bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Size

90KB
MD5

9b25967fba780be4080b4d71be3d2a2a
SHA1

fbef73eaf62f7a333728fd6560874056cee7863d
SHA256

bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78
SHA512

9f03f0d8ec3128792048e51ddad849fe4129f56ef814fcb5731083451a2b1b13bcec3242e60c7a6307aeb0dcc39869c67a1849660ee8ea59305244fecf5a05b5
SSDEEP

768:50w981IshKQLroDL4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzr:CEGI0oDLlVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}\stubpath = "C:\\Windows\\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe"	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF019CEF-C500-4060-BF8F-F478F712BF80}	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F32D39B-F7B5-4081-B329-744F9D846B92}\stubpath = "C:\\Windows\\{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe"	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}\stubpath = "C:\\Windows\\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe"	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AC94A8-A741-498a-B791-870D4BCAD22D}	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B55228-3438-4506-A03A-95CDF53357D4}	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88698821-EB71-4763-8E4F-1E145C1E5AAD}	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F32D39B-F7B5-4081-B329-744F9D846B92}	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2628F134-85A7-4b62-B83C-BD70900022FB}	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF019CEF-C500-4060-BF8F-F478F712BF80}\stubpath = "C:\\Windows\\{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe"	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}\stubpath = "C:\\Windows\\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe"	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EC205A-062D-43f6-9F56-A584BA60A6A5}\stubpath = "C:\\Windows\\{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe"	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}\stubpath = "C:\\Windows\\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe"	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AC94A8-A741-498a-B791-870D4BCAD22D}\stubpath = "C:\\Windows\\{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe"	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EC205A-062D-43f6-9F56-A584BA60A6A5}	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2628F134-85A7-4b62-B83C-BD70900022FB}\stubpath = "C:\\Windows\\{2628F134-85A7-4b62-B83C-BD70900022FB}.exe"	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B55228-3438-4506-A03A-95CDF53357D4}\stubpath = "C:\\Windows\\{F9B55228-3438-4506-A03A-95CDF53357D4}.exe"	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88698821-EB71-4763-8E4F-1E145C1E5AAD}\stubpath = "C:\\Windows\\{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe"	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDF1412-D687-404c-BE50-5FCF90A406CD}	{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDF1412-D687-404c-BE50-5FCF90A406CD}\stubpath = "C:\\Windows\\{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe"	{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
3036	{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe
5076	{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
File created	C:\Windows\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
File created	C:\Windows\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
File created	C:\Windows\{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
File created	C:\Windows\{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
File created	C:\Windows\{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
File created	C:\Windows\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
File created	C:\Windows\{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
File created	C:\Windows\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
File created	C:\Windows\{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
File created	C:\Windows\{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe	{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe
File created	C:\Windows\{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
Token: SeIncBasePriorityPrivilege	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
Token: SeIncBasePriorityPrivilege	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
Token: SeIncBasePriorityPrivilege	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
Token: SeIncBasePriorityPrivilege	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
Token: SeIncBasePriorityPrivilege	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
Token: SeIncBasePriorityPrivilege	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
Token: SeIncBasePriorityPrivilege	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
Token: SeIncBasePriorityPrivilege	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
Token: SeIncBasePriorityPrivilege	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
Token: SeIncBasePriorityPrivilege	5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
Token: SeIncBasePriorityPrivilege	3036	{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4032	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	90
PID 2420 wrote to memory of 4032	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	90
PID 2420 wrote to memory of 4032	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	90
PID 2420 wrote to memory of 1472	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	91
PID 2420 wrote to memory of 1472	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	91
PID 2420 wrote to memory of 1472	2420	bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe	91
PID 4032 wrote to memory of 4120	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	97
PID 4032 wrote to memory of 4120	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	97
PID 4032 wrote to memory of 4120	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	97
PID 4032 wrote to memory of 1020	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	98
PID 4032 wrote to memory of 1020	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	98
PID 4032 wrote to memory of 1020	4032	{2628F134-85A7-4b62-B83C-BD70900022FB}.exe	98
PID 4120 wrote to memory of 4888	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	102
PID 4120 wrote to memory of 4888	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	102
PID 4120 wrote to memory of 4888	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	102
PID 4120 wrote to memory of 4084	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	103
PID 4120 wrote to memory of 4084	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	103
PID 4120 wrote to memory of 4084	4120	{F9B55228-3438-4506-A03A-95CDF53357D4}.exe	103
PID 4888 wrote to memory of 1064	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	105
PID 4888 wrote to memory of 1064	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	105
PID 4888 wrote to memory of 1064	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	105
PID 4888 wrote to memory of 5100	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	106
PID 4888 wrote to memory of 5100	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	106
PID 4888 wrote to memory of 5100	4888	{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe	106
PID 1064 wrote to memory of 4008	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	107
PID 1064 wrote to memory of 4008	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	107
PID 1064 wrote to memory of 4008	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	107
PID 1064 wrote to memory of 2724	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	108
PID 1064 wrote to memory of 2724	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	108
PID 1064 wrote to memory of 2724	1064	{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe	108
PID 4008 wrote to memory of 2556	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	109
PID 4008 wrote to memory of 2556	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	109
PID 4008 wrote to memory of 2556	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	109
PID 4008 wrote to memory of 1132	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	110
PID 4008 wrote to memory of 1132	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	110
PID 4008 wrote to memory of 1132	4008	{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe	110
PID 2556 wrote to memory of 5092	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	111
PID 2556 wrote to memory of 5092	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	111
PID 2556 wrote to memory of 5092	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	111
PID 2556 wrote to memory of 4288	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	112
PID 2556 wrote to memory of 4288	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	112
PID 2556 wrote to memory of 4288	2556	{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe	112
PID 5092 wrote to memory of 3824	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	113
PID 5092 wrote to memory of 3824	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	113
PID 5092 wrote to memory of 3824	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	113
PID 5092 wrote to memory of 3308	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	114
PID 5092 wrote to memory of 3308	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	114
PID 5092 wrote to memory of 3308	5092	{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe	114
PID 3824 wrote to memory of 1832	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	115
PID 3824 wrote to memory of 1832	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	115
PID 3824 wrote to memory of 1832	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	115
PID 3824 wrote to memory of 4180	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	116
PID 3824 wrote to memory of 4180	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	116
PID 3824 wrote to memory of 4180	3824	{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe	116
PID 1832 wrote to memory of 5064	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	117
PID 1832 wrote to memory of 5064	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	117
PID 1832 wrote to memory of 5064	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	117
PID 1832 wrote to memory of 4120	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	118
PID 1832 wrote to memory of 4120	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	118
PID 1832 wrote to memory of 4120	1832	{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe	118
PID 5064 wrote to memory of 3036	5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe	119
PID 5064 wrote to memory of 3036	5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe	119
PID 5064 wrote to memory of 3036	5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe	119
PID 5064 wrote to memory of 1580	5064	{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe	120

C:\Users\Admin\AppData\Local\Temp\bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe
"C:\Users\Admin\AppData\Local\Temp\bcae193e8e31b309f452cd8af5591e60478fb77be2adccf18b6272c77192de78.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
  C:\Windows\{2628F134-85A7-4b62-B83C-BD70900022FB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
    C:\Windows\{F9B55228-3438-4506-A03A-95CDF53357D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
      C:\Windows\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
        
        C:\Windows\{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
        
        C:\Windows\{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
        
        C:\Windows\{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
        
        C:\Windows\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
        
        C:\Windows\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
        
        C:\Windows\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
        
        C:\Windows\{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe
        
        C:\Windows\{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe
        
        C:\Windows\{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe
        13⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41EC2~1.EXE > nul
        13⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AC9~1.EXE > nul
        12⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E102E~1.EXE > nul
        11⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B82E~1.EXE > nul
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F508~1.EXE > nul
        9⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F32D~1.EXE > nul
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF019~1.EXE > nul
        7⤵
        
        PID:1132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88698~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDBB5~1.EXE > nul
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B55~1.EXE > nul
      4⤵
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2628F~1.EXE > nul
    3⤵
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BCAE19~1.EXE > nul
  2⤵
  PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2628F134-85A7-4b62-B83C-BD70900022FB}.exe

Filesize
90KB

MD5
c16b13b9702f5d1976a3e77b90e36c5e

SHA1
398961ed330848dc7d205b6cdcce76fc4f3e3f8e

SHA256
ce319ddf858ea64285fbf5cf64e7c715bfb928b2ff2b33002b54fd8e729577b7

SHA512
ec601c7702dc525ac53d2d5537234109d40d17a01581d38c424c6ccd0431e2015e09f9aa80fd02558fa66c7487126b65c9f5f5b724e6a5abc5a79328a15a5e9e

Download Submit
C:\Windows\{41EC205A-062D-43f6-9F56-A584BA60A6A5}.exe

Filesize
90KB

MD5
a4e4e0ebaca0aad509456fe182dc9352

SHA1
c2f9391e7da4f5e3f8e72c4c9f2f294046937faf

SHA256
83c187671775f95ee0d35be88c930e52fbc3a7c5d0888c3676b7956f0431fb56

SHA512
a7489cef48af47b4afb3141c1c7e58d10bb7e649e2cdac4f790d4656495d2ee42c3e12a54c75cdb162b146eff7f09c2b6c3856c96b43a631b9afc4d1f082f744

Download Submit
C:\Windows\{4DDF1412-D687-404c-BE50-5FCF90A406CD}.exe

Filesize
90KB

MD5
2701a45070d89cd00b765a8570965d07

SHA1
a653d4b008cda970b4ec6efc0ef3da78c5ca1a8f

SHA256
9f2b270880123e6da3433374313bab53821ea6a70ff54a37ce6aabb82c99ac0a

SHA512
6ea3d8b409d3d0e7c5d2f2fccb2e2f19fcc362f2774cadc1c05b6000e12be80cf5acc0c85100f3730a6d712767ddf9ee30975b899ed9089e62806addf1df7a16

Download Submit
C:\Windows\{5F5087DD-1D66-4a17-8563-A3D7F23E4E06}.exe

Filesize
90KB

MD5
c527379dbf3226320b67499f5c94eb48

SHA1
3774f6811979d6914000eb8b356aa97dffc7f77b

SHA256
83d1c7f6cb2e8b068630d7094885423f21db6aa1e271c9eb043d591eed9501b5

SHA512
4db87f67e78fc30af92318a3f595978d85a817105196c3e3c2f791be3aadc47c2498e18aa595dc020a96139d84b132930734ab6d09d8b0f5362080ccac7adfad

Download Submit
C:\Windows\{7F32D39B-F7B5-4081-B329-744F9D846B92}.exe

Filesize
90KB

MD5
923e9510f05ab6f823ce9b8c6d7fe631

SHA1
7275f774bf1fc96dac7d6bd28262ca0ca269e15f

SHA256
28a8fda0d50904a0efa174e3157104c55b7aab95b24eb37015574e80e7a76c35

SHA512
534ca10407b560b09b1d7a796467fd4bb638dc5d35f24555d360ff7852acee8e5df1f93daa167ae9b08c6e9783a54b2cea6391e5122c1f7aa82f08e9abf96d96

Download Submit
C:\Windows\{88698821-EB71-4763-8E4F-1E145C1E5AAD}.exe

Filesize
90KB

MD5
1af757ddee908b38bc0c21d3c13f444c

SHA1
dd66618cd299707e76d33f90e6f5aa5a13f85bdb

SHA256
061f618b9e2438fa236f487d8b0ad257169f1a84fe3104ef62e049b6a6a9d51c

SHA512
d33ac7c9ec407b7d5f7846b4bd797c34d6d6e7907840f9910948b5c81ea246d5df0c5c5969a268598c0a8468797ff516efc7d6967c85b614273b9e4f14dda549

