d3dbc3203cf6b125b5ec7ccc6b91ebb489db3648acd821bb33b19bc9e48e0b69

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 11:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25dc5f6111247dexeexeexeex.exe
Size

204KB
MD5

25dc5f6111247ddaf6e77ce0f905eeab
SHA1

c5f4b752af1058f5df5a9140c2b92ddfbdadd9cd
SHA256

d3dbc3203cf6b125b5ec7ccc6b91ebb489db3648acd821bb33b19bc9e48e0b69
SHA512

70dcacf9512afafc06e4bf3b46753e3522b6a2783881c4b57856c170ea9234a8b0f7132299f178cd8c258497e9a727746a23e5b57c2eee7f5cfe63ac799cf6e4
SSDEEP

1536:1EGh0oYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oYl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5393D77E-D678-4057-849D-A80FDFE285D6}	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}\stubpath = "C:\\Windows\\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe"	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E968576-A88D-4cef-A781-2B4CE7AD2501}\stubpath = "C:\\Windows\\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe"	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B37A0CD-F5E5-4439-874C-22176C512EA6}\stubpath = "C:\\Windows\\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe"	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}	{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BED469E-59DE-4674-BBEF-3F805060F6C4}	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BED469E-59DE-4674-BBEF-3F805060F6C4}\stubpath = "C:\\Windows\\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe"	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E968576-A88D-4cef-A781-2B4CE7AD2501}	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}\stubpath = "C:\\Windows\\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe"	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}\stubpath = "C:\\Windows\\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe"	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}\stubpath = "C:\\Windows\\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe"	25dc5f6111247dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}\stubpath = "C:\\Windows\\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe"	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5393D77E-D678-4057-849D-A80FDFE285D6}\stubpath = "C:\\Windows\\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe"	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADEB703B-8AA7-429e-98F3-F35290960589}	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}\stubpath = "C:\\Windows\\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe"	{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}	25dc5f6111247dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}\stubpath = "C:\\Windows\\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe"	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B37A0CD-F5E5-4439-874C-22176C512EA6}	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADEB703B-8AA7-429e-98F3-F35290960589}\stubpath = "C:\\Windows\\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe"	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
4664	{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
3324	{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	25dc5f6111247dexeexeexeex.exe
File created	C:\Windows\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
File created	C:\Windows\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
File created	C:\Windows\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
File created	C:\Windows\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
File created	C:\Windows\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe	{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
File created	C:\Windows\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
File created	C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
File created	C:\Windows\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
File created	C:\Windows\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
File created	C:\Windows\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
File created	C:\Windows\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3244	25dc5f6111247dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
Token: SeIncBasePriorityPrivilege	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
Token: SeIncBasePriorityPrivilege	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
Token: SeIncBasePriorityPrivilege	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
Token: SeIncBasePriorityPrivilege	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
Token: SeIncBasePriorityPrivilege	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
Token: SeIncBasePriorityPrivilege	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
Token: SeIncBasePriorityPrivilege	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
Token: SeIncBasePriorityPrivilege	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
Token: SeIncBasePriorityPrivilege	4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
Token: SeIncBasePriorityPrivilege	4664	{ADEB703B-8AA7-429e-98F3-F35290960589}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3928	3244	25dc5f6111247dexeexeexeex.exe	83
PID 3244 wrote to memory of 3928	3244	25dc5f6111247dexeexeexeex.exe	83
PID 3244 wrote to memory of 3928	3244	25dc5f6111247dexeexeexeex.exe	83
PID 3244 wrote to memory of 3248	3244	25dc5f6111247dexeexeexeex.exe	84
PID 3244 wrote to memory of 3248	3244	25dc5f6111247dexeexeexeex.exe	84
PID 3244 wrote to memory of 3248	3244	25dc5f6111247dexeexeexeex.exe	84
PID 3928 wrote to memory of 1920	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	85
PID 3928 wrote to memory of 1920	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	85
PID 3928 wrote to memory of 1920	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	85
PID 3928 wrote to memory of 3160	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	86
PID 3928 wrote to memory of 3160	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	86
PID 3928 wrote to memory of 3160	3928	{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe	86
PID 1920 wrote to memory of 3312	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	89
PID 1920 wrote to memory of 3312	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	89
PID 1920 wrote to memory of 3312	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	89
PID 1920 wrote to memory of 4924	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	88
PID 1920 wrote to memory of 4924	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	88
PID 1920 wrote to memory of 4924	1920	{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe	88
PID 3312 wrote to memory of 2788	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	90
PID 3312 wrote to memory of 2788	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	90
PID 3312 wrote to memory of 2788	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	90
PID 3312 wrote to memory of 412	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	91
PID 3312 wrote to memory of 412	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	91
PID 3312 wrote to memory of 412	3312	{5393D77E-D678-4057-849D-A80FDFE285D6}.exe	91
PID 2788 wrote to memory of 3452	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	92
PID 2788 wrote to memory of 3452	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	92
PID 2788 wrote to memory of 3452	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	92
PID 2788 wrote to memory of 4888	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	93
PID 2788 wrote to memory of 4888	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	93
PID 2788 wrote to memory of 4888	2788	{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe	93
PID 3452 wrote to memory of 4232	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	94
PID 3452 wrote to memory of 4232	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	94
PID 3452 wrote to memory of 4232	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	94
PID 3452 wrote to memory of 3292	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	95
PID 3452 wrote to memory of 3292	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	95
PID 3452 wrote to memory of 3292	3452	{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe	95
PID 4232 wrote to memory of 3996	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	96
PID 4232 wrote to memory of 3996	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	96
PID 4232 wrote to memory of 3996	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	96
PID 4232 wrote to memory of 1900	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	97
PID 4232 wrote to memory of 1900	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	97
PID 4232 wrote to memory of 1900	4232	{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe	97
PID 3996 wrote to memory of 3048	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	98
PID 3996 wrote to memory of 3048	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	98
PID 3996 wrote to memory of 3048	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	98
PID 3996 wrote to memory of 1848	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	99
PID 3996 wrote to memory of 1848	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	99
PID 3996 wrote to memory of 1848	3996	{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe	99
PID 3048 wrote to memory of 1368	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	100
PID 3048 wrote to memory of 1368	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	100
PID 3048 wrote to memory of 1368	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	100
PID 3048 wrote to memory of 572	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	101
PID 3048 wrote to memory of 572	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	101
PID 3048 wrote to memory of 572	3048	{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe	101
PID 1368 wrote to memory of 4820	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	102
PID 1368 wrote to memory of 4820	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	102
PID 1368 wrote to memory of 4820	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	102
PID 1368 wrote to memory of 4612	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	103
PID 1368 wrote to memory of 4612	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	103
PID 1368 wrote to memory of 4612	1368	{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe	103
PID 4820 wrote to memory of 4664	4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe	104
PID 4820 wrote to memory of 4664	4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe	104
PID 4820 wrote to memory of 4664	4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe	104
PID 4820 wrote to memory of 4580	4820	{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe	105

C:\Users\Admin\AppData\Local\Temp\25dc5f6111247dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\25dc5f6111247dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
  C:\Windows\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
    C:\Windows\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{049C5~1.EXE > nul
      4⤵
      PID:4924
  - - C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
      C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
        
        C:\Windows\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
        
        C:\Windows\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
        
        C:\Windows\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
        
        C:\Windows\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
        
        C:\Windows\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
        
        C:\Windows\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
        
        C:\Windows\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
        
        C:\Windows\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe
        
        C:\Windows\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe
        13⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEB7~1.EXE > nul
        13⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B37A~1.EXE > nul
        12⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F444~1.EXE > nul
        11⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E968~1.EXE > nul
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4FA5~1.EXE > nul
        9⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A1A2~1.EXE > nul
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D9A5~1.EXE > nul
        7⤵
        
        PID:3292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BED4~1.EXE > nul
        6⤵
        
        PID:4888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5393D~1.EXE > nul
        5⤵
        
        PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C814~1.EXE > nul
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\25DC5F~1.EXE > nul
  2⤵
  PID:3248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe

Filesize
204KB

MD5
e8e105b9c8198f0460790c82f564e679

SHA1
5c854b122e46d2c04f95a955ac17f02aa6bc676f

SHA256
4c205345663aad297f16b0d9bdaa96dc722fc6c8ef2bba88e4b3394b378d461a

SHA512
d9afd23b69bcd0057c9a5f8689848bd0bfb0ce7d1ab0b889604f27821b0d01b0e77cfc481870fb160e2a3c964841aec10c3760c5a5ace5f8e2a21c651dde6d1f

Download Submit
C:\Windows\{049C5832-4FCB-45ba-AF7E-FCF97A9B95A2}.exe

Filesize
204KB

MD5
e8e105b9c8198f0460790c82f564e679

SHA1
5c854b122e46d2c04f95a955ac17f02aa6bc676f

SHA256
4c205345663aad297f16b0d9bdaa96dc722fc6c8ef2bba88e4b3394b378d461a

SHA512
d9afd23b69bcd0057c9a5f8689848bd0bfb0ce7d1ab0b889604f27821b0d01b0e77cfc481870fb160e2a3c964841aec10c3760c5a5ace5f8e2a21c651dde6d1f

Download Submit
C:\Windows\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe

Filesize
204KB

MD5
5c0baa463d8a081dc3347ddd08e20c87

SHA1
0792816faf9f3e8df78d82437420962aa64f7d27

SHA256
4939ca3b844b659eb3dd723ea8cb1f12077b10991fd9edd027ce21ce79203db9

SHA512
b43198b885d8ef2e4df117982fecc7b3fba90ef0a5d8108e9ceced4fc1d50ef1d0d302d114c9e1136cb82e91ab50b69b56103d368567c4f31325875602bc11a9

Download Submit
C:\Windows\{1D9A5B1D-997E-42fb-8EF3-6615C7576711}.exe

Filesize
204KB

MD5
5c0baa463d8a081dc3347ddd08e20c87

SHA1
0792816faf9f3e8df78d82437420962aa64f7d27

SHA256
4939ca3b844b659eb3dd723ea8cb1f12077b10991fd9edd027ce21ce79203db9

SHA512
b43198b885d8ef2e4df117982fecc7b3fba90ef0a5d8108e9ceced4fc1d50ef1d0d302d114c9e1136cb82e91ab50b69b56103d368567c4f31325875602bc11a9

Download Submit
C:\Windows\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe

Filesize
204KB

MD5
bf073a5e8698167975379353392f12d1

SHA1
30752568be2908de9a517c7c22d30c7506a0738e

SHA256
bc3fbf5b73b96e4d39719187c754860f6bbcdbf02fd4727cbb7e12e5c90867cc

SHA512
1ba1bf2ffc2b9d218e14c84c4835309193dfdcb2723c51ec36233d78c35a40a7957868b49d99c85a9fd7f4389b972256b4db8bef7c8251f016941a0abe351a9a

Download Submit
C:\Windows\{1E968576-A88D-4cef-A781-2B4CE7AD2501}.exe

Filesize
204KB

MD5
bf073a5e8698167975379353392f12d1

SHA1
30752568be2908de9a517c7c22d30c7506a0738e

SHA256
bc3fbf5b73b96e4d39719187c754860f6bbcdbf02fd4727cbb7e12e5c90867cc

SHA512
1ba1bf2ffc2b9d218e14c84c4835309193dfdcb2723c51ec36233d78c35a40a7957868b49d99c85a9fd7f4389b972256b4db8bef7c8251f016941a0abe351a9a

Download Submit
C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe

Filesize
204KB

MD5
8d6ec18af5b302e791b7f5fb91b35b99

SHA1
c06c98c52faa5617845970ad2a07c102f62a4b9e

SHA256
b5391dd2a69d2a382701d8f32b20c0fe8b795f0d2ac1b25bb76f0e773d905e9d

SHA512
d58f5394cf3f19778b58e8ba564b4b3c1aeff55ce990a8f3cfdb99e323dc76679db8fa5bb456ca1349d98f1c02e160cf2f789784efcb7e45ec301f68f5b49b1c

Download Submit
C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe

Filesize
204KB

MD5
8d6ec18af5b302e791b7f5fb91b35b99

SHA1
c06c98c52faa5617845970ad2a07c102f62a4b9e

SHA256
b5391dd2a69d2a382701d8f32b20c0fe8b795f0d2ac1b25bb76f0e773d905e9d

SHA512
d58f5394cf3f19778b58e8ba564b4b3c1aeff55ce990a8f3cfdb99e323dc76679db8fa5bb456ca1349d98f1c02e160cf2f789784efcb7e45ec301f68f5b49b1c

Download Submit
C:\Windows\{5393D77E-D678-4057-849D-A80FDFE285D6}.exe

Filesize
204KB

MD5
8d6ec18af5b302e791b7f5fb91b35b99

SHA1
c06c98c52faa5617845970ad2a07c102f62a4b9e

SHA256
b5391dd2a69d2a382701d8f32b20c0fe8b795f0d2ac1b25bb76f0e773d905e9d

SHA512
d58f5394cf3f19778b58e8ba564b4b3c1aeff55ce990a8f3cfdb99e323dc76679db8fa5bb456ca1349d98f1c02e160cf2f789784efcb7e45ec301f68f5b49b1c

Download Submit
C:\Windows\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe

Filesize
204KB

MD5
8c50f60ba0b01d9c018b8f5b2d092abd

SHA1
f2a07c998e37ccc54674dc4b69afd2c2ec29b6d3

SHA256
95944d9f8eebc44e371e39e790875e5a6849e0e182cacd87d6bc9c6d031fb658

SHA512
d7ce6fc52e0f90119c5b79ae90762163b20502575cfd14b74d3786551035a990ab3d7cc22f8f42baf8311dedd146374893d96b28eecdb28badaa481e5f119fc3

Download Submit
C:\Windows\{5B37A0CD-F5E5-4439-874C-22176C512EA6}.exe

Filesize
204KB

MD5
8c50f60ba0b01d9c018b8f5b2d092abd

SHA1
f2a07c998e37ccc54674dc4b69afd2c2ec29b6d3

SHA256
95944d9f8eebc44e371e39e790875e5a6849e0e182cacd87d6bc9c6d031fb658

SHA512
d7ce6fc52e0f90119c5b79ae90762163b20502575cfd14b74d3786551035a990ab3d7cc22f8f42baf8311dedd146374893d96b28eecdb28badaa481e5f119fc3

Download Submit
C:\Windows\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe

Filesize
204KB

MD5
f1a2547ac6dd5b4d7952c30529ce4a59

SHA1
0cf75f6bda6d6a5e5e5af8a0d81eb4184884d07e

SHA256
12dfb98b038f9d581ae2b24cf87ccab5efb012cea2d49499251d922a7e1cbe5f

SHA512
f623a6755415d7b9dfb3731afb75e38d5ce1d1195521c0834564b902fefd5d146303a5e098d75f413f4aa25cb7394db862a094d63fb00c1320a9057f9bafcc42

Download Submit
C:\Windows\{7BED469E-59DE-4674-BBEF-3F805060F6C4}.exe

Filesize
204KB

MD5
f1a2547ac6dd5b4d7952c30529ce4a59

SHA1
0cf75f6bda6d6a5e5e5af8a0d81eb4184884d07e

SHA256
12dfb98b038f9d581ae2b24cf87ccab5efb012cea2d49499251d922a7e1cbe5f

SHA512
f623a6755415d7b9dfb3731afb75e38d5ce1d1195521c0834564b902fefd5d146303a5e098d75f413f4aa25cb7394db862a094d63fb00c1320a9057f9bafcc42

Download Submit
C:\Windows\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe

Filesize
204KB

MD5
0919fb786e9ace35f88280d76367eeb4

SHA1
0b7b83079b062db28c4d29283af700af215cfd2a

SHA256
92c01567ce9d2956f7114c26bca894eaeea35f95d807410fb360860519b31bf5

SHA512
d00c7cebca12e676afae215f9441cd91c7c9ce4ab15ff845a1055dd9ff6a0057386f1fe9f38b9bb3c563931bb30439206345111744bbfb6380ec1586170a4309

Download Submit
C:\Windows\{7C814F7E-FD33-4f62-846F-6BF3C02292E2}.exe

Filesize
204KB

MD5
0919fb786e9ace35f88280d76367eeb4

SHA1
0b7b83079b062db28c4d29283af700af215cfd2a

SHA256
92c01567ce9d2956f7114c26bca894eaeea35f95d807410fb360860519b31bf5

SHA512
d00c7cebca12e676afae215f9441cd91c7c9ce4ab15ff845a1055dd9ff6a0057386f1fe9f38b9bb3c563931bb30439206345111744bbfb6380ec1586170a4309

Download Submit
C:\Windows\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe

Filesize
204KB

MD5
f53d9037d6d132b2655b8b1b723f7a24

SHA1
964f697cc7b3fb59c4fb7c3813314c7c1283d870

SHA256
13a4c812e3daca7de68002067645fc14bcb7c9c48655ef4e522f7f4ffaf196b0

SHA512
c04f620c08ed36b5f15eeb9b89d0df0c446a0fb5b90f127145fe31e2def0c08d2ad17e56693c6deadb5b62e83f0d59c1e5bd9c650e66e4970e1ac35b7a09966f

Download Submit
C:\Windows\{7F444DAC-04D6-4ad9-9C62-CF3A008EE017}.exe

Filesize
204KB

MD5
f53d9037d6d132b2655b8b1b723f7a24

SHA1
964f697cc7b3fb59c4fb7c3813314c7c1283d870

SHA256
13a4c812e3daca7de68002067645fc14bcb7c9c48655ef4e522f7f4ffaf196b0

SHA512
c04f620c08ed36b5f15eeb9b89d0df0c446a0fb5b90f127145fe31e2def0c08d2ad17e56693c6deadb5b62e83f0d59c1e5bd9c650e66e4970e1ac35b7a09966f

Download Submit
C:\Windows\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe

Filesize
204KB

MD5
2b029af89c8aca32061a3dfb43c2c110

SHA1
9ce2b4858a42a38490983a04048c5b17bbba18de

SHA256
1d62af30b8b961eeff81ce6f8604028c12560dd9fc4994101a8b748ca937e4a1

SHA512
f03b50f4d5c2a1e6991e64f5b4592f451065690e20332bff647ce0e99858fb6de1f0520858a33ced923dec5af2b689761837f54fba01ade303463c1ce513bf0b

Download Submit
C:\Windows\{9A1A2DA6-91AB-4a5b-A371-3092EC801DB6}.exe

Filesize
204KB

MD5
2b029af89c8aca32061a3dfb43c2c110

SHA1
9ce2b4858a42a38490983a04048c5b17bbba18de

SHA256
1d62af30b8b961eeff81ce6f8604028c12560dd9fc4994101a8b748ca937e4a1

SHA512
f03b50f4d5c2a1e6991e64f5b4592f451065690e20332bff647ce0e99858fb6de1f0520858a33ced923dec5af2b689761837f54fba01ade303463c1ce513bf0b

Download Submit
C:\Windows\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe

Filesize
204KB

MD5
42b9b02cdb57e4410ce6ba97191cafe5

SHA1
6f846ff6a72da9b864dbe96643225fb8359c5074

SHA256
33b943766ae81b97e7aa598f37836c164de331a008acd74e0f32c7803249a680

SHA512
ffe5b92d4650be77f53e70510972bafa5bd62d5dec7ea18269bf355380bfbbb63d798af87e401a3a169032ffaf1edac1731d6c8a65cea14eb5cead71ecf77fde

Download Submit
C:\Windows\{ADEB703B-8AA7-429e-98F3-F35290960589}.exe

Filesize
204KB

MD5
42b9b02cdb57e4410ce6ba97191cafe5

SHA1
6f846ff6a72da9b864dbe96643225fb8359c5074

SHA256
33b943766ae81b97e7aa598f37836c164de331a008acd74e0f32c7803249a680

SHA512
ffe5b92d4650be77f53e70510972bafa5bd62d5dec7ea18269bf355380bfbbb63d798af87e401a3a169032ffaf1edac1731d6c8a65cea14eb5cead71ecf77fde

Download Submit
C:\Windows\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe

Filesize
204KB

MD5
f1c109ac002cebeac746890aa396c68c

SHA1
d79d2b6e13078d5d3eba6bf3515cf3d39fc09c60

SHA256
aec9cb871f900019807de6a9179486e539095351f8e6207780ef07964cba8a53

SHA512
5ae4398a1febeca78a408895b453acb975593bfd161e50c88f9df75b56b7cec789b94c0cc8bc2a684881e3243baf7ca2fb857afb25ab0b1205e3b9491b319514

Download Submit
C:\Windows\{B23C9312-2E7B-40fd-A7E4-E2B092C91330}.exe

Filesize
204KB

MD5
f1c109ac002cebeac746890aa396c68c

SHA1
d79d2b6e13078d5d3eba6bf3515cf3d39fc09c60

SHA256
aec9cb871f900019807de6a9179486e539095351f8e6207780ef07964cba8a53

SHA512
5ae4398a1febeca78a408895b453acb975593bfd161e50c88f9df75b56b7cec789b94c0cc8bc2a684881e3243baf7ca2fb857afb25ab0b1205e3b9491b319514

Download Submit
C:\Windows\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe

Filesize
204KB

MD5
a9361c7c508ada2b02c1a0639f7ae37f

SHA1
a296dafeeba32ca6c732e34ded4addf05ecb9036

SHA256
73075c5d0e61edca28c98757e296e2754a1e7890d7dc6f4df7c152f601e52aa8

SHA512
23e1bbf539aa155e08964ac7c4128b72843ca746d2055f5ab1fb0e53ee228809724f4312eb4203ae13eb93aa2c983963df3058b76bbd82d45fbeda88e05ac540

Download Submit
C:\Windows\{E4FA5D01-19B2-4054-86D6-FCBB23B69950}.exe

Filesize
204KB

MD5
a9361c7c508ada2b02c1a0639f7ae37f

SHA1
a296dafeeba32ca6c732e34ded4addf05ecb9036

SHA256
73075c5d0e61edca28c98757e296e2754a1e7890d7dc6f4df7c152f601e52aa8

SHA512
23e1bbf539aa155e08964ac7c4128b72843ca746d2055f5ab1fb0e53ee228809724f4312eb4203ae13eb93aa2c983963df3058b76bbd82d45fbeda88e05ac540

Download Submit