cc3895e853a55568ac47007c0cbe9bf6ee607255456296ca20781803a13d0287

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Size

90KB
MD5

8db0a7d9903b18038b6240536c8115a0
SHA1

486dc0d0b83196df0029f3a8247162903135bd9d
SHA256

cc3895e853a55568ac47007c0cbe9bf6ee607255456296ca20781803a13d0287
SHA512

32ef4043d7798a91ae1802594c3030565d44279042e43fb13d1e648069512b14190ac16ca2682482412b959195dd84fc9ca21cea9e15fba14c615ac299acac14
SSDEEP

768:5vw9816thKQLroe4/wQkNrfrunMxVFA3bA:lEG/0oelbunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}\stubpath = "C:\\Windows\\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe"	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163DEA24-F184-41fb-81BA-54453BA76A49}	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}\stubpath = "C:\\Windows\\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe"	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776E0AA1-7C81-451c-B83C-065E7D20803B}\stubpath = "C:\\Windows\\{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe"	{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E98BBAB-1E0C-41be-A605-C97B83505687}	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}\stubpath = "C:\\Windows\\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe"	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}\stubpath = "C:\\Windows\\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe"	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}\stubpath = "C:\\Windows\\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe"	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163DEA24-F184-41fb-81BA-54453BA76A49}\stubpath = "C:\\Windows\\{163DEA24-F184-41fb-81BA-54453BA76A49}.exe"	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776E0AA1-7C81-451c-B83C-065E7D20803B}	{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30599A2-1D97-412e-AAD3-C977D7AF8489}	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F80EB4C6-C618-4232-A053-62381EFF3408}\stubpath = "C:\\Windows\\{F80EB4C6-C618-4232-A053-62381EFF3408}.exe"	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E98BBAB-1E0C-41be-A605-C97B83505687}\stubpath = "C:\\Windows\\{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe"	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F80EB4C6-C618-4232-A053-62381EFF3408}	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}\stubpath = "C:\\Windows\\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe"	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}\stubpath = "C:\\Windows\\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe"	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30599A2-1D97-412e-AAD3-C977D7AF8489}\stubpath = "C:\\Windows\\{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe"	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe

Executes dropped EXE 12 IoCs

pid	Process
4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
640	{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe
4524	{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
File created	C:\Windows\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
File created	C:\Windows\{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
File created	C:\Windows\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
File created	C:\Windows\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
File created	C:\Windows\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
File created	C:\Windows\{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
File created	C:\Windows\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
File created	C:\Windows\{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
File created	C:\Windows\{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
File created	C:\Windows\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
File created	C:\Windows\{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe	{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Token: SeIncBasePriorityPrivilege	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
Token: SeIncBasePriorityPrivilege	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
Token: SeIncBasePriorityPrivilege	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
Token: SeIncBasePriorityPrivilege	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
Token: SeIncBasePriorityPrivilege	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
Token: SeIncBasePriorityPrivilege	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
Token: SeIncBasePriorityPrivilege	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
Token: SeIncBasePriorityPrivilege	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
Token: SeIncBasePriorityPrivilege	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
Token: SeIncBasePriorityPrivilege	1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
Token: SeIncBasePriorityPrivilege	640	{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4288	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	90
PID 3968 wrote to memory of 4288	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	90
PID 3968 wrote to memory of 4288	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	90
PID 3968 wrote to memory of 4348	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	91
PID 3968 wrote to memory of 4348	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	91
PID 3968 wrote to memory of 4348	3968	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	91
PID 4288 wrote to memory of 1248	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	97
PID 4288 wrote to memory of 1248	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	97
PID 4288 wrote to memory of 1248	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	97
PID 4288 wrote to memory of 3932	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	98
PID 4288 wrote to memory of 3932	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	98
PID 4288 wrote to memory of 3932	4288	{F80EB4C6-C618-4232-A053-62381EFF3408}.exe	98
PID 1248 wrote to memory of 3556	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	102
PID 1248 wrote to memory of 3556	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	102
PID 1248 wrote to memory of 3556	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	102
PID 1248 wrote to memory of 4420	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	103
PID 1248 wrote to memory of 4420	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	103
PID 1248 wrote to memory of 4420	1248	{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe	103
PID 3556 wrote to memory of 436	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	105
PID 3556 wrote to memory of 436	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	105
PID 3556 wrote to memory of 436	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	105
PID 3556 wrote to memory of 3052	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	106
PID 3556 wrote to memory of 3052	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	106
PID 3556 wrote to memory of 3052	3556	{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe	106
PID 436 wrote to memory of 3848	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	107
PID 436 wrote to memory of 3848	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	107
PID 436 wrote to memory of 3848	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	107
PID 436 wrote to memory of 4312	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	108
PID 436 wrote to memory of 4312	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	108
PID 436 wrote to memory of 4312	436	{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe	108
PID 3848 wrote to memory of 3176	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	109
PID 3848 wrote to memory of 3176	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	109
PID 3848 wrote to memory of 3176	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	109
PID 3848 wrote to memory of 2636	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	110
PID 3848 wrote to memory of 2636	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	110
PID 3848 wrote to memory of 2636	3848	{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe	110
PID 3176 wrote to memory of 3976	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	111
PID 3176 wrote to memory of 3976	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	111
PID 3176 wrote to memory of 3976	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	111
PID 3176 wrote to memory of 3296	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	112
PID 3176 wrote to memory of 3296	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	112
PID 3176 wrote to memory of 3296	3176	{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe	112
PID 3976 wrote to memory of 3920	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	113
PID 3976 wrote to memory of 3920	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	113
PID 3976 wrote to memory of 3920	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	113
PID 3976 wrote to memory of 3308	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	114
PID 3976 wrote to memory of 3308	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	114
PID 3976 wrote to memory of 3308	3976	{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe	114
PID 3920 wrote to memory of 2432	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	115
PID 3920 wrote to memory of 2432	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	115
PID 3920 wrote to memory of 2432	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	115
PID 3920 wrote to memory of 4860	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	116
PID 3920 wrote to memory of 4860	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	116
PID 3920 wrote to memory of 4860	3920	{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe	116
PID 2432 wrote to memory of 1924	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	117
PID 2432 wrote to memory of 1924	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	117
PID 2432 wrote to memory of 1924	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	117
PID 2432 wrote to memory of 3412	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	118
PID 2432 wrote to memory of 3412	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	118
PID 2432 wrote to memory of 3412	2432	{163DEA24-F184-41fb-81BA-54453BA76A49}.exe	118
PID 1924 wrote to memory of 640	1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe	119
PID 1924 wrote to memory of 640	1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe	119
PID 1924 wrote to memory of 640	1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe	119
PID 1924 wrote to memory of 4544	1924	{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe	120

C:\Users\Admin\AppData\Local\Temp\virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_8db0a7d9903b18038b6240536c8115a0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
  C:\Windows\{F80EB4C6-C618-4232-A053-62381EFF3408}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
    C:\Windows\{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
      C:\Windows\{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
        
        C:\Windows\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
        
        C:\Windows\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
        
        C:\Windows\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
        
        C:\Windows\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
        
        C:\Windows\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
        
        C:\Windows\{163DEA24-F184-41fb-81BA-54453BA76A49}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
        
        C:\Windows\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe
        
        C:\Windows\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe
        
        C:\Windows\{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EFC4~1.EXE > nul
        13⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8E3B~1.EXE > nul
        12⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163DE~1.EXE > nul
        11⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2181D~1.EXE > nul
        10⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{026EA~1.EXE > nul
        9⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04131~1.EXE > nul
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B130F~1.EXE > nul
        7⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2697~1.EXE > nul
        6⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E98B~1.EXE > nul
        5⤵
        
        PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3059~1.EXE > nul
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F80EB~1.EXE > nul
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE > nul
  2⤵
  PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{026EA504-AA9A-4dc1-91A3-42CA44A89E70}.exe

Filesize
90KB

MD5
bae5c81870ada92d2d02641c8fbbec18

SHA1
a7588769e2cf5e44a9a8c966b9a3f1df82fa616d

SHA256
9db9124da20cdb845471c10a0d16975d1809789997356887d825bbaea15e7502

SHA512
f5bd313f349f7dcdf8f24d5b8b9b37484e2f3d14987964650ef15382a2c88e6966d81802a1a9e728c3289395876a1aff4fe2fedb1dee0d2a635876a75c16ec9d

Download Submit
C:\Windows\{04131D56-1A5F-4793-A45C-04FF86C5F0E3}.exe

Filesize
90KB

MD5
7668b35d3d5bf74d61b1c110c52b37b5

SHA1
c2e44b221168c522ceef9047a9f9872ed1b3b95e

SHA256
08dd865fd4ea3fa037f88dc46bd291d2c0461d1da15e9bc9ff5223ec4c5c4e8c

SHA512
247117da3448518cb83e5272b2f9f8164b23416583de7604519df8539070e3663c9d5315fd3e4faf4ee58539bb0920714f8e2763c20a3f3fcd1bfd4cb4c00d47

Download Submit
C:\Windows\{163DEA24-F184-41fb-81BA-54453BA76A49}.exe

Filesize
90KB

MD5
ef441b9a9c6f12c847ba92401e03fa99

SHA1
a2d01ba1295279027f0f2146415dfc8ab354bc73

SHA256
4dfc76c700c9383d7298c29efcfa022155dc915de810bd7e67dc247c1ee5b54a

SHA512
08c00c579671708e3eb0ac7dc8ba0649a2d4cf935647d845b585e1e01f72de7de006c922ad6f8d7f2ec4cf9f655e3a6bca2c8542aea39f993a038de224bfee36

Download Submit
C:\Windows\{1E98BBAB-1E0C-41be-A605-C97B83505687}.exe

Filesize
90KB

MD5
ff7524ea067ff9055f308f69b3dfcf23

SHA1
c629df87bebeb7a1fb96cae6f849069a9f985ac8

SHA256
ba9b8774a2bd8dcbd259e76200096c776c54e1d73f604a515bac35b89a455325

SHA512
cb23cc0d86ddbbfe5634c1fdc85a8d34559dc1d62e541f5c1abc6b1813440ced4eaa8865c17876e7ab9c75d800d2f103a9bbe1a4fb36853a6fec54c3f027f98f

Download Submit
C:\Windows\{2181D203-4D9D-4fd1-A9CC-F631373ED1FD}.exe

Filesize
90KB

MD5
0b317146075c1f1718bf8a1b32ac5190

SHA1
a1f24b04c6daa582cc92b9d6c2e7f3a822e80352

SHA256
0eb18513945c969b92990ef6cdc573493f7eeb8ae20648147607910367007c6f

SHA512
be5e7b3be262705c1c41460db9258139307fa94fe1111d02c2263714d8ba0aba99b91df21d8061ee6ee37576bebacc3ee3848c5e305085bfe13156c2bead72f3

Download Submit
C:\Windows\{776E0AA1-7C81-451c-B83C-065E7D20803B}.exe

Filesize
90KB

MD5
6b70461fc1573eb5eaf9e4b3f2adf688

SHA1
042e620087d584b1dea3132bc7c1f69e17082324

SHA256
d15257259a54e37d2de16ee70c492ceeafdcdb815be7274a6079d83761949da0

SHA512
c9533e1d501637cece9a45f18242adb7027d6a71e0dc49fe4eb44acc88e574960d35bf9c6bf2756f9c53f26e704d96ef9a35ac1335628b7e405400ef8ad3f27a

Download Submit
C:\Windows\{7EFC4B93-DC13-4111-84D7-17FD0710D2C1}.exe

Filesize
90KB

MD5
2b3a5b3d60e3d69b67622cb9a80c6113

SHA1
1256b7e01dcaad8982c6ad0fcc74f7cb158fd323

SHA256
4a6853c07a3d4ac479fc8929cec378d273c8753f137748caa9cf1ba796399e98

SHA512
f9eb9e2e301d9484fc0ea86c5afe79f459b06682d360f79f26bea853521ed84124a4e669b8a5a85ab46514f15fa36b954479f5dae075b360cc466e4ca5068bd7

Download Submit
C:\Windows\{B130FC85-02C6-4d0f-9B43-00E6FD93A97C}.exe

Filesize
90KB

MD5
7d19f8570b36155a8c7b9e13e2199f0a

SHA1
cd25ee5dda408f9dd26322f37ce1cb47bac26a6f

SHA256
af099d818ec23ff758eb1c3e8e68517f7b58db8336eaa8d28cf7fc3305aa6eb6

SHA512
389ce18f2933ae176e8c87b2ed9d04de960d1831c94327b28ea8f685ae53865294bea4f90d8b1f5b383009d22a09102091ccfde470c541aaffe2b4132d3f8c20

Download Submit
C:\Windows\{C2697EB4-28A6-4820-BA10-C615C0E7DB3F}.exe

Filesize
90KB

MD5
1bef2eae8f6159d556cb1527ab7e264d

SHA1
e10c75aa4ac3c2f5b9e6ead270f69638a27bcab0

SHA256
dac30c89c426997f96706ff4c6933e892baa9d82a3e15d93c9c50497824f094c

SHA512
552b2d52e40c3b0048b1f0060be35324d5d704f142ac56e5c7d741d38f652a8b014c49f7e71f2f16abc7fd09d16a2e56df9f8a3b8d8a701b3fb0c7c52e396891

Download Submit
C:\Windows\{C30599A2-1D97-412e-AAD3-C977D7AF8489}.exe

Filesize
90KB

MD5
42f91a2331e434840ab58fdfd4079c76

SHA1
f845e8bf45af29f7142891af655e9b83612980fc

SHA256
f7944c36ec51a42fab84098bd0db16fc3824251781a44da98c2bd41c3e29b38f

SHA512
4024b30f27979d595b1afc96a97d301fa78f49a3f0b0ec608d765f692e0807e6e3acf640e63ded9a0f94e63c48b84ca9649290339b8b78da10090185bde81a37

Download Submit
C:\Windows\{D8E3B132-08B7-440e-8CCC-12EBEB8E3181}.exe

Filesize
90KB

MD5
031272e87fed157abd082c52908dee88

SHA1
72cd1f912296a6c8498cbd004af266f1c79c03b0

SHA256
2c9bac45058820d25fefd0fcaddd5fab94d8a91e654269097a0e250040061998

SHA512
b50ddcea9a4a48005a09dabcae80fcc330d9e85f306fa71097dd35d146c0e1b872497d8dc0532d76408b121ff2d507991aee026678a5ecf9862d9a14a092f9b7

Download Submit
C:\Windows\{F80EB4C6-C618-4232-A053-62381EFF3408}.exe

Filesize
90KB

MD5
b2463a3e069e5a5e0bc4f81ac6eebb9b

SHA1
2b7f6ceb570f03c5d6384237827478893989a291

SHA256
ff031de77b34c167659e29865bd9f314af19634a3e7b2fd6cef77865166ff8bd

SHA512
58d53d4c12e342bb45500b7a5d4083ddb2f56f06a78c3238e1a2018f4f386771b59458b821576c096664e77248a6bbdc8a00908425da1bbe039efa36a269b94f

Download Submit
memory/436-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/436-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/640-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/640-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1248-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1248-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2432-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2432-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3176-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3176-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3556-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3556-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3848-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3848-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3920-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3920-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4524-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads