The whole attack chain except the initial JS file is executed in-memory (meaning it resides in memory or in the registry). Malwarebytes reports that in some cases Gootkit’s final payload is REvil ransomware.
Minerva Labs has stopped Gootkit at one of our clients. The sample we encountered stored its malicious code inside an environment variable, which is then read and executed via PowerShell:
The malicious process tree as seen in Minerva’s Platform:
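The pattern described above (a script host launching PowerShell, which pulls its payload out of an environment variable) is visible in process-creation telemetry even though the payload itself never touches disk. The following is an added detection example written for this page; it is not Minerva's code and not part of the original post. It assumes Sysmon-style process-creation fields (image, parent image, command line) and runs over a handful of constructed sample events, not real telemetry.

```python
"""Heuristic detection of PowerShell executing code held in an environment variable.

Added example, not Minerva's code. Field names mirror Sysmon Event ID 1
(process creation); the sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Script hosts that run the initial JS stage of chains like the one described above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell reading an environment variable, either via the $env: drive or the .NET API.
ENV_REF = re.compile(
    r"\$env:[A-Za-z_][A-Za-z0-9_]*|\[Environment\]::GetEnvironmentVariable", re.I
)
# PowerShell evaluating a string as code: Invoke-Expression (or its alias iex),
# or an encoded command passed on the command line (-e / -en / -ec / -enc / -EncodedCommand).
EVAL = re.compile(
    r"\biex\b|Invoke-Expression|(?<!\S)-(?:e|en|ec|enc|encodedcommand)\b", re.I
)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path or bare name of the created process
    parent_image: str   # full path or bare name of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def reasons(ev: ProcEvent) -> List[str]:
    """Return the individual indicators that fire for one event (empty if not PowerShell)."""
    hits: List[str] = []
    if basename(ev.image) not in POWERSHELL:
        return hits
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        hits.append("spawned by script host")
    if ENV_REF.search(ev.command_line):
        hits.append("reads environment variable")
    if EVAL.search(ev.command_line):
        hits.append("evaluates code")
    return hits


def is_suspicious(ev: ProcEvent) -> bool:
    """Flag only the combination: an env-var read together with code evaluation
    or a script-host parent. A lone $env: reference is ordinary admin usage."""
    r = reasons(ev)
    return "reads environment variable" in r and (
        "evaluates code" in r or "spawned by script host" in r
    )


def flag_events(events: List[ProcEvent]) -> List[ProcEvent]:
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (hypothetical PIDs, paths and variable name).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              'powershell.exe -w hidden -c "iex $env:CONSTRUCTED_VAR"'),
    ProcEvent(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              'powershell.exe -NoProfile -Command "Write-Output $env:COMPUTERNAME"'),
    ProcEvent(1004, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {', '.join(reasons(ev))}")
```

The command line only shows that an environment variable is being read, not what it contains, so this heuristic should be paired with PowerShell Script Block Logging (Event ID 4104), which records the script text after expansion and therefore captures the payload that was staged in the variable.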