Resubmissions

11/06/2024, 09:42

240611-lpmdyashkj 7

11/06/2024, 09:38

240611-lmdc9asgpp 3

11/06/2024, 09:36

240611-lk8rdasglr 6

11/06/2024, 09:33

240611-lh6h8ssfrp 3

11/06/2024, 09:30

240611-lgq26asbke 3

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    11/06/2024, 09:42

General

  • Target

    ninja.exe

  • Size

    556KB

  • MD5

    6107353ae21982becc0cc95a6411ad60

  • SHA1

    a60cc6cb7d3fb184941ae2f3a8871f5bfd6a10f0

  • SHA256

    68865c3276d449d746cea5065fdec2baf755d7813e161ab04205b0907b2629b8

  • SHA512

    ae79f504cd18ca1c424867ac10bf688a085699c81599daf48dc72e7c8149f76518bdfce73ae9b8a31959c84d09f3e94220c66ccd47f1f3c47c68f073c587ef22

  • SSDEEP

    12288:cpvpFKupIKTLj5ZFVaZHtkxi6oUnRQw4ddQXq:cpvpB+KTJsHtxURQw44

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (9 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (34 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 6 IoCs)
  • Modifies data under HKEY_USERS (11 IoCs)
  • Modifies registry class (40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (53 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ninja.exe
    "C:\Users\Admin\AppData\Local\Temp\ninja.exe"
    PID:484

  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID:1624
    Signatures: Suspicious use of SetWindowsHookEx

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    PID:2892
    Signatures: Checks processor information in registry; Modifies registry class

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID:1808
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff972d9ab58,0x7ff972d9ab68,0x7ff972d9ab78
      PID:3336

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:2
      PID:3960

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:8
      PID:3600

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:8
      PID:3308

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:1
      PID:3316

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:1
      PID:3716

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4180 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:1
      PID:432

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:8
      PID:2088

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:8
      PID:3572

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4540 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:1
      PID:4396

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4968 --field-trial-handle=1732,i,7459361257123401272,15321013820097248277,131072 /prefetch:1
      PID:4924

  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    PID:964

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    PID:1548
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff972f63cb8,0x7ff972f63cc8,0x7ff972f63cd8
      PID:2336

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
      PID:3060

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      PID:1940
      Signatures: Suspicious behavior: EnumeratesProcesses

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
      PID:4152

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      PID:3284

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      PID:1640

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
      PID:1896

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
      PID:4044

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
      PID:2060
      Signatures: Suspicious behavior: EnumeratesProcesses

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
      PID:1160

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      PID:1096

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
      PID:4604

    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
      PID:1832
      Signatures: Suspicious behavior: EnumeratesProcesses

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
      PID:3484

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
      PID:4836

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      PID:3952

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      PID:1868

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14935125151569361629,17813286365879687237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      PID:5492

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:3920

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:72

  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    PID:984
    Signatures: Suspicious use of SetWindowsHookEx

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID:2688

  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    PID:2252
    Signatures: Drops file in Windows directory

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    PID:4588

  • C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
    "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" /uninstall
    PID:5748

    • C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
      "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=592 /uninstall
      PID:5776
      Signatures: Loads dropped DLL; Suspicious use of FindShellTrayWindow

      • C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
        "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -q -burn.elevated BurnPipe.{46EDDE8D-9044-4E9D-8DB2-8A9E397200F7} {30B3781A-F9BD-4CFB-AA76-D5BAEBE31ED6} 5776
        PID:6088
        Signatures: Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken

  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    PID:6136
    Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31BF83A0961D63C5DD7174B4F7DA2076
      PID:4740
      Signatures: Loads dropped DLL

    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F55A8A9EBFCBA988A338D048A8E7F31C
      PID:5172
      Signatures: Loads dropped DLL

    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F61655CCF89DA287CFF7216F3FED76CF
      PID:1580
      Signatures: Loads dropped DLL

    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 670AA5CC08E33CD70C77A479681F88F0
      PID:1044
      Signatures: Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15

                                                                          Downloads

                                                                          • C:\Config.Msi\e5969ce.rbs

                                                                            Filesize

                                                                            132KB

                                                                            MD5

                                                                            f57f3b5101a47eecbbb08c0d1f3ab4a5

                                                                            SHA1

                                                                            cd90e5437f0e9388135f5beb1672766c407ad8a4

                                                                            SHA256

                                                                            6400baa4b4fdd08c6cc72abdbf2194e119b30f94df47d4d232dbb7996565b25a

                                                                            SHA512

                                                                            10e70047bfa452d4ae40b124ba5097bf6d79801d347158daf11761f2f4534632e9aa204a9e46b06ac641e16bbd8ef4d14f660c1bb84514f9bf7cf988ac9c3480

                                                                          • C:\Config.Msi\e596aeb.rbs

                                                                            Filesize

                                                                            9KB

                                                                          • C:\Config.Msi\e596aed.rbf

                                                                            Filesize

                                                                            3B

                                                                          • C:\Config.Msi\e596af0.rbs

                                                                            Filesize

                                                                            8KB

                                                                          • C:\Config.Msi\e596af4.rbs

                                                                            Filesize

                                                                            102KB

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                            Filesize

                                                                            811B

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                            Filesize

                                                                            2B

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                            Filesize

                                                                            7KB

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                            Filesize

                                                                            7KB

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                            Filesize

                                                                            129KB

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                            Filesize

                                                                            129KB

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

                                                                            Filesize

                                                                            264KB

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                            Filesize

                                                                            152B

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                            Filesize

                                                                            152B

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                            Filesize

                                                                            5KB

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                            Filesize

                                                                            5KB

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                            Filesize

                                                                            16B

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                            Filesize

                                                                            16B

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                            Filesize

                                                                            8KB

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                            Filesize

                                                                            8KB

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                            Filesize

                                                                            8KB

                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240611094453_000_windowsdesktop_runtime_6.0.27_win_x64.msi.log

                                                                            Filesize

                                                                            1KB

                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240611094453_001_dotnet_host_6.0.27_win_x64.msi.log

                                                                            Filesize

                                                                            3KB

                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240611094453_002_dotnet_hostfxr_6.0.27_win_x64.msi.log

                                                                            Filesize

                                                                            3KB

                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240611094453_003_dotnet_runtime_6.0.27_win_x64.msi.log

                                                                            Filesize

                                                                            3KB

                                                                          • C:\Windows\Installer\MSI696E.tmp

                                                                            Filesize

                                                                            225KB

                                                                          • C:\Windows\Temp\{F390FD1E-6912-4A3B-A47A-F9663B7BA0ED}\.ba\bg.png

                                                                            Filesize

                                                                            4KB

                                                                          • C:\Windows\Temp\{F390FD1E-6912-4A3B-A47A-F9663B7BA0ED}\.ba\wixstdba.dll

                                                                            Filesize

                                                                            197KB

                                                                          • memory/5748-457-0x00000000001A0000-0x0000000000216000-memory.dmp

                                                                            Filesize

                                                                            472KB

                                                                          • memory/5776-456-0x00000000001A0000-0x0000000000216000-memory.dmp

                                                                            Filesize

                                                                            472KB

                                                                          • memory/6088-432-0x00000000001A0000-0x0000000000216000-memory.dmp

                                                                            Filesize

                                                                            472KB