cc5cb2bd4273e5bc878f5ff4ad8e669c9a0390a80c742c5ae05118b6fe17e40b

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbb084fdc9799890b9a6ed46e526c149.exe
Size

76KB
MD5

fbb084fdc9799890b9a6ed46e526c149
SHA1

1ff2417f20a30ebf6d4b93b56e96032fe4b88896
SHA256

cc5cb2bd4273e5bc878f5ff4ad8e669c9a0390a80c742c5ae05118b6fe17e40b
SHA512

0e3345c3b358f6a39375f44a1fc70440fcc11b2b30510ee0a9a57dcc5ab0f464dacd4b1674d8797d64c5dae6d218e1417edd03aea089bee5b93aa2bb2799c375
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro6w4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLro6w4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3500272-511E-4618-A2BE-F50FD465BB69}	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1589A0-345E-4b76-9885-CD3390DFE663}	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}\stubpath = "C:\\Windows\\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe"	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD491191-3827-451a-8935-260E603EB80B}	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD491191-3827-451a-8935-260E603EB80B}\stubpath = "C:\\Windows\\{FD491191-3827-451a-8935-260E603EB80B}.exe"	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF4418B9-8980-41db-A940-CABD5D87D63D}	{FD491191-3827-451a-8935-260E603EB80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF4418B9-8980-41db-A940-CABD5D87D63D}\stubpath = "C:\\Windows\\{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe"	{FD491191-3827-451a-8935-260E603EB80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAEB28D9-1334-46f5-883C-713C01F04653}	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B8E639-31CF-4504-88FA-B57539E791FB}\stubpath = "C:\\Windows\\{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe"	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}\stubpath = "C:\\Windows\\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe"	fbb084fdc9799890b9a6ed46e526c149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C867A27E-7562-4b25-B126-66C4CF5BD961}	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3500272-511E-4618-A2BE-F50FD465BB69}\stubpath = "C:\\Windows\\{E3500272-511E-4618-A2BE-F50FD465BB69}.exe"	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B8E639-31CF-4504-88FA-B57539E791FB}	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1589A0-345E-4b76-9885-CD3390DFE663}\stubpath = "C:\\Windows\\{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe"	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FAAC99-1EC6-4704-ABB5-73723C694D73}\stubpath = "C:\\Windows\\{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe"	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAEB28D9-1334-46f5-883C-713C01F04653}\stubpath = "C:\\Windows\\{AAEB28D9-1334-46f5-883C-713C01F04653}.exe"	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}\stubpath = "C:\\Windows\\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe"	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}	fbb084fdc9799890b9a6ed46e526c149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74FAAC99-1EC6-4704-ABB5-73723C694D73}	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C867A27E-7562-4b25-B126-66C4CF5BD961}\stubpath = "C:\\Windows\\{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe"	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe

Executes dropped EXE 11 IoCs

pid	Process
2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
760	{FD491191-3827-451a-8935-260E603EB80B}.exe
4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe
4108	{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
File created	C:\Windows\{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
File created	C:\Windows\{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	{FD491191-3827-451a-8935-260E603EB80B}.exe
File created	C:\Windows\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
File created	C:\Windows\{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
File created	C:\Windows\{E3500272-511E-4618-A2BE-F50FD465BB69}.exe	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
File created	C:\Windows\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	fbb084fdc9799890b9a6ed46e526c149.exe
File created	C:\Windows\{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
File created	C:\Windows\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
File created	C:\Windows\{FD491191-3827-451a-8935-260E603EB80B}.exe	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
File created	C:\Windows\{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3464	fbb084fdc9799890b9a6ed46e526c149.exe
Token: SeIncBasePriorityPrivilege	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
Token: SeIncBasePriorityPrivilege	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
Token: SeIncBasePriorityPrivilege	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
Token: SeIncBasePriorityPrivilege	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
Token: SeIncBasePriorityPrivilege	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
Token: SeIncBasePriorityPrivilege	760	{FD491191-3827-451a-8935-260E603EB80B}.exe
Token: SeIncBasePriorityPrivilege	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
Token: SeIncBasePriorityPrivilege	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
Token: SeIncBasePriorityPrivilege	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
Token: SeIncBasePriorityPrivilege	4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2332	3464	fbb084fdc9799890b9a6ed46e526c149.exe	100
PID 3464 wrote to memory of 2332	3464	fbb084fdc9799890b9a6ed46e526c149.exe	100
PID 3464 wrote to memory of 2332	3464	fbb084fdc9799890b9a6ed46e526c149.exe	100
PID 3464 wrote to memory of 2924	3464	fbb084fdc9799890b9a6ed46e526c149.exe	101
PID 3464 wrote to memory of 2924	3464	fbb084fdc9799890b9a6ed46e526c149.exe	101
PID 3464 wrote to memory of 2924	3464	fbb084fdc9799890b9a6ed46e526c149.exe	101
PID 2332 wrote to memory of 4728	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	104
PID 2332 wrote to memory of 4728	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	104
PID 2332 wrote to memory of 4728	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	104
PID 2332 wrote to memory of 4488	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	105
PID 2332 wrote to memory of 4488	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	105
PID 2332 wrote to memory of 4488	2332	{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe	105
PID 4728 wrote to memory of 1228	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	107
PID 4728 wrote to memory of 1228	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	107
PID 4728 wrote to memory of 1228	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	107
PID 4728 wrote to memory of 3932	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	108
PID 4728 wrote to memory of 3932	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	108
PID 4728 wrote to memory of 3932	4728	{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe	108
PID 1228 wrote to memory of 3112	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	110
PID 1228 wrote to memory of 3112	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	110
PID 1228 wrote to memory of 3112	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	110
PID 1228 wrote to memory of 1828	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	111
PID 1228 wrote to memory of 1828	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	111
PID 1228 wrote to memory of 1828	1228	{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe	111
PID 3112 wrote to memory of 1208	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	112
PID 3112 wrote to memory of 1208	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	112
PID 3112 wrote to memory of 1208	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	112
PID 3112 wrote to memory of 2240	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	113
PID 3112 wrote to memory of 2240	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	113
PID 3112 wrote to memory of 2240	3112	{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe	113
PID 1208 wrote to memory of 760	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	114
PID 1208 wrote to memory of 760	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	114
PID 1208 wrote to memory of 760	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	114
PID 1208 wrote to memory of 3904	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	115
PID 1208 wrote to memory of 3904	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	115
PID 1208 wrote to memory of 3904	1208	{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe	115
PID 760 wrote to memory of 4740	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	116
PID 760 wrote to memory of 4740	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	116
PID 760 wrote to memory of 4740	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	116
PID 760 wrote to memory of 2616	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	117
PID 760 wrote to memory of 2616	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	117
PID 760 wrote to memory of 2616	760	{FD491191-3827-451a-8935-260E603EB80B}.exe	117
PID 4740 wrote to memory of 3540	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	118
PID 4740 wrote to memory of 3540	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	118
PID 4740 wrote to memory of 3540	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	118
PID 4740 wrote to memory of 4424	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	119
PID 4740 wrote to memory of 4424	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	119
PID 4740 wrote to memory of 4424	4740	{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe	119
PID 3540 wrote to memory of 3932	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	120
PID 3540 wrote to memory of 3932	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	120
PID 3540 wrote to memory of 3932	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	120
PID 3540 wrote to memory of 4828	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	121
PID 3540 wrote to memory of 4828	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	121
PID 3540 wrote to memory of 4828	3540	{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe	121
PID 3932 wrote to memory of 4920	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	122
PID 3932 wrote to memory of 4920	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	122
PID 3932 wrote to memory of 4920	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	122
PID 3932 wrote to memory of 2400	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	123
PID 3932 wrote to memory of 2400	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	123
PID 3932 wrote to memory of 2400	3932	{AAEB28D9-1334-46f5-883C-713C01F04653}.exe	123
PID 4920 wrote to memory of 4108	4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe	124
PID 4920 wrote to memory of 4108	4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe	124
PID 4920 wrote to memory of 4108	4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe	124
PID 4920 wrote to memory of 3376	4920	{E3500272-511E-4618-A2BE-F50FD465BB69}.exe	125

C:\Users\Admin\AppData\Local\Temp\fbb084fdc9799890b9a6ed46e526c149.exe
"C:\Users\Admin\AppData\Local\Temp\fbb084fdc9799890b9a6ed46e526c149.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
  C:\Windows\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
    C:\Windows\{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
      C:\Windows\{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
        
        C:\Windows\{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
        
        C:\Windows\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{FD491191-3827-451a-8935-260E603EB80B}.exe
        
        C:\Windows\{FD491191-3827-451a-8935-260E603EB80B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
        
        C:\Windows\{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
        
        C:\Windows\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
        
        C:\Windows\{AAEB28D9-1334-46f5-883C-713C01F04653}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{E3500272-511E-4618-A2BE-F50FD465BB69}.exe
        
        C:\Windows\{E3500272-511E-4618-A2BE-F50FD465BB69}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe
        
        C:\Windows\{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe
        12⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3500~1.EXE > nul
        12⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAEB2~1.EXE > nul
        11⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EFB7~1.EXE > nul
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF441~1.EXE > nul
        9⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD491~1.EXE > nul
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{532F6~1.EXE > nul
        7⤵
        
        PID:3904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C867A~1.EXE > nul
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FAA~1.EXE > nul
        5⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC158~1.EXE > nul
      4⤵
      PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{37060~1.EXE > nul
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FBB084~1.EXE > nul
  2⤵
  PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EFB7253-3401-471d-A3EB-49AD61E3DCFF}.exe

Filesize
76KB

MD5
434778f46acc148d3cd0a06bb3c0a3eb

SHA1
4770c5e654414f59a7b54fcdc29b21edf81a160c

SHA256
15280ca9b0e01707eabf647dd9567ab4aab5c757e36abb99022ef8036b9a266a

SHA512
09b26d51e15c78e4bc7ecc1e12d4c2ff6ccc38d11461d9ddd2f3bc327c76076f65bcc757d57efce9b611454babd9b18ab85b13d3545d58e35f32b8791567b4f5

Download Submit
C:\Windows\{37060841-42F8-45aa-9EDC-8AF3DFD24C1E}.exe

Filesize
76KB

MD5
4452c5cdbb2a2bba3be09030823e3231

SHA1
a8c496113c69f826f5e65556e229fb3db3a68642

SHA256
0bc5879c528eeb7b5200ea92a224ddb47be32f80ab0b5ce340a435ed5f7e792f

SHA512
11c2d83ed0e31a0fb4b3b5dbc5d60c6666425f6efb1fbfa01ad3ab0bebaf6f514c1b5eea1b3c22eaa0e641ad45cdfd7c14bbac59da5f35319aaea28de3650625

Download Submit
C:\Windows\{532F6872-7BC0-4bb6-BF9D-D8FE344E8F17}.exe

Filesize
76KB

MD5
e991589cfd9729b1e06ea1f7e6646ce9

SHA1
cd7c849597acd475780d8ae99ada0afddf566d15

SHA256
07970c440718b958f4f51eeaca0614aa7815bc9fb3d8679bdf50e2715355c93d

SHA512
f174074300118e87d06f44ca3d6cc5fbe36d78d4ee7d268fcd6af51cf4c64c17255f8340d1d44d899191cd775eb791fff17e324ad5c49f4d2c9637fc445eff4d

Download Submit
C:\Windows\{74FAAC99-1EC6-4704-ABB5-73723C694D73}.exe

Filesize
76KB

MD5
1cd27e462cc7e00edd4ff2361b319ec6

SHA1
31a900fe7131a27389bfc14491ec8fbbbe2174e5

SHA256
df94b44a9ea0bb12ace3d48963a9e9cfe60db399e0c7b3ff072657e05b603238

SHA512
867e5429704431cf2bd2e02530d1e38cbac14b074c89409e7ba1d43813a0fb306e58eaa38556ee11d64cd3e07ee801aa1c1f7a0af1d24816733180b08eb46b98

Download Submit
C:\Windows\{AAEB28D9-1334-46f5-883C-713C01F04653}.exe

Filesize
76KB

MD5
1d42ef71c1670032d59afb415a6d8855

SHA1
3156e07f5727d6154534c0f41e1382456d57c934

SHA256
385313f133d1967b9bcf6fc95c7f08e7ffb5d5da0ca1fbce4d2ab235f0c18b44

SHA512
bce272de8173889d2c35fcce8082f7344f184bbbca64aa5af325ddda0c77e2657126862d180cc7906417283cb8983d8b8e4a4d3ecf61ed6c84c3f5375ca78f16

Download Submit
C:\Windows\{C867A27E-7562-4b25-B126-66C4CF5BD961}.exe

Filesize
76KB

MD5
0c55ddbc63051c785206bd4539ebfb78

SHA1
9b8df6feb297161fd26597235e3a00709fb93593

SHA256
79d0d573965329c32c58d42efad9f8499de23887ff1bc448fb27acf8c0b107ed

SHA512
f90b3007b8bbff85b24f71c4667fe3e434ef8e2b4dce328472827da6e00c22d815ac5497283781a38544b09a36fdbfdc33e12f83b2363edc869aa57f41d9ab8d

Download Submit
C:\Windows\{DC1589A0-345E-4b76-9885-CD3390DFE663}.exe

Filesize
76KB

MD5
1e7ca9b4839b31e6754494359d2bfcf2

SHA1
fc0e910d91f47d2943fd1dddaf3569ac73378bd1

SHA256
7308fbfc26be8dec07b8b515a4b62093cdd6ba5da4463a109d7cfe10c86ae3ae

SHA512
58c9681622939b3dd07d8147e4926bd7587a858ce9bbc5b5bf9aa3d8c7c0e05e4a0fc8fbacfb154995bc7ed821d08e465681b6b85faa5d22b6b397d296c7a2a7

Download Submit
C:\Windows\{E3500272-511E-4618-A2BE-F50FD465BB69}.exe

Filesize
76KB

MD5
890f47405ae4177bc318a7210f3975e6

SHA1
41790799310b2565069cc7aa1ff458b38e624570

SHA256
4a72ff4aa7a05fbb1548eda649be6a989d9de4d6e28e5f40a262a946136566f1

SHA512
b7492cec1027b541d0bfb01add7987213f96e6a927c173d4fa93467a7dcbbc5facdd2bf392a2b6a9f230930b058649bb5badf47a55cbff19b0e97bf4be717d7a

Download Submit
C:\Windows\{E9B8E639-31CF-4504-88FA-B57539E791FB}.exe

Filesize
76KB

MD5
e82d51b44ee72feee877019e9242610e

SHA1
60156bf67a6c938742fb09de2ad0cae67d0e8b7c

SHA256
12a69d57d24f6120ae5f2357f58bb243f22a4152c764bb9df469aa65ba8875e9

SHA512
064ba794e17d5612327ca8b7c4619e9e0b5f5783b7b96f1736585117d7f9036480f8bf13c127a52b4c5ac254462994785679325aa5ef20e5505d15806b448bb7

Download Submit
C:\Windows\{FD491191-3827-451a-8935-260E603EB80B}.exe

Filesize
76KB

MD5
2c4b9082c802ed81c1debc9b04e0ba02

SHA1
d230117a8557769ad5e8c1f946e5f2254275b24e

SHA256
9499c43e2c4f2be3e86759bc6cd72bb1d2e6e2ca540702ac0fc10c451280e8d4

SHA512
17cdd3493661434201de7ab8a57d93f6d93a49cced04a37a8f8835b3954a651ff323b917778ad9eee0743b24086ee0c505e1e1613794efca2fd60853e72a3599

Download Submit
C:\Windows\{FF4418B9-8980-41db-A940-CABD5D87D63D}.exe

Filesize
76KB

MD5
d8a70e8c6a6e16caecd94a9fce671caa

SHA1
547c53567105b48d01d3584573729104c2fdba7d

SHA256
315393a73ca2ec6e8f13237f5f2947decaee01eb2438bbe2a2da55764ae5dfa5

SHA512
dc283d3f04edd11ded90ff722b54947d5e4b6de5631bc29eb88c36ca45d34c000b7504757fa55a1c537d44e1e4a6fb1bcd09410b47506cfae5ab2e9fa683236a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads