Malware Analysis Report

2025-06-16 07:34

Sample ID 240601-yygw2aed98
Target 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a
SHA256 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a

Threat Level: Likely malicious

The file 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 20:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 20:11
Reported 2024-06-01 20:14
Platform win7-20240221-en
Max time kernel 144s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C020A-32AD-4857-99E0-02B4486DD17B}\stubpath = "C:\\Windows\\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe" C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}\stubpath = "C:\\Windows\\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe" C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CADB709-4AB0-49e2-8030-8965C12B5090} C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}\stubpath = "C:\\Windows\\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe" C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8B925B6-4DF9-4434-A670-35874C97CDC0}\stubpath = "C:\\Windows\\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe" C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89BE992-56EF-419e-9A60-C0D8F4C4D327} C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CADB709-4AB0-49e2-8030-8965C12B5090}\stubpath = "C:\\Windows\\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe" C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03} C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2669C1F-52ED-411d-9D57-6675FC70DBCE} C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C194F340-2985-4f26-B208-CC54E202F18E} C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5} C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}\stubpath = "C:\\Windows\\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe" C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9} C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C020A-32AD-4857-99E0-02B4486DD17B} C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8B925B6-4DF9-4434-A670-35874C97CDC0} C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}\stubpath = "C:\\Windows\\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe" C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5} C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}\stubpath = "C:\\Windows\\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe" C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7} C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}\stubpath = "C:\\Windows\\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe" C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}\stubpath = "C:\\Windows\\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe" C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C194F340-2985-4f26-B208-CC54E202F18E}\stubpath = "C:\\Windows\\{C194F340-2985-4f26-B208-CC54E202F18E}.exe" C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe N/A
File created C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe N/A
File created C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe N/A
File created C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe N/A
File created C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe N/A
File created C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe N/A
File created C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe N/A
File created C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe N/A
File created C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe N/A
File created C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
File created C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
PID 1556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
PID 1556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
PID 1556 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
PID 1556 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2488 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
PID 3004 wrote to memory of 2488 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
PID 3004 wrote to memory of 2488 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
PID 3004 wrote to memory of 2488 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
PID 3004 wrote to memory of 2612 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2612 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2612 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2612 N/A C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2544 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
PID 2488 wrote to memory of 2544 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
PID 2488 wrote to memory of 2544 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
PID 2488 wrote to memory of 2544 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
PID 2488 wrote to memory of 1428 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1428 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1428 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1428 N/A C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2428 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
PID 2544 wrote to memory of 2428 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
PID 2544 wrote to memory of 2428 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
PID 2544 wrote to memory of 2428 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
PID 2544 wrote to memory of 2396 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2396 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2396 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2396 N/A C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 3008 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
PID 2428 wrote to memory of 3008 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
PID 2428 wrote to memory of 3008 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
PID 2428 wrote to memory of 3008 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
PID 2428 wrote to memory of 1260 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1260 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1260 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1260 N/A C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1724 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
PID 3008 wrote to memory of 1724 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
PID 3008 wrote to memory of 1724 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
PID 3008 wrote to memory of 1724 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
PID 3008 wrote to memory of 1956 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1956 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1956 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1956 N/A C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2220 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
PID 1724 wrote to memory of 2220 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
PID 1724 wrote to memory of 2220 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
PID 1724 wrote to memory of 2220 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
PID 1724 wrote to memory of 908 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 908 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 908 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 908 N/A C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2132 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
PID 2220 wrote to memory of 2132 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
PID 2220 wrote to memory of 2132 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
PID 2220 wrote to memory of 2132 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
PID 2220 wrote to memory of 540 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 540 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 540 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 540 N/A C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe

"C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"

C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe

C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul

C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe

C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A11C0~1.EXE > nul

C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe

C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F8B92~1.EXE > nul

C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe

C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F24~1.EXE > nul

C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe

C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F89BE~1.EXE > nul

C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe

C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC419~1.EXE > nul

C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe

C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3CADB~1.EXE > nul

C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe

C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{38A5B~1.EXE > nul

C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe

C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A10BE~1.EXE > nul

C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe

C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B722~1.EXE > nul

C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe

C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D2669~1.EXE > nul

Network

N/A

Files

memory/1556-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe

MD5 6687deccb783fbf2bea37b0738e9efe7
SHA1 4b31d7ad2c472003ae9dddc678da13dc7456bffd
SHA256 708e0fbc393aff80c1f0c2453d97d43f985340e50d532143caf7c4c741add77e
SHA512 8429e306fb61b01556309f7a86d1d6c9d159eb4cd8d23555cfd9bddc3558c274b9b405ab6222210d2738019410e0c7c70b50a9f00c1274d6b0dd09e2a5941772

memory/1556-7-0x0000000000380000-0x0000000000391000-memory.dmp

memory/1556-8-0x0000000000380000-0x0000000000391000-memory.dmp

memory/3004-9-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1556-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3004-21-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe

MD5 febe5562e6b8e6ea6147cf15e21d023a
SHA1 3e682e0f6db9e3bbca29ad2a86807274ebaa3623
SHA256 62e0d40a92d54326212f8d643ada127971bf1813b1d69d1d8bf2858f588c34c9
SHA512 6c25213642268c2a655f6b804539ebd5b8987c72b0d7f6aef6c213a2fdaa3139c3fa6f190f10466585b0b53b76ff383c5a76043e5d4ad69cf87056368bdc896f

memory/2488-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3004-19-0x0000000000380000-0x0000000000391000-memory.dmp

memory/3004-18-0x0000000000380000-0x0000000000391000-memory.dmp

memory/2488-29-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2544-30-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe

MD5 68cc12b611e8f202c106af112e0d4504
SHA1 ffc383ec10e1f29765f8d034f646a03cd3cea471
SHA256 3a6f394ca8950f17c1eb6637519b44f610fef986d84b28f93c3cfa10b2af46e5
SHA512 e494a33fb39824c5888330a41a0cfdbf15922b40210167ac82adf6c7fae67c41dcdcd33bcba7e5e372f40d1ba74bd3d8627a9c348532cab3eabe09a898adf474

memory/2544-34-0x00000000003C0000-0x00000000003D1000-memory.dmp

memory/2544-39-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe

MD5 ba91662474f3d6490fb2194b084ed2be
SHA1 055dad1ffbbe1536c764a93a3b60325a069cf53f
SHA256 629ac607a75de4e6817987a6e85f63e0547eafe88470b6b67cad33a440601502
SHA512 73313297ffe540998c029403fa3cbca7a8e6143fd970fc25ac55bc8f0da26683fb50045ac8e6c6a02dff72d0cfc5e58ebc5e65483ecd56687df362539d24357c

memory/2428-40-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2428-44-0x00000000003B0000-0x00000000003C1000-memory.dmp

memory/2428-49-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe

MD5 0e7e6212a59610681180ec5c105631ac
SHA1 0bf1b29e85efa7f882f31d9dcc2150ec9b83f072
SHA256 40e30d8e2983628aef7bb3741f27b8dec33902a3287c0879e823dc97cab13d75
SHA512 e81a1c29834df297900db38d53e9c3b7310bcd9816123ac5b0e8df4057eee48a440e6244022ebf0a3ce46e0328e3d990c85b90e0de236146bd5cc7fe988964df

memory/3008-56-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1724-58-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe

MD5 f025ba68bd814e211c11c583d06058d3
SHA1 c1f0a7faf2b3d1e9c58441bb581991cdc983c9de
SHA256 6c3a19298253bfad8348d254db5bc82849bc29e9b6ae8c94249dab52411e70f4
SHA512 f814d272295c4fc650691a9802f47dd8545513ef00d13934cf17fc394878cdc22fcd5bcca9316205e4136e491d3504044425cccc8e8e13360c4d289f2dbe57b1

memory/1724-65-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe

MD5 7ff2d382b803252a1b59dad72cd9854a
SHA1 a7d1a54c3fdb27eb2492c8eeed7860b8d64ee1eb
SHA256 35f35adb731b145d8c8cc5fb99155d5281a301a7d47d155e84d9318a3660be4d
SHA512 3b0e7079ad0d859cda96277587a00c2e38cf09c250cc9c14b2b36da2b5bd2e2b7e6485efe681657f1ea5f69c8f49e5cc590579782f7a0a992309af01d330e521

memory/2220-73-0x0000000000370000-0x0000000000381000-memory.dmp

memory/2220-74-0x0000000000370000-0x0000000000381000-memory.dmp

C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe

MD5 ce10e7337ee244c7c69e8a05b1b9b88d
SHA1 4b5ca0d8816ae383d041f8c2df60bf947222d934
SHA256 7e3c287d983568dc6b1910c17a592e2dc6e46e504ce33e9046e20a6c67012011
SHA512 de9f8b39e9693bdb08d07ff28b06ef7d79d5b855d8b42d55461e91c33f02d65624549d80cf5b01390215a5e5989f4a9931ae7c6bae59eedbd2c1898382622d3c

memory/2220-75-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2132-77-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2132-81-0x00000000005B0000-0x00000000005C1000-memory.dmp

memory/2132-85-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe

MD5 7deb7bb80e8cbf21f45d53ccb6dd12e7
SHA1 444ec0f4a3892e374520c5eaa1657d83d8831492
SHA256 44f7b94cf390fac4cbcda79b8e77c214a405664d4cef77feac8799f8acb7c1f1
SHA512 4c8b0ea59df10ad6570b54aaa2330498eb0021e8921aa4d5dd96f311c661e00ab577f753ce1da989ef4a50e7e750183c88dd9b40bd7520488f6476637fb8cc95

memory/548-90-0x0000000000350000-0x0000000000361000-memory.dmp

memory/548-95-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe

MD5 ba6d5118b5e620bd31ca8d0a5b871d8b
SHA1 ce970efb68c9bace583d4c851559de24b8e5e85d
SHA256 4ad64fd14c1115144daeab40b0a495c990a0e263ad6168735db920010519b8c9
SHA512 2d3143296ead86c75d75a44a291c9e70133d0e522122b8028872dac2088f4d29cf65df36b05e31bf52a9f8b806267976d1e10c256353e1b75843ffff55e26083

memory/2692-102-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe

MD5 11f8a0d87c55e910fbd5fc6c22460dff
SHA1 47384d43607f46080982b12194420753c42be43c
SHA256 ff43506c1d8874725550b4310f24f3f819a883e4037a4a5ea5c1cf3b2074aa4e
SHA512 bd0a8aa51ef7d65dd4d4da151bdcbf369e875aec4f743d3586fb9b1ccae18fc16de15a23e2a1037f9b44f84f9f4e1e3965edb94b920d6086b0eb8cc9dcfff994

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 20:11
Reported 2024-06-01 20:14
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}\stubpath = "C:\\Windows\\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe" C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47358A5-9ED2-4262-958A-59D6C7CD205E} C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35354BD1-1F4D-4f09-BB5A-1A7727B92009} C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52AFCF4-334F-401c-970B-F2FB224E0225}\stubpath = "C:\\Windows\\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe" C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5989A06-D50E-477a-966B-5F93C1740C38}\stubpath = "C:\\Windows\\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe" C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}\stubpath = "C:\\Windows\\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe" C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}\stubpath = "C:\\Windows\\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe" C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D352423-EF38-4244-BA75-0804A572F504} C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D352423-EF38-4244-BA75-0804A572F504}\stubpath = "C:\\Windows\\{5D352423-EF38-4244-BA75-0804A572F504}.exe" C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B294F4-59B3-4210-A7E5-08AB595C334B}\stubpath = "C:\\Windows\\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe" C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}\stubpath = "C:\\Windows\\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe" C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7} C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5989A06-D50E-477a-966B-5F93C1740C38} C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627} C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}\stubpath = "C:\\Windows\\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe" C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B294F4-59B3-4210-A7E5-08AB595C334B} C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}\stubpath = "C:\\Windows\\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe" C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48} C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0} C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47358A5-9ED2-4262-958A-59D6C7CD205E}\stubpath = "C:\\Windows\\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe" C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887} C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E} C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52AFCF4-334F-401c-970B-F2FB224E0225} C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}\stubpath = "C:\\Windows\\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe" C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe N/A
File created C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe N/A
File created C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
File created C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe N/A
File created C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe N/A
File created C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe N/A
File created C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe N/A
File created C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe N/A
File created C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe N/A
File created C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe N/A
File created C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe N/A
File created C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe
PID 4744 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe
PID 4744 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe
PID 4744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2088 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe
PID 4620 wrote to memory of 2088 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe
PID 4620 wrote to memory of 2088 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe
PID 4620 wrote to memory of 4516 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4516 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4516 N/A C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 744 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe
PID 2088 wrote to memory of 744 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe
PID 2088 wrote to memory of 744 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe
PID 2088 wrote to memory of 3484 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 3484 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 3484 N/A C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 4944 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe
PID 744 wrote to memory of 4944 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe
PID 744 wrote to memory of 4944 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe
PID 744 wrote to memory of 4780 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 4780 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 4780 N/A C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 908 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe
PID 4944 wrote to memory of 908 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe
PID 4944 wrote to memory of 908 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe
PID 4944 wrote to memory of 916 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 916 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 916 N/A C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2044 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe
PID 908 wrote to memory of 2044 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe
PID 908 wrote to memory of 2044 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe
PID 908 wrote to memory of 3312 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3312 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3312 N/A C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 592 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe
PID 2044 wrote to memory of 592 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe
PID 2044 wrote to memory of 592 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe
PID 2044 wrote to memory of 2068 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2068 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2068 N/A C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 4996 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe
PID 592 wrote to memory of 4996 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe
PID 592 wrote to memory of 4996 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe
PID 592 wrote to memory of 1704 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 1704 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 1704 N/A C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 4508 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe
PID 4996 wrote to memory of 4508 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe
PID 4996 wrote to memory of 4508 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe
PID 4996 wrote to memory of 1160 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1160 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1160 N/A C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 2836 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe
PID 4508 wrote to memory of 2836 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe
PID 4508 wrote to memory of 2836 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe
PID 4508 wrote to memory of 1752 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1752 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1752 N/A C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 4024 N/A C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe
PID 2836 wrote to memory of 4024 N/A C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe
PID 2836 wrote to memory of 4024 N/A C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe
PID 2836 wrote to memory of 2600 N/A C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe

"C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"

C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe

C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul

C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe

C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D352~1.EXE > nul

C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe

C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35B29~1.EXE > nul

C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe

C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2579~1.EXE > nul

C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe

C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B52AF~1.EXE > nul

C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe

C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{562E1~1.EXE > nul

C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe

C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92F7E~1.EXE > nul

C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe

C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E5989~1.EXE > nul

C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe

C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BD081~1.EXE > nul

C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe

C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4735~1.EXE > nul

C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe

C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35354~1.EXE > nul

C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe

C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3C067~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 106.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4744-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe

MD5 8ef9638833800624c72d8cca83544f69
SHA1 a9a693977186c1ae20b5899f90ebbf6e1d6f8921
SHA256 8355b5c524b18cbfb3431fca14393990180a4f89824e498b6b44517c998eaa6a
SHA512 0a894f7ab20b376d5c1559ad72aaa20348d11d115862d27b202a32a57c9d9c27dc4f647e48bb821eb6d818fbf627136de119b367843331ba9f580066aa94c163

memory/4620-4-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4744-6-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe

MD5 9d5e941ec1ce5fdf42a5e75b4214cdf5
SHA1 13ab04047abfd2441f737e05992cb963f5eba649
SHA256 faa8aed34b19a1272ea21e7f13c8a5538da8080dad433b3fb51af1a459c2d240
SHA512 a192ba679486f49cf2f79f1a2d80a0efee9d27cee18f2651421a6e4fdc81d5ca920022897eb4744e105271967a66c67cdc762fe87f3c562523a4c457f9099009

memory/4620-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2088-12-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe

MD5 0f3603f73d0ed9218f3a889a06cd4480
SHA1 e4ed3b1d8cad65e734d4efecc7a5fcf69136eeae
SHA256 7897a04fdf8f28cd4fc05aefde78663b6d065f37b703429a65f33a9ff5a6f81d
SHA512 e6e506bb843704c6071a81974319997bd103a33431e903bb41114159f407d547a58e77cb96f5e0722968c9192f6ccb56992fecb4abe525f3230e61b5d7900e1c

memory/2088-16-0x0000000000400000-0x0000000000411000-memory.dmp

memory/744-17-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe

MD5 8be65cb347f3795b15d12eee700ccc84
SHA1 8ce9513c8658a7936650e9c28009fba99d48b8f1
SHA256 bd05cd4a8b4cca3484035c9f7a65c996faa04b7345d2a492eaf2e8c76e8fc7ea
SHA512 2f78d3c563b2b41031b3cf5f8b256fc76a5495ea16ec7377412905ccc82e7157b287152ec7e4cc607137ba9b1deb70e3117a9e8653da21de3f7830bdf9aac27f

memory/744-22-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4944-24-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4944-29-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe

MD5 268fa8693908e82cffe3af9321a481e0
SHA1 733ecb128a819044283af4bd4ed96d19def199de
SHA256 ff88c824de3f7762b1d5f1469b5a40984941572f240d0ce66c5ef17280ae6759
SHA512 f366dfce8991432dbe41658902da0494f7ab542b2b81a1dc27068e2007fa1a3649e3c9b59590687b76914afaac2e831c8b22b0683f68dca8ef355cb109d6b360

memory/908-30-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe

MD5 1f8a0aaf93b480635b1dbe196de6968f
SHA1 3ff783023a4c455d1b54c03946b9ba1acbffb424
SHA256 91688642aaff8a56953b2295f73764916f94686da646c51af70d74e69db55a23
SHA512 a8a9b8e4a73fef7ea68eee26e2d573dd124cd0c9bb9c0a04ca50fde1238a11f294c5225ab424e12e30bc6552396421e60613a7c762111b891b6ecb7ddbb53219

memory/908-35-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2044-36-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe

MD5 e2b47d702bcc9a83b35529e382fd6e35
SHA1 82878f6b97d69ab6b0a161b071696cde8df78d0f
SHA256 68b559b3c83ddc8af1af4483ee24bba686ed228322947d045e5ac8912a12d91e
SHA512 58df57c5ba2941ece6955f8a9109dca3b63b124a89dbe5204e7191ed5e8a0c11fc6355e133ceb9c598cb9cd7fa181a79d0824b31cd90ed638b33239cc28a1eb6

memory/2044-41-0x0000000000400000-0x0000000000411000-memory.dmp

memory/592-44-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4996-46-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe

MD5 163c8ea6acd7b62c4d7ddc21a4bd4628
SHA1 da56145f159e53a4f1bd5958ae03e1ec9b5c4ccd
SHA256 6f0951d2b4ebb377c535684d593b19843617d750739a4fc438b9e8fead46c294
SHA512 44bf9c1507351dc87d3c77ffe5a75b50a7b37dc494bbf0dc73f44fc89e9336769abefe886990a21b77dbb1e72eb3ec664dd56d81130e99c341b45593777c0d0c

C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe

MD5 8e210b1a91253ad83835d7e89a5be2bf
SHA1 022f06b95b42e4dab0cab8536dbcddd8a3de238d
SHA256 b1de14b4b775cc162763a9c5ad2c76361026ef8ad1766294f0b73e718e071aa9
SHA512 9a1e141828f23c637baeb44f4ac52fa9a72210f435485727eef57dc798263d42ac2e9f07114515fdd4f7c0ca7addce315e82b98867a507645c16a7e0732434d1

memory/4996-51-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4508-53-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe

MD5 befe102344d9c421ea29a787a00a3ab4
SHA1 8e51d2b654d663072df6ccaa4d91fa188b90758d
SHA256 f17f66567c22bad3b834c1a552b0077d05b6fcf14feb0dc926bef778ecfb772b
SHA512 10766795bba9a4b44ef24aabb80c46b9499ba8112dfae2513cb18b650ea5ef3656ee5157b71c364cac330505d9e842bfb838d1810967a72480f2b44037c0fd7a

memory/4508-58-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2836-62-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe

MD5 d396d55d03b75879e64a2a1ea6c79e1f
SHA1 c1f2b2c8669995b720f85ea4c32a46f4ee23abe0
SHA256 91d63a0448241c010ae7e4e647dd8ff7df7d56442fa6cec40b050b4af416d4d9
SHA512 4069eeb12c85ce28236b716f13c266c29fef8bbb0c831600ac63f0e007c2e74881db8c44c26ab41ff05dcdc92558bc65ad8c5fb758f24f5312e96446916da210

memory/4024-64-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4024-68-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe

MD5 59aa121a2ac6d3d9df8c45f7d34cf417
SHA1 d9819b01e0d36998c44b93fb888d24ea56869113
SHA256 bc714638869cf47d7930cf3debdce514aaf72feffd57e498311ded3967c50057
SHA512 96170f99b49076145594826772f80af610ce58287ef86a53747a5c507877460070101c707cb2fa90e51d6fbb33ac91bac302f64ce0b369ffbfd6a39f6c23bbde

memory/4208-69-0x0000000000400000-0x0000000000411000-memory.dmp