8b1163e9d210bec6e9e666faa9a626e131d382cdcc21a545a6d786b972460763

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01448fb0f53dc44af596646793f89e60N.exe
Size

90KB
MD5

01448fb0f53dc44af596646793f89e60
SHA1

050aa832d1b214435c81feca808a17213bcb648c
SHA256

8b1163e9d210bec6e9e666faa9a626e131d382cdcc21a545a6d786b972460763
SHA512

e06e424a1706dcaca32b7045f3791813356e266c3737354e0893ec44a081f8cc09f26fd212bed359426afdc876db9a77811a4bbb6e842b534034226d785fb3d6
SSDEEP

768:Qvw9816vhKQLro34/wQRNrfrunMxVFA3b7glw:YEGh0o3l2unMxVS3Hg

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FCA60F-A71F-4328-8AED-38B78CDA247A}	01448fb0f53dc44af596646793f89e60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FCA60F-A71F-4328-8AED-38B78CDA247A}\stubpath = "C:\\Windows\\{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe"	01448fb0f53dc44af596646793f89e60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}\stubpath = "C:\\Windows\\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe"	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}\stubpath = "C:\\Windows\\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe"	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}\stubpath = "C:\\Windows\\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe"	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B339A3E1-7674-42be-B174-2BFD4E55474A}\stubpath = "C:\\Windows\\{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe"	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}\stubpath = "C:\\Windows\\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe"	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3452FBA0-2D77-4338-A248-047D17E08FDA}	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}\stubpath = "C:\\Windows\\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe"	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{454576A3-98C7-4be9-884F-97A2F712EEF9}	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}\stubpath = "C:\\Windows\\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe"	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A559461D-3780-4135-8ADF-B2063262BAE8}	{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3452FBA0-2D77-4338-A248-047D17E08FDA}\stubpath = "C:\\Windows\\{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe"	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}\stubpath = "C:\\Windows\\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe"	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{454576A3-98C7-4be9-884F-97A2F712EEF9}\stubpath = "C:\\Windows\\{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe"	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B339A3E1-7674-42be-B174-2BFD4E55474A}	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A559461D-3780-4135-8ADF-B2063262BAE8}\stubpath = "C:\\Windows\\{A559461D-3780-4135-8ADF-B2063262BAE8}.exe"	{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe

Executes dropped EXE 11 IoCs

pid	Process
4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
2188	{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A559461D-3780-4135-8ADF-B2063262BAE8}.exe	{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe
File created	C:\Windows\{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
File created	C:\Windows\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
File created	C:\Windows\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
File created	C:\Windows\{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
File created	C:\Windows\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
File created	C:\Windows\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
File created	C:\Windows\{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	01448fb0f53dc44af596646793f89e60N.exe
File created	C:\Windows\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
File created	C:\Windows\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
File created	C:\Windows\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
File created	C:\Windows\{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4760	01448fb0f53dc44af596646793f89e60N.exe
Token: SeIncBasePriorityPrivilege	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
Token: SeIncBasePriorityPrivilege	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
Token: SeIncBasePriorityPrivilege	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
Token: SeIncBasePriorityPrivilege	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
Token: SeIncBasePriorityPrivilege	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
Token: SeIncBasePriorityPrivilege	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
Token: SeIncBasePriorityPrivilege	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
Token: SeIncBasePriorityPrivilege	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
Token: SeIncBasePriorityPrivilege	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
Token: SeIncBasePriorityPrivilege	4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4296	4760	01448fb0f53dc44af596646793f89e60N.exe	93
PID 4760 wrote to memory of 4296	4760	01448fb0f53dc44af596646793f89e60N.exe	93
PID 4760 wrote to memory of 4296	4760	01448fb0f53dc44af596646793f89e60N.exe	93
PID 4760 wrote to memory of 1356	4760	01448fb0f53dc44af596646793f89e60N.exe	94
PID 4760 wrote to memory of 1356	4760	01448fb0f53dc44af596646793f89e60N.exe	94
PID 4760 wrote to memory of 1356	4760	01448fb0f53dc44af596646793f89e60N.exe	94
PID 4296 wrote to memory of 4212	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	95
PID 4296 wrote to memory of 4212	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	95
PID 4296 wrote to memory of 4212	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	95
PID 4296 wrote to memory of 3448	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	96
PID 4296 wrote to memory of 3448	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	96
PID 4296 wrote to memory of 3448	4296	{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe	96
PID 4212 wrote to memory of 3672	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	101
PID 4212 wrote to memory of 3672	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	101
PID 4212 wrote to memory of 3672	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	101
PID 4212 wrote to memory of 2764	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	102
PID 4212 wrote to memory of 2764	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	102
PID 4212 wrote to memory of 2764	4212	{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe	102
PID 3672 wrote to memory of 1900	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	103
PID 3672 wrote to memory of 1900	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	103
PID 3672 wrote to memory of 1900	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	103
PID 3672 wrote to memory of 3048	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	104
PID 3672 wrote to memory of 3048	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	104
PID 3672 wrote to memory of 3048	3672	{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe	104
PID 1900 wrote to memory of 544	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	105
PID 1900 wrote to memory of 544	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	105
PID 1900 wrote to memory of 544	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	105
PID 1900 wrote to memory of 1184	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	106
PID 1900 wrote to memory of 1184	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	106
PID 1900 wrote to memory of 1184	1900	{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe	106
PID 544 wrote to memory of 672	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	107
PID 544 wrote to memory of 672	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	107
PID 544 wrote to memory of 672	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	107
PID 544 wrote to memory of 2456	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	108
PID 544 wrote to memory of 2456	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	108
PID 544 wrote to memory of 2456	544	{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe	108
PID 672 wrote to memory of 372	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	109
PID 672 wrote to memory of 372	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	109
PID 672 wrote to memory of 372	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	109
PID 672 wrote to memory of 1156	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	110
PID 672 wrote to memory of 1156	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	110
PID 672 wrote to memory of 1156	672	{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe	110
PID 372 wrote to memory of 3852	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	111
PID 372 wrote to memory of 3852	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	111
PID 372 wrote to memory of 3852	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	111
PID 372 wrote to memory of 460	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	112
PID 372 wrote to memory of 460	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	112
PID 372 wrote to memory of 460	372	{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe	112
PID 3852 wrote to memory of 728	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	113
PID 3852 wrote to memory of 728	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	113
PID 3852 wrote to memory of 728	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	113
PID 3852 wrote to memory of 428	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	114
PID 3852 wrote to memory of 428	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	114
PID 3852 wrote to memory of 428	3852	{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe	114
PID 728 wrote to memory of 4784	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	115
PID 728 wrote to memory of 4784	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	115
PID 728 wrote to memory of 4784	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	115
PID 728 wrote to memory of 2688	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	116
PID 728 wrote to memory of 2688	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	116
PID 728 wrote to memory of 2688	728	{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe	116
PID 4784 wrote to memory of 2188	4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe	117
PID 4784 wrote to memory of 2188	4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe	117
PID 4784 wrote to memory of 2188	4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe	117
PID 4784 wrote to memory of 1520	4784	{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe	118

C:\Users\Admin\AppData\Local\Temp\01448fb0f53dc44af596646793f89e60N.exe
"C:\Users\Admin\AppData\Local\Temp\01448fb0f53dc44af596646793f89e60N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
  C:\Windows\{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
    C:\Windows\{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
      C:\Windows\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
        
        C:\Windows\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
        
        C:\Windows\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
        
        C:\Windows\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
        
        C:\Windows\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
        
        C:\Windows\{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
        
        C:\Windows\{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
        
        C:\Windows\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe
        
        C:\Windows\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CBAA~1.EXE > nul
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B339A~1.EXE > nul
        11⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45457~1.EXE > nul
        10⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E1FF~1.EXE > nul
        9⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC7AE~1.EXE > nul
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA68B~1.EXE > nul
        7⤵
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5625A~1.EXE > nul
        6⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B9C~1.EXE > nul
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3452F~1.EXE > nul
      4⤵
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69FCA~1.EXE > nul
    3⤵
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\01448F~1.EXE > nul
  2⤵
  PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3904,i,12101950716832706950,8384629015980369538,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17B9C7BA-0CFF-49a3-B352-E12C89D7525D}.exe

Filesize
90KB

MD5
cd330ecf02ca39b14871c113e6a8c47b

SHA1
0ac727f28586710239d01fb824ea42ee7eed23b8

SHA256
0135ab80d2d2357bba89d7197f161fd4bc1dd27628ef912fdef4b0c8cdf933f9

SHA512
24644197cb815841408dc5652f12d2f9f0f2ee9c19c352fce65a9db0525d87a4fdb55770ce2d159bad3753202de0f9d1564d9095e55110ba74ab12f1c1a91519

Download Submit
C:\Windows\{3452FBA0-2D77-4338-A248-047D17E08FDA}.exe

Filesize
90KB

MD5
fe0e6c3885206ad4dc5abf4b362c3b29

SHA1
29f3c65694a6e4bb244749f56efe6edd57cf8a1e

SHA256
8f148047db979aad3aefddec12c8ab179bf076ebd425b52766053879bb131440

SHA512
c13783aff8639c358578e294f96fc51061184847a4602e5e519123e83327a1cd85959599a174875a447eeeb554ca7e3e6247d9aaf7047497c92fadc70d06365a

Download Submit
C:\Windows\{454576A3-98C7-4be9-884F-97A2F712EEF9}.exe

Filesize
90KB

MD5
c102f71aaee546926c37e6c7aee39757

SHA1
c2185cd4dd487ff8cd4bc1e528d8e2406001f5a9

SHA256
92ef2c285d976398383a8c729334ca9deabe35c6e83d2e82aa2f430cb3b923b1

SHA512
61b02619eff671956f76102d5e384482a55288edcea985d8dd805c29ba1d8077fcfc3cbb41d2a6b557377fbdc2184bbd0bebb5d7678ffc5f1e355c12a67a8d36

Download Submit
C:\Windows\{5625AD2D-C7CB-4f97-B96A-BD3989290E56}.exe

Filesize
90KB

MD5
2787f3ca025c788abc2f9441d75484a4

SHA1
b662cc69d14b3c04c67061cf8767a2df0c4688ee

SHA256
2737d9cae41596769c47c31a1100e90700812035751cc346ab9ff61dd8fbd6e9

SHA512
aadab1de9018d81b20d4e67aa131d571c3c8c6774e60931bf8a752f8dd79a06393965f02023d3cd721868bba39351a0eec45838a715728a59d8834245cf3799e

Download Submit
C:\Windows\{69FCA60F-A71F-4328-8AED-38B78CDA247A}.exe

Filesize
90KB

MD5
05ec5e0a5bd31b28c844d3b167867d4d

SHA1
8029a117397071a5654518992937a403e3f9e1ea

SHA256
52cc026d3d52debb43df6c5acaa59e76141deddb5ab794a26a7ded60f365a89f

SHA512
69ab8cb8c5ae2b63a7448aacf39bee271259bbff955e820f695624ec103043a509df2b3990a5b3044b02c4236ba867dc5efae7bf8e6496e0667871e18d57cef1

Download Submit
C:\Windows\{7A52F7C8-C464-4bf4-A278-5C995AD543A4}.exe

Filesize
90KB

MD5
ce8fc499ad56919547fdbf05a35adc09

SHA1
d4aa972b4f6ef0c9605f2a0927e0e9e7d9d79320

SHA256
97dc7760f7c05167eeaa325b7eb30c43d65001ee247ffceed47fe5df545da627

SHA512
c703efc5ecc84469e1d1cd46ea6e1a4d13811c9f1b6a144313511dca275d4fdedaabb6f096a5c26c8bc5e8661e613eb5dbd1f72be8d7facba3335e580ded7a61

Download Submit
C:\Windows\{8CBAAA17-9D7B-4a03-9444-7A6FC223B070}.exe

Filesize
90KB

MD5
d8e9bc7d66a656c7e6421122c7b95015

SHA1
499d462833ed79fa945458fd75d99dcbea4495db

SHA256
d481e023c0104536fa00893e90eb918b6b0969227845bdf31f0082e4c030a7d7

SHA512
223401e0097a37c41b4d2faa9a54b158fc5b1a45d16131feb2214a77be2ccf4dbc56e2debeee6430069d4df60e367710e59e0369034f119ef9fffca366927201

Download Submit
C:\Windows\{9E1FFDB4-4A49-4b5b-82BC-B7CD49DEE7DA}.exe

Filesize
90KB

MD5
9ed73e6e2fc490af4ad74e74ee44da2d

SHA1
ad9c77cb33c03032b9f7f7d28e71d66222de3b9a

SHA256
18e79ccc8c32403d5f11888eaf95db8e854618acca6ca53e5e4ffc3bb1adddba

SHA512
3458e825be3b349a3f1d168d22f8b14dae2731d450b52110f632b02eb1457d5e81e89c5e8dee4bbe40d5cc938cb7e1fc564d4977b894bc000bae6329383b6cf5

Download Submit
C:\Windows\{B339A3E1-7674-42be-B174-2BFD4E55474A}.exe

Filesize
90KB

MD5
70eea9a25fe0fef09e5727b0e2cabfcd

SHA1
0e9b6339d6a57e3f95b69824bdbbb9637a6efa54

SHA256
5c01d1b8d13f8dd456f241eaca258a0d325fcf53f0b2acbc76486fb9940a8c83

SHA512
85dabbc9d3e7327916513da458960ac684ac838fc0c3b0a23d479ae73f9c8dffeac9ee91acafde9789fcb76daab65c0820337d706c1a25e363aa096f2614e3da

Download Submit
C:\Windows\{CC7AEAFD-54C7-4dce-917B-E0B924FA5D73}.exe

Filesize
90KB

MD5
cf364669823e6cf004fc8712dd0b3ac2

SHA1
dc8c32e2c9e4c13b80e6c5dc0350ecc301b9eded

SHA256
1d3250dcf144f3497116c5eeac02289cc62bbd49077028f6e04880266a065363

SHA512
c2ebcee01b9b3100bfec3ed0b2b2bfca668145f6cff0a4decd02c4abef3fe2bd6c6e648426239ecce2d67fcfab899cbd24db0b64d87fb903f5cd38aec1f482d3

Download Submit
C:\Windows\{EA68BD25-4DDC-476b-999D-4CAEBB26761C}.exe

Filesize
90KB

MD5
96a4c220139f05c23fdca238b218f171

SHA1
62dbc4b802401394975b5147fa09af8ba3adbf07

SHA256
aca28dd661e077b6d382e03dc7d226dc5cbcbaeaf7e9583cda4896ac87e043f2

SHA512
972f6c99e066a6820f9fa30d9f6bce3b9ff85b59120f0ceae8045960fc8916b436c22221967b3441305ef2962301f19ed0d2f9c5eb5880dbbb7d5f56279b1f72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads