Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-13qqvadb48
Target 6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777
SHA256 6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777

Threat Level: Likely malicious

The file 6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:10

Reported

2024-04-06 22:13

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964BFF01-871E-4c8c-937C-4E98FB4152BC}\stubpath = "C:\\Windows\\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe" | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}\stubpath = "C:\\Windows\\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe" | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19944F3-83DA-42b1-BAD4-1744BF6E890E} | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51D0881-6CBC-4199-A713-45042C3C2A42} | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C1F7C54-BA71-4999-B089-058DF54DEE31} | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C1F7C54-BA71-4999-B089-058DF54DEE31}\stubpath = "C:\\Windows\\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe" | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69719318-7F68-4381-977F-1A1E96E98FD2}\stubpath = "C:\\Windows\\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe" | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59AE1C43-A544-4ea5-99F6-073F9B258739} | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A124937-1789-49fb-BF5E-2E160097FB2C} | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850} | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86} | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}\stubpath = "C:\\Windows\\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe" | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59AE1C43-A544-4ea5-99F6-073F9B258739}\stubpath = "C:\\Windows\\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe" | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51D0881-6CBC-4199-A713-45042C3C2A42}\stubpath = "C:\\Windows\\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe" | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88} | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}\stubpath = "C:\\Windows\\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe" | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A124937-1789-49fb-BF5E-2E160097FB2C}\stubpath = "C:\\Windows\\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe" | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}\stubpath = "C:\\Windows\\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe" | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55ED5284-ED88-4d2e-97B6-242EB97B8A87} | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}\stubpath = "C:\\Windows\\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe" | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69719318-7F68-4381-977F-1A1E96E98FD2} | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964BFF01-871E-4c8c-937C-4E98FB4152BC} | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
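The rows above are printed in the order the sandbox flushed them, not in execution order, and the mechanism they describe is Active Setup: at the next interactive logon Windows compares each HKLM Installed Components GUID against the user's HKCU copy and runs the component's stubpath when the per-user entry is missing, so each of these keys is a logon-time launcher for one C:\Windows\{GUID}.exe. The following Python is an added example written for this page, not code from the report or from the sample: it parses the rows (constructed input, copied from the table above), checks that every stubpath value points back at an executable named after its own GUID under C:\Windows, and recovers execution order by following which process registered which component. Matching is case-insensitive, so the same function also handles the behavioral2 rows, where the sandbox renders the key as WOW6432Node.

```python
import re

# Registry key prefix exactly as the sandbox renders it: the 32-bit view of
# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components on a 64-bit host.
KEY_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\"

# One signature row: description, key (optionally with a stubpath value), process, target.
# Fields may be separated by whitespace or by " | "; matching is case-insensitive so the
# Windows 10 rows, which render the key as WOW6432Node, parse with the same pattern.
ROW_RE = re.compile(
    r"^(?P<kind>Key created|Set value \(str\))\s*\|?\s*"
    + re.escape(KEY_PREFIX)
    + r"(?P<guid>\{[0-9A-F-]{36}\})"
    + r'(?:\\stubpath = "(?P<stub>[^"]*)")?\s*\|?\s*'
    + r"(?P<proc>\S+?\.exe)\s*\|?\s*N/A\s*$",
    re.IGNORECASE,
)
GUID_FILE_RE = re.compile(r"\\(\{[0-9A-F-]{36}\})\.exe$", re.IGNORECASE)

# Constructed input: the 22 "Modifies Installed Components" rows of behavioral1, copied
# from this report in the order the sandbox listed them.
ROWS = r"""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964BFF01-871E-4c8c-937C-4E98FB4152BC}\stubpath = "C:\\Windows\\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe" | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}\stubpath = "C:\\Windows\\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe" | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19944F3-83DA-42b1-BAD4-1744BF6E890E} | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51D0881-6CBC-4199-A713-45042C3C2A42} | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C1F7C54-BA71-4999-B089-058DF54DEE31} | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C1F7C54-BA71-4999-B089-058DF54DEE31}\stubpath = "C:\\Windows\\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe" | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69719318-7F68-4381-977F-1A1E96E98FD2}\stubpath = "C:\\Windows\\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe" | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59AE1C43-A544-4ea5-99F6-073F9B258739} | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A124937-1789-49fb-BF5E-2E160097FB2C} | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850} | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86} | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}\stubpath = "C:\\Windows\\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe" | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59AE1C43-A544-4ea5-99F6-073F9B258739}\stubpath = "C:\\Windows\\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe" | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51D0881-6CBC-4199-A713-45042C3C2A42}\stubpath = "C:\\Windows\\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe" | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88} | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}\stubpath = "C:\\Windows\\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe" | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A124937-1789-49fb-BF5E-2E160097FB2C}\stubpath = "C:\\Windows\\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe" | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}\stubpath = "C:\\Windows\\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe" | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55ED5284-ED88-4d2e-97B6-242EB97B8A87} | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}\stubpath = "C:\\Windows\\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe" | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69719318-7F68-4381-977F-1A1E96E98FD2} | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964BFF01-871E-4c8c-937C-4E98FB4152BC} | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
"""


def parse_rows(text):
    """Split the signature table into dicts with kind, guid, stub (None for key creation) and proc."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line[:80])
        events.append(m.groupdict())
    return events


def stage_guid(path):
    """Component GUID encoded in a dropped stage's file name; None for the original sample."""
    m = GUID_FILE_RE.search(path)
    return m.group(1).upper() if m else None


def reconstruct_chain(events):
    """Return (ordered GUID list, anomalies).

    Each stage registers exactly one new component, whose GUID is also the file name of
    the stage it drops next, so following 'process that wrote the key' -> 'GUID of the key'
    from the original sample yields execution order. An anomaly is a stubpath that does not
    point at C:\\Windows\\<GUID>.exe for its own key, or a process registering two GUIDs.
    """
    child_of = {}  # parent GUID (None for the sample) -> GUID it registered
    anomalies = []
    for ev in events:
        parent = stage_guid(ev["proc"])
        guid = ev["guid"].upper()
        if ev["stub"] is not None:
            # The sandbox escapes backslashes in string values; undo that before comparing.
            actual = ev["stub"].replace("\\\\", "\\")
            expected = "C:\\Windows\\" + guid + ".exe"
            if actual.upper() != expected.upper():
                anomalies.append((guid, actual))
        prev = child_of.setdefault(parent, guid)
        if prev != guid:
            anomalies.append((parent, "registers two components: %s, %s" % (prev, guid)))
    chain, cur = [], None
    while cur in child_of and child_of[cur] not in chain:  # guard against cycles
        cur = child_of[cur]
        chain.append(cur)
    return chain, anomalies


if __name__ == "__main__":
    chain, anomalies = reconstruct_chain(parse_rows(ROWS))
    for i, guid in enumerate(chain, 1):
        print("stage %2d: C:\\Windows\\%s.exe" % (i, guid))
    print("stubpath anomalies:", anomalies or "none")
```

Every link in the recovered chain is a different file with a different SHA256 (the Files section below lists eleven distinct hashes) but the same 0x400000-0x411000 image mapping, so any one hash is an indicator for one run only; the durable indicator is the pattern the check above encodes, a stubpath under Installed Components whose value is an executable named after the component GUID in C:\Windows.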

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
File created | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
File created | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
File created | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
File created | C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A
File created | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
File created | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
File created | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
File created | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
File created | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
File created | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe
PID 1312 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe
PID 1312 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe
PID 1312 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe
PID 1312 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2720 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe
PID 2736 wrote to memory of 2720 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe
PID 2736 wrote to memory of 2720 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe
PID 2736 wrote to memory of 2720 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe
PID 2736 wrote to memory of 2644 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2644 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2644 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2644 | N/A | C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2612 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe
PID 2720 wrote to memory of 2612 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe
PID 2720 wrote to memory of 2612 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe
PID 2720 wrote to memory of 2612 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe
PID 2720 wrote to memory of 2248 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2248 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2248 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2248 | N/A | C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1444 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe
PID 2612 wrote to memory of 1444 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe
PID 2612 wrote to memory of 1444 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe
PID 2612 wrote to memory of 1444 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe
PID 2612 wrote to memory of 2624 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2624 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2624 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2624 | N/A | C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1808 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe
PID 1444 wrote to memory of 1808 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe
PID 1444 wrote to memory of 1808 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe
PID 1444 wrote to memory of 1808 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe
PID 1444 wrote to memory of 1968 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1968 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1968 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1968 | N/A | C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2020 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe
PID 1808 wrote to memory of 2020 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe
PID 1808 wrote to memory of 2020 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe
PID 1808 wrote to memory of 2020 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe
PID 1808 wrote to memory of 1204 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1204 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1204 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1204 | N/A | C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2256 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe
PID 2020 wrote to memory of 2256 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe
PID 2020 wrote to memory of 2256 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe
PID 2020 wrote to memory of 2256 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe
PID 2020 wrote to memory of 348 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 348 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 348 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 348 | N/A | C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2280 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe
PID 2256 wrote to memory of 2280 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe
PID 2256 wrote to memory of 2280 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe
PID 2256 wrote to memory of 2280 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe
PID 2256 wrote to memory of 2096 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2096 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2096 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2096 | N/A | C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe

"C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe"

C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe

C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FD77E~1.EXE > nul

C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe

C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{69719~1.EXE > nul

C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe

C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD16~1.EXE > nul

C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe

C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59AE1~1.EXE > nul

C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe

C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{964BF~1.EXE > nul

C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe

C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3EE~1.EXE > nul

C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe

C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1994~1.EXE > nul

C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe

C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A124~1.EXE > nul

C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe

C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2CF~1.EXE > nul

C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe

C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D51D0~1.EXE > nul

C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe

C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55ED5~1.EXE > nul
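The cmd.exe entries above are how the chain cleans up after itself. The WriteProcessMemory rows show that each stage starts two children, the next stage and a cmd.exe, and that cmd.exe deletes the image of the stage that launched it, addressed by its 8.3 short name (6FD77E~1.EXE, {69719~1.EXE and so on) rather than the long GUID name, which is why the del targets do not match the dropped file names textually. The Python below is an added example written for this page, not code from the report or from the sample: it recognises the `cmd.exe /c del <file> > nul` idiom, resolves each short name against the images in the same process list, and reports which dropped file is never deleted. The command lines are constructed input copied from the list above; the short-name rule (first six characters of the base name plus ~1) is a deliberate simplification of NTFS tilde-name generation, marked as such in the code, and is all this listing needs.

```python
import re

# Constructed input: the command lines from the behavioral1 "Processes" list of this
# report, in listing order. Stage images run with no arguments; the cmd.exe lines are
# the self-delete helpers.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe"',
    r"C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FD77E~1.EXE > nul",
    r"C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{69719~1.EXE > nul",
    r"C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD16~1.EXE > nul",
    r"C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{59AE1~1.EXE > nul",
    r"C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{964BF~1.EXE > nul",
    r"C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3EE~1.EXE > nul",
    r"C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B1994~1.EXE > nul",
    r"C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2A124~1.EXE > nul",
    r"C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2CF~1.EXE > nul",
    r"C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D51D0~1.EXE > nul",
    r"C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{55ED5~1.EXE > nul",
]

# The self-delete idiom seen in this run: cmd.exe /c del <one path> > nul.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)


def short_name_8_3(path):
    """Simplified 8.3 (tilde) name for a file, matching how the del targets are spelled here.

    Assumption: first six characters of the base name, '~1', first three of the extension,
    all upper case. Real NTFS short-name generation also strips some characters and bumps
    the ~N counter on collisions; only ~1 occurs in this listing, so that is all we model.
    """
    name = path.rsplit("\\", 1)[-1]
    base, _, ext = name.rpartition(".")
    return ("%s~1.%s" % (base[:6], ext[:3])).upper()


def stage_images(cmdlines):
    """Every non-cmd command line is a stage image run with no arguments."""
    return [c.strip('"') for c in cmdlines if not DEL_RE.search(c)]


def resolve_deletions(cmdlines):
    """Map each del command to the full path it removes, using the stage images seen in
    the same list. Returns (deleted full paths in order, unresolved short-name targets)."""
    by_short = {}
    for img in stage_images(cmdlines):
        directory = img.rpartition("\\")[0]
        by_short[(directory.upper(), short_name_8_3(img))] = img
    deleted, unresolved = [], []
    for c in cmdlines:
        m = DEL_RE.search(c)
        if not m:
            continue
        target = m.group("target")
        directory, _, name = target.rpartition("\\")
        full = by_short.get((directory.upper(), name.upper()))
        if full:
            deleted.append(full)
        else:
            unresolved.append(target)
    return deleted, unresolved


def surviving_stages(cmdlines):
    """Stage images that are never the target of a del command, i.e. what is left on disk."""
    deleted, _ = resolve_deletions(cmdlines)
    gone = {p.upper() for p in deleted}
    return [img for img in stage_images(cmdlines) if img.upper() not in gone]


if __name__ == "__main__":
    deleted, unresolved = resolve_deletions(CMDLINES)
    for p in deleted:
        print("deleted:", p)
    print("unresolved del targets:", unresolved or "none")
    print("still on disk:", surviving_stages(CMDLINES))
```

On this run the only dropped file left on disk is C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe, which is also the last component registered under Active Setup, so that file and its Installed Components key are the concrete artefacts to look for on a host; the ten earlier stages and the original sample are gone by the time the chain finishes.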

Network

N/A

Files

memory/1312-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1312-7-0x0000000000420000-0x0000000000431000-memory.dmp

C:\Windows\{69719318-7F68-4381-977F-1A1E96E98FD2}.exe

MD5 0a53782acfee66e180c736eafb82cd58
SHA1 8073a2e4be1b45621817b1de9a270b79c2abf0bc
SHA256 0fad1720fcbf7f557078b50183ad83fc41a6e276d643fa557c5879cbb6b0ab96
SHA512 fb3cea123ddc5d108ed5d6f19d8ac720c4ef0fce57adc6ffb03feb1ae0d5a9a323f9c70dbf642fcfb33872689965c5a0fcca9cb29db505a056035d73791cd5ed

memory/2736-9-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1312-3-0x0000000000420000-0x0000000000431000-memory.dmp

memory/1312-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2736-14-0x0000000000390000-0x00000000003A1000-memory.dmp

memory/2736-19-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{FFD165E5-7AA2-4658-8B4C-D27DDA44DC88}.exe

MD5 a8b3c1ef7f547432db91518276b22ede
SHA1 b0ff6d79432ca7866302b7d8ecc7e23b6f997a5e
SHA256 556b229743af2c0666f519196aea02a7eddff9d9714d31bbc422d7d81d78ab13
SHA512 2d5562ed3a5babf73b7ea5d0e22aadab3a3b4789dc0c577fb356f000754da5dd2d981d2ed3e554e5571a9ed2b0454cf4658d3d3e14b5a6ee7fcec44b0f73060e

memory/2720-20-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{59AE1C43-A544-4ea5-99F6-073F9B258739}.exe

MD5 4a20799aa07c2a0f2dbceaed21d5860b
SHA1 b65cd467a9040272ce748b905eb06c82657bb881
SHA256 4e7717b0077a4e819e89e161887696ef187a2497e40f9ca953e33bef6458786f
SHA512 f79390d844590e534ef7f1c36cc0056a001ef92b6a1c9f5628303933afe77b3eacc6753d07c6f5a1fec578a702c27a7726c4d087b06e19970bce2dc1260a1ad8

memory/2720-27-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{964BFF01-871E-4c8c-937C-4E98FB4152BC}.exe

MD5 9a6598d2ea22cb9450ff8f9b1b928014
SHA1 a942ccd8c11690c894c148e2c7b30f62556b91d0
SHA256 e0893f835544ee268c9720c881c67e215b4306f5ea99349804cfb81e95b635f3
SHA512 64b6b0a8be21e369d5c6cc18290dce82ee60a258ff05fb7714a0eb50327dc88fba37c1ad76777aaa8a39d49e5f99b20373d119b20b0f0600c4092f6e6dfabced

memory/2612-36-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1808-45-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{6E3EEBF8-1A4D-45e2-83C7-D875DDDC9C86}.exe

MD5 210ad54bac25c361d2d9f37587bc26c2
SHA1 fa5d9153142fab852d5442a194cd718685c96709
SHA256 4e6b52446d202ea4fa7574fdd25ab02ad5c790faaa5b1a2bbb962682b0450df3
SHA512 e5b1be0cfef6a1f7571c316e7193976cb902a43abdd2a724ad831eba38b7e2d7640fc7e32d08973690371eae3603dde152e528c203af3cef3c81a8f5b4ca5e84

memory/1444-43-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1808-49-0x0000000000290000-0x00000000002A1000-memory.dmp

memory/2020-56-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{B19944F3-83DA-42b1-BAD4-1744BF6E890E}.exe

MD5 eaf41afbe50c5e82eca19ca3006bd6dc
SHA1 a8ca6164f447aed6da91ca36398faeaf02d07500
SHA256 047850901e699b7c23a7763125881399789acbf0d0fd9b073938611f44c78cc7
SHA512 a673154348dd838160841a3dd5a845b4d5cd0fe04dfe5477edcbfcd5bdce960c47282c323183b4e902a2f67a807f97c94d8c03661c691d4aec08174f7bd4b8b2

memory/1808-54-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1808-53-0x0000000000290000-0x00000000002A1000-memory.dmp

C:\Windows\{2A124937-1789-49fb-BF5E-2E160097FB2C}.exe

MD5 d814aff9b0b612fd79069d9099b79bc9
SHA1 0a2b39d2f89f81b72224fcb2adb91438588bc22e
SHA256 f52b0aa48051624e6dd93e2da12bd8a2924e4dc83886a61520f93b7d3b3be1c8
SHA512 307a1ce87726ac0a5c75eef310ae9b5ced3ef1046dc29ea90a316d0c5519a2b1bcf80d8fa55d48d8a54a21ddf14467d8234c6459752c0bb521ee78eaf356a66a

memory/2256-65-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2020-63-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2256-73-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{1B2CFA46-D2C2-485c-B0F7-CBFB553DE850}.exe

MD5 1c33b7696fade0a662cfaa371ccb4427
SHA1 748f74ce2e21b99c542edf30a25d69e0bef76a31
SHA256 4f2862929d1b71845983106ab79c0f1004f4b90f33e9eda8d7aa419176560d71
SHA512 5446409f60c08cfebb02582c4313f0fd25c20bc739c677be97876cff98a45c872d9959952870148935f323e84d38ea93f933bd751316ad07e5709e45eaf7c81b

memory/1984-82-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2280-81-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{D51D0881-6CBC-4199-A713-45042C3C2A42}.exe

MD5 b954909d600767ebf8428d2a10bb7fea
SHA1 78f2a944561a03d903a93df9af12fda18ad77efa
SHA256 06bf731632e440bef22615bfb28e3107b7311f28bfc95fea84eacde0aceeb4ca
SHA512 5756b6af027363446b50d47a1c66c10da53719e059aefcf4d7907b9dbf5c1c9046cafed367c09bc5cb2b8971237980e40ce6b6ee9bb4c1ee598925e885c52cf3

memory/1984-90-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{55ED5284-ED88-4d2e-97B6-242EB97B8A87}.exe

MD5 f9b595b2c883c39915508249529b2178
SHA1 39f5c84544eabad75074105130f883a55c054ee4
SHA256 3d0e23d039f1ae4b3a0058962845d1e5d2e4a7c0e146cfa74f6aecac398c2baa
SHA512 336e0c955b15092fa8575e8727c719c909749181e883d583cc71d1c057d6f35cf586b29cb95d106df4b489d51bc0458c77e71e4eb44ac07fcc2044d4b8d6bc6f

memory/704-98-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1836-99-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{2C1F7C54-BA71-4999-B089-058DF54DEE31}.exe

MD5 8cc9cb4cdb28b37d1c2bae60512307f2
SHA1 915167489a43fe306a4f269c35e56469bc683956
SHA256 a8ad1ab076893916f45d01582f7cf58cc85037f5f08de0a5412b1eacff32b446
SHA512 b4f429fe5c829aac8261f5b0e4378d68fb3b565179f970a2ac8595ec0571344ba27c68ab98b6e0c6a0639370b731c49b36b53dca96f1b7777d7e9cb2dd83e124

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:10

Reported

2024-04-06 22:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}\stubpath = "C:\\Windows\\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe" | C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E495C54A-1056-4f76-9B2A-567D58E05425}\stubpath = "C:\\Windows\\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe" | C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA7559C-1387-4646-8256-C6DB3D5D6F98} | C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE} | C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}\stubpath = "C:\\Windows\\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe" | C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2379250-16FC-4217-91DA-6D4AFDC84963}\stubpath = "C:\\Windows\\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe" | C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F} | C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}\stubpath = "C:\\Windows\\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe" | C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}\stubpath = "C:\\Windows\\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe" | C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}\stubpath = "C:\\Windows\\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe" | C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}\stubpath = "C:\\Windows\\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe" | C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3F19BBF-847E-44b2-AB3D-52BA12335E53} | C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}\stubpath = "C:\\Windows\\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}.exe" | C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}\stubpath = "C:\\Windows\\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe" | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0DBB85-5B7A-4548-B861-6530C93FF226}\stubpath = "C:\\Windows\\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe" | C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D} | C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2379250-16FC-4217-91DA-6D4AFDC84963} | C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EAF24F-EB42-4843-8EBD-CC77F885377D} | C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E} | C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E93C21C-4290-48b2-829E-AB508DD4E7DF} | C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0DBB85-5B7A-4548-B861-6530C93FF226} | C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}\stubpath = "C:\\Windows\\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe" | C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E495C54A-1056-4f76-9B2A-567D58E05425} | C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5} | C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe N/A
File created C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe N/A
File created C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe N/A
File created C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe N/A
File created C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe N/A
File created C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe N/A
File created C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe N/A
File created C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe N/A
File created C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe N/A
File created C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe N/A
File created C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe N/A
File created C:\Windows\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}.exe C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe
PID 2112 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe
PID 2112 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe
PID 2112 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 3088 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe
PID 1556 wrote to memory of 3088 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe
PID 1556 wrote to memory of 3088 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe
PID 1556 wrote to memory of 4832 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4832 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4832 N/A C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 4960 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe
PID 3088 wrote to memory of 4960 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe
PID 3088 wrote to memory of 4960 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe
PID 3088 wrote to memory of 5000 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 5000 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 5000 N/A C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 2648 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe
PID 4960 wrote to memory of 2648 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe
PID 4960 wrote to memory of 2648 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe
PID 4960 wrote to memory of 416 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 416 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 416 N/A C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4020 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe
PID 2648 wrote to memory of 4020 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe
PID 2648 wrote to memory of 4020 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2032 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe
PID 4020 wrote to memory of 2032 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe
PID 4020 wrote to memory of 2032 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe
PID 4020 wrote to memory of 3480 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3480 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3480 N/A C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1096 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe
PID 2032 wrote to memory of 1096 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe
PID 2032 wrote to memory of 1096 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe
PID 2032 wrote to memory of 1336 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1336 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1336 N/A C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3352 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe
PID 1096 wrote to memory of 3352 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe
PID 1096 wrote to memory of 3352 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe
PID 1096 wrote to memory of 3232 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3232 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 3232 N/A C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 2456 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe
PID 3352 wrote to memory of 2456 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe
PID 3352 wrote to memory of 2456 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe
PID 3352 wrote to memory of 4828 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 4828 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 4828 N/A C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 3688 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe
PID 2456 wrote to memory of 3688 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe
PID 2456 wrote to memory of 3688 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe
PID 2456 wrote to memory of 4412 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 4412 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 4412 N/A C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 2164 N/A C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe
PID 3688 wrote to memory of 2164 N/A C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe
PID 3688 wrote to memory of 2164 N/A C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe
PID 3688 wrote to memory of 3664 N/A C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe

"C:\Users\Admin\AppData\Local\Temp\6fd77e784b145d65f7131d2633f2eaad61ef76f1c024374cb6520cc17dc18777.exe"

C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe

C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FD77E~1.EXE > nul

C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe

C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB17E~1.EXE > nul

C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe

C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA75~1.EXE > nul

C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe

C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5DAED~1.EXE > nul

C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe

C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3E93C~1.EXE > nul

C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe

C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AA0DB~1.EXE > nul

C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe

C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{36BBB~1.EXE > nul

C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe

C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2379~1.EXE > nul

C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe

C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2AEB3~1.EXE > nul

C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe

C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E3F19~1.EXE > nul

C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe

C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0EAF~1.EXE > nul

C:\Windows\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}.exe

C:\Windows\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E495C~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/2112-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{CB17ECAC-B809-4d35-9BF5-24B2B9804D5E}.exe

MD5 d780b7590d46e9b25741e76d6a1d2416
SHA1 2845eeea4c207d580626f84cb95997f409de0cf2
SHA256 97117d4ca7fcf4c7ee4d0ccc82aa7c93f09872dc7e5b8b91f3b9ebdecdc50d98
SHA512 02a665fb45fc41d69f7bef0a4c2ab6c9890400552b11660fe1945953cea053bf27f3e09a04bce50491e6442eb469786550aa2020bef29fed31dc30690559ce3e

memory/1556-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2112-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1556-11-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{8CA7559C-1387-4646-8256-C6DB3D5D6F98}.exe

MD5 0aa2df7fa5d69bd21714358c2461ab14
SHA1 bb07f95645730d29dc2f4e9e2dca6bcdcb49bd20
SHA256 9c07d4f6c0ac080e260ec7286f88a35ee90a18821735f5e6229bea1c4aa0fd68
SHA512 d14883798a24961b6f8359f6a8c3c9ce230db5c9bb2b97ecbf59d41e3a2cbe92fc17dce1bd1e465e8a3fdec9947627997c47106d592baa82ebe359d287c57d12

memory/3088-12-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5DAED3C0-ED8D-421b-A8A3-D55713E981CE}.exe

MD5 b77541ba0c456fc14c96560b26fad131
SHA1 7df6143cdbd9f62bd7f2724f740f1a49dc7d0612
SHA256 e4aabaf12b1685a8fb7cc7c9c83cd67da22713eebcc0d3e8ad874747d5f59df1
SHA512 d38235278b124d6a68a08f5eb6af34e83c7f58421c15add810fc65551c3f990f5d81579848e4259b6bb7c9601296b2f9aa9e128882c2aef55a51edd6d3ae20cc

memory/3088-16-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3E93C21C-4290-48b2-829E-AB508DD4E7DF}.exe

MD5 cfa8b0715af664c41a9ac56f9ee2ae11
SHA1 046707896f7c6b1d01692fcfa61596de8737f403
SHA256 3a419c8096e20dc02d48bf78aa4f7071c97a7e5771b86c78a6686e85c5b0568d
SHA512 7b04696ac00bfa074e1bc023dc1bae94525cc89cb653b7aeafd424a89d79597de0ef79d6d367a750d2721fa31be487ce2deed6ef13d604d7fb3072a07292ce0b

memory/2648-23-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4960-22-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{AA0DBB85-5B7A-4548-B861-6530C93FF226}.exe

MD5 2882894ebda6112f1fcb8a595828239b
SHA1 aed4422a3f2c87119b48017861e22923a758d814
SHA256 822bd0aca4aeb2524d6d25bb66a454cf4aaf3fc4e1585a382e7f1a14116b9694
SHA512 5b6fbfe0b104aeee9bc5c196c8d9282edee0c831b89b9788e0b5ea8f52e43eb9a123fc3a440ba0f8c616e524a83fae32dd003f49464e8a5b5cfbb1994327ae77

memory/2648-27-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{36BBBFDB-574D-471f-B6D1-D9C02A52F95D}.exe

MD5 2156d74d61597a4b4098cabc1fe8a036
SHA1 d712ddf740181331eb0fff0b640597ef2ce4d29d
SHA256 6980b4f515e95e9be2d686eda74feab1abd5db159ff74b4be0759d668eae8bca
SHA512 0f051c5f37810330e536b8376b8e50c4207e1d9b82f74659abeca4a8301743769facd869e401f6f7edda5c0eccb180f89b67bcb05c086c9b78774f8dd0907401

memory/4020-33-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2032-38-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{C2379250-16FC-4217-91DA-6D4AFDC84963}.exe

MD5 fd24060c356ff45eb51b7b0602847189
SHA1 2b72966424da1f2c3e6ba02ca2bdd833ef6ba90a
SHA256 3366122ddcbd578963a51a380f26781b6b59dda075ddb036161b8e072c1a67c6
SHA512 63023fbe1b6a9b28fee6150923f7c23604e4d3cd2b06c05ad5cccd43dafaeb8c6fbe34c5d2056ac83d9dba377f2b213700ec055622ef4796bee88b31e2650525

memory/1096-43-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{2AEB32B5-61EC-4ac7-8D71-2EED73E9D17F}.exe

MD5 7caf71a106c2990403787645751734b7
SHA1 c8240d72c819561d5e7432cc3e6c03877cbdb536
SHA256 ae755bdad3e847929237ecc27ed390ee71218260f4749d9439cb922fbc2bd222
SHA512 2a1eb3f814a5ed3dd523c23cf5158d84bd17f2ee406eb46e6516bc4b7542dc0132ae0488c85adfa386559b2f915e59f58f0232d15227628bbff0f758e116e7b1

C:\Windows\{E3F19BBF-847E-44b2-AB3D-52BA12335E53}.exe

MD5 0a0eade8a8c7804505a433b25a72ea97
SHA1 74e3333a183a578279c21d8b74bded8fbe5671a9
SHA256 37cd866f6572e386f065f277f909c350ff5be05e10cf81a5b95e240df1be9386
SHA512 2754ac4f743b38decf13ae842631c343919fea2bd2daea29325b9d5c3bec4d7694b4d48683487eac9c82cf2d84921a63e05619de598226c98c4dedc3e56b9812

memory/3352-47-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2456-51-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{F0EAF24F-EB42-4843-8EBD-CC77F885377D}.exe

MD5 e1ad06d062022e687868580397b6201e
SHA1 d63e31621588256282d0e555706909f5506be057
SHA256 7d6bc6cb4790287577c0f95e71a7c9256575c7dd3483f27b9491a20b4d8a2f56
SHA512 509a47cf151c97a0a01aedd732f8ce86ee9a73849f142315ab7e57396c55a9da075981ef9cf35a87fcede0ae1525a5549cc000d39538e5cc2943693d2dd71846

C:\Windows\{E495C54A-1056-4f76-9B2A-567D58E05425}.exe

MD5 cee3e652549b662685619c87010f83a7
SHA1 9f345a88f12c8154a20c3a7390a09a598f222267
SHA256 6b956050e8bb8cdbb605cf6e42c01482e19293527fd01de1a604682873e5cec3
SHA512 d1bca80e34e34a59dad47d51e09ca68fbcc658e694a91ab67d7e6c89a1e20fb78fad11c40c2af62648c04356c256cafa84d6d5e8b4a7ba6a89192733e94e0dc5

memory/3688-57-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2164-62-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{D7EB1610-15AB-4268-8E9B-BB40BE9787B5}.exe

MD5 f2318f1e04bfd723eee1563f83c754e7
SHA1 9d394dca24def726eb711cf7789af7fdee9fe54e
SHA256 551f784206f7064eba079f96a861f70dc9d9393050271109e7ee985162b63764
SHA512 761f97d5dad7d572486dcc809c69a63124807f3126c48a9eaf8c22c7581d8896c456dced753de11b938b05c82408178b05c7bb60a71d19865bd8bab857f381bc