0733c4233e1ed3dfde64cf494527ac1f14c174b4b32b39db6830b7e7a852822a

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a449f5f43674efd0bd0185ff357ac4e0N.exe
Size

79KB
MD5

a449f5f43674efd0bd0185ff357ac4e0
SHA1

c9b45135c8fbc011719ab4a632d18938b4247927
SHA256

0733c4233e1ed3dfde64cf494527ac1f14c174b4b32b39db6830b7e7a852822a
SHA512

6686b35d3ab7e4bc369be25e636c6354717136a13062b77f301f8496405740f6f335f14afe6be1f8511290f82c80d963c51159e516c9334e80273ac766f1eee7
SSDEEP

768:4vw9816vhKQLroO4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oOloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AEE058C-B563-4627-99D5-02B9E7739553}\stubpath = "C:\\Windows\\{2AEE058C-B563-4627-99D5-02B9E7739553}.exe"	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E19197-4655-4458-A6D1-983A8DFDFC7E}	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E19197-4655-4458-A6D1-983A8DFDFC7E}\stubpath = "C:\\Windows\\{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe"	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}\stubpath = "C:\\Windows\\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe"	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30D0974-9ACC-4b00-A8A3-429066979C99}	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6722B0-4C9D-44bf-911B-A070CC089A05}\stubpath = "C:\\Windows\\{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe"	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87153B2-D753-41c6-980D-1063524C99E5}\stubpath = "C:\\Windows\\{F87153B2-D753-41c6-980D-1063524C99E5}.exe"	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}\stubpath = "C:\\Windows\\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe"	a449f5f43674efd0bd0185ff357ac4e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}\stubpath = "C:\\Windows\\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe"	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}\stubpath = "C:\\Windows\\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe"	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87153B2-D753-41c6-980D-1063524C99E5}	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}	a449f5f43674efd0bd0185ff357ac4e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AEE058C-B563-4627-99D5-02B9E7739553}	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30D0974-9ACC-4b00-A8A3-429066979C99}\stubpath = "C:\\Windows\\{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe"	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6722B0-4C9D-44bf-911B-A070CC089A05}	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe

Executes dropped EXE 9 IoCs

pid	Process
3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe
1200	{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	a449f5f43674efd0bd0185ff357ac4e0N.exe
File created	C:\Windows\{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
File created	C:\Windows\{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
File created	C:\Windows\{F87153B2-D753-41c6-980D-1063524C99E5}.exe	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
File created	C:\Windows\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
File created	C:\Windows\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
File created	C:\Windows\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
File created	C:\Windows\{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
File created	C:\Windows\{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a449f5f43674efd0bd0185ff357ac4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe
Token: SeIncBasePriorityPrivilege	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
Token: SeIncBasePriorityPrivilege	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
Token: SeIncBasePriorityPrivilege	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
Token: SeIncBasePriorityPrivilege	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
Token: SeIncBasePriorityPrivilege	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
Token: SeIncBasePriorityPrivilege	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
Token: SeIncBasePriorityPrivilege	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe
Token: SeIncBasePriorityPrivilege	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3580	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	102
PID 2824 wrote to memory of 3580	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	102
PID 2824 wrote to memory of 3580	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	102
PID 2824 wrote to memory of 4052	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	103
PID 2824 wrote to memory of 4052	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	103
PID 2824 wrote to memory of 4052	2824	a449f5f43674efd0bd0185ff357ac4e0N.exe	103
PID 3580 wrote to memory of 4732	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	104
PID 3580 wrote to memory of 4732	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	104
PID 3580 wrote to memory of 4732	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	104
PID 3580 wrote to memory of 3696	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	105
PID 3580 wrote to memory of 3696	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	105
PID 3580 wrote to memory of 3696	3580	{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe	105
PID 4732 wrote to memory of 4000	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	108
PID 4732 wrote to memory of 4000	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	108
PID 4732 wrote to memory of 4000	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	108
PID 4732 wrote to memory of 2896	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	109
PID 4732 wrote to memory of 2896	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	109
PID 4732 wrote to memory of 2896	4732	{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe	109
PID 4000 wrote to memory of 1512	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	110
PID 4000 wrote to memory of 1512	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	110
PID 4000 wrote to memory of 1512	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	110
PID 4000 wrote to memory of 2208	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	111
PID 4000 wrote to memory of 2208	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	111
PID 4000 wrote to memory of 2208	4000	{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe	111
PID 1512 wrote to memory of 1740	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	112
PID 1512 wrote to memory of 1740	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	112
PID 1512 wrote to memory of 1740	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	112
PID 1512 wrote to memory of 2068	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	113
PID 1512 wrote to memory of 2068	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	113
PID 1512 wrote to memory of 2068	1512	{2AEE058C-B563-4627-99D5-02B9E7739553}.exe	113
PID 1740 wrote to memory of 4916	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	114
PID 1740 wrote to memory of 4916	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	114
PID 1740 wrote to memory of 4916	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	114
PID 1740 wrote to memory of 3704	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	115
PID 1740 wrote to memory of 3704	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	115
PID 1740 wrote to memory of 3704	1740	{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe	115
PID 4916 wrote to memory of 2532	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	116
PID 4916 wrote to memory of 2532	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	116
PID 4916 wrote to memory of 2532	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	116
PID 4916 wrote to memory of 4664	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	117
PID 4916 wrote to memory of 4664	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	117
PID 4916 wrote to memory of 4664	4916	{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe	117
PID 2532 wrote to memory of 4068	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	118
PID 2532 wrote to memory of 4068	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	118
PID 2532 wrote to memory of 4068	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	118
PID 2532 wrote to memory of 3344	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	119
PID 2532 wrote to memory of 3344	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	119
PID 2532 wrote to memory of 3344	2532	{F87153B2-D753-41c6-980D-1063524C99E5}.exe	119
PID 4068 wrote to memory of 1200	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	120
PID 4068 wrote to memory of 1200	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	120
PID 4068 wrote to memory of 1200	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	120
PID 4068 wrote to memory of 4516	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	121
PID 4068 wrote to memory of 4516	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	121
PID 4068 wrote to memory of 4516	4068	{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe	121

C:\Users\Admin\AppData\Local\Temp\a449f5f43674efd0bd0185ff357ac4e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a449f5f43674efd0bd0185ff357ac4e0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
  C:\Windows\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
    C:\Windows\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
      C:\Windows\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
        
        C:\Windows\{2AEE058C-B563-4627-99D5-02B9E7739553}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
        
        C:\Windows\{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
        
        C:\Windows\{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{F87153B2-D753-41c6-980D-1063524C99E5}.exe
        
        C:\Windows\{F87153B2-D753-41c6-980D-1063524C99E5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe
        
        C:\Windows\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe
        
        C:\Windows\{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5804~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8715~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E672~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E30D0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AEE0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4662~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2122E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0547~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A449F5~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2122E71D-A8BE-4e9b-A4E4-95F3BC23C395}.exe

Filesize
79KB

MD5
c896066639c80d1f816d9529436bada3

SHA1
c9327333e3d66a3b059442390fdc15667baab347

SHA256
cf54c63db08c6110861db6adf6471b79c21add0fefedb85bc3e58847bf04cf87

SHA512
d053dfda330d88c0d9924752a772251d60cce65a572a21a5fd3c0c91ab7b594dfe7b77fe7b1c0d2c0425f68d44e6830651e5f8dd8c57567350ce98ece046b229

Download Submit
C:\Windows\{2AEE058C-B563-4627-99D5-02B9E7739553}.exe

Filesize
79KB

MD5
e5e1573087a260f78e3daf729ef3cdf7

SHA1
becc38fe5daa0e13157f428297b67c3d6c925323

SHA256
2d6b7929f6191c78fc28298a42c1265bcb5b76359853e22107039c7ba75145a5

SHA512
be8d25cf011449a0edba2ce809cdc8bcd9b3d9aa0b7dcaf47247703c5da851d1786108fa1107d010173d1a4eca6447f83a9f42f5cff08cd9f86d049a9459045c

Download Submit
C:\Windows\{5E6722B0-4C9D-44bf-911B-A070CC089A05}.exe

Filesize
79KB

MD5
7d31b2dc6021200e287ec01e1473c365

SHA1
ada4aaebb134637b5fe21ff390f564685747224d

SHA256
3adae86ade3c810750e17cb4e102659ccee49945a27f646e1f2f96164649f4ce

SHA512
f74f2ebe6785ea679ec38762a71a07b3c601d5cf72bf879f7a39883c4307efca1586abc5091a5cbe40043e34619836b0aea70d15f21385ed920e313f68e65c2c

Download Submit
C:\Windows\{93E19197-4655-4458-A6D1-983A8DFDFC7E}.exe

Filesize
79KB

MD5
caa124fdc4237666073e96be898f1a66

SHA1
67b4efa89e708da4fb26ea2554d435c501ec049e

SHA256
8347b549d91f4e98b37516508ac5adc8b26389c4b00235621ef0f45e7107cc48

SHA512
4e73834046ec28796bb78fa7b820f576bd1f9b373a52dcc94abd0839d47435e0c47542bfbd06e7f4194ef988e8b48bab0bf7c83e3d76980c42b87f7714058478

Download Submit
C:\Windows\{B0547E77-FD3C-4781-AA7C-4BBB5455E85E}.exe

Filesize
79KB

MD5
b11fb2b2436e2550697c4393cc059e1f

SHA1
ff3cd2545584e31b32148c982fcff7e9dc5d0650

SHA256
422d1645f28816864433a709980239d79649967614d0ce5a837f98bf22ac45a6

SHA512
eb191ae97fa9fe613e8d59310ca8007dca7fca4dcc39cee6235a8510c9dd17a62a50cd84b7e9cf1c11be6228bb6bf827bdb5fca5f93daae1dcce36e336404bfa

Download Submit
C:\Windows\{C5804895-7AE4-4ac2-9BF1-7AB96E690C0D}.exe

Filesize
79KB

MD5
bbbd07b96e4828313c4fc1215e14b048

SHA1
0d5452a65dfc97435bbc913fc2af70e3426e6379

SHA256
fe2006067ef9730e7204a50fd4ac455ad0429e481ec9bd2c5ffe79250f24a6d3

SHA512
ef3bb937bea71686d5dab846f3cc69e53859fac08fe15dbf4b3be7943730c13a311586bcf1a1ea32864c4cbc0f28f569a9619f14666176cf6106f17248cbd4b4

Download Submit
C:\Windows\{D466223E-C5B4-4484-BCD8-E527F40BEAD5}.exe

Filesize
79KB

MD5
be17bdf703c235a594d886835ec0c3e0

SHA1
a016c1817e4565917a4941cdcd8147631f6edb73

SHA256
e84f9a63489c704b370ed9eea3dfbcd42687bed979c97c7c6656e942d696d908

SHA512
fb82ac84ca8ed9580f294494d62e1327f3fa0a39b92ef7b2b48b66e58fe4e497c526c053c050d2047a19f6f8f6e3aba917dc30edb9e669ab7b03163cd4ca033c

Download Submit
C:\Windows\{E30D0974-9ACC-4b00-A8A3-429066979C99}.exe

Filesize
79KB

MD5
71ac32c13270e248a2db022efc49fc5b

SHA1
3409341e1caa25e42315967703709d4db133a81b

SHA256
dc5ec2afa65fe663d7c7b3390bbaa81921acbd369563aca640d3a13a17a0a1b4

SHA512
86fbb53133f2c16416d813ee8e8d08eec61cc2deed83a1609b71a7aeff12f3fc16185af45d63f03cb33e4c3f13b4af5d46e455323fa9a40471bde74144094e63

Download Submit
C:\Windows\{F87153B2-D753-41c6-980D-1063524C99E5}.exe

Filesize
79KB

MD5
4cd55a480154b1270c46db612642278e

SHA1
7109e52fcd9efc66dcceafab03d887ea7c90263a

SHA256
8caed6503df2a40fc814d32bf2d48016292c2e3a32dbb1e7ff6162df1880f44f

SHA512
2349e7b75997b1931fe6cb87ace0ecb6499371287f47929a3896704600c7e3fc4cf2c4f1c78fe19573a06a39b57263ef839a7afafab9d73174a2e22585370363

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads