b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aa

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
Size

90KB
MD5

5ced24d89717e2ed8e464d53f1dedd90
SHA1

49a3abeb091fcbadfcb1d545c0524715b02ade31
SHA256

b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aa
SHA512

54a422b6569e6f694af70aad9b0c92976c7ca3f961725cc744f42afb4881148d1acfdf292c2b02db2575772188ab917c26cf1fbd7053e6fa6fd0bfd488d2a1e5
SSDEEP

768:Qvw9816vhKQLroS4/wQRNrfrunMxVFA3b7glws:YEGh0oSl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}\stubpath = "C:\\Windows\\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe"	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83775943-B351-434c-ACBE-81FDC32F240B}	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478E37E5-238F-441e-94CF-1FAB63FF1820}	{83775943-B351-434c-ACBE-81FDC32F240B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A59F771-6725-4181-B00A-113BBE9892A8}\stubpath = "C:\\Windows\\{1A59F771-6725-4181-B00A-113BBE9892A8}.exe"	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}\stubpath = "C:\\Windows\\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe"	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83775943-B351-434c-ACBE-81FDC32F240B}\stubpath = "C:\\Windows\\{83775943-B351-434c-ACBE-81FDC32F240B}.exe"	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478E37E5-238F-441e-94CF-1FAB63FF1820}\stubpath = "C:\\Windows\\{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe"	{83775943-B351-434c-ACBE-81FDC32F240B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}\stubpath = "C:\\Windows\\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe"	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A59F771-6725-4181-B00A-113BBE9892A8}	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}\stubpath = "C:\\Windows\\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe"	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}\stubpath = "C:\\Windows\\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe"	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}\stubpath = "C:\\Windows\\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe"	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe

Executes dropped EXE 9 IoCs

pid	Process
1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe
2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
1620	{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
File created	C:\Windows\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
File created	C:\Windows\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
File created	C:\Windows\{83775943-B351-434c-ACBE-81FDC32F240B}.exe	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
File created	C:\Windows\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
File created	C:\Windows\{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
File created	C:\Windows\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
File created	C:\Windows\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
File created	C:\Windows\{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	{83775943-B351-434c-ACBE-81FDC32F240B}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83775943-B351-434c-ACBE-81FDC32F240B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
Token: SeIncBasePriorityPrivilege	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
Token: SeIncBasePriorityPrivilege	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
Token: SeIncBasePriorityPrivilege	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe
Token: SeIncBasePriorityPrivilege	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
Token: SeIncBasePriorityPrivilege	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
Token: SeIncBasePriorityPrivilege	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
Token: SeIncBasePriorityPrivilege	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
Token: SeIncBasePriorityPrivilege	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 1488	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	91
PID 4304 wrote to memory of 1488	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	91
PID 4304 wrote to memory of 1488	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	91
PID 4304 wrote to memory of 4388	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	92
PID 4304 wrote to memory of 4388	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	92
PID 4304 wrote to memory of 4388	4304	b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe	92
PID 1488 wrote to memory of 2500	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	93
PID 1488 wrote to memory of 2500	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	93
PID 1488 wrote to memory of 2500	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	93
PID 1488 wrote to memory of 2788	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	94
PID 1488 wrote to memory of 2788	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	94
PID 1488 wrote to memory of 2788	1488	{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe	94
PID 2500 wrote to memory of 1116	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	101
PID 2500 wrote to memory of 1116	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	101
PID 2500 wrote to memory of 1116	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	101
PID 2500 wrote to memory of 2356	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	102
PID 2500 wrote to memory of 2356	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	102
PID 2500 wrote to memory of 2356	2500	{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe	102
PID 1116 wrote to memory of 2296	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	106
PID 1116 wrote to memory of 2296	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	106
PID 1116 wrote to memory of 2296	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	106
PID 1116 wrote to memory of 1376	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	107
PID 1116 wrote to memory of 1376	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	107
PID 1116 wrote to memory of 1376	1116	{83775943-B351-434c-ACBE-81FDC32F240B}.exe	107
PID 2296 wrote to memory of 2880	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	108
PID 2296 wrote to memory of 2880	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	108
PID 2296 wrote to memory of 2880	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	108
PID 2296 wrote to memory of 3012	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	109
PID 2296 wrote to memory of 3012	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	109
PID 2296 wrote to memory of 3012	2296	{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe	109
PID 2880 wrote to memory of 1504	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	110
PID 2880 wrote to memory of 1504	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	110
PID 2880 wrote to memory of 1504	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	110
PID 2880 wrote to memory of 4280	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	111
PID 2880 wrote to memory of 4280	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	111
PID 2880 wrote to memory of 4280	2880	{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe	111
PID 1504 wrote to memory of 4304	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	112
PID 1504 wrote to memory of 4304	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	112
PID 1504 wrote to memory of 4304	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	112
PID 1504 wrote to memory of 4388	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	113
PID 1504 wrote to memory of 4388	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	113
PID 1504 wrote to memory of 4388	1504	{1A59F771-6725-4181-B00A-113BBE9892A8}.exe	113
PID 4304 wrote to memory of 3260	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	114
PID 4304 wrote to memory of 3260	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	114
PID 4304 wrote to memory of 3260	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	114
PID 4304 wrote to memory of 4236	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	115
PID 4304 wrote to memory of 4236	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	115
PID 4304 wrote to memory of 4236	4304	{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe	115
PID 3260 wrote to memory of 1620	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	116
PID 3260 wrote to memory of 1620	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	116
PID 3260 wrote to memory of 1620	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	116
PID 3260 wrote to memory of 3084	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	117
PID 3260 wrote to memory of 3084	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	117
PID 3260 wrote to memory of 3084	3260	{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe	117

