Analysis
max time kernel: 138s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:52

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
  Resource: win10v2004-20240226-en

General
Target: 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Size: 380KB
MD5: 6d567ac7a66fe4ff2118501fe126bae9
SHA1: 133a6c80f2401f94d2646b7839f88606d8bc967a
SHA256: 2d9369dc9317b9d668139c100f78be2db8979ad4c67a3c62b91185ece6601adf
SHA512: 5665592a36e8c13be5ce5bbeaef83ba0ea7f8f905ff679d09240416e29fa70f9e481fbe1bdad9e78c0aff149b0aca1442fc582aefa5d5c74a473308502847926
SSDEEP: 3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (13 IoCs)
resource | yara_rule
behavioral2/files/0x000200000001e32b-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023256-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325c-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023256-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325c-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-25.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE} | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}\stubpath = "C:\\Windows\\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe" | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFCB991-94C6-484b-932C-FCE0F483953C} | {B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115D24B6-F88F-4b65-9606-2C0A80530B5D}\stubpath = "C:\\Windows\\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe" | {6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49} | {115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6915B993-2171-4c6f-9E24-D53711C2C3B1} | {C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28} | {2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}\stubpath = "C:\\Windows\\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe" | {2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6} | {4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}\stubpath = "C:\\Windows\\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe" | {4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F48177-1F32-48cb-863A-3602EF773218} | {FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC} | {3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333} | {F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115D24B6-F88F-4b65-9606-2C0A80530B5D} | {6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6915B993-2171-4c6f-9E24-D53711C2C3B1}\stubpath = "C:\\Windows\\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe" | {C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFCB991-94C6-484b-932C-FCE0F483953C}\stubpath = "C:\\Windows\\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe" | {B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F48177-1F32-48cb-863A-3602EF773218}\stubpath = "C:\\Windows\\{C5F48177-1F32-48cb-863A-3602EF773218}.exe" | {FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAF9596-C2CA-4548-98A9-C7B73C45D504} | {C5F48177-1F32-48cb-863A-3602EF773218}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}\stubpath = "C:\\Windows\\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe" | {C5F48177-1F32-48cb-863A-3602EF773218}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}\stubpath = "C:\\Windows\\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe" | {3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}\stubpath = "C:\\Windows\\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe" | {F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}\stubpath = "C:\\Windows\\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe" | {115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
Executes dropped EXE (11 IoCs)
pid | Process
4524 | {2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
4516 | {B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
4144 | {4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
3036 | {FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
3476 | {C5F48177-1F32-48cb-863A-3602EF773218}.exe
2052 | {3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
452 | {F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
4724 | {C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
776 | {6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
3104 | {115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
4576 | {F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
File created | C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe | {2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
File created | C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe | {4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
File created | C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe | {FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
File created | C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe | {6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
File created | C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe | {115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
File created | C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe | {B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
File created | C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe | {C5F48177-1F32-48cb-863A-3602EF773218}.exe
File created | C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe | {3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
File created | C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe | {F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
File created | C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe | {C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4296 | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4524 | {2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
Token: SeIncBasePriorityPrivilege | 4516 | {B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
Token: SeIncBasePriorityPrivilege | 4144 | {4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
Token: SeIncBasePriorityPrivilege | 3036 | {FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
Token: SeIncBasePriorityPrivilege | 3476 | {C5F48177-1F32-48cb-863A-3602EF773218}.exe
Token: SeIncBasePriorityPrivilege | 2052 | {3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
Token: SeIncBasePriorityPrivilege | 452 | {F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
Token: SeIncBasePriorityPrivilege | 4724 | {C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
Token: SeIncBasePriorityPrivilege | 776 | {6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
Token: SeIncBasePriorityPrivilege | 3104 | {115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"
    PID: 4296
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
      Command line: C:\Windows\{2EF4FCD2-D7CE-4b83-99F2-B98C52A4F2AE}.exe
      PID: 4524
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
        Command line: C:\Windows\{B9C7975C-85B7-4bc5-BD2E-D89F677BBC28}.exe
        PID: 4516
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
          Command line: C:\Windows\{4FFCB991-94C6-484b-932C-FCE0F483953C}.exe
          PID: 4144
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
            Command line: C:\Windows\{FEEA6D98-5317-4e2b-A62C-5F03A009B1A6}.exe
            PID: 3036
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe
              Command line: C:\Windows\{C5F48177-1F32-48cb-863A-3602EF773218}.exe
              PID: 3476
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
                Command line: C:\Windows\{3DAF9596-C2CA-4548-98A9-C7B73C45D504}.exe
                PID: 2052
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
                  Command line: C:\Windows\{F30D2E4D-B085-4b0f-AE1C-3822E8885AFC}.exe
                  PID: 452
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
                    Command line: C:\Windows\{C9AEA7EF-0FDA-42aa-9C1D-2469BA255333}.exe
                    PID: 4724
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
                       Command line: C:\Windows\{6915B993-2171-4c6f-9E24-D53711C2C3B1}.exe
                       PID: 776
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
                         Command line: C:\Windows\{115D24B6-F88F-4b65-9606-2C0A80530B5D}.exe
                         PID: 3104
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
                           Command line: C:\Windows\{F5D55528-C2A1-4998-A7D7-33C7AE5C2A49}.exe
                           PID: 4576
                           - Executes dropped EXE
                        [13] C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe
                             Command line: C:\Windows\{9B765254-8B15-443a-8483-3F95CAAED4EA}.exe
                             PID: 3696
                        [13] C:\Windows\SysWOW64\cmd.exe
                             Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D55~1.EXE > nul
                             PID: 4712
                      [12] C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{115D2~1.EXE > nul
                           PID: 4200
                    [11] C:\Windows\SysWOW64\cmd.exe
                         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6915B~1.EXE > nul
                         PID: 1656
                  [10] C:\Windows\SysWOW64\cmd.exe
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AEA~1.EXE > nul
                       PID: 5064
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F30D2~1.EXE > nul
                    PID: 4720
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3DAF9~1.EXE > nul
                  PID: 1064
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F48~1.EXE > nul
                PID: 4916
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FEEA6~1.EXE > nul
              PID: 1516
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFCB~1.EXE > nul
            PID: 4876
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C79~1.EXE > nul
          PID: 4796
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF4F~1.EXE > nul
        PID: 4624
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 5088
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    PID: 1336
Network
MITRE ATT&CK Enterprise v15
Downloads