22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
Size

408KB
MD5

bdcc607a2cdf3f6c710bcf7fc8477ee8
SHA1

0b7c8e8ecab3d7bd522347cc8456f0c4ccfbf1be
SHA256

22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d
SHA512

b53ba2922964ae4b9363368adeca061698064238652edb0e16457c145276e853aeeb631f5325a15b117b5867f7ae66462749f59268a10231e24b3a8fc7ebb6f1
SSDEEP

3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}\stubpath = "C:\\Windows\\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe"	{8217EEF6-E81F-422b-9602-87339CB97422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B139858F-7B1C-40df-956D-8B99B59916B0}	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166DBB24-18EE-4994-BA77-10FC4168C008}	{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8217EEF6-E81F-422b-9602-87339CB97422}\stubpath = "C:\\Windows\\{8217EEF6-E81F-422b-9602-87339CB97422}.exe"	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}\stubpath = "C:\\Windows\\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe"	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}\stubpath = "C:\\Windows\\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe"	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8217EEF6-E81F-422b-9602-87339CB97422}	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}	{8217EEF6-E81F-422b-9602-87339CB97422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}\stubpath = "C:\\Windows\\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe"	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71241AC2-3FA4-4776-9988-5042655A1C0C}\stubpath = "C:\\Windows\\{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe"	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}\stubpath = "C:\\Windows\\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe"	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06204339-625B-4a2d-99AA-6A1F146E6232}	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71241AC2-3FA4-4776-9988-5042655A1C0C}	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B139858F-7B1C-40df-956D-8B99B59916B0}\stubpath = "C:\\Windows\\{B139858F-7B1C-40df-956D-8B99B59916B0}.exe"	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}\stubpath = "C:\\Windows\\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe"	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}\stubpath = "C:\\Windows\\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe"	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06204339-625B-4a2d-99AA-6A1F146E6232}\stubpath = "C:\\Windows\\{06204339-625B-4a2d-99AA-6A1F146E6232}.exe"	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166DBB24-18EE-4994-BA77-10FC4168C008}\stubpath = "C:\\Windows\\{166DBB24-18EE-4994-BA77-10FC4168C008}.exe"	{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe

Executes dropped EXE 12 IoCs

pid	Process
5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe
2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
4596	{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
3820	{166DBB24-18EE-4994-BA77-10FC4168C008}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
File created	C:\Windows\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	{8217EEF6-E81F-422b-9602-87339CB97422}.exe
File created	C:\Windows\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
File created	C:\Windows\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
File created	C:\Windows\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
File created	C:\Windows\{06204339-625B-4a2d-99AA-6A1F146E6232}.exe	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
File created	C:\Windows\{166DBB24-18EE-4994-BA77-10FC4168C008}.exe	{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
File created	C:\Windows\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
File created	C:\Windows\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
File created	C:\Windows\{8217EEF6-E81F-422b-9602-87339CB97422}.exe	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
File created	C:\Windows\{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
File created	C:\Windows\{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
Token: SeIncBasePriorityPrivilege	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
Token: SeIncBasePriorityPrivilege	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
Token: SeIncBasePriorityPrivilege	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
Token: SeIncBasePriorityPrivilege	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe
Token: SeIncBasePriorityPrivilege	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
Token: SeIncBasePriorityPrivilege	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
Token: SeIncBasePriorityPrivilege	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
Token: SeIncBasePriorityPrivilege	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
Token: SeIncBasePriorityPrivilege	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
Token: SeIncBasePriorityPrivilege	3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
Token: SeIncBasePriorityPrivilege	4596	{06204339-625B-4a2d-99AA-6A1F146E6232}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 5092	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	85
PID 2216 wrote to memory of 5092	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	85
PID 2216 wrote to memory of 5092	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	85
PID 2216 wrote to memory of 4424	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	86
PID 2216 wrote to memory of 4424	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	86
PID 2216 wrote to memory of 4424	2216	22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe	86
PID 5092 wrote to memory of 232	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	87
PID 5092 wrote to memory of 232	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	87
PID 5092 wrote to memory of 232	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	87
PID 5092 wrote to memory of 4132	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	88
PID 5092 wrote to memory of 4132	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	88
PID 5092 wrote to memory of 4132	5092	{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe	88
PID 232 wrote to memory of 1272	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	91
PID 232 wrote to memory of 1272	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	91
PID 232 wrote to memory of 1272	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	91
PID 232 wrote to memory of 3800	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	92
PID 232 wrote to memory of 3800	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	92
PID 232 wrote to memory of 3800	232	{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe	92
PID 1272 wrote to memory of 2444	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	94
PID 1272 wrote to memory of 2444	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	94
PID 1272 wrote to memory of 2444	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	94
PID 1272 wrote to memory of 520	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	95
PID 1272 wrote to memory of 520	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	95
PID 1272 wrote to memory of 520	1272	{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe	95
PID 2444 wrote to memory of 2044	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	96
PID 2444 wrote to memory of 2044	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	96
PID 2444 wrote to memory of 2044	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	96
PID 2444 wrote to memory of 2104	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	97
PID 2444 wrote to memory of 2104	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	97
PID 2444 wrote to memory of 2104	2444	{8217EEF6-E81F-422b-9602-87339CB97422}.exe	97
PID 2044 wrote to memory of 1132	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	98
PID 2044 wrote to memory of 1132	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	98
PID 2044 wrote to memory of 1132	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	98
PID 2044 wrote to memory of 4864	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	99
PID 2044 wrote to memory of 4864	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	99
PID 2044 wrote to memory of 4864	2044	{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe	99
PID 1132 wrote to memory of 1768	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	100
PID 1132 wrote to memory of 1768	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	100
PID 1132 wrote to memory of 1768	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	100
PID 1132 wrote to memory of 1208	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	101
PID 1132 wrote to memory of 1208	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	101
PID 1132 wrote to memory of 1208	1132	{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe	101
PID 1768 wrote to memory of 1664	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	102
PID 1768 wrote to memory of 1664	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	102
PID 1768 wrote to memory of 1664	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	102
PID 1768 wrote to memory of 2752	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	103
PID 1768 wrote to memory of 2752	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	103
PID 1768 wrote to memory of 2752	1768	{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe	103
PID 1664 wrote to memory of 2116	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	104
PID 1664 wrote to memory of 2116	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	104
PID 1664 wrote to memory of 2116	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	104
PID 1664 wrote to memory of 4796	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	105
PID 1664 wrote to memory of 4796	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	105
PID 1664 wrote to memory of 4796	1664	{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe	105
PID 2116 wrote to memory of 3568	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	106
PID 2116 wrote to memory of 3568	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	106
PID 2116 wrote to memory of 3568	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	106
PID 2116 wrote to memory of 4692	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	107
PID 2116 wrote to memory of 4692	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	107
PID 2116 wrote to memory of 4692	2116	{B139858F-7B1C-40df-956D-8B99B59916B0}.exe	107
PID 3568 wrote to memory of 4596	3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe	108
PID 3568 wrote to memory of 4596	3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe	108
PID 3568 wrote to memory of 4596	3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe	108
PID 3568 wrote to memory of 4988	3568	{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe	109

C:\Users\Admin\AppData\Local\Temp\22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
"C:\Users\Admin\AppData\Local\Temp\22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
  C:\Windows\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
    C:\Windows\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
      C:\Windows\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\{8217EEF6-E81F-422b-9602-87339CB97422}.exe
        
        C:\Windows\{8217EEF6-E81F-422b-9602-87339CB97422}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
        
        C:\Windows\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
        
        C:\Windows\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
        
        C:\Windows\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
        
        C:\Windows\{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
        
        C:\Windows\{B139858F-7B1C-40df-956D-8B99B59916B0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
        
        C:\Windows\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
        
        C:\Windows\{06204339-625B-4a2d-99AA-6A1F146E6232}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\{166DBB24-18EE-4994-BA77-10FC4168C008}.exe
        
        C:\Windows\{166DBB24-18EE-4994-BA77-10FC4168C008}.exe
        13⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06204~1.EXE > nul
        13⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DBF6~1.EXE > nul
        12⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1398~1.EXE > nul
        11⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71241~1.EXE > nul
        10⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE2B~1.EXE > nul
        9⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF9C5~1.EXE > nul
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36F1B~1.EXE > nul
        7⤵
        
        PID:4864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8217E~1.EXE > nul
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5DE~1.EXE > nul
        5⤵
        
        PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F022F~1.EXE > nul
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3854B~1.EXE > nul
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22D74F~1.EXE > nul
  2⤵
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06204339-625B-4a2d-99AA-6A1F146E6232}.exe

Filesize
408KB

MD5
3520fe0cdff036ddc804d4ca80d04920

SHA1
616fb3e7b87ce454d053888a9a4b75711aaf8a7a

SHA256
912136fd480df26f74e664527c31008420cf0497b6aab8173089d7e9d4c13b13

SHA512
24cdd6a099a9461a609ed9e366ac3955d35eadbf43e4826be96d15fb06d3651795742728cec2f5daac3a5ea88cfd4101b234516d30f3e8279b1524e0eb5df5c9

Download Submit
C:\Windows\{0D5DEA8D-9789-4cef-8E66-D8F8497AD9C4}.exe

Filesize
408KB

MD5
386e33cd734e72ecb10e551f710e07dd

SHA1
dd77ce0f153e4b3770b98781330d8ea658db6fc7

SHA256
ca36792635c3a6f259a05e5f114a56e48ab56beac75397cc3a71422288e03315

SHA512
df60d0564733a801de3913a87cac01ab47bd327e32621f7188c7c956782ecd7c2e0aaf01b52c4dd4f7e55af4df557f5ea014360bb0bdf940b197bb2a7582e928

Download Submit
C:\Windows\{166DBB24-18EE-4994-BA77-10FC4168C008}.exe

Filesize
408KB

MD5
fafa7c257d9dfe20211f7fa0d4e962cb

SHA1
30999b4917edc2932a7bcf620b2acf21822a5e4d

SHA256
f6cea38a01afa1edbf25d8ab4285268e5d8a75a24e9f3990f6bad45b422aa1f5

SHA512
5b0b8159dc7035adae35abca846d32ffe7a5b6c2fddf6bc8b99ff1f6f2583e1b6ee39c83e739a7665dfe71c66fcef95976af6b5933c96e83e98c70d115532dd5

Download Submit
C:\Windows\{36F1B56D-66F7-4328-BAF6-A6D258503F1D}.exe

Filesize
408KB

MD5
352d4b223f6af5546ff3245bbf46c24a

SHA1
8a2ed8465df749f0d2fc7913b9acacff9890e40f

SHA256
73de097b7a652bf656fade6de6c06f64b4179b075b81e18087f6e7a3837798e9

SHA512
ff501cc91f8b787a9af9f98aa67427beeff91ff55b3248ed499b3b46c61ff2af12449b182a71a49e461a84ff545c2c431b961b10ef6ade699bfcc3b878e8761e

Download Submit
C:\Windows\{3854B1E4-DC84-40e6-BAE2-B67BC4C67737}.exe

Filesize
408KB

MD5
df90ba5348034b55caa67c533e561bdf

SHA1
5e1806a183a3fec3f0e28b67a8d471173e287cd8

SHA256
c09b00903de239f53b6abb46e9a66549d6e9da2176f1fde1df084dfe893e6b20

SHA512
32cc67c2082ade99859eda8210a1940adc85cfbec89eea5d51c2d34f4f83001ba5cae2a89a7a5ada23e57b083f7fa7413cf5b8e20d4e976079238fcc9a15fec2

Download Submit
C:\Windows\{71241AC2-3FA4-4776-9988-5042655A1C0C}.exe

Filesize
408KB

MD5
b2bdbb32d94f369dc75f5e5e43c8b8f4

SHA1
d525460f03989cf6751bf45899ab2c5af852d022

SHA256
ff31c06190ceafa661030ba6ff04df8364a0b5b9aec20b54e828fce543e6fb25

SHA512
4a194ad6474942fad4f2e471597f7bccacbf92292338bede38fdcf6b2b1c697ada424a6ffd20fa311a6f1a206cb0923a5c499665c26ebd9edbe58bfabd270739

Download Submit
C:\Windows\{8217EEF6-E81F-422b-9602-87339CB97422}.exe

Filesize
408KB

MD5
23d22bf70243c06e0dac14060680f052

SHA1
e0a9b14b1c12f61b1fe04abcdb3264f8de18f8b7

SHA256
697a693cb48964aca888ddb930f7981a7d0c8bd47f69381721fb1e1d86dc127a

SHA512
07ff12bd6a6b503e63686bb6a71a417e13f4f2d3fa5d3ee1a90510c2f8c8bc6f3caaca9844c9366aa9c1114904df82d0bf53fdfe1e28fc0552a1ae993516129c

Download Submit
C:\Windows\{8DBF6D96-CDEB-4fd3-9F4A-0E0D4FF4C3CA}.exe

Filesize
408KB

MD5
fc2473d776b90b92d3bc3eaa56c43bcf

SHA1
750938b6e32631c1f7cbb8f8bd3a0ae886362d2b

SHA256
884b01a8f296a03fef54587168517127c5d538f0a3f68b5aad0c077f39263f12

SHA512
d3b79f2234125309a9b79e6e5bfb2cd035aacefd115d10d6db066befe518ee0c66c059b11f972dc8b08f52aad845eecf23551f1280c89eef1c5e83f498938563

Download Submit
C:\Windows\{ADE2B6BA-6AFA-4f5a-B929-C592FDA47663}.exe

Filesize
408KB

MD5
54e7d573757c9c697f50529e756d3bf6

SHA1
ed580cccf1c063c4e82bf11ce7564fc2f9da3f0f

SHA256
3613847d15b06e0017fc9b15f3e4c927fb716f2e91472c9584b847de8df9baa5

SHA512
a15b68cfbe478432a8b4d8ea62e22c19569e6e831c36f05af9ec2534943584f571bc1e830a93912f4fe311f118b83c9844f1e08ffd9c8cb2ebbb7dc65eb84858

Download Submit
C:\Windows\{B139858F-7B1C-40df-956D-8B99B59916B0}.exe

Filesize
408KB

MD5
05704c1aae1d63476b86191ef3603c2d

SHA1
7ca94ebba159a948a6815ee710dd103e17d0fb80

SHA256
c777a22b6e41368cd7eb80b3109cc246b7fd8a5427b23aa27f8e2009fd74af2e

SHA512
d4b81b724011b6bf1c548be0e179b8760fc17493c277270cb20cc1ab2095ff2e379ce3ca67a86f32ea6677a5c87e037c494757099847744ad7300f59ebb6d51a

Download Submit
C:\Windows\{BF9C5127-C6D5-44e6-B0BE-1E661E00B569}.exe

Filesize
408KB

MD5
9c3010609f770e0f18b6fe2741a6d6ef

SHA1
88a3340a7f195cd2a7fc82112a5d661015936886

SHA256
f835208e3328a7e9b63417838bae855869cc34be7fee4507cb7fd7c3cac189dd

SHA512
1d9cb7c45512b6a6173523052cf837e49d3e57dc4e6d800f06a02d1f17ba3be7cb5c827b8dd55947320ffbd2d58e3903444dc8a99d75b302fdef775fb5a9cc06

Download Submit
C:\Windows\{F022FE7B-9F7A-4de5-9FE2-3448A5B9DEB9}.exe

Filesize
408KB

MD5
540616946f0a13401aaba72527c3cc0e

SHA1
e3215a6cead1fc7944da9e927c57311a853bed02

SHA256
4d23d5536802f0a6ca51d5cc40bd4239f432eb5e3a572d200586743fb5b4bb27

SHA512
97dec47f0fed985eda901417b965a1e0d103f152ac719d323f192165ddb7e794d9636d6695b68af9a9b2871fd9c41a99d693ad3bed596f0bb3ca28bddab07a0e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads