d6ba1e53c4e1bfd19a20b204acaaf38b1feaa68ebad0d61e5899dc9e7734c0b4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Size

408KB
MD5

aa399fda7d6d1372a3e9ec581cd54229
SHA1

3d765d7c6f2dff137fb70880eb93e03f55c0fdb8
SHA256

d6ba1e53c4e1bfd19a20b204acaaf38b1feaa68ebad0d61e5899dc9e7734c0b4
SHA512

b8f09ed062be054135e9b23b4d8828fb1567df0c7b64d3b231dd4c177a7cb085c9fcaad19ecd1988db06d0472b4782fa8173336da079d225881d9af7a83a1f24
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}\stubpath = "C:\\Windows\\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe"	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DB831E-09CA-4522-8E01-453F542DF3C3}	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DB831E-09CA-4522-8E01-453F542DF3C3}\stubpath = "C:\\Windows\\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe"	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C73C478-AD58-4787-A17A-7B5A4C56F323}\stubpath = "C:\\Windows\\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe"	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18B1BB36-8E63-4c98-ABA9-09985782911C}	{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}\stubpath = "C:\\Windows\\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe"	{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}\stubpath = "C:\\Windows\\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe"	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}\stubpath = "C:\\Windows\\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe"	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}\stubpath = "C:\\Windows\\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe"	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C73C478-AD58-4787-A17A-7B5A4C56F323}	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}\stubpath = "C:\\Windows\\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe"	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}	{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}\stubpath = "C:\\Windows\\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe"	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}\stubpath = "C:\\Windows\\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe"	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18B1BB36-8E63-4c98-ABA9-09985782911C}\stubpath = "C:\\Windows\\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe"	{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe

Executes dropped EXE 11 IoCs

Processes:

{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe

pid	process
2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
1276	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
1928	{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
596	{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
1320	{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe

Drops file in Windows directory 11 IoCs

Processes:

{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe

description	ioc	process
File created	C:\Windows\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe	{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
File created	C:\Windows\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe	{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
File created	C:\Windows\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
File created	C:\Windows\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
File created	C:\Windows\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
File created	C:\Windows\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
File created	C:\Windows\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
File created	C:\Windows\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
File created	C:\Windows\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
File created	C:\Windows\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
File created	C:\Windows\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
Token: SeIncBasePriorityPrivilege	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
Token: SeIncBasePriorityPrivilege	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
Token: SeIncBasePriorityPrivilege	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
Token: SeIncBasePriorityPrivilege	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
Token: SeIncBasePriorityPrivilege	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
Token: SeIncBasePriorityPrivilege	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
Token: SeIncBasePriorityPrivilege	1276	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
Token: SeIncBasePriorityPrivilege	1928	{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
Token: SeIncBasePriorityPrivilege	596	{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2868 wrote to memory of 2476	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
PID 2868 wrote to memory of 2476	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
PID 2868 wrote to memory of 2476	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
PID 2868 wrote to memory of 2476	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
PID 2868 wrote to memory of 2572	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	cmd.exe
PID 2868 wrote to memory of 2572	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	cmd.exe
PID 2868 wrote to memory of 2572	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	cmd.exe
PID 2868 wrote to memory of 2572	2868	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	cmd.exe
PID 2476 wrote to memory of 2616	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
PID 2476 wrote to memory of 2616	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
PID 2476 wrote to memory of 2616	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
PID 2476 wrote to memory of 2616	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
PID 2476 wrote to memory of 2684	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	cmd.exe
PID 2476 wrote to memory of 2684	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	cmd.exe
PID 2476 wrote to memory of 2684	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	cmd.exe
PID 2476 wrote to memory of 2684	2476	{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe	cmd.exe
PID 2616 wrote to memory of 2264	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
PID 2616 wrote to memory of 2264	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
PID 2616 wrote to memory of 2264	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
PID 2616 wrote to memory of 2264	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
PID 2616 wrote to memory of 2380	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	cmd.exe
PID 2616 wrote to memory of 2380	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	cmd.exe
PID 2616 wrote to memory of 2380	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	cmd.exe
PID 2616 wrote to memory of 2380	2616	{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe	cmd.exe
PID 2264 wrote to memory of 2648	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
PID 2264 wrote to memory of 2648	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
PID 2264 wrote to memory of 2648	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
PID 2264 wrote to memory of 2648	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
PID 2264 wrote to memory of 2544	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	cmd.exe
PID 2264 wrote to memory of 2544	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	cmd.exe
PID 2264 wrote to memory of 2544	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	cmd.exe
PID 2264 wrote to memory of 2544	2264	{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe	cmd.exe
PID 2648 wrote to memory of 1384	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
PID 2648 wrote to memory of 1384	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
PID 2648 wrote to memory of 1384	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
PID 2648 wrote to memory of 1384	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
PID 2648 wrote to memory of 1532	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	cmd.exe
PID 2648 wrote to memory of 1532	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	cmd.exe
PID 2648 wrote to memory of 1532	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	cmd.exe
PID 2648 wrote to memory of 1532	2648	{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe	cmd.exe
PID 1384 wrote to memory of 2092	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
PID 1384 wrote to memory of 2092	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
PID 1384 wrote to memory of 2092	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
PID 1384 wrote to memory of 2092	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
PID 1384 wrote to memory of 1784	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	cmd.exe
PID 1384 wrote to memory of 1784	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	cmd.exe
PID 1384 wrote to memory of 1784	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	cmd.exe
PID 1384 wrote to memory of 1784	1384	{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe	cmd.exe
PID 2092 wrote to memory of 1584	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
PID 2092 wrote to memory of 1584	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
PID 2092 wrote to memory of 1584	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
PID 2092 wrote to memory of 1584	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
PID 2092 wrote to memory of 1372	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	cmd.exe
PID 2092 wrote to memory of 1372	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	cmd.exe
PID 2092 wrote to memory of 1372	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	cmd.exe
PID 2092 wrote to memory of 1372	2092	{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe	cmd.exe
PID 1584 wrote to memory of 1276	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
PID 1584 wrote to memory of 1276	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
PID 1584 wrote to memory of 1276	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
PID 1584 wrote to memory of 1276	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
PID 1584 wrote to memory of 2024	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	cmd.exe
PID 1584 wrote to memory of 2024	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	cmd.exe
PID 1584 wrote to memory of 2024	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	cmd.exe
PID 1584 wrote to memory of 2024	1584	{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
C:\Windows\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
C:\Windows\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
C:\Windows\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
C:\Windows\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
C:\Windows\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
C:\Windows\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
C:\Windows\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
C:\Windows\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
C:\Windows\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
C:\Windows\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe
C:\Windows\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe
12⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{18B1B~1.EXE > nul
12⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BA812~1.EXE > nul
11⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD6B~1.EXE > nul
10⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7EADD~1.EXE > nul
9⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7C73C~1.EXE > nul
8⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B543~1.EXE > nul
7⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{58DB8~1.EXE > nul
6⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E1A~1.EXE > nul
5⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B10D3~1.EXE > nul
4⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{99A5E~1.EXE > nul
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18B1BB36-8E63-4c98-ABA9-09985782911C}.exe

Filesize
408KB

MD5
833bcd03f196a4d3f9b2be34fe16aa1f

SHA1
c1b418f59ebc45a28eef5cd59644dfd51cd229d7

SHA256
587e34ce7e5c395e86acd53d211d3248033b71601f0eb211345b63fb369d704b

SHA512
c1ff0aefcf10fd4b8c72729cf5a9355a984a3368d489f07493e8bccb179d100086d849fc7be826eeb37f75edae1cb2accc671bc7faf02bfe796ffff603e94c7d

Download Submit
C:\Windows\{3A3205D2-51E8-4ebf-9535-5C8687D9E9C1}.exe

Filesize
408KB

MD5
be8c920a993dddc29144cb56ecddc91a

SHA1
046b7d3a9bccee44618e0742798dba6f397bc295

SHA256
c6da086e4a72fe4e646ee2ef84297abefbde88ffcb7135fb10624af712377f74

SHA512
e4a4a9f011462abae62103700364609b9a5e5a29060f2534747db719e744cc9ca3aa4039e66bbcecca5e1d3af342b04f44096f6f4e06c8e4f9f4f03077b02010

Download Submit
C:\Windows\{4B54391F-5E39-48e9-9E17-97AE6ABA170B}.exe

Filesize
408KB

MD5
fc5092352f565094661450931aa013dc

SHA1
d5283b5ee034b11691f1e5dd1b42ef5ed2e99340

SHA256
2f7ae4a8314248e9f0d1b1791e8198b868d7d6608cb972712d257326e8fc90d5

SHA512
5b0d366918b2a4b0572e3dbf6f2ed5260e862d1ae6d565e55d362096a7f62523f0f3c494b1b1d06a3dfa58853ba07c0ba75bdb07a5b421ee607ef9a8cb3a713d

Download Submit
C:\Windows\{58DB831E-09CA-4522-8E01-453F542DF3C3}.exe

Filesize
408KB

MD5
67ed862e36be43fbfc4b0b2051ccb67f

SHA1
6bacb3cacaa60d6cbd18dea4eb9dd9e51247cb47

SHA256
d9613165f54d24998873af72a1f0fb3d213aa2d71abb76b0d78fafe7bdcbaf23

SHA512
5e556316081b366a9f945c6882df2751f23af046bad4466c25c7b00a58b60c2fbd4eb459646c777fcac65edb5708d759433a28cae510193d594197cc094ec0ca

Download Submit
C:\Windows\{7C73C478-AD58-4787-A17A-7B5A4C56F323}.exe

Filesize
408KB

MD5
5fa460a065148fd880ec3b807db6d4b8

SHA1
d5deae54ce284a5c4a06f736918e5fb0c12a8f19

SHA256
224213958582780cedf03a6338880a260aec362865c725e560fb13e4ffe3e72e

SHA512
61d308618790b855774952642ad91908296ab12d970a5234262fc08215c7555e8deeb34f4903cabe0c1e789735cddd0e3f87959a270abafb1c605f9c69eaef85

Download Submit
C:\Windows\{7EADD3F4-118E-4d4e-9CCE-0F8E42BBFF4C}.exe

Filesize
408KB

MD5
c1f9a21667e8b18e649759d0ebde7ab7

SHA1
a64da9a03517928b0993fca69432b8e5239a0190

SHA256
7cfafc4fe3bfa7939831f9f31c70a5fd4b0db009d3226d4184288670cdf02abd

SHA512
b6ddaa602b28cb94eab885082f1c772fe704252f69c96964e3f35971534aee7fb31ae7086702e05008780b2af7a536f9c368ecd468bf1105c8bcdc6f5438f771

Download Submit
C:\Windows\{99A5E0F4-250E-4582-A7CF-AFDDCA4B9040}.exe

Filesize
408KB

MD5
7954f5b317f8eec1acb3190ffa8ddcd9

SHA1
f60216223a549e285d78e09b129517232b44174a

SHA256
e2fc9cd9ae9bc92e573b2c76a8c1d89bee6b56dd80fe1acf1f56e19cc05e8efb

SHA512
125026e04387521cd8bf0200fc55a25b88175788d23f9c90a733d6ff2b3b625b346477cf4b717c985ba5c78fba9d4bfd48d05db3183f926b029aba99f2fe14ac

Download Submit
C:\Windows\{B10D3EDB-EE7B-422b-BB2A-0E60CDC18178}.exe

Filesize
408KB

MD5
43e710aa8622dc9f8a75deb392e69bc8

SHA1
a28188fa0fa846eb56a4b28da2e0d0a69adc5412

SHA256
2ab9a3b71a69b8e714ce00ffdf7e0af1f54629222d0f72523a6c2e0bde76d29d

SHA512
27a06ca61620512c2ba8ce687ab3e3e6d27315c1b0529d8add70acc113e1e8036c7c4130cd43826a945a1d7a36fd15b7f202f406c46c01b47ddc68159060a563

Download Submit
C:\Windows\{BA812423-1E2A-4ea3-B35B-AFB332FBF34D}.exe

Filesize
408KB

MD5
ae2c89aeb927bd44bbd8108a46292705

SHA1
0bf7f3318b4a4094b7326544b0889ec192a0ab5c

SHA256
6d7d697ab82e6f4271fc66e94277c027398a78706395d554c935271efaa00700

SHA512
5e0cd32d0dd5740e2a5bd5d773a782df150d7bab6d7c35ccedebbc4dd433a0593210f42a86dfbaa0546a1c7425570a52f58fe90e58f8df8e737e275ad6c6882f

Download Submit
C:\Windows\{CAD6B4D0-0B17-4683-B7E4-0033C6021BE0}.exe

Filesize
408KB

MD5
59ff054d9b6a1a9eff1a65493e1c93b6

SHA1
d0065a18b373cc6253ff1c056b6e2717b5295812

SHA256
97abe0156963d559da8016c31d544abaca5c1076f7ea2d4d0572b1f953be64f3

SHA512
a1908d7cf61ccb18a3f431e23dd3fc70450b4a951b95acc6d461a8c706e1b44379b3a500002c7e37804e71c77d90f43bdd0b6c0f863ba4b35c5ae39aacf84a3f

Download Submit
C:\Windows\{D0E1A40E-C5F6-41a1-825E-3F0E87C18FFD}.exe

Filesize
408KB

MD5
7dfc2e88152a916bbf09d3f0b6ec5272

SHA1
18f3f5b49baac421f218f76828ba27bb15846196

SHA256
d7b731bc91703fe9429aae452fc8181da5688748d576f16cae0479f61be3ade2

SHA512
cd4e3e57c66dd3eaa74f39cb537da26f6e117eea62a0d44d59c6f2072d2a72cdb682c07eab16a67e234b203df834a9aded4d828374ba3c03b08a7331b06e4fbf

Download Submit