63266e8b189ab68064dd6b08c3a59a9a77f34aa0ddd0d05c487c589f5cda09d5

Analysis

max time kernel
149s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Size

197KB
MD5

2db276831963609abab179ef7e026e56
SHA1

37b9a6d66a32477bc67bb0ea80607581ec43ecb7
SHA256

63266e8b189ab68064dd6b08c3a59a9a77f34aa0ddd0d05c487c589f5cda09d5
SHA512

75f635aff9846fc48241a3df8edaba182c88437fb48b32e409ff2c98abd2715fdef7ecd7683410cc0284451cf4f5771a56a3acd580f5a4b9a9c300672bf4c7aa
SSDEEP

3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGilEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{018F4772-0CAD-4171-A503-6F3888156C24}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9C09DB46-F313-484d-A5EB-832D63243453}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe{018F4772-0CAD-4171-A503-6F3888156C24}.exe{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe{9C09DB46-F313-484d-A5EB-832D63243453}.exe{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04A0076D-679F-4c8b-B93E-397929ED14E7}	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018F4772-0CAD-4171-A503-6F3888156C24}	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE9B746-6A39-4348-9B5F-06049557CD4D}	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10C3D49B-BE02-4af5-BA2E-149C6B016647}	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10C3D49B-BE02-4af5-BA2E-149C6B016647}\stubpath = "C:\\Windows\\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe"	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018F4772-0CAD-4171-A503-6F3888156C24}\stubpath = "C:\\Windows\\{018F4772-0CAD-4171-A503-6F3888156C24}.exe"	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}\stubpath = "C:\\Windows\\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe"	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9260A271-C2BC-4578-B547-ACBA860BA9B1}\stubpath = "C:\\Windows\\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe"	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04A0076D-679F-4c8b-B93E-397929ED14E7}\stubpath = "C:\\Windows\\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe"	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C09DB46-F313-484d-A5EB-832D63243453}	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABA9794-6B16-41c8-8685-48E72CE52F76}	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9260A271-C2BC-4578-B547-ACBA860BA9B1}	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE9B746-6A39-4348-9B5F-06049557CD4D}\stubpath = "C:\\Windows\\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe"	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}\stubpath = "C:\\Windows\\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe"	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}\stubpath = "C:\\Windows\\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe"	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABA9794-6B16-41c8-8685-48E72CE52F76}\stubpath = "C:\\Windows\\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe"	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}\stubpath = "C:\\Windows\\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe"	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}\stubpath = "C:\\Windows\\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe"	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C09DB46-F313-484d-A5EB-832D63243453}\stubpath = "C:\\Windows\\{9C09DB46-F313-484d-A5EB-832D63243453}.exe"	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe

Executes dropped EXE 12 IoCs

Processes:

{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe{018F4772-0CAD-4171-A503-6F3888156C24}.exe{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe{9C09DB46-F313-484d-A5EB-832D63243453}.exe{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe

pid	process
4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
4976	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
4820	{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe

Drops file in Windows directory 12 IoCs

Processes:

{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe{9C09DB46-F313-484d-A5EB-832D63243453}.exe{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{018F4772-0CAD-4171-A503-6F3888156C24}.exe{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe

description	ioc	process
File created	C:\Windows\{9C09DB46-F313-484d-A5EB-832D63243453}.exe	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
File created	C:\Windows\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
File created	C:\Windows\{018F4772-0CAD-4171-A503-6F3888156C24}.exe	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
File created	C:\Windows\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
File created	C:\Windows\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
File created	C:\Windows\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
File created	C:\Windows\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
File created	C:\Windows\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
File created	C:\Windows\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
File created	C:\Windows\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
File created	C:\Windows\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
File created	C:\Windows\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe{018F4772-0CAD-4171-A503-6F3888156C24}.exe{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe{9C09DB46-F313-484d-A5EB-832D63243453}.exe{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
Token: SeIncBasePriorityPrivilege	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
Token: SeIncBasePriorityPrivilege	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
Token: SeIncBasePriorityPrivilege	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
Token: SeIncBasePriorityPrivilege	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
Token: SeIncBasePriorityPrivilege	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
Token: SeIncBasePriorityPrivilege	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
Token: SeIncBasePriorityPrivilege	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
Token: SeIncBasePriorityPrivilege	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
Token: SeIncBasePriorityPrivilege	2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
Token: SeIncBasePriorityPrivilege	4976	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2228 wrote to memory of 4720	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
PID 2228 wrote to memory of 4720	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
PID 2228 wrote to memory of 4720	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
PID 2228 wrote to memory of 4336	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 2228 wrote to memory of 4336	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 2228 wrote to memory of 4336	2228	2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe	cmd.exe
PID 4720 wrote to memory of 1960	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
PID 4720 wrote to memory of 1960	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
PID 4720 wrote to memory of 1960	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	{018F4772-0CAD-4171-A503-6F3888156C24}.exe
PID 4720 wrote to memory of 1288	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	cmd.exe
PID 4720 wrote to memory of 1288	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	cmd.exe
PID 4720 wrote to memory of 1288	4720	{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe	cmd.exe
PID 1960 wrote to memory of 3288	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
PID 1960 wrote to memory of 3288	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
PID 1960 wrote to memory of 3288	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
PID 1960 wrote to memory of 3728	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	cmd.exe
PID 1960 wrote to memory of 3728	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	cmd.exe
PID 1960 wrote to memory of 3728	1960	{018F4772-0CAD-4171-A503-6F3888156C24}.exe	cmd.exe
PID 3288 wrote to memory of 4224	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
PID 3288 wrote to memory of 4224	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
PID 3288 wrote to memory of 4224	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
PID 3288 wrote to memory of 1672	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	cmd.exe
PID 3288 wrote to memory of 1672	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	cmd.exe
PID 3288 wrote to memory of 1672	3288	{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe	cmd.exe
PID 4224 wrote to memory of 1048	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
PID 4224 wrote to memory of 1048	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
PID 4224 wrote to memory of 1048	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
PID 4224 wrote to memory of 1732	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	cmd.exe
PID 4224 wrote to memory of 1732	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	cmd.exe
PID 4224 wrote to memory of 1732	4224	{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe	cmd.exe
PID 1048 wrote to memory of 2596	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
PID 1048 wrote to memory of 2596	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
PID 1048 wrote to memory of 2596	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
PID 1048 wrote to memory of 2368	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	cmd.exe
PID 1048 wrote to memory of 2368	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	cmd.exe
PID 1048 wrote to memory of 2368	1048	{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe	cmd.exe
PID 2596 wrote to memory of 4080	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
PID 2596 wrote to memory of 4080	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
PID 2596 wrote to memory of 4080	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
PID 2596 wrote to memory of 5016	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	cmd.exe
PID 2596 wrote to memory of 5016	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	cmd.exe
PID 2596 wrote to memory of 5016	2596	{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe	cmd.exe
PID 4080 wrote to memory of 4488	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
PID 4080 wrote to memory of 4488	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
PID 4080 wrote to memory of 4488	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
PID 4080 wrote to memory of 4160	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	cmd.exe
PID 4080 wrote to memory of 4160	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	cmd.exe
PID 4080 wrote to memory of 4160	4080	{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe	cmd.exe
PID 4488 wrote to memory of 4244	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
PID 4488 wrote to memory of 4244	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
PID 4488 wrote to memory of 4244	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	{9C09DB46-F313-484d-A5EB-832D63243453}.exe
PID 4488 wrote to memory of 708	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	cmd.exe
PID 4488 wrote to memory of 708	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	cmd.exe
PID 4488 wrote to memory of 708	4488	{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe	cmd.exe
PID 4244 wrote to memory of 2540	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
PID 4244 wrote to memory of 2540	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
PID 4244 wrote to memory of 2540	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
PID 4244 wrote to memory of 996	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	cmd.exe
PID 4244 wrote to memory of 996	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	cmd.exe
PID 4244 wrote to memory of 996	4244	{9C09DB46-F313-484d-A5EB-832D63243453}.exe	cmd.exe
PID 2540 wrote to memory of 4976	2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
PID 2540 wrote to memory of 4976	2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
PID 2540 wrote to memory of 4976	2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
PID 2540 wrote to memory of 1840	2540	{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_2db276831963609abab179ef7e026e56_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
C:\Windows\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\{018F4772-0CAD-4171-A503-6F3888156C24}.exe
C:\Windows\{018F4772-0CAD-4171-A503-6F3888156C24}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
C:\Windows\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
C:\Windows\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
C:\Windows\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
C:\Windows\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
C:\Windows\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
C:\Windows\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\{9C09DB46-F313-484d-A5EB-832D63243453}.exe
C:\Windows\{9C09DB46-F313-484d-A5EB-832D63243453}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
C:\Windows\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
C:\Windows\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe
C:\Windows\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe
13⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9260A~1.EXE > nul
13⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FABA9~1.EXE > nul
12⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C09D~1.EXE > nul
11⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9EA59~1.EXE > nul
10⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16AB0~1.EXE > nul
9⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{38EC8~1.EXE > nul
8⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{10C3D~1.EXE > nul
7⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{03A0E~1.EXE > nul
6⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE9B~1.EXE > nul
5⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{018F4~1.EXE > nul
4⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{710B2~1.EXE > nul
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{018F4772-0CAD-4171-A503-6F3888156C24}.exe
Filesize
197KB

MD5
fb80e0e361e24e873d7d67c98ef6fafd

SHA1
1201da3ee0ff00a404cab81a757a54687d91898d

SHA256
b6c50dcaad1093876309d5f4d2a0f21af6ea77310b1637aeb224c8281a2fa704

SHA512
e86c57a516f904225ed760166f629360ad58e0c0cda8331bd0b1def17999d1595b895eac0a52b8d249cb2ebe8489c858315f97565dae83049dea9e700e55e5ce

Download Submit
C:\Windows\{03A0E293-EA95-4cba-8C90-F3106A4C47F8}.exe
Filesize
197KB

MD5
66702f078112a94a4467cf2778388554

SHA1
f8b6bf3e7166c860ed082442d7f308c806a1c188

SHA256
af066c4e768f11b07feac63224da13f36fed07e90d0bb5205d30cc5da78ec8da

SHA512
ed72664b606b9462b8faefe738809f5756312c21786ec4036f7f282bbbba75e25d8c788267c7391a9ac67a253a808759bdd5f299d7724cfc2fbaef018b803262

Download Submit
C:\Windows\{04A0076D-679F-4c8b-B93E-397929ED14E7}.exe
Filesize
197KB

MD5
739c0b74943be30180896d107243fd10

SHA1
cde32e03d09124dd789b2d8e413dcc4daed1a4fb

SHA256
91bbf6fc95e215d3805fc5cda5df435e93ef548354c397cad13b87d32dc4fbf0

SHA512
4e5bb753d91e0ff52d86115904aebef078f4dd08338eb12be56929c5d9a55072eff9d243b8ec633ab8461b7b484d3f8c6e6b93f0daaec78d404dff0c6f505cb3

Download Submit
C:\Windows\{10C3D49B-BE02-4af5-BA2E-149C6B016647}.exe
Filesize
197KB

MD5
3e4334cc9d92a3ef209ac1ca68527d25

SHA1
e36b034a20293926849e9f88df350ce66bbccb4d

SHA256
0c94380dc58d58a48ec6b9bfe8bc06a586338cf0a443e989473a678c89f837b2

SHA512
eea7d2b764610d9b8be16511385783d233bbcf702088ee2c5eb55f279155aa56252f77fe173bdf15bc6de6f96df0c08014882fca776d75740beb2e1735ecaab4

Download Submit
C:\Windows\{16AB003E-36CD-4d86-ADCE-C9AE3F5CAEF8}.exe
Filesize
197KB

MD5
e37343d8a81e4597f82d3bd16eaf8f7c

SHA1
810ccd443e992647ea3c406820205f8a799a8bb9

SHA256
fca2f64132daeb47d1d3eb0b7df42c2c2b1e558a817b8eb0b1535241a0c89b13

SHA512
874fb46b531d9dae21b8fac91e782e71cbc6c9a0d11d653f00c1df159b5e837ec84db2128cbb492caea09f9475d61b3f2271b81a4b02af4f3f1f57735e43242d

Download Submit
C:\Windows\{38EC83D5-5B7E-4ec1-B43C-B1E86A30A6DE}.exe
Filesize
197KB

MD5
1a777bd68a3241e95459b04770bdf35b

SHA1
504b88bd81b0dc76597d64348d1712c1fde39c7e

SHA256
b5d420a1681dcc99ab5552d63eff8faf3b16523d640ec5f824718064d284cc12

SHA512
8df3e44227e9b1ba74ac51f1d3720d55cc46d195e5260179e4e16c6ead231181a272eef56be53847d033adc7f4edca917033a46286e946107fddd52041056656

Download Submit
C:\Windows\{710B2759-11AC-4e9b-8898-9ABE658AD8DC}.exe
Filesize
197KB

MD5
9e4a34c255e962cf50228af1b8ae9f25

SHA1
3d3408ea0b972090922ccebff8278bb8ba0d9f93

SHA256
ba17b9d690096d5478def7f97294460a6f94158063ce7b07cc1c858e7d5a31b3

SHA512
e48f73a31c7fb0893f71897fe20f91b1312d286978c44df5b06965adadf475699144caa8195f5266faa9d374b38c2d3a4fb62b7f149f03df7edf8438c36fa6b0

Download Submit
C:\Windows\{9260A271-C2BC-4578-B547-ACBA860BA9B1}.exe
Filesize
197KB

MD5
adb109bcc7272110971cfa1ccf7ee0fb

SHA1
56dd80aba4d8e9eca2952efbdfd0a514d5865ba3

SHA256
5fdd392c6d98d972ecc7774b650979cd1ed7d18ff00ac1402a9c1c325cc46b5e

SHA512
3568764b39271b0d085b829df966c05299ec051c120d393ef6990b2d9c1177eb4c239a15e582b54c5009d1f2553048957f47766fec90ac74476942a74acea960

Download Submit
C:\Windows\{9C09DB46-F313-484d-A5EB-832D63243453}.exe
Filesize
197KB

MD5
a4510bc266e1bdd18573d1128a3c7e06

SHA1
1b7c2d8a2d214e3720d677d90dc8491543d051f7

SHA256
848d6e6d3e76512dffff44ed018f17ea22b3652b2c82d33fb2b1fad629ea297f

SHA512
0db9ac2cb2baab7c4a10b0b5553ee7437824134ab6c4961f0133b4383d0123f1cd96ab3212c74d40525b0feb385d22034fad3219fe3389a180c1512d21f0ae41

Download Submit
C:\Windows\{9DE9B746-6A39-4348-9B5F-06049557CD4D}.exe
Filesize
197KB

MD5
d42a23cba0ac5a2a2458520b7679c99f

SHA1
a5da544e1cf20611d2425806d60eae8b94a11f18

SHA256
86b2817df1738759051e3bb4bf2ccb50bd413a9629c94e448f9c01269445e5ac

SHA512
e82fbb00ff77d9880e4ced99d07602319a8d4b3cd5f9929367085231edc55c0f613d80aa5148f555341f5bf8f6e744fd2610ddd17192242d0a18ddcde0e8bcbf

Download Submit
C:\Windows\{9EA596E4-5872-4e97-B4C7-BE4651CEBEEF}.exe
Filesize
197KB

MD5
ca4cf92020fa024fedc5a829bffbf635

SHA1
77f41bd7819a591a56c1182991527b04b148a998

SHA256
1d51158bea81656049c39677f19cc71e1a663563b5896be14718330ad56e6c45

SHA512
2e94632c5eb1c7468ddece9dccb6509c5c6ea44f5b914ec7951296c16fb96103c5fae8c0c326bfc170824ed676121dfb60a7ea013bb49b71f0f17e7d1bff98f9

Download Submit
C:\Windows\{FABA9794-6B16-41c8-8685-48E72CE52F76}.exe
Filesize
197KB

MD5
94142d88ada171e76270904260bfabee

SHA1
b8474126592a77471fa46f7660aacc5973f651e6

SHA256
bf99368988a44da07aa0298383264c9f32d933da46a6da3ad4e674fb271939b6

SHA512
1e4b38b6a86cb1d6b4421c3b890916bd89000d4f1dd09680f3841079e16e13765b26d839f1a9f28f3e548dee848c53ee5c957143820e3e41ec1d405f1431ee0a

Download Submit