e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Size

89KB
MD5

b1d291fe56b0578d9f7000687930160d
SHA1

e452c1d4ef3647e1d93a38f9f46822ae93e24eea
SHA256

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940
SHA512

2e32eb34aa661298f448ac4da81df688b95b4bc20c93557d11395ed0cbc865d418ca43875e0bced02bfcda38f001b02882ca899d83c924bb64906a97fc4f4d50
SSDEEP

768:5vw9816thKQLroa4/wQkNrfrunMxVFA3k:lEG/0oalbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{A7CE429C-8658-4066-9836-0E804BD85B55}.exe{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exee8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe{964746D3-E556-41b5-BB90-DAD4411C8914}.exe{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36048BCB-95EE-4874-B4F4-1DD73BD09369}	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD862007-B25B-4bdc-94F2-C7440C445FF1}	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{964746D3-E556-41b5-BB90-DAD4411C8914}\stubpath = "C:\\Windows\\{964746D3-E556-41b5-BB90-DAD4411C8914}.exe"	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CE429C-8658-4066-9836-0E804BD85B55}\stubpath = "C:\\Windows\\{A7CE429C-8658-4066-9836-0E804BD85B55}.exe"	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{964746D3-E556-41b5-BB90-DAD4411C8914}	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F898A2E3-C9F0-44e5-B26D-712F391606DB}	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4F374C-55EC-494f-9A3C-A04912030AB7}	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}\stubpath = "C:\\Windows\\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe"	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F898A2E3-C9F0-44e5-B26D-712F391606DB}\stubpath = "C:\\Windows\\{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe"	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}\stubpath = "C:\\Windows\\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe"	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36048BCB-95EE-4874-B4F4-1DD73BD09369}\stubpath = "C:\\Windows\\{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe"	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}\stubpath = "C:\\Windows\\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe"	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD862007-B25B-4bdc-94F2-C7440C445FF1}\stubpath = "C:\\Windows\\{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe"	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4F374C-55EC-494f-9A3C-A04912030AB7}\stubpath = "C:\\Windows\\{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe"	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CE429C-8658-4066-9836-0E804BD85B55}	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe

Executes dropped EXE 9 IoCs

Processes:

{A7CE429C-8658-4066-9836-0E804BD85B55}.exe{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe{964746D3-E556-41b5-BB90-DAD4411C8914}.exe{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe

pid	process
4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
4412	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
3424	{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe

Drops file in Windows directory 9 IoCs

Processes:

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{A7CE429C-8658-4066-9836-0E804BD85B55}.exe{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe{964746D3-E556-41b5-BB90-DAD4411C8914}.exe

description	ioc	process
File created	C:\Windows\{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
File created	C:\Windows\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
File created	C:\Windows\{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
File created	C:\Windows\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
File created	C:\Windows\{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
File created	C:\Windows\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
File created	C:\Windows\{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
File created	C:\Windows\{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
File created	C:\Windows\{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{A7CE429C-8658-4066-9836-0E804BD85B55}.exe{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe{964746D3-E556-41b5-BB90-DAD4411C8914}.exe{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Token: SeIncBasePriorityPrivilege	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
Token: SeIncBasePriorityPrivilege	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
Token: SeIncBasePriorityPrivilege	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
Token: SeIncBasePriorityPrivilege	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
Token: SeIncBasePriorityPrivilege	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
Token: SeIncBasePriorityPrivilege	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
Token: SeIncBasePriorityPrivilege	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
Token: SeIncBasePriorityPrivilege	4412	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{A7CE429C-8658-4066-9836-0E804BD85B55}.exe{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe{964746D3-E556-41b5-BB90-DAD4411C8914}.exe{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe

description	pid	process	target process
PID 4780 wrote to memory of 4084	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
PID 4780 wrote to memory of 4084	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
PID 4780 wrote to memory of 4084	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
PID 4780 wrote to memory of 3488	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 4780 wrote to memory of 3488	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 4780 wrote to memory of 3488	4780	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 4084 wrote to memory of 4372	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
PID 4084 wrote to memory of 4372	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
PID 4084 wrote to memory of 4372	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
PID 4084 wrote to memory of 4840	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	cmd.exe
PID 4084 wrote to memory of 4840	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	cmd.exe
PID 4084 wrote to memory of 4840	4084	{A7CE429C-8658-4066-9836-0E804BD85B55}.exe	cmd.exe
PID 4372 wrote to memory of 440	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
PID 4372 wrote to memory of 440	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
PID 4372 wrote to memory of 440	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
PID 4372 wrote to memory of 8	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	cmd.exe
PID 4372 wrote to memory of 8	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	cmd.exe
PID 4372 wrote to memory of 8	4372	{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe	cmd.exe
PID 440 wrote to memory of 880	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
PID 440 wrote to memory of 880	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
PID 440 wrote to memory of 880	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
PID 440 wrote to memory of 2932	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	cmd.exe
PID 440 wrote to memory of 2932	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	cmd.exe
PID 440 wrote to memory of 2932	440	{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe	cmd.exe
PID 880 wrote to memory of 4640	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
PID 880 wrote to memory of 4640	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
PID 880 wrote to memory of 4640	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
PID 880 wrote to memory of 1576	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	cmd.exe
PID 880 wrote to memory of 1576	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	cmd.exe
PID 880 wrote to memory of 1576	880	{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe	cmd.exe
PID 4640 wrote to memory of 1532	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
PID 4640 wrote to memory of 1532	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
PID 4640 wrote to memory of 1532	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
PID 4640 wrote to memory of 3844	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	cmd.exe
PID 4640 wrote to memory of 3844	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	cmd.exe
PID 4640 wrote to memory of 3844	4640	{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe	cmd.exe
PID 1532 wrote to memory of 4628	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
PID 1532 wrote to memory of 4628	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
PID 1532 wrote to memory of 4628	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
PID 1532 wrote to memory of 2488	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	cmd.exe
PID 1532 wrote to memory of 2488	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	cmd.exe
PID 1532 wrote to memory of 2488	1532	{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe	cmd.exe
PID 4628 wrote to memory of 4412	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
PID 4628 wrote to memory of 4412	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
PID 4628 wrote to memory of 4412	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
PID 4628 wrote to memory of 4020	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	cmd.exe
PID 4628 wrote to memory of 4020	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	cmd.exe
PID 4628 wrote to memory of 4020	4628	{964746D3-E556-41b5-BB90-DAD4411C8914}.exe	cmd.exe
PID 4412 wrote to memory of 3424	4412	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe	{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe
PID 4412 wrote to memory of 3424	4412	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe	{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe
PID 4412 wrote to memory of 3424	4412	{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe	{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe

C:\Users\Admin\AppData\Local\Temp\e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
"C:\Users\Admin\AppData\Local\Temp\e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
C:\Windows\{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
C:\Windows\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
C:\Windows\{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
C:\Windows\{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
C:\Windows\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
C:\Windows\{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
C:\Windows\{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
C:\Windows\{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe
C:\Windows\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe
10⤵
- Executes dropped EXE
PID:3424

C:\Windows\{1268C90D-F1A7-4cce-BE0E-DC65DA3886E4}.exe
C:\Windows\{1268C90D-F1A7-4cce-BE0E-DC65DA3886E4}.exe
11⤵
PID:2616

C:\Windows\{4E56E74A-A149-4c77-B4FB-6E233669477A}.exe
C:\Windows\{4E56E74A-A149-4c77-B4FB-6E233669477A}.exe
12⤵
PID:4776

C:\Windows\{BA5B9148-1572-428a-9EA7-4366F88B9B63}.exe
C:\Windows\{BA5B9148-1572-428a-9EA7-4366F88B9B63}.exe
13⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1268C~1.EXE > nul
12⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{32F9E~1.EXE > nul
11⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4F3~1.EXE > nul
10⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96474~1.EXE > nul
9⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD862~1.EXE > nul
8⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4DA82~1.EXE > nul
7⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36048~1.EXE > nul
6⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F898A~1.EXE > nul
5⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A126A~1.EXE > nul
4⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CE4~1.EXE > nul
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E8967E~1.EXE > nul
2⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1268C90D-F1A7-4cce-BE0E-DC65DA3886E4}.exe
Filesize
89KB

MD5
1d2a8c30231fa78a1baa519a7055c6da

SHA1
fbb40b490fcaa1d43369c9f930c35b950d0bfab2

SHA256
ddb3a1079fc726d0fd960df6ed62a4aa2e4395c1ab53ad73e6cd96cce1a111df

SHA512
02c011d152d80b3ee87575ed30c3d9a2b675846da5b5dd97f0132d2dd67a1e9696e25ba4e923e0dc52d256b4384217ff180d8284b3f3397430137f0fe45e2b7f

Download Submit
C:\Windows\{32F9E146-1EF1-47dd-BD35-AF1CBB4EFC6B}.exe
Filesize
89KB

MD5
ac4f3224b2eb3e05e740ad0d5621e6d4

SHA1
5d125dd8872087aeaa903afa1fe71bb44a187c89

SHA256
d2ad402fe08717ee2a5d3a45d3a9b8405fffc7896857d6e9e7d11b5f74138f96

SHA512
f627760a19be464645ac30d1ecb0dff6921d8996bfda68d4c110dc15577f82a81aa432f9dafa1ee139399c69a5044705fdb5eed686f95dbe14081c9c1306bfd7

Download Submit
C:\Windows\{36048BCB-95EE-4874-B4F4-1DD73BD09369}.exe
Filesize
89KB

MD5
5f3137db9edd82b034ef725aa2eca353

SHA1
b65878757614824af0483c8b602535d542a01171

SHA256
08ef39d1951fe774a298c7caf8e76e78f90f03c5d49e0f9e6f40dd8a53a17830

SHA512
6ce0b1c8d620ed800841a24db6216fd08a649dd691ae9ef82b64e41f367e3da5040c8fec294ace1f70cea83e0ea3586061459a15a20ca2335c4c358b7b364f5e

Download Submit
C:\Windows\{4DA82B1B-2D99-46d5-81AD-58D5475DA882}.exe
Filesize
89KB

MD5
7cebcc67acdd8de3932286793b53405f

SHA1
8e0c13861a7be372ece2df9984dda7b49ceb19cd

SHA256
ade2736e7b0241e0e6af13f93396bd3743f07f3059cf93a9379404f47a62922b

SHA512
5a4d71219cae289d847714a34f3249684cea7bfb86023735bd1d42a5dde4ef316b79673131c98378aa758059dfdbba22e0d5ed2555de1db3e5b53662bd94ba3b

Download Submit
C:\Windows\{4E56E74A-A149-4c77-B4FB-6E233669477A}.exe
Filesize
89KB

MD5
8a9a0e310c234a8568774b7ca7b8be08

SHA1
815e749271b26e74a01d1bdfdc2183cc24b4432c

SHA256
ed60490333fcb0a3462b435bf65908a41cb59175c955099a45d1ead13a9ec7e1

SHA512
bc7337c9bff59a6d2adcc5469d12fa13dcab9bec1fb7a97ca54b9978ea5208101e8e08d4120315739401481cd75437d4a8f2fa1d52f7106cd4f6f20f7c2c3352

Download Submit
C:\Windows\{964746D3-E556-41b5-BB90-DAD4411C8914}.exe
Filesize
89KB

MD5
dcc1b7ba84f0723f1c6e2c4ebe4bbde5

SHA1
4e5abc7614817ec80aa1f6ff65d79543d41aa9d2

SHA256
7cb363762d9b5cef6b924d4a908f0b2d26d6887f54fd38016845adfcf249ad8e

SHA512
10e3178eff4704fd4bc21803dcff0ac55370f45d150921282c764d5e29aedbeadd9a0a6191062d86c902cb33ac5e6449c4abdaede91dfc202d040ecb0e624c60

Download Submit
C:\Windows\{A126AF19-B1A5-4d52-B6C9-E32D51077A86}.exe
Filesize
89KB

MD5
f28a679e97ce49126e80f3f6ab6070bb

SHA1
04587f100206ffa6da25ab6abd02522d0f8552ad

SHA256
95a9ddf7fa223114d9cd5bbd318581274b67a3131e469bfbe038b3a5967b95fb

SHA512
85944c9edd985a69bf4aec3a0b1b2d8e7dc195307f0ec4427e46bc80f085f2da1c8dd83d3a8cdcc28e2044e03630710cc6c1464f065bebd9d86b3ca49fb62c7d

Download Submit
C:\Windows\{A7CE429C-8658-4066-9836-0E804BD85B55}.exe
Filesize
89KB

MD5
c92ef1fccd7adf516b62bacfcb7ca0eb

SHA1
a4eb59e5d1c68846373235800149868a2a207225

SHA256
9dec4603d7ce2c4f569f233960a5c28e04c20cb0eb32139bb10b758352a4e55f

SHA512
d3f5922080dbbe179c126877c170499654af9c24b55cc8d22fbb5742bd6f289537023212e663e4f0785e0f9f67d1a5fe14c0c65d6e6f8d7dd508a8877875273b

Download Submit
C:\Windows\{BA5B9148-1572-428a-9EA7-4366F88B9B63}.exe
Filesize
1KB

MD5
be496e88e341578f93cd320c06214526

SHA1
fa1e0571b476cef0d49c312a39d0c6155e83683a

SHA256
50a439a5cc4577889a6a98d433c863b5c3616ad0bddc813b16503b2d2f5e79ff

SHA512
a5f419feb29714020eced6edb67f4057c4612d5f16604d0978a1b6b608590ef0ed70a8d395e6fbe2b7a90ba8e6e2657f0e2a9124113279152c7fb0ea0bcfb68f

Download Submit
C:\Windows\{BA5B9148-1572-428a-9EA7-4366F88B9B63}.exe
Filesize
54KB

MD5
d42304ac8fbf1b567ac38015846e9eaf

SHA1
2589bf43a06ddacbd5d12aff28ff009acf319eb9

SHA256
012ed02c3c62b523789f3ee04b0c7c43b18f003b74d7a0534fce8e8046037678

SHA512
194fbe05441e8850f9faf3686435f6411dcb3f80f0753d544c9e09d41e3a17e1316dd792ac492e987b146c755b435fd4cf28766e241d1305fcc36695b61b885e

Download Submit
C:\Windows\{CD862007-B25B-4bdc-94F2-C7440C445FF1}.exe
Filesize
89KB

MD5
f6844c0da9a21bb14b6a660c584d95d4

SHA1
54c2c0b245090f904f8c6ebd0b96e421947186e2

SHA256
df1aec005ec2383e295cbc248592ef98f20bd6dc5ef17eae00637d29163ace28

SHA512
b814cca361f4b15e48b9ae4abf1de783ed0538029ff99301dad5efebc292bdcdc03a1b7e33eca17b4305e4bcaca51c504b8f38c08a999cd57b2b6125ce235996

Download Submit
C:\Windows\{EE4F374C-55EC-494f-9A3C-A04912030AB7}.exe
Filesize
89KB

MD5
d28f6c80be7668ecd07c8763915fd6d6

SHA1
d89ff09358d2a82f8fec99d2c1108da2d194274e

SHA256
964f904ad690110dbebb11a8cdb23764edd5cd01d120e6db57a76b617574465c

SHA512
c80ca32ca781be0150098e5ad4a382b3e15676f129c15852c2bb47c0c80ac5a4a2668ea176bf96ef59de78dea30bcebff247335e6d106aa94b849707cea72729

Download Submit
C:\Windows\{F898A2E3-C9F0-44e5-B26D-712F391606DB}.exe
Filesize
89KB

MD5
1c4a53eae4f0bddbf71bd0171868d17e

SHA1
ff8cf828fb97986225e979c92cf68bb66235e3c3

SHA256
94a5b54608b504786626ac8abf7f96d530693ee7076ee3d4fa3c20b1c75c008c

SHA512
e8db5cc2abf5feef3f5bedfda880da5133aafd618ab21c72dcc5628aba462f283984167f3ec4b6990ed5dfcee51cfba620c5f369e5b6b4b7bda1e40f39bed08d

Download Submit
memory/440-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/440-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/880-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/880-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1532-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1532-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2140-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3424-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3424-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4084-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4084-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4372-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4372-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4412-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4412-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4628-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4628-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4640-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4640-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4776-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4776-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4780-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4780-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download