 2784 wrote to memory of 4008	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
PID 2784 wrote to memory of 4008	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
PID 2784 wrote to memory of 4672	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	cmd.exe
PID 2784 wrote to memory of 4672	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	cmd.exe
PID 2784 wrote to memory of 4672	2784	{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe	cmd.exe
PID 4008 wrote to memory of 3252	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
PID 4008 wrote to memory of 3252	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
PID 4008 wrote to memory of 3252	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
PID 4008 wrote to memory of 812	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	cmd.exe
PID 4008 wrote to memory of 812	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	cmd.exe
PID 4008 wrote to memory of 812	4008	{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe	cmd.exe
PID 3252 wrote to memory of 4192	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
PID 3252 wrote to memory of 4192	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
PID 3252 wrote to memory of 4192	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
PID 3252 wrote to memory of 2212	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	cmd.exe
PID 3252 wrote to memory of 2212	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	cmd.exe
PID 3252 wrote to memory of 2212	3252	{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe	cmd.exe
PID 4192 wrote to memory of 1224	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
PID 4192 wrote to memory of 1224	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
PID 4192 wrote to memory of 1224	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
PID 4192 wrote to memory of 920	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	cmd.exe
PID 4192 wrote to memory of 920	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	cmd.exe
PID 4192 wrote to memory of 920	4192	{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe	cmd.exe
PID 1224 wrote to memory of 320	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
PID 1224 wrote to memory of 320	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
PID 1224 wrote to memory of 320	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
PID 1224 wrote to memory of 4564	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	cmd.exe
PID 1224 wrote to memory of 4564	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	cmd.exe
PID 1224 wrote to memory of 4564	1224	{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe	cmd.exe
PID 320 wrote to memory of 532	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
PID 320 wrote to memory of 532	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
PID 320 wrote to memory of 532	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	{44899C44-5A93-4413-8B71-FDC975B33133}.exe
PID 320 wrote to memory of 816	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	cmd.exe
PID 320 wrote to memory of 816	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	cmd.exe
PID 320 wrote to memory of 816	320	{E608E0B5-235F-4126-9C80-C216F730B71A}.exe	cmd.exe
PID 532 wrote to memory of 1860	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
PID 532 wrote to memory of 1860	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
PID 532 wrote to memory of 1860	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	{D34FE282-95CC-4bca-B3A0-629924833259}.exe
PID 532 wrote to memory of 1904	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	cmd.exe
PID 532 wrote to memory of 1904	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	cmd.exe
PID 532 wrote to memory of 1904	532	{44899C44-5A93-4413-8B71-FDC975B33133}.exe	cmd.exe
PID 1860 wrote to memory of 4232	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
PID 1860 wrote to memory of 4232	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
PID 1860 wrote to memory of 4232	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
PID 1860 wrote to memory of 1056	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	cmd.exe
PID 1860 wrote to memory of 1056	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	cmd.exe
PID 1860 wrote to memory of 1056	1860	{D34FE282-95CC-4bca-B3A0-629924833259}.exe	cmd.exe
PID 4232 wrote to memory of 1764	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
PID 4232 wrote to memory of 1764	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
PID 4232 wrote to memory of 1764	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
PID 4232 wrote to memory of 1448	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	cmd.exe
PID 4232 wrote to memory of 1448	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	cmd.exe
PID 4232 wrote to memory of 1448	4232	{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe	cmd.exe
PID 1764 wrote to memory of 4560	1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
PID 1764 wrote to memory of 4560	1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
PID 1764 wrote to memory of 4560	1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
PID 1764 wrote to memory of 4992	1764	{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_956b72f56f501efe1ccac015c107ee44_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
C:\Windows\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
C:\Windows\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
C:\Windows\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
C:\Windows\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
C:\Windows\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
C:\Windows\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\{44899C44-5A93-4413-8B71-FDC975B33133}.exe
C:\Windows\{44899C44-5A93-4413-8B71-FDC975B33133}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\{D34FE282-95CC-4bca-B3A0-629924833259}.exe
C:\Windows\{D34FE282-95CC-4bca-B3A0-629924833259}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
C:\Windows\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
C:\Windows\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
C:\Windows\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe
C:\Windows\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe
13⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA03~1.EXE > nul
13⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F7C~1.EXE > nul
12⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{74EFF~1.EXE > nul
11⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D34FE~1.EXE > nul
10⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{44899~1.EXE > nul
9⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E608E~1.EXE > nul
8⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{89512~1.EXE > nul
7⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E85A0~1.EXE > nul
6⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BA14~1.EXE > nul
5⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D1C~1.EXE > nul
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7A2FE~1.EXE > nul
3⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BEF45CE-8D0F-4ba7-9743-F0E30C17716C}.exe

Filesize
372KB

MD5
69d26e579321ee69d4a7dcedb0b0a4f9

SHA1
f364416a63e97e451f1669c48c6fb0a153b35062

SHA256
c31977d211b5f79378af447980df6bc866096aaffedaa05495c313682aa53d00

SHA512
b0f35ce87ef0062402780bab2160ae5d7d13a43a453cba2aadd932472170cc90e3fbb130b8bde7c9b0eb7ef7a60367ad3adb542c9977c29d0d2d8268582bc0bc

Download Submit
C:\Windows\{44899C44-5A93-4413-8B71-FDC975B33133}.exe

Filesize
372KB

MD5
f8ab384fe9a450fae1097109aa4422bd

SHA1
008b5fc9c514e356efc2ada496b2e9d3b2014b11

SHA256
c8aa8e62c1e91eb2b1df329a91c3e1245ebc25444290d94b348dd59033bf0757

SHA512
7c64857127b97dbc1aea19228b23dd8ba2293cd9201accaa4152709567fb5ad7754116d71bcefb5197296c4ab6ca5321dbbec64a42a0c0299f4832bfff163e72

Download Submit
C:\Windows\{4BA14E41-3407-4439-985A-C0A5EF813F85}.exe

Filesize
372KB

MD5
2f53424453702a1bb980f91e052fa822

SHA1
fdb8bf9e1b7c0397d36db64f13f1b8ad08cf2e3a

SHA256
f60884fe0b41515dfedbab7ddd346e49c1a00cae99f5ab85afbf2f50b9242287

SHA512
b63bef1e61dbabe6f59c3183d01b92ba5c5472221a9be27df5687ebdd78d8d8e221579740d5207f4aeb81962ac741b1c37f8ed186056356b1c680c665f6e1a8b

Download Submit
C:\Windows\{74EFFD2C-C363-4731-A860-7DC3F3CB30B7}.exe

Filesize
372KB

MD5
258f5ab956be4a98907d5328ccfdec68

SHA1
4a4514b13edc77a9212bf12653d277ca843b82a8

SHA256
dc5bb343ef084e9f6b28e3116b53e293c5c2b4d3451c6c24b347e7eecdffe61a

SHA512
caf93e75c4c2ad680dd49b7caa72eb5b14900e591b3e5384a70c049270fa5433e099f9bfc536ea89ad5a2c3cedb8b9842b4449999fc4ed388fcf56bc892a8f21

Download Submit
C:\Windows\{7A2FEAAC-098E-4539-A011-2DD102A4088F}.exe

Filesize
372KB

MD5
4c3406bc6655c95fc32f0a97be041d9d

SHA1
ccc7a4876964085f2f2c2252717cbe18e53f7c6d

SHA256
c39645edac9b1bc969e2d3af1edab943478dc566f93298732a3a4670bdb8cd78

SHA512
f01373e48aa609995888c6356c016972d35ef82fd8ae019e90e827ab9739fa7e41b66e2999fce23b5d31be60ba85c63a14aa96d09ab6cc5007c49a32d23d3d92

Download Submit
C:\Windows\{89512D5E-A980-4077-A006-D3A957A1BA9E}.exe

Filesize
372KB

MD5
c1c8a710360f421b4fd0adfa7c69f2c9

SHA1
cc1434c2a810bcf5ead15f3f768c8df90c93f830

SHA256
e4ac66666742c14f04669fc60e5a73031d78c926c2c34313a2688b306f2f803f

SHA512
dbedda16e8d3617bc83ce17ad8266a420a9e511651d5f7c1fbfde26cb5c5eaafcc935f895acc7b374a6d54e77cc72a07baf45c21a19b1c7e6b19b783e0d21ed8

Download Submit
C:\Windows\{A7F7C7E7-BCFC-41b6-95A5-56086102A949}.exe

Filesize
372KB

MD5
14d45cc9e60144450bcb07380120f69b

SHA1
265edfc050b3f5fbcd8caa1a4ac5cf16f716226a

SHA256
ee72e3b3e19fa8a81aa6fdb207e0af5b08907e762cadf431611a8233d43c200d

SHA512
6bb1ab761daa9cb5c51de8d4f8139ce28050b6e44ff5bf5043bb5c9b73556cd04e384e8d2e4b493a8fd867618afb23452d75f3c0da587f0f50a96b208644b2d9

Download Submit
C:\Windows\{D34FE282-95CC-4bca-B3A0-629924833259}.exe

Filesize
372KB

MD5
547daeadca4609279942ba308a561575

SHA1
e836a306116e7365b8303ba54257fd2007362e7a

SHA256
6171b392e91f3c87d2a024df8a92eb4be9d1100fc640cbd9c037d77fb93ada6a

SHA512
13a6f45f637b7b04dcec9d86177357f1c7c6dc2c6cb06f2281fb8bcd85d8f48f9ecbeb3cbb73fac92241f335f5730344f3f3af91a7d5863bd88b8173eac07a22

Download Submit
C:\Windows\{DEA03FC8-DA5B-4598-8876-7B894E2BE6A7}.exe

Filesize
372KB

MD5
aff7615d7c4a3aab2319666362b211a4

SHA1
7275d224159d0a7084fb5dba46f2519f7002c8e2

SHA256
80fa7f09c31c83afd2a74c2e58082167616becd3355e045205afe1c70617f616

SHA512
654ab80c4e5844fcfd9bee129545297c21f35af23fbdc665f38bc6836f9a3b5d875d637f36c6777f47f1a984c316434623a1fd99498d4f5f9ae7c79651c136cd

Download Submit
C:\Windows\{E608E0B5-235F-4126-9C80-C216F730B71A}.exe

Filesize
372KB

MD5
0da13469aacbd93af6f98a5d044b5a06

SHA1
e9fa5ead517e46d20bf140df62f5ca03754197da

SHA256
5b03d729a061c024f1c1c326a671131f4a018b2a1018d4c7ab6eaea0d14b40d4

SHA512
8c66e00f4849effb3fcdea8f88c1c5de5251c88b1c1e0e0076da1d05cb93673a6beb02726b1fe7451f4da66aad5db3a8ce23c03dbd5ca51dbdbec36d8f886125

Download Submit
C:\Windows\{E85A08FE-1E4C-4c1b-A75B-8C67FA73E7EE}.exe

Filesize
372KB

MD5
27cf6d7511a335363595fb4731a2d91c

SHA1
1b8370991720ecf42b9683ce466e1b5edcca470b

SHA256
568cd654aa9a9b2065c31d1c92773960680e3fcc49006e97173489c813c129d3

SHA512
e91f378d9e79ea4e38461fe0084dbd0258fffa1de42878cebeb9696775d31ef9d6b3f78c39ce88b742acc696d37e06a01a294ccfe163d6bcf79678d9adf5455e

Download Submit
C:\Windows\{F4D1C07A-6B81-4a77-9979-E5FA6CBDF5F2}.exe

Filesize
372KB

MD5
621fc87687c0309e327f652dcc99403a

SHA1
4fd69ed4fae99d348ba72be336974bf4db136eed

SHA256
9fbdf781b808442345a800583fb696d237db50ad2de857f0298b8f8e9960662f

SHA512
10ac506ef5cb9250df9ddd1405a45a884e865150fd0f1773b74bc78fbd43c0d66257952c19d64f22b2285e61aff110f5341fba5cf6392c138e0d5294eaa54117

Download Submit