Download Submit
C:\Windows\{8B82E4D3-6EAD-40b1-9F61-BD7A69F12FCA}.exe

Filesize
90KB

MD5
a967d99226f474f9a84ea278f8c6a040

SHA1
f2f820978e6159e7c6cb046188ebb4a00fb4052e

SHA256
8e1e6b0c2cf63ab51d7b0939cffe9a2c983519eee2a04d6478cd39aeb7d556a3

SHA512
0e7b833dcc51fbb3810a7958dbf25e06863b695b6b14d87e0587648f798fa827695d82123480d50e00dfe5a3f033b431ea6201704bdb137dd06d8e5e1516a5cd

Download Submit
C:\Windows\{E102EDBD-E5E0-4759-B633-0DA5D9D89953}.exe

Filesize
90KB

MD5
68946f8761ab17c247498922373df2d7

SHA1
d4b2df89610f2ebdad57233561a8da336aac97ad

SHA256
a928a179cb1122bb4c6e6cb42f22d4951b400659b23f83041a14b5f3eac35663

SHA512
595ca9c64abf109705b627119c2579c6882a0878315128f0a47c8dca36a638a288744901c1d8ede868e8f4190f3e022e0aef0f7cef27372f10fb595f65b2645f

Download Submit
C:\Windows\{EF019CEF-C500-4060-BF8F-F478F712BF80}.exe

Filesize
90KB

MD5
a359570a540e2e60a9b27691c1ef02e4

SHA1
adc163c78ef6eb0f2685af5554892a0dc7dcce68

SHA256
44aec97925863da0aff6010add9644cf55ac7273138ae1b819f20631a5cd12ce

SHA512
a8f01446ab36edbd0851950e43c8c803274f2de6d93e27a3bf63c4f4f2ebfda5dae5892d9e26e7d0ccd9a7b1c8196f143823bc29becf77e34fa3f04151f9a40e

Download Submit
C:\Windows\{F1AC94A8-A741-498a-B791-870D4BCAD22D}.exe

Filesize
90KB

MD5
2f3108951887ef89197e2eb90302bbb9

SHA1
e24b734e8193ae403af5afd2e60ee4a905eec20c

SHA256
c62b14fd788dc7fdc9f6fe251b5e8bdfcb8b3904c8498e5898e98f50a479ef0b

SHA512
862418379b10b6336d587ced8beb1c492a48856a1654548169506498bc0698f8d82d40ce9f55dd7e879f74d82b1021b17fc961202bbf309861d4b542b71be375

Download Submit
C:\Windows\{F9B55228-3438-4506-A03A-95CDF53357D4}.exe

Filesize
90KB

MD5
417d7c514cd467e4cbf572273e7c091e

SHA1
e624f3cd5e67c4c35dd20e559bf1311f453d7715

SHA256
03a50954c3f472421a3d8122e54eb7f4b55cfacd604c551463507f4a1f142ffa

SHA512
45ac580d56b6f3075a3a699fec3a18e70c55427fc8cb65713815b83bf05c124885f0bd917979f43338926e803a22798dc60f54d0407ee0ebf70f43dca3360818

Download Submit
C:\Windows\{FDBB590A-FEE4-4f45-987F-BB6F4D2EC659}.exe

Filesize
90KB

MD5
fd4e8ca54e2b5ac5f060b069361c9db4

SHA1
235ee69855adace295423272ceb21d9bed981347

SHA256
859442bb0e5696616c1a464c855a60b026865685591967e462a9ad702ad3b109

SHA512
ff2ecc8a48e3b989043c14a8c57ba9ea5128525b84a1363938fa2db22365a804e6a155e83ee2dc438b5ddad36bc5a9aff02a55bad4cd56c428dc274f8ca1e989

Download Submit
memory/1064-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1064-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1832-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1832-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3824-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3824-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4120-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4120-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4888-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4888-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5064-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5064-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5076-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5092-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5092-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads