351c6f6aee044d5a61432f48fa7ac89e5d6f96dc9d08a3d2f9e5c5e07db6b20a

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 14:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31e80c449dcb31exeexeexeex.exe
Size

372KB
MD5

31e80c449dcb31153039deeb02e82a61
SHA1

dc095a4b2898b45931a7e0741e220738e922f60a
SHA256

351c6f6aee044d5a61432f48fa7ac89e5d6f96dc9d08a3d2f9e5c5e07db6b20a
SHA512

bda76d9b3249056ee1e4096cec3d19b7e4628718b03eb4e653a2ed276f277de8669d39a5e552f87b57b96d191cee1ab2000cb06a37c9601def5f978e047b7808
SSDEEP

3072:CEGh0oXmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGwl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}	{FA212255-1E84-44f7-8516-DD08128AAB28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}\stubpath = "C:\\Windows\\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe"	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD2D1A3-0992-4f62-AD0A-938022736676}	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43BEF347-0171-461e-9813-B9C7D1ED6C37}	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA212255-1E84-44f7-8516-DD08128AAB28}\stubpath = "C:\\Windows\\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe"	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}\stubpath = "C:\\Windows\\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe"	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}\stubpath = "C:\\Windows\\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe"	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}\stubpath = "C:\\Windows\\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe"	31e80c449dcb31exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B430FA3D-3B8B-4c37-955F-E70561053666}	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B430FA3D-3B8B-4c37-955F-E70561053666}\stubpath = "C:\\Windows\\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe"	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}\stubpath = "C:\\Windows\\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe"	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}\stubpath = "C:\\Windows\\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe"	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}	31e80c449dcb31exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD2D1A3-0992-4f62-AD0A-938022736676}\stubpath = "C:\\Windows\\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe"	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA212255-1E84-44f7-8516-DD08128AAB28}	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}\stubpath = "C:\\Windows\\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe"	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43BEF347-0171-461e-9813-B9C7D1ED6C37}\stubpath = "C:\\Windows\\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe"	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}\stubpath = "C:\\Windows\\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe"	{FA212255-1E84-44f7-8516-DD08128AAB28}.exe

Executes dropped EXE 12 IoCs

pid	Process
660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
4220	{FA212255-1E84-44f7-8516-DD08128AAB28}.exe
4328	{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
File created	C:\Windows\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
File created	C:\Windows\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
File created	C:\Windows\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
File created	C:\Windows\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
File created	C:\Windows\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
File created	C:\Windows\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	31e80c449dcb31exeexeexeex.exe
File created	C:\Windows\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
File created	C:\Windows\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe	{FA212255-1E84-44f7-8516-DD08128AAB28}.exe
File created	C:\Windows\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
File created	C:\Windows\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
File created	C:\Windows\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5112	31e80c449dcb31exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
Token: SeIncBasePriorityPrivilege	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
Token: SeIncBasePriorityPrivilege	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
Token: SeIncBasePriorityPrivilege	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
Token: SeIncBasePriorityPrivilege	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
Token: SeIncBasePriorityPrivilege	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
Token: SeIncBasePriorityPrivilege	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
Token: SeIncBasePriorityPrivilege	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
Token: SeIncBasePriorityPrivilege	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
Token: SeIncBasePriorityPrivilege	1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
Token: SeIncBasePriorityPrivilege	4220	{FA212255-1E84-44f7-8516-DD08128AAB28}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 660	5112	31e80c449dcb31exeexeexeex.exe	79
PID 5112 wrote to memory of 660	5112	31e80c449dcb31exeexeexeex.exe	79
PID 5112 wrote to memory of 660	5112	31e80c449dcb31exeexeexeex.exe	79
PID 5112 wrote to memory of 1220	5112	31e80c449dcb31exeexeexeex.exe	80
PID 5112 wrote to memory of 1220	5112	31e80c449dcb31exeexeexeex.exe	80
PID 5112 wrote to memory of 1220	5112	31e80c449dcb31exeexeexeex.exe	80
PID 660 wrote to memory of 4300	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	81
PID 660 wrote to memory of 4300	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	81
PID 660 wrote to memory of 4300	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	81
PID 660 wrote to memory of 3040	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	82
PID 660 wrote to memory of 3040	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	82
PID 660 wrote to memory of 3040	660	{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe	82
PID 4300 wrote to memory of 212	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	84
PID 4300 wrote to memory of 212	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	84
PID 4300 wrote to memory of 212	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	84
PID 4300 wrote to memory of 1216	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	83
PID 4300 wrote to memory of 1216	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	83
PID 4300 wrote to memory of 1216	4300	{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe	83
PID 212 wrote to memory of 3916	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	86
PID 212 wrote to memory of 3916	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	86
PID 212 wrote to memory of 3916	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	86
PID 212 wrote to memory of 4132	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	85
PID 212 wrote to memory of 4132	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	85
PID 212 wrote to memory of 4132	212	{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe	85
PID 3916 wrote to memory of 2228	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	87
PID 3916 wrote to memory of 2228	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	87
PID 3916 wrote to memory of 2228	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	87
PID 3916 wrote to memory of 776	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	88
PID 3916 wrote to memory of 776	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	88
PID 3916 wrote to memory of 776	3916	{B430FA3D-3B8B-4c37-955F-E70561053666}.exe	88
PID 2228 wrote to memory of 2344	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	89
PID 2228 wrote to memory of 2344	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	89
PID 2228 wrote to memory of 2344	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	89
PID 2228 wrote to memory of 1904	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	90
PID 2228 wrote to memory of 1904	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	90
PID 2228 wrote to memory of 1904	2228	{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe	90
PID 2344 wrote to memory of 2276	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	91
PID 2344 wrote to memory of 2276	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	91
PID 2344 wrote to memory of 2276	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	91
PID 2344 wrote to memory of 412	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	92
PID 2344 wrote to memory of 412	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	92
PID 2344 wrote to memory of 412	2344	{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe	92
PID 2276 wrote to memory of 1712	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	93
PID 2276 wrote to memory of 1712	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	93
PID 2276 wrote to memory of 1712	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	93
PID 2276 wrote to memory of 4608	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	94
PID 2276 wrote to memory of 4608	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	94
PID 2276 wrote to memory of 4608	2276	{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe	94
PID 1712 wrote to memory of 3284	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	95
PID 1712 wrote to memory of 3284	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	95
PID 1712 wrote to memory of 3284	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	95
PID 1712 wrote to memory of 1968	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	96
PID 1712 wrote to memory of 1968	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	96
PID 1712 wrote to memory of 1968	1712	{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe	96
PID 3284 wrote to memory of 1364	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	97
PID 3284 wrote to memory of 1364	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	97
PID 3284 wrote to memory of 1364	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	97
PID 3284 wrote to memory of 2572	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	98
PID 3284 wrote to memory of 2572	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	98
PID 3284 wrote to memory of 2572	3284	{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe	98
PID 1364 wrote to memory of 4220	1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe	99
PID 1364 wrote to memory of 4220	1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe	99
PID 1364 wrote to memory of 4220	1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe	99
PID 1364 wrote to memory of 3000	1364	{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe	100

C:\Users\Admin\AppData\Local\Temp\31e80c449dcb31exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\31e80c449dcb31exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
  C:\Windows\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
    C:\Windows\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{176BD~1.EXE > nul
      4⤵
      PID:1216
  - - C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
      C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CD41~1.EXE > nul
        5⤵
        
        PID:4132
    - - C:\Windows\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
        
        C:\Windows\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
        
        C:\Windows\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
        
        C:\Windows\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
        
        C:\Windows\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
        
        C:\Windows\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
        
        C:\Windows\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
        
        C:\Windows\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe
        
        C:\Windows\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe
        
        C:\Windows\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA212~1.EXE > nul
        13⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32B6D~1.EXE > nul
        12⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3D85~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D9FC~1.EXE > nul
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43BEF~1.EXE > nul
        9⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1844~1.EXE > nul
        8⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD2D~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B430F~1.EXE > nul
        6⤵
        
        PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0ABB~1.EXE > nul
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\31E80C~1.EXE > nul
  2⤵
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe

Filesize
372KB

MD5
55f88b721af463b8c644be16bac139da

SHA1
b177bc769764b9a4202c4b021f27309a12e750ce

SHA256
741aae7d74b0a2211ecbf9d7b7ce03c3dd5256b2a006a5820ce7bb871e75f6d9

SHA512
db2d8d6f42bba0a214a91e83dcd3f4cc871be570bb8773eec64b502e3105ebe4c581287641af0402299f9624fc5c03b54f660287898cddab50cb290ebee0c17a

Download Submit
C:\Windows\{176BD796-256D-4fb7-9925-2E9CAE98D1BF}.exe

Filesize
372KB

MD5
55f88b721af463b8c644be16bac139da

SHA1
b177bc769764b9a4202c4b021f27309a12e750ce

SHA256
741aae7d74b0a2211ecbf9d7b7ce03c3dd5256b2a006a5820ce7bb871e75f6d9

SHA512
db2d8d6f42bba0a214a91e83dcd3f4cc871be570bb8773eec64b502e3105ebe4c581287641af0402299f9624fc5c03b54f660287898cddab50cb290ebee0c17a

Download Submit
C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe

Filesize
372KB

MD5
a0ebadde4883861c8d4de36445f9c988

SHA1
9397e3abf22d3b512a17812acaec2582710941e3

SHA256
ab301c8b0414f43e04aac695cc33dbbe0f5845c0ad2d16417936b87f66bff9ab

SHA512
1b475582355536262ef1165fdb11ac4cc4a61ca9f2a22f176c3e897e60a900279ec7bb6a5798cf486dc864aa04a9cd5695d04dd5768593dda86d490236795b15

Download Submit
C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe

Filesize
372KB

MD5
a0ebadde4883861c8d4de36445f9c988

SHA1
9397e3abf22d3b512a17812acaec2582710941e3

SHA256
ab301c8b0414f43e04aac695cc33dbbe0f5845c0ad2d16417936b87f66bff9ab

SHA512
1b475582355536262ef1165fdb11ac4cc4a61ca9f2a22f176c3e897e60a900279ec7bb6a5798cf486dc864aa04a9cd5695d04dd5768593dda86d490236795b15

Download Submit
C:\Windows\{2CD41D8C-BF6E-4da6-B090-21188162FBC6}.exe

Filesize
372KB

MD5
a0ebadde4883861c8d4de36445f9c988

SHA1
9397e3abf22d3b512a17812acaec2582710941e3

SHA256
ab301c8b0414f43e04aac695cc33dbbe0f5845c0ad2d16417936b87f66bff9ab

SHA512
1b475582355536262ef1165fdb11ac4cc4a61ca9f2a22f176c3e897e60a900279ec7bb6a5798cf486dc864aa04a9cd5695d04dd5768593dda86d490236795b15

Download Submit
C:\Windows\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe

Filesize
372KB

MD5
29fc757de1d1f85eaad446804039e452

SHA1
9e6ffae7a07256936f47f575cf2b90a318547fe8

SHA256
e82841a3602b7cd17b9a1f9c1daba97a7102ccec54614a1640a04e7abd61d5ce

SHA512
985cca1f7af502b10e4c82aa63c2a46bb4236ebec05d7ff98795255eecd5a1e2affa4193456b39d915ba55e111add0d349c13aa91daa55251ec1acb4352f348d

Download Submit
C:\Windows\{32B6D64E-BBCC-4afe-BC84-15FB248E6D44}.exe

Filesize
372KB

MD5
29fc757de1d1f85eaad446804039e452

SHA1
9e6ffae7a07256936f47f575cf2b90a318547fe8

SHA256
e82841a3602b7cd17b9a1f9c1daba97a7102ccec54614a1640a04e7abd61d5ce

SHA512
985cca1f7af502b10e4c82aa63c2a46bb4236ebec05d7ff98795255eecd5a1e2affa4193456b39d915ba55e111add0d349c13aa91daa55251ec1acb4352f348d

Download Submit
C:\Windows\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe

Filesize
372KB

MD5
bb979ea06215dd0d8671cbe42bc856f9

SHA1
722400b5db1ab6026b53b5487355f81dd512d2df

SHA256
52d4d278fb1f73c5aba98877b1e335a512c714672af871d2ae80a4a0a713b163

SHA512
3105be6afa420c4144cf14356305d96643001fe2010e99cc556cebdda924b32ee5e7bf55aaf316d65c907cfa0a1aa96f97507df1f8e5690ca43243d7a0efa9b9

Download Submit
C:\Windows\{3D9FCFD4-8A4B-418d-8C26-1D56598850EB}.exe

Filesize
372KB

MD5
bb979ea06215dd0d8671cbe42bc856f9

SHA1
722400b5db1ab6026b53b5487355f81dd512d2df

SHA256
52d4d278fb1f73c5aba98877b1e335a512c714672af871d2ae80a4a0a713b163

SHA512
3105be6afa420c4144cf14356305d96643001fe2010e99cc556cebdda924b32ee5e7bf55aaf316d65c907cfa0a1aa96f97507df1f8e5690ca43243d7a0efa9b9

Download Submit
C:\Windows\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe

Filesize
372KB

MD5
373d8158cdb1ab42dd66b266e46f229c

SHA1
5a818db3d94b955051828bb5e53ab9288b8998e6

SHA256
37cef3feff0d3a4fec6dc82cd2f0561b7e7e9e78252f261cf70be3c4fc546a0f

SHA512
671d120990b77e84029e963e39bfe69d5fed9b68442bd12c8960c1f7328f36b342c80d3c5a529e77dc671b051be501a279b3315ceb30a4e9c2a36a81ee322184

Download Submit
C:\Windows\{43BEF347-0171-461e-9813-B9C7D1ED6C37}.exe

Filesize
372KB

MD5
373d8158cdb1ab42dd66b266e46f229c

SHA1
5a818db3d94b955051828bb5e53ab9288b8998e6

SHA256
37cef3feff0d3a4fec6dc82cd2f0561b7e7e9e78252f261cf70be3c4fc546a0f

SHA512
671d120990b77e84029e963e39bfe69d5fed9b68442bd12c8960c1f7328f36b342c80d3c5a529e77dc671b051be501a279b3315ceb30a4e9c2a36a81ee322184

Download Submit
C:\Windows\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe

Filesize
372KB

MD5
83b4813894d161673ed6b8ab37153662

SHA1
f5dc15eb23d36a64a970ddfb733845e5167495da

SHA256
1bf9dba3bc994772a9b1ab71d268942d212a84375c15421204d0fbab4e956201

SHA512
7b0144bb822fa7bb9e6e01767e6f1c1fa34f5a7257becbef3facd2aaf8a8e5a77afd9537303c316dd3ff489dc13f5d209756183e3ca397e9fd610bffbf650f6a

Download Submit
C:\Windows\{5DD2D1A3-0992-4f62-AD0A-938022736676}.exe

Filesize
372KB

MD5
83b4813894d161673ed6b8ab37153662

SHA1
f5dc15eb23d36a64a970ddfb733845e5167495da

SHA256
1bf9dba3bc994772a9b1ab71d268942d212a84375c15421204d0fbab4e956201

SHA512
7b0144bb822fa7bb9e6e01767e6f1c1fa34f5a7257becbef3facd2aaf8a8e5a77afd9537303c316dd3ff489dc13f5d209756183e3ca397e9fd610bffbf650f6a

Download Submit
C:\Windows\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe

Filesize
372KB

MD5
23c424fa221dfd3b653e952f8e5660e2

SHA1
dacff7127ceb9db97d4e5198f13a39b415300dde

SHA256
b590bbc85bcdda65910cd5796f24a47584d144c11049f565afb9b8389e20ebae

SHA512
609bea02e6728a0565b707cb50ad7f0cd04806c1903bc2b3cc310f0eda7d6ffcb71458b893e612d874dc4efec5905b6496673af530ec033899dc69f1dd253f92

Download Submit
C:\Windows\{9F7C791F-EA21-49c4-A35B-944DE2CE12EB}.exe

Filesize
372KB

MD5
23c424fa221dfd3b653e952f8e5660e2

SHA1
dacff7127ceb9db97d4e5198f13a39b415300dde

SHA256
b590bbc85bcdda65910cd5796f24a47584d144c11049f565afb9b8389e20ebae

SHA512
609bea02e6728a0565b707cb50ad7f0cd04806c1903bc2b3cc310f0eda7d6ffcb71458b893e612d874dc4efec5905b6496673af530ec033899dc69f1dd253f92

Download Submit
C:\Windows\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe

Filesize
372KB

MD5
d0eb99d4a1b79e21ae6b36897bbed668

SHA1
68d7cd9832171f6ee62e0217378c9ab5cd754fea

SHA256
99b843e3a211755c4cb71192b31bb4aa832584bea61b8c65ca91fce1f3b96137

SHA512
bff7351f966d423253903cab92abc0aa0ed6053b839771129935c798926762f37b85603a409f477d0d9e8844b70f09860d8dff41fca8b06fe2991b921be606ee

Download Submit
C:\Windows\{A1844CB8-4417-41e2-BFE3-8052DE6233C2}.exe

Filesize
372KB

MD5
d0eb99d4a1b79e21ae6b36897bbed668

SHA1
68d7cd9832171f6ee62e0217378c9ab5cd754fea

SHA256
99b843e3a211755c4cb71192b31bb4aa832584bea61b8c65ca91fce1f3b96137

SHA512
bff7351f966d423253903cab92abc0aa0ed6053b839771129935c798926762f37b85603a409f477d0d9e8844b70f09860d8dff41fca8b06fe2991b921be606ee

Download Submit
C:\Windows\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe

Filesize
372KB

MD5
44f46085e16666019219be462f4a0bd1

SHA1
bf4e0d3ab75c9d72afd9400c8dd5ab0d23d0ac99

SHA256
faf13ec1cdedb8d3aeeab0abdccdcca1e7980cd63581deb57a385561c4ea4b02

SHA512
272076fc36896ee84aecddb06f9c06526e00a247c6fb1d0277a3bb294c426d15ccb7ddb0c9185473cca05f119972af31e1f8607840313df366349f11c2072a81

Download Submit
C:\Windows\{A3D85BB0-761D-4a5c-85A5-00C4C000BBBD}.exe

Filesize
372KB

MD5
44f46085e16666019219be462f4a0bd1

SHA1
bf4e0d3ab75c9d72afd9400c8dd5ab0d23d0ac99

SHA256
faf13ec1cdedb8d3aeeab0abdccdcca1e7980cd63581deb57a385561c4ea4b02

SHA512
272076fc36896ee84aecddb06f9c06526e00a247c6fb1d0277a3bb294c426d15ccb7ddb0c9185473cca05f119972af31e1f8607840313df366349f11c2072a81

Download Submit
C:\Windows\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe

Filesize
372KB

MD5
6c80c56de68d66f99b6b48fd285db61d

SHA1
2edc5f628cb2dafed2bf70db9945b071e6dffdf3

SHA256
3bdd2c2234d1240e30571a498766faff2097ec3bdff9702413a6fe2f73172c48

SHA512
6d828ee012211c723ec55d229b4ab1d806ff350500897b50f02e42aad6c455d7b39fff32bc7a5ba83cd87df693813bb69f54204f2f63b14ab1e7cdf8ae956923

Download Submit
C:\Windows\{B0ABB5E9-6364-46e5-9518-F3F2409C98B4}.exe

Filesize
372KB

MD5
6c80c56de68d66f99b6b48fd285db61d

SHA1
2edc5f628cb2dafed2bf70db9945b071e6dffdf3

SHA256
3bdd2c2234d1240e30571a498766faff2097ec3bdff9702413a6fe2f73172c48

SHA512
6d828ee012211c723ec55d229b4ab1d806ff350500897b50f02e42aad6c455d7b39fff32bc7a5ba83cd87df693813bb69f54204f2f63b14ab1e7cdf8ae956923

Download Submit
C:\Windows\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe

Filesize
372KB

MD5
a6a0cb0088a577135e9e5e75cdfd079f

SHA1
5ba88fc785a292d2de148151a980e84719b05475

SHA256
aa1b46e2a94ea51e67db0ff73629156b5572144834f4c9f9d3781509d443df8b

SHA512
bea8769c8bb64124b7d348eea329802d63182e14a001759371f92ac45241a9e6da93b0f5b5444e86ed1b9b18fba08fcb1e54d18ccda7bab05277c436259bc3dc

Download Submit
C:\Windows\{B430FA3D-3B8B-4c37-955F-E70561053666}.exe

Filesize
372KB

MD5
a6a0cb0088a577135e9e5e75cdfd079f

SHA1
5ba88fc785a292d2de148151a980e84719b05475

SHA256
aa1b46e2a94ea51e67db0ff73629156b5572144834f4c9f9d3781509d443df8b

SHA512
bea8769c8bb64124b7d348eea329802d63182e14a001759371f92ac45241a9e6da93b0f5b5444e86ed1b9b18fba08fcb1e54d18ccda7bab05277c436259bc3dc

Download Submit
C:\Windows\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe

Filesize
372KB

MD5
f51eef13e0b42b876ac22729c5092a0a

SHA1
e7e3631b074a3cec915382d8eb518c73fd0366fc

SHA256
4e56b91cec304d61ae896c0728b83d657d5e6ee92cb1ee1c36041ffb75e43cac

SHA512
e63e93251e959386105a9686814fcf690ffe8f204acefcc68b0b24691587baee3a00993e7659fb1c70ece41f47eba4ab69a5c3ddb43cfdc484cc6429d60ff60a

Download Submit
C:\Windows\{FA212255-1E84-44f7-8516-DD08128AAB28}.exe

Filesize
372KB

MD5
f51eef13e0b42b876ac22729c5092a0a

SHA1
e7e3631b074a3cec915382d8eb518c73fd0366fc

SHA256
4e56b91cec304d61ae896c0728b83d657d5e6ee92cb1ee1c36041ffb75e43cac

SHA512
e63e93251e959386105a9686814fcf690ffe8f204acefcc68b0b24691587baee3a00993e7659fb1c70ece41f47eba4ab69a5c3ddb43cfdc484cc6429d60ff60a

Download Submit