717b21cdfcc9d7270fc85aaa2ebd8e865e45b584f862cbfdf9f544f7482d46e7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Size

408KB
MD5

0cd20ffec964472cc4a54e8b4e619260
SHA1

038a39a7a43f12af68aca4ce322712f56662fb89
SHA256

717b21cdfcc9d7270fc85aaa2ebd8e865e45b584f862cbfdf9f544f7482d46e7
SHA512

ac46f8b1ac716289c42260f4f3bb6338da409b9872470cf5c83b629d965ac0cf9e2f99f08c2206507d6c4166b88d24e0f63f67b56f63bdd93bfe02e301e9bb4f
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{97068678-2415-4ca4-8484-2A93ED361E44}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{36035558-B448-46a2-99FC-CF716295BA4A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{97068678-2415-4ca4-8484-2A93ED361E44}.exe{37835512-14FB-494d-B2DA-677F2F2D906D}.exe{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe{36035558-B448-46a2-99FC-CF716295BA4A}.exe{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe{96D020FB-1311-4ea0-A770-638B370EBA99}.exe{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36035558-B448-46a2-99FC-CF716295BA4A}\stubpath = "C:\\Windows\\{36035558-B448-46a2-99FC-CF716295BA4A}.exe"	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F44D29F-141C-4747-A03A-EBEC25AAC950}	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F44D29F-141C-4747-A03A-EBEC25AAC950}\stubpath = "C:\\Windows\\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe"	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4700CE-CF59-4410-8C01-C103B8BA2222}	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37835512-14FB-494d-B2DA-677F2F2D906D}	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}\stubpath = "C:\\Windows\\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe"	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D34907-1757-4e82-ADAE-E8E72008B3A9}	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97068678-2415-4ca4-8484-2A93ED361E44}	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37835512-14FB-494d-B2DA-677F2F2D906D}\stubpath = "C:\\Windows\\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe"	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}\stubpath = "C:\\Windows\\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe"	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4700CE-CF59-4410-8C01-C103B8BA2222}\stubpath = "C:\\Windows\\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe"	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D34907-1757-4e82-ADAE-E8E72008B3A9}\stubpath = "C:\\Windows\\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe"	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97068678-2415-4ca4-8484-2A93ED361E44}\stubpath = "C:\\Windows\\{97068678-2415-4ca4-8484-2A93ED361E44}.exe"	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D020FB-1311-4ea0-A770-638B370EBA99}\stubpath = "C:\\Windows\\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe"	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}\stubpath = "C:\\Windows\\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe"	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36035558-B448-46a2-99FC-CF716295BA4A}	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}\stubpath = "C:\\Windows\\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe"	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}\stubpath = "C:\\Windows\\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe"	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D020FB-1311-4ea0-A770-638B370EBA99}	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe

Executes dropped EXE 12 IoCs

Processes:

{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe{97068678-2415-4ca4-8484-2A93ED361E44}.exe{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe{96D020FB-1311-4ea0-A770-638B370EBA99}.exe{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe{36035558-B448-46a2-99FC-CF716295BA4A}.exe{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe{37835512-14FB-494d-B2DA-677F2F2D906D}.exe{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe

pid	process
4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
2464	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
3704	{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe

Drops file in Windows directory 12 IoCs

Processes:

{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe{36035558-B448-46a2-99FC-CF716295BA4A}.exe{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe{96D020FB-1311-4ea0-A770-638B370EBA99}.exe{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe{37835512-14FB-494d-B2DA-677F2F2D906D}.exe2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{97068678-2415-4ca4-8484-2A93ED361E44}.exe{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe

description	ioc	process
File created	C:\Windows\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
File created	C:\Windows\{97068678-2415-4ca4-8484-2A93ED361E44}.exe	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
File created	C:\Windows\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
File created	C:\Windows\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
File created	C:\Windows\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
File created	C:\Windows\{36035558-B448-46a2-99FC-CF716295BA4A}.exe	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
File created	C:\Windows\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
File created	C:\Windows\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
File created	C:\Windows\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
File created	C:\Windows\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
File created	C:\Windows\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
File created	C:\Windows\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe{97068678-2415-4ca4-8484-2A93ED361E44}.exe{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe{96D020FB-1311-4ea0-A770-638B370EBA99}.exe{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe{36035558-B448-46a2-99FC-CF716295BA4A}.exe{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe{37835512-14FB-494d-B2DA-677F2F2D906D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
Token: SeIncBasePriorityPrivilege	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
Token: SeIncBasePriorityPrivilege	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
Token: SeIncBasePriorityPrivilege	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
Token: SeIncBasePriorityPrivilege	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
Token: SeIncBasePriorityPrivilege	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
Token: SeIncBasePriorityPrivilege	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
Token: SeIncBasePriorityPrivilege	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
Token: SeIncBasePriorityPrivilege	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
Token: SeIncBasePriorityPrivilege	2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
Token: SeIncBasePriorityPrivilege	2464	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4628 wrote to memory of 4744	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
PID 4628 wrote to memory of 4744	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
PID 4628 wrote to memory of 4744	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
PID 4628 wrote to memory of 4964	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 4628 wrote to memory of 4964	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 4628 wrote to memory of 4964	4628	2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe	cmd.exe
PID 4744 wrote to memory of 5012	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
PID 4744 wrote to memory of 5012	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
PID 4744 wrote to memory of 5012	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	{97068678-2415-4ca4-8484-2A93ED361E44}.exe
PID 4744 wrote to memory of 468	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	cmd.exe
PID 4744 wrote to memory of 468	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	cmd.exe
PID 4744 wrote to memory of 468	4744	{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe	cmd.exe
PID 5012 wrote to memory of 2004	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
PID 5012 wrote to memory of 2004	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
PID 5012 wrote to memory of 2004	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
PID 5012 wrote to memory of 1820	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	cmd.exe
PID 5012 wrote to memory of 1820	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	cmd.exe
PID 5012 wrote to memory of 1820	5012	{97068678-2415-4ca4-8484-2A93ED361E44}.exe	cmd.exe
PID 2004 wrote to memory of 4560	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
PID 2004 wrote to memory of 4560	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
PID 2004 wrote to memory of 4560	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
PID 2004 wrote to memory of 392	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	cmd.exe
PID 2004 wrote to memory of 392	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	cmd.exe
PID 2004 wrote to memory of 392	2004	{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe	cmd.exe
PID 4560 wrote to memory of 3396	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
PID 4560 wrote to memory of 3396	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
PID 4560 wrote to memory of 3396	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
PID 4560 wrote to memory of 2116	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	cmd.exe
PID 4560 wrote to memory of 2116	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	cmd.exe
PID 4560 wrote to memory of 2116	4560	{96D020FB-1311-4ea0-A770-638B370EBA99}.exe	cmd.exe
PID 3396 wrote to memory of 4148	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
PID 3396 wrote to memory of 4148	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
PID 3396 wrote to memory of 4148	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	{36035558-B448-46a2-99FC-CF716295BA4A}.exe
PID 3396 wrote to memory of 3620	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	cmd.exe
PID 3396 wrote to memory of 3620	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	cmd.exe
PID 3396 wrote to memory of 3620	3396	{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe	cmd.exe
PID 4148 wrote to memory of 2648	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
PID 4148 wrote to memory of 2648	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
PID 4148 wrote to memory of 2648	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
PID 4148 wrote to memory of 2576	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	cmd.exe
PID 4148 wrote to memory of 2576	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	cmd.exe
PID 4148 wrote to memory of 2576	4148	{36035558-B448-46a2-99FC-CF716295BA4A}.exe	cmd.exe
PID 2648 wrote to memory of 4268	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
PID 2648 wrote to memory of 4268	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
PID 2648 wrote to memory of 4268	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
PID 2648 wrote to memory of 1652	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	cmd.exe
PID 2648 wrote to memory of 1652	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	cmd.exe
PID 2648 wrote to memory of 1652	2648	{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe	cmd.exe
PID 4268 wrote to memory of 2172	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
PID 4268 wrote to memory of 2172	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
PID 4268 wrote to memory of 2172	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
PID 4268 wrote to memory of 4028	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	cmd.exe
PID 4268 wrote to memory of 4028	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	cmd.exe
PID 4268 wrote to memory of 4028	4268	{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe	cmd.exe
PID 2172 wrote to memory of 2540	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
PID 2172 wrote to memory of 2540	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
PID 2172 wrote to memory of 2540	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
PID 2172 wrote to memory of 4256	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	cmd.exe
PID 2172 wrote to memory of 4256	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	cmd.exe
PID 2172 wrote to memory of 4256	2172	{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe	cmd.exe
PID 2540 wrote to memory of 2464	2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
PID 2540 wrote to memory of 2464	2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
PID 2540 wrote to memory of 2464	2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
PID 2540 wrote to memory of 1048	2540	{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0cd20ffec964472cc4a54e8b4e619260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
C:\Windows\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\{97068678-2415-4ca4-8484-2A93ED361E44}.exe
C:\Windows\{97068678-2415-4ca4-8484-2A93ED361E44}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
C:\Windows\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
C:\Windows\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
C:\Windows\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\{36035558-B448-46a2-99FC-CF716295BA4A}.exe
C:\Windows\{36035558-B448-46a2-99FC-CF716295BA4A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
C:\Windows\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
C:\Windows\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
C:\Windows\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
C:\Windows\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
C:\Windows\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe
C:\Windows\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe
13⤵
- Executes dropped EXE
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{37835~1.EXE > nul
13⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9B470~1.EXE > nul
12⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0F44D~1.EXE > nul
11⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFE0~1.EXE > nul
10⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{64A45~1.EXE > nul
9⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36035~1.EXE > nul
8⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{895F7~1.EXE > nul
7⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96D02~1.EXE > nul
6⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8C74C~1.EXE > nul
5⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{97068~1.EXE > nul
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{24422~1.EXE > nul
3⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F44D29F-141C-4747-A03A-EBEC25AAC950}.exe

Filesize
408KB

MD5
cd0b4816ee86ab5d1b28a1dda755e228

SHA1
9e468fad23e24cfd129002c4910fca5fdeec1175

SHA256
6d22b464fee7b4a2ee2429633ca6fbc5428df1d70b89cd1654ab33e246f7b5f6

SHA512
2252bf1cc0cc41b184c2f3171f3b2e1d805dd97eb53bc3ca892875bc011c724540b8613df707123e5f09c054aeba27eb29e14643101db5a67d0b3289242dd4e9

Download Submit
C:\Windows\{22D34907-1757-4e82-ADAE-E8E72008B3A9}.exe

Filesize
408KB

MD5
1d463c3fc186c1b10b829d16d1b6df25

SHA1
27c5633249af52194d8e20196157a95fd0c8207e

SHA256
b17e48690febc8a8d5a02d5544aa37e519c98c8fd1708ca9085a5b5c2f0c0c4a

SHA512
797790fcb95bf3e0f689a7be18e3e550f886d123ba9a4eadf88877076a124fb36b330fdddab4aad6ca9d9d940d2f1a19fbdeb200037c9616ca034b9b53aefa21

Download Submit
C:\Windows\{24422CBC-CA56-498e-8AE9-4BCB2A0D2612}.exe

Filesize
408KB

MD5
905b3fd0ef705da91eaab6d388531104

SHA1
5f1e012a2ae2f8f2c89a4972e86ab08e2a9486ee

SHA256
38b632529639573d2483c2e37ae87c8ff6685b77f432015fb0194935a6344d27

SHA512
dff8de0652a388ed051eadee731a4e6115f3342b6863731d7c473d1584b02def5f62e7e1f957d687adb883262831bda4c672c0b227039220ce38aba697bffc1f

Download Submit
C:\Windows\{36035558-B448-46a2-99FC-CF716295BA4A}.exe

Filesize
408KB

MD5
044efda5e574029ba46dde4853e756ce

SHA1
64517ced24c5c099fae58e19fa591c0b4e61cd30

SHA256
2c382e9c3a8e71d311ce8122abee4cd379ceb9058bfb9b847463f7d12aded335

SHA512
333195165515f341eb8811b068bf141b8f0477ec14bd39db7735d0ce118e4335089ea08e22eccf89a21e5e1164ab419ff1d66c9727cb0da1fb3f4d6b414161e5

Download Submit
C:\Windows\{37835512-14FB-494d-B2DA-677F2F2D906D}.exe

Filesize
408KB

MD5
dc2cb18a147adce6b82c606d56e9aec7

SHA1
5828ca954c8381d4c217925d63ba1e56a658de30

SHA256
924faa566dab4da6d8d3983e60338105bb27a6555d61dcf4bff971a38f745f3c

SHA512
20aed7a391143f6fded4c63ebe8e685516eaacc22b836667031cb6a99e8cc1268412c547dfa69fd013a730e7b66cb590c476e1a4a989c32d2de39df67843fcb5

Download Submit
C:\Windows\{64A45B99-6F35-4e58-8176-0A67A67D2D7D}.exe

Filesize
408KB

MD5
8334ede08c281b120bcb5d37491c30d6

SHA1
bc45464445c631c09bfadf1f48bed3b71939dabe

SHA256
ecdba2fa160eb1b64fee6e4a7d3203b93f4446dee971e0ff56aa145da309b318

SHA512
9839fe32beb5bbd3bd978403578255c96ebda08513281e3b70ccc0fa35fce4384566424db1e7dab72b056f130c9a66c7e5ec9b244c6e156af5ac6affad66485f

Download Submit
C:\Windows\{895F70D5-F6FC-4264-9C44-256BD0A7ADF1}.exe

Filesize
408KB

MD5
4c1a5608be08e0270db270a8464456d9

SHA1
139fa74d5014040cfd6581160f5bfac92f9f6ab6

SHA256
96bcfec3a2f291b4b0051308b0d64cbcb8fdabdd1969719709184f97da6e388b

SHA512
dca00327db88cc81bd89c9378e3c5d4d83f75bf5ac36822daa8fec8fc521d0b84ce077721bff471de263ba77dc923f436c8a52c00b4a8b07da217756c52f1dec

Download Submit
C:\Windows\{8C74C146-A00E-4ca6-9E2E-90DBE2624C06}.exe

Filesize
408KB

MD5
706af81496ef5590f8824886e0bb3bc6

SHA1
bf62f4eba4c73540b7153ff8b770cdf7921bcba9

SHA256
8d362d162fae9dc98f03b4712d0377c292a5be58f3d0a4b172bfbd348d63ee7c

SHA512
23f221efc5b643d869803a8dc4b28348cec5b667f6e9fc864ab189eb2ecc47564738bea3143dab26b68f86fbce78656bd3d9e7beaf0cff78bd7d52c641216394

Download Submit
C:\Windows\{96D020FB-1311-4ea0-A770-638B370EBA99}.exe

Filesize
408KB

MD5
2be2c0d3fa653c1edc03cf3a2c5e3984

SHA1
1703b0fbe672c3a02d77774a467d16a34bfa6303

SHA256
be434de3832c88a7060a564560125f4371e4f3a6d93b468387923e5cf386c6f7

SHA512
7b991a3e6f797c4537d246899ec7247658345c27e04a803b3afccd9b0d5d35f449dd6f65aedf49d53908d1b8067e544b6f7d751f680e8103cba4258ba20aaec0

Download Submit
C:\Windows\{97068678-2415-4ca4-8484-2A93ED361E44}.exe

Filesize
408KB

MD5
0047ae3ad2aae6145951c389afef1174

SHA1
9c0408041290128a599107e8e86bb310e4dc9cde

SHA256
0e52c58ff3dba21cf064f71d01d80678d5283673c8bbda7decfc374648574509

SHA512
8d84251c465784e10b167aea5700ccefa38560fd873ae52b873035b33b5cd6aa745033af1df1b9940a8e7da19e8f0573614f55259916a846cf065d5496a8529f

Download Submit
C:\Windows\{9B4700CE-CF59-4410-8C01-C103B8BA2222}.exe

Filesize
408KB

MD5
cdc03a0b69dc463e356b8052578cd4b5

SHA1
4ee66c04ebe882709a949660517a55c2ee3e3e9b

SHA256
c7041c2450ce0e8a2faba9169f0f3eb55741a3426bfd59a2e5835e219666b284

SHA512
0ee907214955f6aa902d6e592dae2ecae07dc38ccb57c6d9b32b9f77286c2f5eb3a5d637442f430bf7794596ae0e638099910cd6b86e35c9bd3422074a568bd4

Download Submit
C:\Windows\{DEFE05A6-A807-4798-9F68-3D7775BF7B1A}.exe

Filesize
408KB

MD5
2a5ddcc7a98473f7b32cab870313b4b5

SHA1
27460bf316d0be27ce2df0857b79fe959ee02cbb

SHA256
248cfb5af9c3938d1949e1671bc22ea1adeceb0b5c603de84fbeaec8ea41bf20

SHA512
9508983dda535e4e4324fdc9554101eaf36ddc72372353d8401340df0b151c9c0cbcf8a28331757b3a86a02a708d8774aea5242556bafc21ecfec42d7fc8ac5c

Download Submit