b133044ab849f7e29d6ca958bc8393345da35514af65d894ccef4323150408e6

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 03:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b381c7c9b23a2dba55aa561e2cd4331a.exe
Size

204KB
MD5

b381c7c9b23a2dba55aa561e2cd4331a
SHA1

3c46281195ebd99b5a71cac20bc61c74a5541be5
SHA256

b133044ab849f7e29d6ca958bc8393345da35514af65d894ccef4323150408e6
SHA512

9af446c09d3691a2ce266b2b2f708a542a65c36ac2296f5c742d488fefe6a399cd3eead0f538743638d399997226eb4ba0367a992acca7e7eabd8348c9ab2504
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oul1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB829C25-243D-4f95-AAF0-78E1886F3360}\stubpath = "C:\\Windows\\{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe"	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01CA6001-70C6-492d-A66D-6C57011A47F1}	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01CA6001-70C6-492d-A66D-6C57011A47F1}\stubpath = "C:\\Windows\\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe"	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{469394C1-9BF8-490e-85AB-6859001AB61E}	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}\stubpath = "C:\\Windows\\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe"	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}\stubpath = "C:\\Windows\\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe"	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}	b381c7c9b23a2dba55aa561e2cd4331a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52C5670-24CA-4494-B030-3E4B3F00905E}	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}\stubpath = "C:\\Windows\\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe"	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{469394C1-9BF8-490e-85AB-6859001AB61E}\stubpath = "C:\\Windows\\{469394C1-9BF8-490e-85AB-6859001AB61E}.exe"	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}\stubpath = "C:\\Windows\\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe"	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB829C25-243D-4f95-AAF0-78E1886F3360}	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C47799-5724-43a4-A3D1-36CD35609CCD}\stubpath = "C:\\Windows\\{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe"	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}\stubpath = "C:\\Windows\\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe"	b381c7c9b23a2dba55aa561e2cd4331a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52C5670-24CA-4494-B030-3E4B3F00905E}\stubpath = "C:\\Windows\\{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe"	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}\stubpath = "C:\\Windows\\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe"	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C47799-5724-43a4-A3D1-36CD35609CCD}	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A079969E-CB67-4734-AD39-422B3D2DDE28}	{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A079969E-CB67-4734-AD39-422B3D2DDE28}\stubpath = "C:\\Windows\\{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe"	{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe

Executes dropped EXE 12 IoCs

pid	Process
1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
3328	{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe
2372	{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	b381c7c9b23a2dba55aa561e2cd4331a.exe
File created	C:\Windows\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
File created	C:\Windows\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
File created	C:\Windows\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
File created	C:\Windows\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
File created	C:\Windows\{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
File created	C:\Windows\{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe	{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe
File created	C:\Windows\{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
File created	C:\Windows\{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
File created	C:\Windows\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
File created	C:\Windows\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
File created	C:\Windows\{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe
Token: SeIncBasePriorityPrivilege	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
Token: SeIncBasePriorityPrivilege	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
Token: SeIncBasePriorityPrivilege	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
Token: SeIncBasePriorityPrivilege	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
Token: SeIncBasePriorityPrivilege	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
Token: SeIncBasePriorityPrivilege	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
Token: SeIncBasePriorityPrivilege	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
Token: SeIncBasePriorityPrivilege	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
Token: SeIncBasePriorityPrivilege	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
Token: SeIncBasePriorityPrivilege	4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
Token: SeIncBasePriorityPrivilege	3328	{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1272	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	103
PID 4148 wrote to memory of 1272	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	103
PID 4148 wrote to memory of 1272	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	103
PID 4148 wrote to memory of 1624	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	104
PID 4148 wrote to memory of 1624	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	104
PID 4148 wrote to memory of 1624	4148	b381c7c9b23a2dba55aa561e2cd4331a.exe	104
PID 1272 wrote to memory of 1420	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	108
PID 1272 wrote to memory of 1420	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	108
PID 1272 wrote to memory of 1420	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	108
PID 1272 wrote to memory of 2564	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	109
PID 1272 wrote to memory of 2564	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	109
PID 1272 wrote to memory of 2564	1272	{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe	109
PID 1420 wrote to memory of 624	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	111
PID 1420 wrote to memory of 624	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	111
PID 1420 wrote to memory of 624	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	111
PID 1420 wrote to memory of 3808	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	112
PID 1420 wrote to memory of 3808	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	112
PID 1420 wrote to memory of 3808	1420	{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe	112
PID 624 wrote to memory of 1084	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	115
PID 624 wrote to memory of 1084	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	115
PID 624 wrote to memory of 1084	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	115
PID 624 wrote to memory of 4196	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	116
PID 624 wrote to memory of 4196	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	116
PID 624 wrote to memory of 4196	624	{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe	116
PID 1084 wrote to memory of 4480	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	117
PID 1084 wrote to memory of 4480	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	117
PID 1084 wrote to memory of 4480	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	117
PID 1084 wrote to memory of 2400	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	118
PID 1084 wrote to memory of 2400	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	118
PID 1084 wrote to memory of 2400	1084	{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe	118
PID 4480 wrote to memory of 1448	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	120
PID 4480 wrote to memory of 1448	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	120
PID 4480 wrote to memory of 1448	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	120
PID 4480 wrote to memory of 4220	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	121
PID 4480 wrote to memory of 4220	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	121
PID 4480 wrote to memory of 4220	4480	{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe	121
PID 1448 wrote to memory of 4596	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	122
PID 1448 wrote to memory of 4596	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	122
PID 1448 wrote to memory of 4596	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	122
PID 1448 wrote to memory of 2384	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	123
PID 1448 wrote to memory of 2384	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	123
PID 1448 wrote to memory of 2384	1448	{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe	123
PID 4596 wrote to memory of 4604	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	124
PID 4596 wrote to memory of 4604	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	124
PID 4596 wrote to memory of 4604	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	124
PID 4596 wrote to memory of 1056	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	125
PID 4596 wrote to memory of 1056	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	125
PID 4596 wrote to memory of 1056	4596	{469394C1-9BF8-490e-85AB-6859001AB61E}.exe	125
PID 4604 wrote to memory of 4864	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	130
PID 4604 wrote to memory of 4864	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	130
PID 4604 wrote to memory of 4864	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	130
PID 4604 wrote to memory of 1436	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	131
PID 4604 wrote to memory of 1436	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	131
PID 4604 wrote to memory of 1436	4604	{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe	131
PID 4864 wrote to memory of 4412	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	136
PID 4864 wrote to memory of 4412	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	136
PID 4864 wrote to memory of 4412	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	136
PID 4864 wrote to memory of 1944	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	137
PID 4864 wrote to memory of 1944	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	137
PID 4864 wrote to memory of 1944	4864	{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe	137
PID 4412 wrote to memory of 3328	4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe	138
PID 4412 wrote to memory of 3328	4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe	138
PID 4412 wrote to memory of 3328	4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe	138
PID 4412 wrote to memory of 876	4412	{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe	139

C:\Users\Admin\AppData\Local\Temp\b381c7c9b23a2dba55aa561e2cd4331a.exe
"C:\Users\Admin\AppData\Local\Temp\b381c7c9b23a2dba55aa561e2cd4331a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
  C:\Windows\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
    C:\Windows\{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
      C:\Windows\{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
        
        C:\Windows\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
        
        C:\Windows\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
        
        C:\Windows\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
        
        C:\Windows\{469394C1-9BF8-490e-85AB-6859001AB61E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
        
        C:\Windows\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
        
        C:\Windows\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
        
        C:\Windows\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe
        
        C:\Windows\{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe
        
        C:\Windows\{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe
        13⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67C47~1.EXE > nul
        13⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB5E~1.EXE > nul
        12⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87C59~1.EXE > nul
        11⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B18F8~1.EXE > nul
        10⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46939~1.EXE > nul
        9⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF0B~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19CAE~1.EXE > nul
        7⤵
        
        PID:4220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01CA6~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F52C5~1.EXE > nul
        5⤵
        
        PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB829~1.EXE > nul
      4⤵
      PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B3F~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B381C7~1.EXE > nul
  2⤵
  PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe

Filesize
192KB

MD5
12db982b2fad1a0ed888dc4e230c5b48

SHA1
410fed98d0ee0d131ec6276e6e94a79f47dccfb5

SHA256
70e2f583d8008258128fa6f6f8df944319a02877c12c9bc43837133d0e807b7a

SHA512
6b58027377b58fc2d1284c2b2474314153029a705fd4488141730bc71b933e718ad7525a5334adacc527dd51f0f1db95f5ae70c7bc25c9beda9b4b8157a331bd

Download Submit
C:\Windows\{01CA6001-70C6-492d-A66D-6C57011A47F1}.exe

Filesize
79KB

MD5
6500d863cc9ba69a4642baf523403d07

SHA1
af1ed7659cb778262c0b55b753869d3bd5634ec4

SHA256
ba0ff20ea0cf93690a927c36635319128d6bd33c6f5352c41d8d161c9b67ffdd

SHA512
4b0c384514bf1b580519d23a466132ed11fd4d9fc96cb2f2250b092bd41efc63bd965c852efe07f117310f8b8d31d0fa51ad9688c394301605838b8ed6886fd1

Download Submit
C:\Windows\{19CAE0E1-2FE0-496a-B555-42F9EFFF7338}.exe

Filesize
204KB

MD5
6b803bbd6a552518e66274eeeccfb491

SHA1
9d5ad62efd4dbec0ce3785185942fe058e054763

SHA256
b347672089cccfb8e3fcc1987d2ebda090542cb3eb63469505c6cd5ef48b4daa

SHA512
42c538a5530bc86532643f2136096f891d24ed411da4670ceffcdfeb7155bc7827a42600b83e952116df2c7eb878939d159ee5ff06412ffb20d6adbcfcf4686c

Download Submit
C:\Windows\{469394C1-9BF8-490e-85AB-6859001AB61E}.exe

Filesize
204KB

MD5
201cf70437dad62ba731a6f9aaf628aa

SHA1
9805f4dfc7820f909f3e01aa4753eb439e45f311

SHA256
72afded1686a735e878f3e59633d3b287424600ce76894aeac9c66d040a12490

SHA512
72c19cfd6f8c1c0dc3952e4f0fdd2deb43de4064237e4542ad07d60405ce3947c4a1afc71cc97adf628474a05017667a9ce2a92e89b11999851f8c2436d37ae5

Download Submit
C:\Windows\{67C47799-5724-43a4-A3D1-36CD35609CCD}.exe

Filesize
204KB

MD5
4d723a7a3cbcdf912bf5736c3d7f1835

SHA1
6226bb4162e3743c3ed975ff3ceb9452adee258b

SHA256
e1fac06c9ce77814d111cc5d28cdecf89a3d3519402bc8ac03a1f5fa0336a47d

SHA512
b6a30b4769f94437c7192950da0fe5e7bffcbc8f07c41137e2bcff9e09d55e76a73d83f43d99236fdc252620eea82c19560c1f9228df8b5ede99bae08e378d0e

Download Submit
C:\Windows\{87C591D8-5C93-4ad6-B1E4-F47F37F78743}.exe

Filesize
204KB

MD5
0f3e6d472fb3986d9f0a320f1a80ad61

SHA1
685477c5049f274def37743b10b85a498d084334

SHA256
b94a502e545502c6dd420fc8c6bb301efadb6eff35a6f687b2790076aefb46d2

SHA512
f8bc4c1d6df45e92dc0e3b738730a8f64fc6c4d8768388ab6dd712a6a92c8d9084a22496eb583b5f491855e70419cb899a5cd37085ef901fefe46f30a96dac14

Download Submit
C:\Windows\{A079969E-CB67-4734-AD39-422B3D2DDE28}.exe

Filesize
204KB

MD5
3f1c0cf8faf8935a9b44b9245ede07ac

SHA1
80403e45ac3dcc6f1488902156a68423d4697220

SHA256
5cc43469a3a3f2f4528e9988b8a17cb561252e89946b98242ac3b468946ceb9b

SHA512
f6fe3f8df393299a871b7dacb4590c92596b0ee15f1b30096091bd9bcf54521c4dab03db254ff74b98a8a2648eb8bc3691f786202ae16cb458447bdf1678809c

