Malware Analysis Report

2025-03-14 23:52

Sample ID 240603-f4x64ada8w
Target f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247
SHA256 f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247
Tags
upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247

Threat Level: Known bad

The file f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247 was found to be: Known bad.

Malicious Activity Summary

upx persistence

Modifies WinLogon for persistence

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:26

Reported

2024-06-03 05:28

Platform

win7-20240419-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107E44F.exe\"" C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107E44F.exe\"" C:\Windows\107E44F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107E44F.exe\"" C:\Windows\107E44FQVSWRU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\107E44F.exe N/A
N/A N/A C:\Windows\107E44FQVSWRU.exe N/A
N/A N/A C:\Windows\107E44FQVSWRU.exe N/A
N/A N/A C:\Windows\107E44F.exe N/A
N/A N/A C:\Windows\107E44F.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\107E44F.exe = "C:\\Windows\\107E44F.exe" C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\107E44F.exe = "C:\\Windows\\107E44F.exe" C:\Windows\107E44F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\107E44F.exe = "C:\\Windows\\107E44F.exe" C:\Windows\107E44FQVSWRU.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\107E44F.exe C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
File opened for modification C:\Windows\107E44FQVSWRU.exe C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\107E44F.exe
PID 2668 wrote to memory of 1704 N/A C:\Windows\107E44F.exe C:\Windows\SysWOW64\TASKKILL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe

"C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\107E44F.exe

C:\Windows\107E44F.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\107E44FQVSWRU.exe

C:\Windows\107E44FQVSWRU.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\107E44FQVSWRU.exe

C:\Windows\107E44FQVSWRU.exe

C:\Windows\107E44F.exe

C:\Windows\107E44F.exe

C:\Windows\107E44F.exe

C:\Windows\107E44F.exe

Network

N/A

Files

memory/2428-0-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\107E44FQVSWRU.exe

MD5 d86545d2e7ed1285f58a427f8b6f1037
SHA1 4f2629746a8e79fdb4e8b6a6b4c20031a16b46a4
SHA256 f7edf1cebd3549734659bdde785df549382d894c574bfe6bc3d1f53311e5003e
SHA512 38fbf522f41456d6c96d3a58f1ec9954e54bd66db9defb899118605b2627ca45784c84e29f83a1b0d79d0a57c07b152eba7e41c7214c0be9c1ce7cc6e5c68d24

memory/2668-13-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2428-12-0x0000000000330000-0x000000000033F000-memory.dmp

C:\Windows\107E44F.exe

MD5 424d38853dbacda39f9ed6945d285d23
SHA1 62657df90d7214ff7a286534b136e4d1f2ae7ca1
SHA256 771e4c6c0242621198899ce2e0dcc12efb8dec886e4f63fc3e6d5427266ed9a8
SHA512 2d4fba331ec1f4814b7a32e096846274060d29059c1bc2c0cabc14cbe3bcd0404637488e98891ade019fbacac22beb8348c9d7129a0a6f2b1f16132fb8ac6095


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:26

Reported

2024-06-03 05:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1FBE13F.exe\"" C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1FBE13F.exe\"" C:\Windows\1FBE13F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1FBE13F.exe\"" C:\Windows\1FBE13FQVSWSX.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\1FBE13F.exe N/A
N/A N/A C:\Windows\1FBE13FQVSWSX.exe N/A
N/A N/A C:\Windows\1FBE13FQVSWSX.exe N/A
N/A N/A C:\Windows\1FBE13F.exe N/A
N/A N/A C:\Windows\1FBE13F.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1FBE13F.exe = "C:\\Windows\\1FBE13F.exe" C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1FBE13F.exe = "C:\\Windows\\1FBE13F.exe" C:\Windows\1FBE13F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1FBE13F.exe = "C:\\Windows\\1FBE13F.exe" C:\Windows\1FBE13FQVSWSX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\1FBE13F.exe C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A
File opened for modification C:\Windows\1FBE13FQVSWSX.exe C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
(42 identical rows, one per TASKKILL.exe instance)

Every SeDebugPrivilege entry is attributed to TASKKILL.exe, not to the sample or its dropped copies: taskkill enables SeDebugPrivilege so that /F can open processes owned by other users or by SYSTEM, which is what the command lines under Processes attempt. The privilege use is a side effect of the kill commands, not evidence that the sample itself manipulates tokens.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 3116, 540, 5004, 5020, 1368, 3444, 4152, 2100, 2172, 1292, 1996, 572, 4428, 724 (3 writes each) N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4752 wrote to memory of 224 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe C:\Windows\1FBE13F.exe
PID 224 wrote to memory of 3932, 2324, 1640, 1004, 3136, 1648 (3 writes each) N/A C:\Windows\1FBE13F.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 224 wrote to memory of 3764 (1 write shown; the listing ends here) N/A C:\Windows\1FBE13F.exe C:\Windows\SysWOW64\TASKKILL.exe

Every target is a process that the writing process itself launched: for PID 4752 (the sample) the fourteen TASKKILL.exe instances and the dropped 1FBE13F.exe (PID 224); for PID 224 further TASKKILL.exe instances. The sandbox records the same three writes for each child, which is its usual footprint for plain child-process creation by a 32-bit parent. Read this table as confirmation of the parent/child relationships, not as injection into an unrelated process.
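
An added example, not part of the sandbox report: a Python script that rebuilds the parent/child process tree from the "PID X wrote to memory of Y" rows above, collapsing the repeated writes per child and pointing out pairs whose write count differs from the usual three (here the final pair, where the listing is cut off). SAMPLE_ROWS is constructed from a subset of the rows above; the row layout it parses is the flattened "Description Indicator Process Target" form used on this page, which is an assumption of the example.

```python
import re
from collections import defaultdict

# Example added to this write-up (not sandbox output). Rebuilds the process tree
# from rows shaped like "PID 4752 wrote to memory of 3116 N/A <process> <target>",
# the flattened layout used in the WriteProcessMemory table above (assumed format).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.*)$"
)

# Paths copied from the report; the PIDs below are a subset of its rows.
SRC = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe")
TASKKILL = r"C:\Windows\SysWOW64\TASKKILL.exe"
DROPPED = r"C:\Windows\1FBE13F.exe"


def _row(src_pid, dst_pid, src_image, dst_image):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src_image} {dst_image}"


# Constructed sample: the sandbox logs three writes per child it sees created;
# the last pair has one write because the report's listing stops there.
SAMPLE_ROWS = (
    [_row(4752, 3116, SRC, TASKKILL)] * 3
    + [_row(4752, 540, SRC, TASKKILL)] * 3
    + [_row(4752, 224, SRC, DROPPED)] * 3
    + [_row(224, 3932, DROPPED, TASKKILL)] * 3
    + [_row(224, 3764, DROPPED, TASKKILL)]
)


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_image, dst_image) for every row that parses."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def build_tree(rows):
    """Map parent PID -> {child PID: {"image": path, "writes": count}}."""
    tree = defaultdict(dict)
    for src, dst, _, dst_image in parse_rows(rows):
        entry = tree[src].setdefault(dst, {"image": dst_image, "writes": 0})
        entry["writes"] += 1
    return dict(tree)


def images(rows):
    """Map PID -> image path from both columns, so root PIDs get a name too."""
    names = {}
    for src, dst, src_image, dst_image in parse_rows(rows):
        names.setdefault(src, src_image)
        names.setdefault(dst, dst_image)
    return names


def roots(tree):
    """Parents that never appear as a child: the top of each spawn chain."""
    children = {c for kids in tree.values() for c in kids}
    return {p for p in tree if p not in children}


def render_tree(tree, pid, names, depth=0):
    """Depth-first text rendering, one line per process, indented by depth."""
    pad = "  " * depth
    lines = [f"{pad}{pid} {names.get(pid, '?')}"]
    for child, info in sorted(tree.get(pid, {}).items()):
        lines.append(f"{pad}  {child} {info['image']} (writes: {info['writes']})")
        if child in tree:  # the child spawned processes of its own: nest them
            lines.extend(render_tree(tree, child, names, depth + 1)[1:])
    return lines


def odd_write_counts(tree, expected=3):
    """(parent, child, writes) for pairs that break the usual per-child count."""
    return [(p, c, info["writes"])
            for p, kids in tree.items()
            for c, info in kids.items() if info["writes"] != expected]


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    names = images(SAMPLE_ROWS)
    for root in sorted(roots(tree)):
        print("\n".join(render_tree(tree, root, names)))
    print("unusual write counts:", odd_write_counts(tree))
```

Feeding the full table in gives the spawn chain sample -> 1FBE13F.exe -> TASKKILL.exe directly, which is quicker than reading 60 near-identical rows; a pair with a write count other than three is worth a second look, since that is where either the listing was cut off or something other than plain process creation happened.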

Processes

C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe

"C:\Users\Admin\AppData\Local\Temp\f0c6a81af61991dd789914f36ef01eb4738caaaff5fb71f9dd91cac8458d2247.exe"

C:\Windows\SysWOW64\TASKKILL.exe (14 instances: the seven command lines below, each run twice)

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
TASKKILL /S COMPUTERNAME /F /IM services.exe /T
TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1FBE13F.exe

C:\Windows\1FBE13F.exe

C:\Windows\SysWOW64\TASKKILL.exe (14 instances: the same seven command lines, each run twice)

C:\Windows\1FBE13FQVSWSX.exe

C:\Windows\1FBE13FQVSWSX.exe

C:\Windows\SysWOW64\TASKKILL.exe (14 instances: the same seven command lines, each run twice)

C:\Windows\1FBE13FQVSWSX.exe

C:\Windows\1FBE13FQVSWSX.exe

C:\Windows\1FBE13F.exe

C:\Windows\1FBE13F.exe

C:\Windows\1FBE13F.exe

C:\Windows\1FBE13F.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Reading the TASKKILL command lines: five of the seven targets (winlogon.exe, services.exe, lsass.exe, csrss.exe, smss.exe) are critical Windows processes; had any of them actually been terminated, Windows would have crashed (CRITICAL_PROCESS_DIED) or lost the ability to log users on and control services. svchost.exe hosts most services and inetinfo.exe is the IIS service process. /F forces termination, /T extends it to child processes, and /S names the system to act on; the argument given is the literal string COMPUTERNAME rather than a host name, which reads as an environment variable (%COMPUTERNAME%) that was never expanded, so unless a reachable host carries that name every invocation fails before touching any local process. Each malware process issues the same seven commands twice. TASKKILL.exe is loaded from SysWOW64, i.e. the callers are 32-bit processes on 64-bit Windows. The list is in report order; the WriteProcessMemory table confirms that PID 4752 (the sample) launched the first 14 TASKKILL.exe instances and 1FBE13F.exe (PID 224), and that PID 224 launched the TASKKILL.exe instances that follow it.
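
An added example, not part of the sandbox report: a small Python detector that parses taskkill command lines and flags forced termination of core Windows processes, including the unexpanded COMPUTERNAME placeholder seen here. The switch semantics (/F, /T, /S, /IM, /PID, /FI, /U, /P) are taskkill's own; the two severity tiers and SAMPLE_CMDLINES, which holds the seven command lines above plus three constructed benign lines, are this example's assumptions. The same function can be run over command-line fields from process-creation telemetry (Sysmon event 1, or Security event 4688 with command-line auditing) to catch the behaviour outside the sandbox.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Example added to this write-up (not sandbox output): flag taskkill command lines
# that force-terminate core Windows processes. Switch semantics are taskkill's own;
# the two process tiers below are this example's choice.
CRITICAL_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                      "services.exe", "lsass.exe"}
SERVICE_PROCESSES = {"svchost.exe", "inetinfo.exe"}


@dataclass
class TaskkillCall:
    image: Optional[str] = None    # /IM <name>, lower-cased
    pid: Optional[int] = None      # /PID <n>
    remote: Optional[str] = None   # /S <system>
    force: bool = False            # /F
    tree: bool = False             # /T
    filters: List[str] = field(default_factory=list)  # /FI <filter> values


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_taskkill(cmdline):
    """Return the parsed switches if the line runs taskkill, otherwise None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    call = TaskkillCall()
    i = 1
    while i < len(toks):
        tok = toks[i]
        if len(tok) < 2 or tok[0] not in "/-":   # taskkill accepts / or - prefixes
            i += 1
            continue
        opt = tok[1:].lower()
        val = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "f":
            call.force = True
        elif opt == "t":
            call.tree = True
        elif opt == "im" and val is not None:
            call.image = val.lower()
            i += 1
        elif opt == "pid" and val is not None and val.isdigit():
            call.pid = int(val)
            i += 1
        elif opt == "s" and val is not None:
            call.remote = val
            i += 1
        elif opt == "fi" and val is not None:
            call.filters.append(val)
            i += 1
        elif opt in ("u", "p") and val is not None:
            i += 1   # credentials for /S: consume the value, do not keep it
        i += 1
    return call


def assess(cmdline):
    """Return {"severity", "reasons", "call"}, or None if the line is not taskkill."""
    call = parse_taskkill(cmdline)
    if call is None:
        return None
    reasons, severity = [], "none"
    if call.image in CRITICAL_PROCESSES:
        severity = "high"
        reasons.append(f"targets critical system process {call.image}")
    elif call.image in SERVICE_PROCESSES:
        severity = "medium"
        reasons.append(f"targets service host {call.image}")
    elif call.image and "*" in call.image:
        severity = "medium"
        reasons.append(f"wildcard image name {call.image}")
    if reasons and call.force:
        reasons.append("forced (/F)" + (", including child processes (/T)" if call.tree else ""))
    if call.remote is not None:
        reasons.append(f"addressed to remote system {call.remote!r}")
        # COMPUTERNAME, as in this report, is an environment-variable name, not a
        # host: the author's %COMPUTERNAME% was never expanded.
        if call.remote.upper() == "COMPUTERNAME":
            reasons.append("remote name is an unexpanded %COMPUTERNAME% placeholder")
        if severity == "none":
            severity = "low"
    return {"severity": severity, "reasons": reasons, "call": call}


def scan(cmdlines):
    """(cmdline, severity, reasons) for every taskkill line worth a look."""
    hits = []
    for line in cmdlines:
        result = assess(line)
        if result and result["severity"] != "none":
            hits.append((line, result["severity"], result["reasons"]))
    return hits


# The seven command lines from the Processes section plus three constructed benign
# lines, standing in for command-line fields from process-creation telemetry.
SAMPLE_CMDLINES = [
    f"TASKKILL /S COMPUTERNAME /F /IM {name} /T"
    for name in ("winlogon.exe", "services.exe", "lsass.exe", "csrss.exe",
                 "smss.exe", "inetinfo.exe", "svchost.exe")
] + [
    "taskkill /IM notepad.exe",
    "taskkill /F /PID 4321",
    r'"C:\Windows\System32\cmd.exe" /c dir',
]

if __name__ == "__main__":
    for line, severity, reasons in scan(SAMPLE_CMDLINES):
        print(f"[{severity}] {line}\n    " + "; ".join(reasons))
```

Against the ten sample lines the scan reports five high hits (the critical processes), two medium hits (svchost.exe and inetinfo.exe) and nothing for the benign lines. Keying on the image name rather than on "taskkill" alone keeps the rule quiet on the routine taskkill use that installers and administrators generate.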

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 (none) udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 (none) tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

None of this traffic is attributed to a process, and no forward lookup of a domain appears: the rows are mDNS multicast (224.0.0.251:5353), reverse (PTR) lookups of public addresses via 8.8.8.8, and one TCP connection to 13.107.246.64:443. With msedge.exe present in the process list, this is consistent with operating-system and browser background traffic; treat it as noise rather than command-and-control unless other evidence ties it to the sample.

Files

C:\Windows\1FBE13FQVSWSX.exe

MD5 ca07b0f2952a62a53e542b8edd83ed6b
SHA1 ce15f0e17d000797bab2b6f4a91587e16693c14b
SHA256 91400a8047de48510b5441ea759cbb6f15ba36ab595f65a40ca4efd9e74d98a0
SHA512 54350ab616a96bb5466b9ce74c3b48c733e27ebad0fd002f54b8fc817a64f213a18a903d2727539a88e7955560b9f9ac70cf86fae21522217490db7ef37f2770

C:\Windows\1FBE13F.exe

MD5 22c18c75b4e05b8bda9b2e7b52627f27
SHA1 3b4669e5326ffc6b01495748a0efff7036f559e0
SHA256 69c1050389ec8f7172c779010ed079d0da0463f4032e936c56442c895e98b9f9
SHA512 9c4aa59b8745397095c1e58e2d8d0e2d804cf262e1bf9a29315b3fc23e77537d1f00306d59d74569c7b95251d79a6c8ab3b23fbe402b24898aea7742430dce35

Memory dumps, named memory/<pid>-<index>-0x0000000000400000-0x000000000040F000-memory.dmp; every dump covers the same 60 KiB range 0x00400000-0x0040F000, the image range of each malware process:

PID 4752 (the sample): indices 0, 19, 37
PID 4908: 20, 27
PID 2304: 29
PID 5336: 36
PID 224 (1FBE13F.exe): 38, 40, 41, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66
PID 2444: 39, 42, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65

The two dropped executables are not byte-identical copies (their hashes differ). Six PIDs were dumped, matching the six malware processes in the process list (the sample, three 1FBE13F.exe instances and two 1FBE13FQVSWSX.exe instances); the report identifies only 4752 and 224 by image, so the remaining four PIDs cannot be tied to a specific dropped file from this page alone.