C:\Users\Admin\AppData\Local\Temp\b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe
"C:\Users\Admin\AppData\Local\Temp\b30c51b8205e7f7429d6bfe40624ff529e8b9eed3f8234d800b61322d03185aaN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
  C:\Windows\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
    C:\Windows\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{83775943-B351-434c-ACBE-81FDC32F240B}.exe
      C:\Windows\{83775943-B351-434c-ACBE-81FDC32F240B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
        
        C:\Windows\{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
        
        C:\Windows\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
        
        C:\Windows\{1A59F771-6725-4181-B00A-113BBE9892A8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
        
        C:\Windows\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
        
        C:\Windows\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe
        
        C:\Windows\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B38~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64B49~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A59F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE71~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{478E3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83775~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C0C5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2ECCD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B30C51~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A59F771-6725-4181-B00A-113BBE9892A8}.exe

Filesize
90KB

MD5
4c3a5dc3791a5c44de1bfa1dbfa448e2

SHA1
35775200dd59314566d70e85fae3f1146ba1ed16

SHA256
71cdaf6f3c98241ca545565a2bf1b02d3b3ce6fa02982b1e2e1c2319583bcb09

SHA512
c6bb9995b3a9bb7d896cfc131f99f1ccb9f406cff3ea42a4eec0d4d3432781fdf5b32e96633eb8c4d43238d873d1c24ba89c7585e6f4e92a35b8e7dfc42d7fee

Download Submit
C:\Windows\{2ECCD741-2DA1-445e-AAC0-7398A3FE0346}.exe

Filesize
90KB

MD5
ce8e120da571ac673f0744a982b37ce4

SHA1
051c5f1edf71e1d39294a878609592e76f2218b7

SHA256
5dd5d9c3ed873d72f47d5acbd4b3fb4c95c14152f40b02114baef82e6f40018c

SHA512
372b2cf6e34c001cf529452e4f45b815398b9e18ddc2f0a288bae037a50562e875436fbac266efadd9f99d26b9239ba0fe4070266b975aa6a124701e82ce0a90

Download Submit
C:\Windows\{478E37E5-238F-441e-94CF-1FAB63FF1820}.exe

Filesize
90KB

MD5
f8d73cc1a641039ecf60a1840f207212

SHA1
bd5ea161312f3ca63b6bfa5ac21d77621d16730d

SHA256
5b6770fbd56dd82b442bb2ce5277213ae67784e6045a967a252ee0b582e6bc2e

SHA512
c3ee722c52feda5fc0ca6225bbe29367c184a30fe2811a9bfa20d1b35ee57718a2ef1766c4ad5e50d53fd14031da115b204cce71ddc068aab2ec3f62c7f1c66e

Download Submit
C:\Windows\{4FE71FD6-FAF1-4f60-B18B-147A1D7F7560}.exe

Filesize
90KB

MD5
db5e18146e5e79035c0a87441aed76d5

SHA1
aecba07aa2e2d2ca72dbd58fdeccf2518fa26cba

SHA256
206ce0db1879513ca41831002c4865ea98240666b59dc667dc354db288aeae36

SHA512
f44592fb9acdd208727a1d4b96a09b7bff3d30412a218dd68dbb2ac78e3bd0d2b59d6a97938fa4fb71dc5821fc62c910bb88637f3d447ff81dbfee8296cc2948

Download Submit
C:\Windows\{64B49A44-5EBF-45dc-88E6-34B0456BDC01}.exe

Filesize
90KB

MD5
f3002861e674accb406271c8765a9b2d

SHA1
6f8ae683c91e021c04ee041f2c88f5850bf4462d

SHA256
722b3e52470b17d05ed9ec64fa7db028f5524e0c77014395793cb8851b863ec4

SHA512
0ec63df8cac1e8f2d83227594e66b089e31e191d0597f63bec98eba29ffc7abdb231549c94d4c2673df8da4d7445c601d0f8d15fb44b12efa6b6b6b320a8802a

Download Submit
C:\Windows\{7C0C58EB-45B6-4902-863F-8DC027C0DB03}.exe

Filesize
90KB

MD5
faf4bc877dd084eb415c4ed9d25f1fd7

SHA1
bca5a8074c0a5c577eabe2302fd9a1c41f90ee21

SHA256
8d65caad01837cb088d92316f5fb8bc1a717b848faa735cc11412e4a31d539ee

SHA512
c4ec869fc07985c6d464d11b442f9485827066bd4ce2a946092cc20054ca6beba88465a71691ba0d4e4a6e41888951bbc24fa2b6b86c5ca8d3b6a518d70f8481

Download Submit
C:\Windows\{83775943-B351-434c-ACBE-81FDC32F240B}.exe

Filesize
90KB

MD5
1c6d2a78be12f9f415fc9d7bb116636e

SHA1
c657e4deb53103416df6c9373aebe8f6b7c27270

SHA256
356bb212e6ca58ea2e4b9c6c3d0049d7f3b0a28a73008ebce285553957e67581

SHA512
58d853c09ea498b1a5724d930775eccdd268ada417b47258ea763b800a0dd93997fe33fe490c44dee4ac8ad9aeb8e64ea147a6b6f6a1ba74836c353b7f4c8d48

Download Submit
C:\Windows\{C3B38B22-7189-4bfa-9978-16E58B5D6BEC}.exe

Filesize
90KB

MD5
8b123ba75eebb138b6ee2fe1a5bf2054

SHA1
a569af30ed8585fd06757764113dc0d27291d54c

SHA256
2ff74f4fef5866b6fb1818551610fcdce988a25f50961fe2e437bc25024e3577

SHA512
2ece7df0a57c7972060d78d81e9d65d201bb348f5cc43330400b7ff40e722a7e95319799153340bbf3f8cd98aaaeb542cca43b819a8b7607fc91c9c0785d6e9c

Download Submit
C:\Windows\{FF6CE85D-CC2E-4011-9636-E22379E1A91F}.exe

Filesize
90KB

MD5
a641bd504e92d0c51b87cbc8dde64248

SHA1
e9973582fc4155e8ccd7d1dc88235af4e0082579

SHA256
d4823e8df63e205e493906918b5b4f89de2510c3497b5c373637204564be29c0

SHA512
2c8e1a5967da6e490a99f75f6ddf8e7da6bd0d2079d743c63b300b6efb83312e735f009a9453921ce4a247cfeab8cba73024439d0bb7caa5183e9db354fc17f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads