Malware Analysis Report

2025-03-15 00:05

Sample ID: 240603-1363tsah2x
Target: 5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1
SHA256: 5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1

Threat Level: Known bad

The file 5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1 was found to be: Known bad.

Malicious Activity Summary

persistence

Detects Windows executables referencing non-Windows User-Agents

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 22:11

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 22:11

Reported: 2024-06-03 22:14

Platform: win7-20240221-en

Max time kernel: 144s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9991D2-EE11-4c2e-A907-441E46B73E24} C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1328DD-607D-4669-9725-C76D4F098078} C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E2B0114-8F7A-430c-B713-0E7664872299}\stubpath = "C:\\Windows\\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe" C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}\stubpath = "C:\\Windows\\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe" C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16205371-AFE7-42a2-BDCA-1E5C7420C780}\stubpath = "C:\\Windows\\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe" C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9991D2-EE11-4c2e-A907-441E46B73E24}\stubpath = "C:\\Windows\\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe" C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5F781-3BE4-4752-9C56-43AE49529FE4} C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}\stubpath = "C:\\Windows\\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe" C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}\stubpath = "C:\\Windows\\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe" C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{085765FF-F557-45aa-A205-ACA6B029EB3F}\stubpath = "C:\\Windows\\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe" C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}\stubpath = "C:\\Windows\\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe" C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}\stubpath = "C:\\Windows\\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe" C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E2B0114-8F7A-430c-B713-0E7664872299} C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C} C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}\stubpath = "C:\\Windows\\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe" C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16205371-AFE7-42a2-BDCA-1E5C7420C780} C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB} C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4} C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1328DD-607D-4669-9725-C76D4F098078}\stubpath = "C:\\Windows\\{ED1328DD-607D-4669-9725-C76D4F098078}.exe" C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{085765FF-F557-45aa-A205-ACA6B029EB3F} C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDBBF4-AEC3-4661-99F2-16934D2E218A} C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2} C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe N/A
File created C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe N/A
File created C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe N/A
File created C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe N/A
File created C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe N/A
File created C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe N/A
File created C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe N/A
File created C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe N/A
File created C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
File created C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe N/A
File created C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
PID 996 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
PID 996 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
PID 996 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
PID 996 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2712 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
PID 3060 wrote to memory of 2712 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
PID 3060 wrote to memory of 2712 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
PID 3060 wrote to memory of 2712 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
PID 3060 wrote to memory of 2624 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2624 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2624 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2624 N/A C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2396 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
PID 2712 wrote to memory of 2396 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
PID 2712 wrote to memory of 2396 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
PID 2712 wrote to memory of 2396 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
PID 2712 wrote to memory of 2464 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2464 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2464 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2464 N/A C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2816 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
PID 2396 wrote to memory of 2816 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
PID 2396 wrote to memory of 2816 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
PID 2396 wrote to memory of 2816 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
PID 2396 wrote to memory of 2920 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2920 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2920 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2920 N/A C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1456 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
PID 2816 wrote to memory of 1456 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
PID 2816 wrote to memory of 1456 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
PID 2816 wrote to memory of 1456 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
PID 2816 wrote to memory of 1516 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1516 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1516 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1516 N/A C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2460 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
PID 1456 wrote to memory of 2460 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
PID 1456 wrote to memory of 2460 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
PID 1456 wrote to memory of 2460 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
PID 1456 wrote to memory of 2932 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2932 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2932 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2932 N/A C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
PID 2460 wrote to memory of 292 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 292 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 292 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 292 N/A C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1360 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
PID 812 wrote to memory of 1360 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
PID 812 wrote to memory of 1360 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
PID 812 wrote to memory of 1360 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
PID 812 wrote to memory of 1268 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1268 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1268 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1268 N/A C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe

"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"

C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe

C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F45BC~1.EXE > nul

C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe

C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{16205~1.EXE > nul

C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe

C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA999~1.EXE > nul

C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe

C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B5F~1.EXE > nul

C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe

C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{57C40~1.EXE > nul

C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe

C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{392AF~1.EXE > nul

C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe

C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED132~1.EXE > nul

C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe

C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E2B0~1.EXE > nul

C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe

C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{08576~1.EXE > nul

C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe

C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D3614~1.EXE > nul

C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe

C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{60EDB~1.EXE > nul

Network

N/A

Files

C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe

MD5 ba6a5c8d050951ec4efb0460f3a8c4fb
SHA1 65d19eaef6456e7f997232d39fda9f007d2b4d48
SHA256 11277f0288f9b6071e574f05ee36654774e36ffd1deafe1b4ccff34171c5f85e
SHA512 084e788d7f6f75043a30e3b482195f7cbb0a75f5e6b0a069541af20486ebbb50dabd5047d57fa7730e2b38033bca9501f66748d2669d8a07f08b7e38a743470c

C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe

MD5 6783b7f60ae050b80f523c7a9b9bc60e
SHA1 28b8849bdccde3ba51bfe190d9918b3a472039d4
SHA256 3841426a59a27c8ec1a36b4068033d51095a9b074fd43b1596ba0da46b5dc61c
SHA512 c220a86c64e2e1dc61cf3accaf1f065925d4c90d6b8ed01e9d0806f45b5d306746c5b1b4f359ccf77e4c659b35012d10343a42076c8ede20a7fdc55f0d8388f5

C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe

MD5 d312036e81f42e35058c0294e8eb9ecf
SHA1 1fafbc627e431d4170218a5159a753c3c60c93c9
SHA256 255b8f5618907579758c494ea2495765ae01972f04f6271a952329a09263c0ab
SHA512 d337a564d28235c42c56c7a4c38cc3f05877c7afc505b70ede8a55d6c22a659709efba16739f9217c104ce2d64ece50f8809dbcec1948863aba55658067a0ee7

C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe

MD5 e13272d4c725b13c5e77e6b29aaf52db
SHA1 4c8bfac0ab5785b5cacad8a83f9e26f2c925cc48
SHA256 f65fc52f5ba8a765eb17479028f09f4e60002742a75b6f1717627a2f96fa039d
SHA512 bf46c87651a4c5b0a7eab2ee4c65ba27ded46db069432fbbd91c5363780240852f4901e28e3d808bdfaf935feaba021093344b08d1571ec16cef9bd3c1ec0e59

C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe

MD5 27e2a10a4bb8d50fac77c1177805ac72
SHA1 c7c1df1cac8b45b66601d0e3b4cf67d5db640ebf
SHA256 87b6f7a9f77d5c48e7eb29cf4f71e29101f2c9f3cf8307e24e9d4c756db9d228
SHA512 8f44298a16b46baab9b3d43a208f3d3a308004c03630866b8cda390c4d5be7811b644a83c4b340938cd70ed2242901d0114be572270326c201c178b572cb030f

C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe

MD5 d93953b37ee9cc9a39f595b3dff7ce8d
SHA1 29a9ca6bf4b2755d1e4951ced453a791c75aeb99
SHA256 2a55217364d10a32669e5d360e1e795be9d2b88deb64d5025e566ae1668d47b3
SHA512 5b8aa85270cda6e6a27e7f8b842a2d6af15ab21a52156a19618066ddebbeec704516e780892e04566f135a6afce66a18800cbfd8a3909aa412e694a68bc1946f

C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe

MD5 3ca5f84a6ed0b7fb3085c99b80aef59e
SHA1 b67571e27a8a8c27d2a4869f7f344c5117172423
SHA256 2dc7605a05b690c1c4b703d7d05a2b4de8f0e7def6e5055e96ea88d0ff1f0b83
SHA512 396af47a1887194f5a58134313cbfeba7b31f7621f634c0de05622315de9e4b4cfe3741ffb9e1bd32214a3463505ed6a02c5bc989574830a758e0ab44c8d4933

C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe

MD5 9b6584269054317d82bab3be76ba5052
SHA1 450ef77ca54b09d8e6b438570812c80b985783f5
SHA256 f70bca02992f6068e39a8d1eba3b821e875b49d51d24cba1c14eefe7a0f3444c
SHA512 3f465525ebb7cd439ed1eccc248246d7b8fd50b5aca1b7ae60dd25c7bab9e169c58f065a40161cc931f6baec74e792b3a9f9f796ce89c0bffa0d3790edc1a9db

C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe

MD5 4ecf9777474f33ac62170c5d407fd6f0
SHA1 8fb32c2829ea2236aaa03c9f6cb590c7c3b8fb09
SHA256 91cc989d65799c96be8335e8411d5590738f3a92f6a7a7f3350b4ae31fe748ba
SHA512 532bf162a49ffb972eaaa18bd2c429f0ae4f4465755586b379c22a0db16ebdc0f56aa118e3b3ad1adfb0ab69110490e63dc12d52e77beb798f56efe1592129e0

C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe

MD5 3781d2337634541d3804ce9d0d04d261
SHA1 641ceb617a3e694631b6b22973ab28aec775dac7
SHA256 3d30acfe6fa1e04e06cacf20e074a029bb70206d581b80262c983e4e1baa67ff
SHA512 f6ddebbdf6b2d52c9b1820b5dcc065bdf69cddc1751b3c20482dec87e8b43f43d59a2b1c8dbbee89e6a817735d282f88327840a0258f995b3ce676162e46a1fd

C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe

MD5 4b031e52efde529fd162263fb139ffc3
SHA1 1afbed68a76e230053717c60cc4ff60dc59abc73
SHA256 fbd5456b551127f3526fbc5399bb9af9d7d765a14392c7b747a5660061a7d568
SHA512 9093c3932a960d9977de12b468a7478138f906a626017c93b83709a7ff7d537ee376f54241a45201648e21745da545c841d8bb68f2de716154272c787e63af52

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 22:11

Reported: 2024-06-03 22:14

Platform: win10v2004-20240426-en

Max time kernel: 149s

Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}\stubpath = "C:\\Windows\\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe" C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A52924-E66E-4862-B0AD-D1071EA6700D}\stubpath = "C:\\Windows\\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe" C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98907E83-B3CD-4f8f-803E-64C21A71F366} C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B1D440-F6FD-4646-83D1-344602913843} C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA255D99-9949-4920-ABF8-013A56932847} C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3753D4-D7A5-44eb-93F4-23A80F66707C} C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A9AD0E-226F-45bf-A99B-B566D60C0988} C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83BE808-D192-4483-9695-33F6E94F0F87}\stubpath = "C:\\Windows\\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe" C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951453FB-B63D-4998-A49A-5E49F225FE48}\stubpath = "C:\\Windows\\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe" C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}\stubpath = "C:\\Windows\\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe" C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8811E4-0583-4fc5-8701-D4FA592B32B0} C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3078F-BDBE-4e73-AC48-A137A5FBD366} C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}\stubpath = "C:\\Windows\\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe" C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98907E83-B3CD-4f8f-803E-64C21A71F366}\stubpath = "C:\\Windows\\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe" C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A40B1C-3C12-4cd5-8727-A28004CA6C39} C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}\stubpath = "C:\\Windows\\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe" C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B1D440-F6FD-4646-83D1-344602913843}\stubpath = "C:\\Windows\\{77B1D440-F6FD-4646-83D1-344602913843}.exe" C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B} C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}\stubpath = "C:\\Windows\\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe" C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA255D99-9949-4920-ABF8-013A56932847}\stubpath = "C:\\Windows\\{DA255D99-9949-4920-ABF8-013A56932847}.exe" C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}\stubpath = "C:\\Windows\\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe" C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83BE808-D192-4483-9695-33F6E94F0F87} C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951453FB-B63D-4998-A49A-5E49F225FE48} C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A52924-E66E-4862-B0AD-D1071EA6700D} C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe N/A
File created C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe N/A
File created C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe N/A
File created C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe N/A
File created C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe N/A
File created C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe N/A
File created C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe N/A
File created C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe N/A
File created C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
File created C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe N/A
File created C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe N/A
File created C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
PID 4780 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
PID 4780 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
PID 4780 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 680 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
PID 2720 wrote to memory of 680 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
PID 2720 wrote to memory of 680 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
PID 2720 wrote to memory of 2876 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2876 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2876 N/A C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 4724 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
PID 680 wrote to memory of 4724 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
PID 680 wrote to memory of 4724 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
PID 680 wrote to memory of 896 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 896 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 896 N/A C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4148 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
PID 4724 wrote to memory of 4148 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
PID 4724 wrote to memory of 4148 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
PID 4724 wrote to memory of 3260 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3260 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3260 N/A C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 3252 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
PID 4148 wrote to memory of 3252 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
PID 4148 wrote to memory of 3252 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
PID 4148 wrote to memory of 4712 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 4712 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 4712 N/A C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 2740 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
PID 3252 wrote to memory of 2740 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
PID 3252 wrote to memory of 2740 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
PID 3252 wrote to memory of 4136 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4136 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4136 N/A C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3136 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
PID 2740 wrote to memory of 3136 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
PID 2740 wrote to memory of 3136 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
PID 2740 wrote to memory of 1872 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1872 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1872 N/A C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3124 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
PID 3136 wrote to memory of 3124 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
PID 3136 wrote to memory of 3124 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
PID 3136 wrote to memory of 2864 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2864 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2864 N/A C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4424 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
PID 3124 wrote to memory of 4424 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
PID 3124 wrote to memory of 4424 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
PID 3124 wrote to memory of 4480 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4480 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4480 N/A C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4904 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
PID 4424 wrote to memory of 4904 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
PID 4424 wrote to memory of 4904 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
PID 4424 wrote to memory of 2128 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2128 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2128 N/A C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2900 N/A C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
PID 4904 wrote to memory of 2900 N/A C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
PID 4904 wrote to memory of 2900 N/A C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
PID 4904 wrote to memory of 3220 N/A C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe

"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"

C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe

C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F45BC~1.EXE > nul

C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe

C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0B0~1.EXE > nul

C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe

C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DA255~1.EXE > nul

C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe

C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6F375~1.EXE > nul

C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe

C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A9A~1.EXE > nul

C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe

C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A83BE~1.EXE > nul

C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe

C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95145~1.EXE > nul

C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe

C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{02F30~1.EXE > nul

C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe

C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09A52~1.EXE > nul

C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe

C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{98907~1.EXE > nul

C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe

C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77B1D~1.EXE > nul

C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe

C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23A40~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4780-0-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe

MD5 5f13f88e774ff8d338a778d54e2ff767
SHA1 fe6b721c8e76feab421798c9c232b00006595c11
SHA256 09277c2115ba79a823c89df2b7b2a2d81487e2fd8e4a223a9332458bf59d36ac
SHA512 0cb9eeda0dbdd2359b05c417af001e194a852002d38c20908d1e68e0466882889a80a7d3148d0b5d40ba1884be1588e53e1e636781ab70462d87e3e3ff2f0893

memory/2720-4-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4780-5-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2720-11-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe

MD5 7b45d1ea8ac8c1aa50ef90950fc44ec4
SHA1 43a61f3ddffc5ba0a88c2deeb2f5931848eb514b
SHA256 2c5beec8d9aca4f6195102c993b670be99301eac89c11508f793f4701dca0f8b
SHA512 50b7a2e6d6ca62f9b47c650a4224ba70483d8dd75d332cf6701ee21d3b543c5951c4ff438707bdf360872097342058fcdeca51771764f877b59c5ad333c57c7e

memory/680-12-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe

MD5 1a503adb9b327505fb24bddf21838a11
SHA1 b7a9a6d621e01941913fa0e86ffa1351b97346ea
SHA256 ff48c983068ff4732a1461b26b9014f505bd48aed50dcba5f08ed82aeec8d160
SHA512 8e9efe5dc8367c6a41b95c2e9e5bd8db6c45941fd25675605d5ee01734e3b3e405a99c88787d124a85a96117adb5478e020ed261ad99272f3ada3089a64b5966

memory/4724-18-0x0000000000400000-0x0000000000410000-memory.dmp

memory/680-17-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe

MD5 2615fdc306c55238010905a51b766d03
SHA1 4dd6ca0f42722e559e169a19a340e106dea9c588
SHA256 0812596cebc95ca0de598b6e0127f93b653bfdc8609616d3b095182d02db9a98
SHA512 77222e6aa02b10428f04617cb27c5878deac924cbce616472d5d77fb3a5fa0617a0ea08fcadee9d295bb3297be38c274ea877334a235356b6c0083bbf8e88323

memory/4148-23-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4724-22-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe

MD5 07cdee17529a783ff82c0fb58a09135e
SHA1 0478bddedfa094ab42ceee121dd91828f6bb1766
SHA256 2628e16ed3e7200bb4597463cb159052a514e6e0fb8242ded2cf0fde30db1cfe
SHA512 b1fa392819124900e09d41184d5a8b9e3b43a8897da0139d6b947b90627be06ac1bfc7348893ffc28e217a70d677575b33482ce2d351e2d3b9cc4ea38d52abbc

memory/4148-28-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3252-30-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe

MD5 77ec4768c58408cd141260a66bd85d00
SHA1 6b4886c3b6d5b883c465468dfd03d57f68dc2121
SHA256 bdb54c9170c2726d1bb3c699dacedf8ce80a98b1aa4333bdd5daeaa7e341a5a4
SHA512 407e012217bdc444ca480235af52207fc07844ad6514a22843d7a017e946ab4bac54cb1837125f42565c8f576eb5a9ef4f79ce3df2a5645ca3ad5b4e87f70546

memory/3252-35-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2740-36-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2740-39-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe

MD5 70c236c659ffffd63d706fa53aade1bb
SHA1 eb8f48a8b05512af14ab7ad2c2197f9d3c7c213d
SHA256 512878d140c999157653dca1dc26c9170ddb165651f688b76de4a6252ce7444b
SHA512 b090659108fdd16c7553c44b65a0cea06bb02ffd3b5983e3050d4df88ffe6c18f94c6b6e3d00b419241fbe2734a8f3dfb71106cf67ba4abab7382802bd6af1b6

memory/3136-42-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3136-47-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3124-48-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe

MD5 6303ff0eaadbc9241970df999d56031d
SHA1 219f6dc92d565ff2af932285cb97bc3f6303f21e
SHA256 aeb10d1c03a930ef3a0d5a70266b03636ff8982898458a817b12be4315c64340
SHA512 89c70ef585705ae350c9400eb947d979f46972261e81ced9a506c9af69dad1d414e0ab38dbec1437fa803f984ae8a117240746cfee7e71f30d4f8acbd5e42034

C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe

MD5 5bb8e48ba5011ab205077e4c1af5d8e7
SHA1 7896d55ba7b00427f2e4e7e309f24b35dcd6e791
SHA256 9909a4b2dc05031ed8a384b522618863a68711596f77277c19d9cb431321f23d
SHA512 126f76869560d51b4537d637b5eee4d7795f04ac6850194f9fe11a24750e7b0d6d51790ac9fe9057ab08becc3973d8e32ed69eda5a4b4603be427a45b59ba8ff

memory/3124-52-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4424-54-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4904-60-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4424-59-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe

MD5 c3e402bcc40ce32b273f546a1aa3838f
SHA1 59b7bdbb5d76efbab7d44a44cf84261a017c0775
SHA256 3db479571b8e653578411fbcdf7f3c754a577a958b82ba371076afda7800d377
SHA512 02bcc11c672ac3c0b5b6651fd9794313e22cb9a3942b4c2602f7a6b689980054fb02d22f3a55429f654f6149055fcdb27df43d7ddc3b315896616b3bf2cb1ed8

C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe

MD5 98b07a8e34d2f4bfb8c9e736db6c0c9f
SHA1 5f0940dbfdc2abd3e0d3bbe3ff6d4ae0803f0f2c
SHA256 788af22edbe67014496e3628cc539211de35091285166f7d9d267c270d5a3ca9
SHA512 feb98374f587b60225d0f1ca56c0361bb8752857753c2514ec42c851512ed160804b0c641d6d9ee2a90bde67ebffbb9fc35b23c2b215c6ab9544b63a5c881ec8

memory/2900-65-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4904-64-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2900-69-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe

MD5 b393ae78988bb81b1872586a4ad8bf33
SHA1 7664f2325b26e384e53f5e7b4f838369cd4b308a
SHA256 3c6084f8db89433c257ef5d7d8e70c671bef332f3c5b030408e47e2501b1e8ac
SHA512 c1db42e1bb433baaca40433977f0bc9013c4d4a409a5b5cdad8b8a4a8078218b518a0d55d3f8f9ca6a0f98066fcb153e5a02c1a84ea7625a823479681bf59790

memory/3176-71-0x0000000000400000-0x0000000000410000-memory.dmp