f30d2da75b123622539ef3ad7551f6600328a2b35ed21520793912024ecfef15

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Size

204KB
MD5

8de7721085c2872c6457605cb8b3349e
SHA1

27f0ca2467eb8d86a28e35d355b6a781ce7a45a1
SHA256

f30d2da75b123622539ef3ad7551f6600328a2b35ed21520793912024ecfef15
SHA512

cb610a65ab30820486e2fc353bbaf63371a479b208ea3e5ffcd93423de9e5a736878b15302b50125f24691b771eca2acd921ac68fc5e5e1627c2a824940e1078
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{36713230-8819-49f7-9351-7681B08CFC22}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3172115E-8495-492c-91D0-405E14E5381F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{3172115E-8495-492c-91D0-405E14E5381F}.exe{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe{36713230-8819-49f7-9351-7681B08CFC22}.exe{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe{052B132E-56F4-4eaa-86D8-4A0018802462}.exe{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}\stubpath = "C:\\Windows\\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe"	{3172115E-8495-492c-91D0-405E14E5381F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED3729F-959A-47df-BB85-4D10D74B5856}	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED3729F-959A-47df-BB85-4D10D74B5856}\stubpath = "C:\\Windows\\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe"	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052B132E-56F4-4eaa-86D8-4A0018802462}\stubpath = "C:\\Windows\\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe"	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3172115E-8495-492c-91D0-405E14E5381F}	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}	{3172115E-8495-492c-91D0-405E14E5381F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}	{36713230-8819-49f7-9351-7681B08CFC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19218F30-1C3A-4b30-93BA-47BE136670F5}	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19218F30-1C3A-4b30-93BA-47BE136670F5}\stubpath = "C:\\Windows\\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe"	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BFD57E-7367-42c8-B191-6CCF1F972355}	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BFD57E-7367-42c8-B191-6CCF1F972355}\stubpath = "C:\\Windows\\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe"	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052B132E-56F4-4eaa-86D8-4A0018802462}	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A7351E-C86B-4194-89E0-E57384B53A98}\stubpath = "C:\\Windows\\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe"	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36713230-8819-49f7-9351-7681B08CFC22}\stubpath = "C:\\Windows\\{36713230-8819-49f7-9351-7681B08CFC22}.exe"	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}\stubpath = "C:\\Windows\\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe"	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3172115E-8495-492c-91D0-405E14E5381F}\stubpath = "C:\\Windows\\{3172115E-8495-492c-91D0-405E14E5381F}.exe"	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}\stubpath = "C:\\Windows\\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe"	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}\stubpath = "C:\\Windows\\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe"	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A7351E-C86B-4194-89E0-E57384B53A98}	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36713230-8819-49f7-9351-7681B08CFC22}	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}\stubpath = "C:\\Windows\\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe"	{36713230-8819-49f7-9351-7681B08CFC22}.exe

Executes dropped EXE 12 IoCs

Processes:

{052B132E-56F4-4eaa-86D8-4A0018802462}.exe{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe{36713230-8819-49f7-9351-7681B08CFC22}.exe{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe{3172115E-8495-492c-91D0-405E14E5381F}.exe{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe

pid	process
4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe
996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe
4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
5112	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
4372	{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe

Drops file in Windows directory 12 IoCs

Processes:

{3172115E-8495-492c-91D0-405E14E5381F}.exe{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe{36713230-8819-49f7-9351-7681B08CFC22}.exe{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe{052B132E-56F4-4eaa-86D8-4A0018802462}.exe

description	ioc	process
File created	C:\Windows\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	{3172115E-8495-492c-91D0-405E14E5381F}.exe
File created	C:\Windows\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
File created	C:\Windows\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
File created	C:\Windows\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
File created	C:\Windows\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
File created	C:\Windows\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
File created	C:\Windows\{36713230-8819-49f7-9351-7681B08CFC22}.exe	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
File created	C:\Windows\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	{36713230-8819-49f7-9351-7681B08CFC22}.exe
File created	C:\Windows\{3172115E-8495-492c-91D0-405E14E5381F}.exe	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
File created	C:\Windows\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
File created	C:\Windows\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
File created	C:\Windows\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe{052B132E-56F4-4eaa-86D8-4A0018802462}.exe{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe{36713230-8819-49f7-9351-7681B08CFC22}.exe{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe{3172115E-8495-492c-91D0-405E14E5381F}.exe{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
Token: SeIncBasePriorityPrivilege	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
Token: SeIncBasePriorityPrivilege	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe
Token: SeIncBasePriorityPrivilege	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
Token: SeIncBasePriorityPrivilege	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe
Token: SeIncBasePriorityPrivilege	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
Token: SeIncBasePriorityPrivilege	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
Token: SeIncBasePriorityPrivilege	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
Token: SeIncBasePriorityPrivilege	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
Token: SeIncBasePriorityPrivilege	1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
Token: SeIncBasePriorityPrivilege	5112	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4224 wrote to memory of 4668	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
PID 4224 wrote to memory of 4668	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
PID 4224 wrote to memory of 4668	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
PID 4224 wrote to memory of 1496	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 4224 wrote to memory of 1496	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 4224 wrote to memory of 1496	4224	2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe	cmd.exe
PID 4668 wrote to memory of 2400	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
PID 4668 wrote to memory of 2400	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
PID 4668 wrote to memory of 2400	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
PID 4668 wrote to memory of 1868	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	cmd.exe
PID 4668 wrote to memory of 1868	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	cmd.exe
PID 4668 wrote to memory of 1868	4668	{052B132E-56F4-4eaa-86D8-4A0018802462}.exe	cmd.exe
PID 2400 wrote to memory of 3584	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	{36713230-8819-49f7-9351-7681B08CFC22}.exe
PID 2400 wrote to memory of 3584	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	{36713230-8819-49f7-9351-7681B08CFC22}.exe
PID 2400 wrote to memory of 3584	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	{36713230-8819-49f7-9351-7681B08CFC22}.exe
PID 2400 wrote to memory of 4580	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	cmd.exe
PID 2400 wrote to memory of 4580	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	cmd.exe
PID 2400 wrote to memory of 4580	2400	{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe	cmd.exe
PID 3584 wrote to memory of 996	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
PID 3584 wrote to memory of 996	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
PID 3584 wrote to memory of 996	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
PID 3584 wrote to memory of 4592	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	cmd.exe
PID 3584 wrote to memory of 4592	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	cmd.exe
PID 3584 wrote to memory of 4592	3584	{36713230-8819-49f7-9351-7681B08CFC22}.exe	cmd.exe
PID 996 wrote to memory of 3656	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	{3172115E-8495-492c-91D0-405E14E5381F}.exe
PID 996 wrote to memory of 3656	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	{3172115E-8495-492c-91D0-405E14E5381F}.exe
PID 996 wrote to memory of 3656	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	{3172115E-8495-492c-91D0-405E14E5381F}.exe
PID 996 wrote to memory of 1572	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	cmd.exe
PID 996 wrote to memory of 1572	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	cmd.exe
PID 996 wrote to memory of 1572	996	{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe	cmd.exe
PID 3656 wrote to memory of 4948	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
PID 3656 wrote to memory of 4948	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
PID 3656 wrote to memory of 4948	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
PID 3656 wrote to memory of 3452	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	cmd.exe
PID 3656 wrote to memory of 3452	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	cmd.exe
PID 3656 wrote to memory of 3452	3656	{3172115E-8495-492c-91D0-405E14E5381F}.exe	cmd.exe
PID 4948 wrote to memory of 1564	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
PID 4948 wrote to memory of 1564	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
PID 4948 wrote to memory of 1564	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
PID 4948 wrote to memory of 4832	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	cmd.exe
PID 4948 wrote to memory of 4832	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	cmd.exe
PID 4948 wrote to memory of 4832	4948	{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe	cmd.exe
PID 1564 wrote to memory of 648	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
PID 1564 wrote to memory of 648	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
PID 1564 wrote to memory of 648	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
PID 1564 wrote to memory of 1020	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	cmd.exe
PID 1564 wrote to memory of 1020	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	cmd.exe
PID 1564 wrote to memory of 1020	1564	{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe	cmd.exe
PID 648 wrote to memory of 2436	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
PID 648 wrote to memory of 2436	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
PID 648 wrote to memory of 2436	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
PID 648 wrote to memory of 2868	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	cmd.exe
PID 648 wrote to memory of 2868	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	cmd.exe
PID 648 wrote to memory of 2868	648	{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe	cmd.exe
PID 2436 wrote to memory of 1188	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
PID 2436 wrote to memory of 1188	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
PID 2436 wrote to memory of 1188	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
PID 2436 wrote to memory of 4740	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	cmd.exe
PID 2436 wrote to memory of 4740	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	cmd.exe
PID 2436 wrote to memory of 4740	2436	{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe	cmd.exe
PID 1188 wrote to memory of 5112	1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
PID 1188 wrote to memory of 5112	1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
PID 1188 wrote to memory of 5112	1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
PID 1188 wrote to memory of 1208	1188	{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8de7721085c2872c6457605cb8b3349e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
C:\Windows\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
C:\Windows\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\{36713230-8819-49f7-9351-7681B08CFC22}.exe
C:\Windows\{36713230-8819-49f7-9351-7681B08CFC22}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
C:\Windows\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\{3172115E-8495-492c-91D0-405E14E5381F}.exe
C:\Windows\{3172115E-8495-492c-91D0-405E14E5381F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
C:\Windows\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
C:\Windows\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
C:\Windows\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
C:\Windows\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
C:\Windows\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
C:\Windows\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe
C:\Windows\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe
13⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{05C2D~1.EXE > nul
13⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39BFD~1.EXE > nul
12⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{19218~1.EXE > nul
11⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6AABC~1.EXE > nul
10⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED37~1.EXE > nul
9⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2D5CD~1.EXE > nul
8⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31721~1.EXE > nul
7⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0D662~1.EXE > nul
6⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36713~1.EXE > nul
5⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A73~1.EXE > nul
4⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{052B1~1.EXE > nul
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052B132E-56F4-4eaa-86D8-4A0018802462}.exe
Filesize
204KB

MD5
bc707862a2ff3466507b33177693abc4

SHA1
f35c45db453b997b5f7a74298f6968265b910c3c

SHA256
62ca1318415f54ca95c9cde9339e496a0805aadee618272cb3b948a215da6bfd

SHA512
d6511d991934f2bd9c2c2efc19d8c75ab8bdd32602b211ecbda28a62fbcdd3d48dd031d9db15a1ae39913230c6a469e3b2fc9dddbdd6f7479ee844f90ee8a624

Download Submit
C:\Windows\{05C2DD19-E07C-4d9a-9657-7367BEE7B54D}.exe
Filesize
204KB

MD5
9a6a8cce96b72f897a3b5c9dc4e2f776

SHA1
db44c1b1bb21184651a8fbf72ccd2432aa74fc31

SHA256
61c44ea1a6f4d2220f69eafbf54635f91718ed31502abbfa71db420ecfa8d45c

SHA512
7f27791afee2c3f254da840b8c16766e1d0dcd0542515943401eeca7316efdc323415b2b2822aaec3727159653cb839d9f6804e27044de077f58e97a7cca6163

Download Submit
C:\Windows\{0D662EA4-21FD-4e1b-AF9E-71D8CF90E5C0}.exe
Filesize
204KB

MD5
f69ce629473312a45fb6a27e78c07819

SHA1
da6693d72041320ed401bfbfff4e6c557e29690b

SHA256
34dd920b3f9c660ee5171e662240aef49a804184122e8293e4629568242f420f

SHA512
f28d254369c0e43a78fc573d00f13c48b47af51c44491737a6b1182c6d08ddfe51f96c3a1e54b060a67f39429e1335750e6f792867c76c52b0894995a1ed0b08

Download Submit
C:\Windows\{19218F30-1C3A-4b30-93BA-47BE136670F5}.exe
Filesize
204KB

MD5
3bd3dbb149cfe20f1a5c961ea28bf890

SHA1
b869eb048adc493b4bd40d23f1af919b2f421dac

SHA256
ccc6e459bbab2d78015db77aedca9ee6dec397257a465d7045f63649f9ac9339

SHA512
0f5afcb21f18696fc4e3eaf290dfbae71a6834cda76bb6a749434b93a37a287e1b1acccfe967ca2652d4922bbf0a144a982eb71e1bbdb8a376b17671657f4bcb

Download Submit
C:\Windows\{2D5CD670-DA66-4f8a-8883-D76BD7FC0F81}.exe
Filesize
204KB

MD5
343228dcfaaf034fb32260fa32b9fc11

SHA1
77065f68ee1c6efbe1e6545c1b20aad30e9ab25f

SHA256
d1ab96992e66ac571246cefeb8334d5ba6997bec4b640ed83b6ddc098f93807e

SHA512
e7d81077932cbab3eeeb162c5fc550533c51e178f0c9a577c99e1dfc256a2038254982988441779e9f97f8e31fe881f3d179c096843082cc6003a36ae93d501c

Download Submit
C:\Windows\{2ED3729F-959A-47df-BB85-4D10D74B5856}.exe
Filesize
204KB

MD5
7c2a4a70bf86b3a3875468be571c08c7

SHA1
c45b23d1faa1cd1d3e1afcd9a4542ba4e88f36b6

SHA256
ee7779a113e0b3320cfe472f5f45ee0377cfad8ee1e6bec3009a1184caefd783

SHA512
fc6447d3ce639f8c4454f85c6d39656b53e7afe2e7eab45e0b8aa188c58f68dc8172c542a7e279fb22fc85e2945c1ce90a5c839b9bfdc3390ab0ad9b9b6bc733

Download Submit
C:\Windows\{3172115E-8495-492c-91D0-405E14E5381F}.exe
Filesize
204KB

MD5
1d5916afeb80caceb64efa0668e58da4

SHA1
cd68c1ad4e9f7a63def84e27940da4a067a63ab9

SHA256
48f97e48f3401b882ee2df23ffe9ae45fb2ced096c1752eff6e7ca0598e0d7d9

SHA512
f2afbb237e9c9caa9959fcd8a379b891b846a555aa45900f94973cb49f77e7d26a9eabe6249ba5361bf3d55c7820f9039797cd49e05c7cd0122012741488868c

Download Submit
C:\Windows\{36713230-8819-49f7-9351-7681B08CFC22}.exe
Filesize
204KB

MD5
93e48f63c9a88b90f456ba4dc132516b

SHA1
1a973586c02affd0c4bf1474477200bd28a0fc37

SHA256
b0457c083ebce7aeee4d54d734b97367baa8fdc9761c6326c85ea34cfac905e3

SHA512
05788660790089eaa6738f777b50d8d165f2a9c4d507831e13a27c5628eb2ab06003ed75e183e3988a8c8a5593b6e4dcc6c0fef76c2010446e6faf33104834f8

Download Submit
C:\Windows\{39BFD57E-7367-42c8-B191-6CCF1F972355}.exe
Filesize
204KB

MD5
1318d4087369638352ce4c59a2f2d505

SHA1
1c67d07bdb47c120ec5e3a41a1e75bcb713c905e

SHA256
55c117211c1de113f53dec67ebf76956a31a919371f36964fd0e7d27c60f0004

SHA512
2ab4ed8367b3c0af9d124dd68e98964c87142b717aaae1b4a7e6dc554062bec7d44bf5265fb41e419b6daf31a348af6101caf68f9e9585264e381b13e91ee674

Download Submit
C:\Windows\{6AABCA67-09C2-4d74-A7E9-E5601A052E1D}.exe
Filesize
204KB

MD5
06793e3de109fb9d0e962d55c36c0628

SHA1
82902a6c28d91719133b3f7eed87e7f9d02b0978

SHA256
0a284329f78f6fc396e0459b9bac0933c579b0caad63e118dc5f9c27e0df284c

SHA512
da51c2cc0060c6e73e83c7786df7cc68c6d56d6b909aab91e55458e0176b2620b3f77fba76c73e3df63fba34349feacb083b35875eda0b830a0e3013fe7bf066

Download Submit
C:\Windows\{A3A7351E-C86B-4194-89E0-E57384B53A98}.exe
Filesize
204KB

MD5
5c2286415a603fdeed82239579f0f781

SHA1
e1223f74031bcd9ba6987ce7a08e8e4cc69c8720

SHA256
ac109f66226d04f7ae07e584850c6d99c2c3626257cda44c1e6877f03d40a15f

SHA512
5c5edb39fc3595c84d9e612166a218b7a50071d6cd2ddbbadd5d2dc0faa46ea236570db7ca4824a32e1cd12097f43b170bcf620b57a65a9aaeabc90a7f153342

Download Submit
C:\Windows\{CF32482B-26F0-4d9e-A8F9-3AAEB146144B}.exe
Filesize
204KB

MD5
d48760bfa8a98b450d1d57ac0d149b1f

SHA1
98f02a66b27f32f34cd12eea98c1bc689ebf9124

SHA256
8b1736d7f6ed15992e9018ad19558cd05380f862885bba077c026bbde5172898

SHA512
f231a0181500ab672462e7bf382dc158e9eaace4ff723f16a10988e966f737dcdc98a8380fa28e15e0d716f190cc0aa53aa0752b0bc60adff408873820805f97

Download Submit