Download Submit
C:\Windows\{B18F8D82-C6C8-4da9-8088-F4CD0588A00C}.exe

Filesize
204KB

MD5
9b12a513fe9b5471a2478babdbda96f1

SHA1
a51574397da0a0bc7ce48e662ccbac27642befd9

SHA256
13fae5d72c34725fc2d4b29a10e2e8a2f97e92f37e28ca47e04c08ded2eda940

SHA512
9c86cff6dfbe697f3910121fe55ab0a3c5df87afbd1e115165b9cbdb01d320309139e1368d0d9bb47bd0071ae18c30731ac7d89854229a46841f24bf8365b7ec

Download Submit
C:\Windows\{BCB5E60F-26DD-4ae9-BC7B-D48587ED1899}.exe

Filesize
204KB

MD5
c63c7fd7b1695adf78f8239b6786f05a

SHA1
1f39030fa23f0f662808a5bbe39131c6b5610ea3

SHA256
e3e6c15bec625f9a1446b45d313549efc1e27a24aa00ceca009330c4af039da4

SHA512
e0184e6ec313e4372ea8926e016a3140c1305084e520d473224e95133e9c12901427190837035533a5448a1bb8a6b6293100b506e8ced227d159e222a727b87d

Download Submit
C:\Windows\{DEF0B0D7-F9BC-491f-92FA-0AE4304CFAFF}.exe

Filesize
204KB

MD5
8149704349bd6e3d29e628ea9d8d938a

SHA1
59a90fa1fa0df4002510b99baeb0b57730cd71ce

SHA256
2a3f70573349976c8c154915030fbed3dcc164a84de72ed8c2540d5172bc57a3

SHA512
25cb8b750fe8c78a9bd058c43284b844d69f1ad3bb42cdd2787eb3da7c88ee78ab20db2093c5063c3372d6421bf60e79586c1ce1d29a5f46e463985bc573411c

Download Submit
C:\Windows\{EB829C25-243D-4f95-AAF0-78E1886F3360}.exe

Filesize
204KB

MD5
e32f95e8505e75c99c27f54375e980e8

SHA1
73e374f584a65201ee240365199cb98cb3772f2f

SHA256
1a3e488c53513593f66a1dcba8d45ed44b0c8866cf5c174ae2ed27ab1f9a55e6

SHA512
318f5f9b42981f2a75686eb1b97673946b95c6de538ee34e3059e4f09357a4226aabc8c534c22d1f7e56bf0d2a7a2a21e826256a7500eff79462aa773ad44647

Download Submit
C:\Windows\{F3B3F60F-34E5-475a-8175-0EB38E4D0931}.exe

Filesize
204KB

MD5
36618fc3e08a21250b681c3caa206cc4

SHA1
458f51f65a427bb4dd01aa6bdc382d73d03eb272

SHA256
ffa882021e374195f69d9f948eb8ccc5433033dda83cfb87708f6ddaf7ae4105

SHA512
3ab899ac56e66d6d0929953553378adc00e3889caecd292533c0efee6ad6db1ee97651a8f51082238012a2ae1980ff0c9b7b248e22eab070f47a6be8e9b94c8e

Download Submit
C:\Windows\{F52C5670-24CA-4494-B030-3E4B3F00905E}.exe

Filesize
204KB

MD5
06b84acb3b7b073e629a38eb3c9e84a3

SHA1
30527d66c19ff61c40c87ed3349eb79fab2e02cf

SHA256
65c81da55f75cb88fcb697429a73388a2a58ed037e46ccedbee9ca4bdf32833e

SHA512
e78eff80db51f303e9c45901432e065588fea8ed8c3cdf5c0c877ae1c5f3bd14eeb3a828a476cebed1fb052861088c15bbb69122815872a5cb2787bc881ed33d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads