535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 21:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Size

90KB
MD5

1ed9e91b83ae91caf826ffb923e3d1fc
SHA1

d3ff75ee9415a637c47dd78885f1e1eb0068dd23
SHA256

535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3
SHA512

c6fc59b83f4d7f4a407fdeabb74b5554f75c4c0da614741af78a9eab5685495f446c50dac9ea0b750b9484a46c9dfd2759d023b9b4452c2ad675772eba79b081
SSDEEP

768:5vw9816uhKiroQ4/wQNNrfrunMxVFA3bA:lEGkmoQlCunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}	{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248EDC67-93DD-448a-8E05-E8762E2D0A28}\stubpath = "C:\\Windows\\{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe"	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}\stubpath = "C:\\Windows\\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe"	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}\stubpath = "C:\\Windows\\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe"	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}\stubpath = "C:\\Windows\\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe"	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D98C60-F44B-4724-ADC8-25F95874922E}	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D98C60-F44B-4724-ADC8-25F95874922E}\stubpath = "C:\\Windows\\{41D98C60-F44B-4724-ADC8-25F95874922E}.exe"	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}\stubpath = "C:\\Windows\\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe"	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F53044-5303-428f-BB4C-451C1BD9681E}	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}\stubpath = "C:\\Windows\\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe"	{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4BA479-10BE-49de-892D-A38353B2D2EB}	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387F6AF0-33BE-45b5-9236-292D376A0028}	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387F6AF0-33BE-45b5-9236-292D376A0028}\stubpath = "C:\\Windows\\{387F6AF0-33BE-45b5-9236-292D376A0028}.exe"	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248EDC67-93DD-448a-8E05-E8762E2D0A28}	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4BA479-10BE-49de-892D-A38353B2D2EB}\stubpath = "C:\\Windows\\{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe"	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}\stubpath = "C:\\Windows\\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe"	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}\stubpath = "C:\\Windows\\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe"	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F53044-5303-428f-BB4C-451C1BD9681E}\stubpath = "C:\\Windows\\{38F53044-5303-428f-BB4C-451C1BD9681E}.exe"	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe

Executes dropped EXE 12 IoCs

pid	Process
3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
4208	{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
3376	{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
File created	C:\Windows\{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
File created	C:\Windows\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
File created	C:\Windows\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe	{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
File created	C:\Windows\{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
File created	C:\Windows\{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
File created	C:\Windows\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
File created	C:\Windows\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
File created	C:\Windows\{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
File created	C:\Windows\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
File created	C:\Windows\{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
File created	C:\Windows\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
Token: SeIncBasePriorityPrivilege	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
Token: SeIncBasePriorityPrivilege	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
Token: SeIncBasePriorityPrivilege	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
Token: SeIncBasePriorityPrivilege	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
Token: SeIncBasePriorityPrivilege	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
Token: SeIncBasePriorityPrivilege	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
Token: SeIncBasePriorityPrivilege	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
Token: SeIncBasePriorityPrivilege	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
Token: SeIncBasePriorityPrivilege	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
Token: SeIncBasePriorityPrivilege	1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
Token: SeIncBasePriorityPrivilege	4208	{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3524	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	93
PID 3152 wrote to memory of 3524	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	93
PID 3152 wrote to memory of 3524	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	93
PID 3152 wrote to memory of 3288	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	94
PID 3152 wrote to memory of 3288	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	94
PID 3152 wrote to memory of 3288	3152	535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe	94
PID 3524 wrote to memory of 4792	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	95
PID 3524 wrote to memory of 4792	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	95
PID 3524 wrote to memory of 4792	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	95
PID 3524 wrote to memory of 3756	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	96
PID 3524 wrote to memory of 3756	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	96
PID 3524 wrote to memory of 3756	3524	{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe	96
PID 4792 wrote to memory of 4328	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	101
PID 4792 wrote to memory of 4328	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	101
PID 4792 wrote to memory of 4328	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	101
PID 4792 wrote to memory of 3832	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	102
PID 4792 wrote to memory of 3832	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	102
PID 4792 wrote to memory of 3832	4792	{38F53044-5303-428f-BB4C-451C1BD9681E}.exe	102
PID 4328 wrote to memory of 1048	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	103
PID 4328 wrote to memory of 1048	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	103
PID 4328 wrote to memory of 1048	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	103
PID 4328 wrote to memory of 3944	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	104
PID 4328 wrote to memory of 3944	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	104
PID 4328 wrote to memory of 3944	4328	{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe	104
PID 1048 wrote to memory of 2748	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	105
PID 1048 wrote to memory of 2748	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	105
PID 1048 wrote to memory of 2748	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	105
PID 1048 wrote to memory of 3608	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	106
PID 1048 wrote to memory of 3608	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	106
PID 1048 wrote to memory of 3608	1048	{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe	106
PID 2748 wrote to memory of 1800	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	107
PID 2748 wrote to memory of 1800	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	107
PID 2748 wrote to memory of 1800	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	107
PID 2748 wrote to memory of 1872	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	108
PID 2748 wrote to memory of 1872	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	108
PID 2748 wrote to memory of 1872	2748	{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe	108
PID 1800 wrote to memory of 3728	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	109
PID 1800 wrote to memory of 3728	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	109
PID 1800 wrote to memory of 3728	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	109
PID 1800 wrote to memory of 4500	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	110
PID 1800 wrote to memory of 4500	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	110
PID 1800 wrote to memory of 4500	1800	{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe	110
PID 3728 wrote to memory of 2504	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	113
PID 3728 wrote to memory of 2504	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	113
PID 3728 wrote to memory of 2504	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	113
PID 3728 wrote to memory of 384	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	114
PID 3728 wrote to memory of 384	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	114
PID 3728 wrote to memory of 384	3728	{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe	114
PID 2504 wrote to memory of 660	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	115
PID 2504 wrote to memory of 660	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	115
PID 2504 wrote to memory of 660	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	115
PID 2504 wrote to memory of 2032	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	116
PID 2504 wrote to memory of 2032	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	116
PID 2504 wrote to memory of 2032	2504	{41D98C60-F44B-4724-ADC8-25F95874922E}.exe	116
PID 660 wrote to memory of 1088	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	117
PID 660 wrote to memory of 1088	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	117
PID 660 wrote to memory of 1088	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	117
PID 660 wrote to memory of 1900	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	118
PID 660 wrote to memory of 1900	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	118
PID 660 wrote to memory of 1900	660	{387F6AF0-33BE-45b5-9236-292D376A0028}.exe	118
PID 1088 wrote to memory of 4208	1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe	119
PID 1088 wrote to memory of 4208	1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe	119
PID 1088 wrote to memory of 4208	1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe	119
PID 1088 wrote to memory of 1684	1088	{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe	120

C:\Users\Admin\AppData\Local\Temp\535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe
"C:\Users\Admin\AppData\Local\Temp\535a02d114ff325adb409fb0d3a1530cb45d63c054c53712b570b4d586e84cd3.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
  C:\Windows\{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
    C:\Windows\{38F53044-5303-428f-BB4C-451C1BD9681E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
      C:\Windows\{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
        
        C:\Windows\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
        
        C:\Windows\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
        
        C:\Windows\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
        
        C:\Windows\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
        
        C:\Windows\{41D98C60-F44B-4724-ADC8-25F95874922E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
        
        C:\Windows\{387F6AF0-33BE-45b5-9236-292D376A0028}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
        
        C:\Windows\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
        
        C:\Windows\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Windows\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe
        
        C:\Windows\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF3C~1.EXE > nul
        13⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D1D~1.EXE > nul
        12⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{387F6~1.EXE > nul
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41D98~1.EXE > nul
        10⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E87~1.EXE > nul
        9⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3377~1.EXE > nul
        8⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD863~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE90~1.EXE > nul
        6⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE4BA~1.EXE > nul
        5⤵
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38F53~1.EXE > nul
      4⤵
      PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{248ED~1.EXE > nul
    3⤵
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\535A02~1.EXE > nul
  2⤵
  PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1444,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:3104

Network

DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

21.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.121.18.2.in-addr.arpa

IN PTR

Response

21.121.18.2.in-addr.arpa

IN PTR

a2-18-121-21deploystaticakamaitechnologiescom
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom

No results found

8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

21.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

21.121.18.2.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FE90D7A-7699-4f58-8AEB-07D85E13CDC6}.exe

Filesize
90KB

MD5
c485be1089cfa152059b10ad4fb317c2

SHA1
5405b5f147de62eb9a044ea77444b8448f2c4147

SHA256
b7103b4f6639b6095cccc8875ce0d5e2c1c6a40001cd32bd6edeb5e4ce2195bc

SHA512
5df163524311c55ed6be98a3826a669d0baa9666ca360fd721bebff3461f28649b3818e880fd0273efd56f007da516ab1e324dc25e0c2f522ae524b887b16207

Download Submit
C:\Windows\{1CB0EFD2-F7F8-4d49-A7E5-97CF35BC1B2E}.exe

Filesize
90KB

MD5
8557d0999057933044a99eefc479079a

SHA1
43ae68fa6d9fa7f624cd1af8610721910f3e0164

SHA256
4fd047ab97902a691627ceb5022077bdd708c84e46adfc4f61848335c1cfe9fc

SHA512
9ee69df22e4b68e4255ee7ab8c559454b107da22e144e5fd1c6c520c3506a8cc21ac41ba320543fbeef9452afe05af25da6e36000e67c4196d5e3c85cb097047

Download Submit
C:\Windows\{248EDC67-93DD-448a-8E05-E8762E2D0A28}.exe

Filesize
90KB

MD5
24c77192330e24a22bb0ae0903373ac8

SHA1
0654ce52daca35d3a5b1fe7006fb3f7ca71fed9d

SHA256
9c80890e3027f5eb0af3c32a07f358e20daa14ad6e76961b983ba20a74118b4b

SHA512
c4c68cfabb6a3d3c8c65b6666b70f76a9ddd2bdcdeb0c731ccf3663e9a78c8440ddf95090adff85b61ab80d8b75e15145a3548f19245d46b9d6bd130821e9563

Download Submit
C:\Windows\{387F6AF0-33BE-45b5-9236-292D376A0028}.exe

Filesize
90KB

MD5
57ba26a9aea958ae4e273566fff31a2d

SHA1
9adb2d049aee0111559781a75e6403243c6837c0

SHA256
3b6ae00b1a0f19f1875218106e91d4d2b8e85a7ed64a0c418972780c8d55dacb

SHA512
419b60049b60c207cbd84f1cd7fcb751752e451fc56d30cdfb7f429570c669b41419b063b2a98e27105fbe22a2dbae31b2d449094738ddca30ba8123f35ecb0b

Download Submit
C:\Windows\{38F53044-5303-428f-BB4C-451C1BD9681E}.exe

Filesize
90KB

MD5
7e922f45eb97d78cfbeefd13161a2667

SHA1
29db879bbcc431ec66da1edc81f653cade983371

SHA256
c5cebd58eb4867d9dcb97f2b416f1c5a36f93043b43c1cc02145204bab8d1d90

SHA512
0a53f604ac405b4fbecbb6ffeb69bcdeae3866b793e46fbbb62e061b5c0403a2342ae80fdb94254fe038de34c66070392c1c36ae0a7c011451da484ba8075e9a

Download Submit
C:\Windows\{41D98C60-F44B-4724-ADC8-25F95874922E}.exe

Filesize
90KB

MD5
58ec2b8d44a8bf9212d5b9a19ae1e778

SHA1
b610bb8eb0b1687cad00eed511035a3bf363ecd9

SHA256
3f66404f7d68311af3c62834fd559dde4768d28eb5f09e51c7e4d3649dd0ee49

SHA512
bef3e93aa11387ea501340a1bfa3db2b793a095f1bc2ad742e1d509089a938449679c082e1e2346cd67233b323199129a9e85b6a31fe651a6dd77f0caa4944c9

Download Submit
C:\Windows\{A337770C-CCA3-47f4-85BB-AFABC9F35B9D}.exe

Filesize
90KB

MD5
7cc820e5b4ff8c691821700e8e23bce8

SHA1
08bcb9e0b01383a184d6840d479118eeabe6a65e

SHA256
12d92d953c7d7bd7cbd52a039771fbaaa04cd802198f5cea58e0ad756ca29d63

SHA512
3a8c6a9b68271ac4897845a83e696b75c3b1cea8dee4214109e4528402681fb67eef06e256be5e86e33431724559d43341e4fad9c25e59b39a65d2fe03fc2ced

Download Submit
C:\Windows\{A7E87F3D-0CCB-47b4-9364-2060EA8FFB8A}.exe

Filesize
90KB

MD5
63b318c4aa0e8ec800776f142ef0de83

SHA1
3f9ccda2211edebdc5088c45ff02784d74670650

SHA256
aa572d793f5dc4e146168d33673e77a1924b7d077ee117211b374699958dc3bb

SHA512
373fb88fbf0a729c74b07782e99692260af2aedb059d472b14b751f23c254273311a3d880ee4f3893da7da92a47f7a5603bb927ff5c476549e3b7019c3d782dd

Download Submit
C:\Windows\{BCF3CF09-5E38-49e4-851A-95C602BB3AEF}.exe

Filesize
90KB

MD5
63fa3b1f1bb3811eb3e772461b084e1e

SHA1
359681c5cd9dcb5aa91a41a2152872744f3e6a08

SHA256
5ae841709d2ed3ccc9e00f1ae3fdca0d34dcb73c1cc2eb8fa50da0d1a1059abe

SHA512
3490aad658d5bd37aeebc0d22dbc3920c1b21a16d0d50008d156e50c8d014b67aa4965c97558a588b7131957c0b182e7c7a8496d8c7f83982a486e430aa4d9d4

Download Submit
C:\Windows\{BD863F03-1046-40f2-841A-2C5F1A4B2FBA}.exe

Filesize
90KB

MD5
7076235993471c6ccf09d8c1ee63f143

SHA1
22009edd613b1a5ef307854f8e3c16b9a675cfb8

SHA256
3c54c0709ccc501713fafed401f3ae3ff9b8cf45be25b011d6645015b393d13c

SHA512
adc69fed570182ea4ab97534736daa36d1b2fa58851d3226f7645baaa907f4fbc4e1c45811c6fcb08e9c278701727121f4f6bef17a034f50298bdf3e9b9bd736

Download Submit
C:\Windows\{BE4BA479-10BE-49de-892D-A38353B2D2EB}.exe

Filesize
90KB

MD5
0ddb8221a18c5d32889fe837c01b3cc2

SHA1
91b258d293367e95c325f6e217cb9518f6a267cb

SHA256
55231f887c54572a345dc60db336b08e65ebd324c87bbf79295a0ba4f1774f5a

SHA512
e6b09978ab0f6cce620be1e9a68b55506a00f7ee3b135a89d0ec30051506ae5b70188f8b05cf7ab611102cd8b8f83efa247a0b353c9c8b149e8935e242869211

Download Submit
C:\Windows\{C3D1D87E-1DA5-43ea-972B-90FEF058D8C6}.exe

Filesize
90KB

MD5
1cb4c5e689a1985bc5c9b35ee2163c2c

SHA1
895a242cd95a7df17ba165db40851420e5b5186d

SHA256
ec4f1238e66d1e6b23afef51b4cd43f0284e8ff5d5ae9f56f6d70b5845c855ee

SHA512
ac79a3664a770bea24cfecf8fe5dbab8077e78feb82d606290b1c2a1a61f48c26b4ed58c0ee0a218c8cb63bb3ceb7add3e725ea74ac6f03458a9aa17aec25092

Download Submit
memory/660-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1088-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1800-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2504-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3152-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3152-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3376-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3524-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3524-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3728-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4208-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4208-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4328-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4328-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4792-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.