Analysis Overview
SHA256
6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987
Threat Level: Likely malicious
The file 6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987 was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:15
Reported
2024-11-09 23:17
Platform
win7-20240903-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0} | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9401C019-7512-480d-B800-AB341A44804E}\stubpath = "C:\\Windows\\{9401C019-7512-480d-B800-AB341A44804E}.exe" | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}\stubpath = "C:\\Windows\\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe" | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72949F39-CDCC-41b9-B939-379E45496FEB}\stubpath = "C:\\Windows\\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe" | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196} | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}\stubpath = "C:\\Windows\\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe" | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4F5A7B-4A80-4431-8073-F3F102516C90}\stubpath = "C:\\Windows\\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe" | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}\stubpath = "C:\\Windows\\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe" | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9} | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA788969-B585-4e0d-A9B4-603665F3B0BE} | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA788969-B585-4e0d-A9B4-603665F3B0BE}\stubpath = "C:\\Windows\\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe" | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72949F39-CDCC-41b9-B939-379E45496FEB} | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4F5A7B-4A80-4431-8073-F3F102516C90} | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}\stubpath = "C:\\Windows\\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe" | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9} | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}\stubpath = "C:\\Windows\\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe" | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9} | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196}\stubpath = "C:\\Windows\\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe" | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57988B4-0A01-4e7b-B294-711785AF9BAE} | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9401C019-7512-480d-B800-AB341A44804E} | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57988B4-0A01-4e7b-B294-711785AF9BAE}\stubpath = "C:\\Windows\\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe" | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C803CE-CAEC-45bd-B27A-E8BAFE314555} | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| N/A | N/A | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
| N/A | N/A | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| N/A | N/A | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| N/A | N/A | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| N/A | N/A | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| N/A | N/A | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
| N/A | N/A | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| N/A | N/A | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| N/A | N/A | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| N/A | N/A | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| File created | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| File created | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| File created | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| File created | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| File created | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| File created | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| File created | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
| File created | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| File created | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| File created | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
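Read together, the Active Setup and "Drops file" tables above describe one linear chain: each stage writes the next stage to C:\Windows and registers that next stage (not itself) as an Active Setup stubpath, so the payload will be re-launched for every user at logon once the GUID is missing from that user's HKCU Installed Components. The Wow6432Node path shows the sample is a 32-bit process on 64-bit Windows. The Python below is an added example, not part of the sandbox report or the sample: it parses rows in the report's own table layout, orders the eleven dropped executables by who created whom, and cross-checks that every stubpath value was written by the dropper of the file it points to. The input rows are copied verbatim from the win7 tables above.

```python
import re
from collections import defaultdict

# Constructed input: the win7 (behavioral1) "Drops file in Windows directory"
# and Active Setup "Set value (str)" rows above, copied verbatim in the
# report's own "| Description | Indicator | Process | Target |" layout.
DROP_ROWS = r"""
| File created | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| File created | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| File created | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| File created | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| File created | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| File created | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| File created | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| File created | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
| File created | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| File created | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| File created | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
"""

STUBPATH_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9401C019-7512-480d-B800-AB341A44804E}\stubpath = "C:\\Windows\\{9401C019-7512-480d-B800-AB341A44804E}.exe" | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}\stubpath = "C:\\Windows\\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe" | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72949F39-CDCC-41b9-B939-379E45496FEB}\stubpath = "C:\\Windows\\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe" | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}\stubpath = "C:\\Windows\\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe" | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4F5A7B-4A80-4431-8073-F3F102516C90}\stubpath = "C:\\Windows\\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe" | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}\stubpath = "C:\\Windows\\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe" | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA788969-B585-4e0d-A9B4-603665F3B0BE}\stubpath = "C:\\Windows\\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe" | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}\stubpath = "C:\\Windows\\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe" | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}\stubpath = "C:\\Windows\\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe" | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196}\stubpath = "C:\\Windows\\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe" | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57988B4-0A01-4e7b-B294-711785AF9BAE}\stubpath = "C:\\Windows\\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe" | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_rows(text):
    """Yield (description, indicator, process) from rows in the report's table layout."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        yield cells[0], cells[1], cells[2]


def drop_chain(drop_rows):
    """Return (root dropper, ordered list of dropped files); fails if not one linear chain."""
    children = defaultdict(list)
    created = set()
    for desc, path, proc in parse_rows(drop_rows):
        if desc == "File created":
            children[proc].append(path)
            created.add(path)
    roots = [p for p in children if p not in created]   # never dropped by anyone: the sample
    if len(roots) != 1:
        raise ValueError(f"expected one root dropper, found {roots}")
    chain, cur = [], roots[0]
    while cur in children:
        (nxt,) = children[cur]        # each stage drops exactly one successor
        chain.append(nxt)
        cur = nxt
    return roots[0], chain


def stubpath_registrations(stub_rows):
    """Map registered GUID -> (stubpath target, process that wrote the value)."""
    regs = {}
    for _desc, indicator, proc in parse_rows(stub_rows):
        key, _, value = indicator.partition(" = ")
        if not key.lower().endswith(r"\stubpath"):
            continue
        guid = GUID_RE.search(key).group(0)
        # the report shows the REG_SZ with doubled backslashes; undo that for comparison
        regs[guid] = (value.strip('"').replace("\\\\", "\\"), proc)
    return regs


def check_registrations(drop_rows, stub_rows):
    """Return (guid, writer, target) triples where a stage did NOT register its successor."""
    root, chain = drop_chain(drop_rows)
    regs = stubpath_registrations(stub_rows)
    mismatches = []
    for parent, child in zip([root] + chain, chain):
        guid = GUID_RE.search(child).group(0)
        target, writer = regs.get(guid, (None, None))
        if target != child or writer != parent:
            mismatches.append((guid, writer, target))
    return mismatches


if __name__ == "__main__":
    root, chain = drop_chain(DROP_ROWS)
    print(root)
    for i, path in enumerate(chain, 1):
        print(f"  stage {i:2d}: {path}")
    print("registration mismatches:", check_registrations(DROP_ROWS, STUBPATH_ROWS))
```

The ordered chain this produces matches the order of the "Executes dropped EXE" table, and an empty mismatch list confirms that the stubpath for every GUID was written by the process that dropped that GUID's executable. The same rows from the win10 detonation can be pasted in unchanged; only the GUIDs differ.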
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | "C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe" |
| C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul |
| C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AF7~1.EXE > nul |
| C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F5798~1.EXE > nul |
| C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{66C80~1.EXE > nul |
| C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4D4F5~1.EXE > nul |
| C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CF488~1.EXE > nul |
| C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9401C~1.EXE > nul |
| C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4ECD3~1.EXE > nul |
| C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F19~1.EXE > nul |
| C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{71A5A~1.EXE > nul |
| C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EA788~1.EXE > nul |
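Two traces of this behaviour survive on a live host and are cheap to alert on: a write to an Active Setup StubPath value, and cmd.exe deleting an executable by its 8.3 short name with output sent to nul (the "Deletes itself" signature above is exactly that command line). The Python below is an added example, not part of the report or the sample: it runs those two rules over constructed Sysmon-style events. Field names follow Sysmon's ProcessCreate (EventID 1) and RegistryEvent SetValue (EventID 13) records; the first three events reuse values recorded in the win7 detonation above, the last two are invented benign activity (a made-up vendor installer and an ordinary file deletion) that the rules should ignore. The reason strings and thresholds are this example's own choices, not anything the sandbox emits.

```python
import re

# Constructed Sysmon-style events. Field names follow Sysmon's ProcessCreate
# (EventID 1) and RegistryEvent SetValue (EventID 13); the first three events
# reuse values recorded in the win7 detonation above, the last two are
# invented benign activity to show what the rules ignore.
EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196}\StubPath",
     "Details": r"C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9401C019-7512-480d-B800-AB341A44804E}\StubPath",
     "Details": r"C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AF7~1.EXE > nul"},
    # Benign, constructed: a per-user installer stub registered by msiexec (made-up GUID and vendor).
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000c0de}\StubPath",
     "Details": r"C:\Program Files\ExampleVendor\setup.exe /peruser"},
    # Benign, constructed: an ordinary deletion, neither a short name nor silenced with > nul.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c del C:\Users\Admin\notes.txt"},
]

# Matches both the native and the Wow6432Node Installed Components view.
STUBPATH_RE = re.compile(
    r"\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]{36}\})\\StubPath$", re.I)
GUID_EXE_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.I)
# cmd /c del <8.3 short name>.exe > nul, the self-removal seen in the process list above.
SHORT_DEL_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+del\s+(?P<target>\S+~\d+\.exe)\s*>\s*nul", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")


def suspicious_stubpath(ev):
    """Rule 1: an Active Setup StubPath write that does not look like an installer's."""
    if ev.get("EventID") != 13:
        return None
    m = STUBPATH_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    stub = ev.get("Details", "").strip('"')
    reasons = []
    parent_dir = stub.rpartition("\\")[0].lower()
    if parent_dir == r"c:\windows":          # a stub sitting in the Windows root is unusual
        reasons.append("stub directly in C:\\Windows")
    if GUID_EXE_RE.search(stub):             # {GUID}.exe naming, as in this sample
        reasons.append("GUID-named executable")
    if any(p in ev.get("Image", "").lower() for p in USER_WRITABLE):
        reasons.append("written from user-writable path")
    if not reasons:
        return None
    return {"rule": "active_setup_stubpath", "guid": m.group(1), "stub": stub, "reasons": reasons}


def short_name_delete(ev):
    """Rule 2: cmd.exe deleting an executable by 8.3 short name with output discarded."""
    if ev.get("EventID") != 1:
        return None
    m = SHORT_DEL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return {"rule": "cmd_del_short_name", "target": m.group("target")}


def run_rules(events):
    """Apply both rules to every event and return the hits in event order."""
    hits = []
    for ev in events:
        for rule in (suspicious_stubpath, short_name_delete):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
```

Rule 1 fires on the first two events (both stubs live in the C:\Windows root and are GUID-named; the first is additionally written from a Temp directory), rule 2 fires on the cmd.exe deletion, and neither benign event matches. On a real fleet the same StubPath keys can also be enumerated directly from HKLM (both the native and the Wow6432Node view) and compared against the files on disk; a stub whose target is a GUID-named executable in C:\Windows is worth pulling for the hashes listed in the Files section below.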
Network
Files
memory/2596-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2596-1-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2596-3-0x00000000003E0000-0x00000000003F1000-memory.dmp
C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe
| MD5 | 6591a5153feaf14562938e0071f1b23a |
| SHA1 | b7c927612ded4be6d65b1510cbdbc481319057ea |
| SHA256 | 33fe4b98032506788ad55fc1522541d5a37ad40d072306fc246774281d45892f |
| SHA512 | de69d4112fa8f936220cb2cfcc0c7ddfbaddad5679dc0eac227d692c3562efc4b0b1cf20cb640073ae4c5ef66d696296ba7f101f69915832a78dc9ed75d29314 |
memory/2596-9-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1564-12-0x0000000000350000-0x0000000000361000-memory.dmp
C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe
| MD5 | 8a920cfc3965eadff2946152abd3743f |
| SHA1 | 8ac4b3927f9f3fcf54fa4a2813f1907da97ebb0c |
| SHA256 | 53fa73a4ac1e2d6fc5b56c000c2db1f8ce8fa22a2943dcda5c744c87d2296c18 |
| SHA512 | 41e4d51b780a57b0d53d89de6c1421f0ced342484dff674fff95a5b43310c519b4c16b57d79483f55920d9915b82da08c2d7ef14d9a940456b58dce1c07acde7 |
memory/1564-18-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2760-21-0x0000000000420000-0x0000000000431000-memory.dmp
C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe
| MD5 | 56b29992b9afb50d9b93db72e900a5b1 |
| SHA1 | 040b670e0d2d0d254e430bdd5a3379a014414a71 |
| SHA256 | 073d415af0da09c9153356a3d348cc905a4b3ff8fc1d7abe467f4abf8710e946 |
| SHA512 | e781e9384a07e2e9dd4e96a64e73b86b986aeaeab9a22a951b2eeaf18de6c238432f8552afb60471e8873558271b8def848756299a9291ab7d1ca86887771f5b |
memory/2760-27-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2756-28-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2756-31-0x0000000000290000-0x00000000002A1000-memory.dmp
C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe
| MD5 | 2bf8dc207b26576499c70d08fb967185 |
| SHA1 | f0aa472b9969bdcad377735f0246c0a6d6634d16 |
| SHA256 | 6e4ee2b29dfbc1a6a0f5dd0f3d4c7c3bd79ff26ed765d6f33c0ff340f6a1e08a |
| SHA512 | 849de6d57aadf50f618ecc91d2dfda9f2e773cdf5e6e430d9efebba83c481994e69e918ae7bde3ee8718c691d4cd0b29342c6a186498f577dc6f237ff0a821ae |
memory/2756-37-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2568-40-0x0000000000300000-0x0000000000311000-memory.dmp
C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe
| MD5 | af60574d76f643dfc91332bea107ec41 |
| SHA1 | 918b29e000bc845e2b9a3f8240765ea3d5d790ec |
| SHA256 | 3a1e118b72ba02596fce4a84408769bbd5fa0fd68211d851603ec93e78fdcc0e |
| SHA512 | 0a3c221c5320603978c07565479756db9439bfebeec5e076e39a7b0579fdb2269c897096a920924686b34b299009b4041b4c56877367c06086a9a2ddffbd82b9 |
memory/2568-46-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1852-49-0x0000000000380000-0x0000000000391000-memory.dmp
C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe
| MD5 | 2464d7d1bdc18198ed7f1ad40944d1c2 |
| SHA1 | 75cf05cf622c2833d09a3fba59a8e35baef111e3 |
| SHA256 | 94c1d6e76146b3ab3ec754d5ae56b205f346866d2c1cbc2667cc9902e6d8c731 |
| SHA512 | b10b56b605f8007825d7cdf4a9f7c8e6ba057616aa08978febcec0dec2459db3052805813db3ea8a1d19bf9b02d5eabf017cc31878eca1bcb4249170d5994017 |
memory/1852-55-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1884-59-0x0000000000280000-0x0000000000291000-memory.dmp
memory/1884-64-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe
| MD5 | 9bf9eb8d567857440853f61c51378df0 |
| SHA1 | 5b131625751e118c0d7ed644be6d2f59f60ea674 |
| SHA256 | fd0ec93e36cddd91b0bf398367c8e457d46741c06152de5ea96052035879a712 |
| SHA512 | 25a6dced56a0681e826487943a521bebd400fabf542ea02468254566e82deb5d6ab4cdb5a32353bee1b5f66f9f0c8cbdc295d26c7495e3bc39a7789fa60095e4 |
memory/2584-67-0x00000000002F0000-0x0000000000301000-memory.dmp
C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe
| MD5 | 058ef4a1c402ba4b11cacbb9e4065f26 |
| SHA1 | 00a140d259b85929020193734bf330f9794e5d5b |
| SHA256 | 9ce9bbf70ecb7f9fbe3620603cf0378876c01c8678f71523aed06628c0c012bc |
| SHA512 | 5833206b898676cef11464a68df95475b667bb49ce6658d0dcfe949774d912bb00738b206f340c6cc2cff809ed9c3fcd565767974602cba79a8ff05c8ee98739 |
memory/2584-73-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2880-76-0x00000000003C0000-0x00000000003D1000-memory.dmp
C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe
| MD5 | e5ac6ee69e5e28e4f1af0de846782ef7 |
| SHA1 | 97701e66a1632bc1c0f2eb9976623fbfac3d2b18 |
| SHA256 | 971d6f527fabbdf2ed6f234767875a92c2540d1dfdaf59ceb6e6570011ce2547 |
| SHA512 | b74ab2907d2079f9ad3934a25fc6a83ad5045c9210478d912bc5c650e9c6011b0297c2e1fe3db0a40516beab00df80ba879b6a9b4348a882a1e1949081210b9d |
memory/2880-82-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2916-85-0x00000000002F0000-0x0000000000301000-memory.dmp
memory/2916-90-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe
| MD5 | 345b92bd4f66d229f2509c8ccdfb1437 |
| SHA1 | e646bababc75f0b624bebfe291474f8908619a35 |
| SHA256 | 4a1ef93e86506e791df2c1b707ca87ba37b985cbd1272086d4c99843d10e8520 |
| SHA512 | aac00d7f3fb93804fd9114ed6605e1d1b8c4ba66e5eb389c913db67d52a9db34b586ce06fd9fcadc65d9e8fffa111ff98d7aac9c9f18d841edef38657c703974 |
memory/572-92-0x0000000000400000-0x0000000000411000-memory.dmp
memory/572-95-0x0000000000380000-0x0000000000391000-memory.dmp
memory/572-101-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe
| MD5 | d137ad853fa7ba0119312bd3109375dd |
| SHA1 | 65edb6c16bb8c363504a118186e6de2db1616351 |
| SHA256 | a0b90175f34a3735717a39f9f35217a68cdf5bbdd85b46f5f88edc318d90a484 |
| SHA512 | c517670517c6bd19bc1d280d14f804fa4f46d61b31ba9db05cc94c0d5d1a408531ff15552905fd7bfda9920b71cbe4025ac1bdf5569bf5f1bbb2994424bff05a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:15
Reported
2024-11-09 23:17
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609A734B-84C6-4ba9-B716-77AFA01FE735} | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2DDCA8-B557-4642-9C52-54CBA545048A}\stubpath = "C:\\Windows\\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe" | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2} | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09B343FB-D220-457c-BEC1-B2C6927D6956} | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF} | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}\stubpath = "C:\\Windows\\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe" | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}\stubpath = "C:\\Windows\\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe" | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609A734B-84C6-4ba9-B716-77AFA01FE735}\stubpath = "C:\\Windows\\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe" | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC351AF2-F920-4366-9891-6DE6980A8453}\stubpath = "C:\\Windows\\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe" | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}\stubpath = "C:\\Windows\\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe" | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51416E8-EB42-40b6-B965-4410DDD6A370} | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}\stubpath = "C:\\Windows\\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe" | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C09920B-161A-4e85-A580-166309E0423C}\stubpath = "C:\\Windows\\{6C09920B-161A-4e85-A580-166309E0423C}.exe" | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2DDCA8-B557-4642-9C52-54CBA545048A} | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}\stubpath = "C:\\Windows\\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe" | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC351AF2-F920-4366-9891-6DE6980A8453} | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908} | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C09920B-161A-4e85-A580-166309E0423C} | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D00A97FA-CC7F-4724-B334-31DD9F713D22} | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D00A97FA-CC7F-4724-B334-31DD9F713D22}\stubpath = "C:\\Windows\\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe" | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09B343FB-D220-457c-BEC1-B2C6927D6956}\stubpath = "C:\\Windows\\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe" | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE} | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51416E8-EB42-40b6-B965-4410DDD6A370}\stubpath = "C:\\Windows\\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe" | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6} | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A |
| N/A | N/A | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A |
| N/A | N/A | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A |
| N/A | N/A | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A |
| N/A | N/A | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A |
| N/A | N/A | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A |
| N/A | N/A | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A |
| N/A | N/A | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A |
| N/A | N/A | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A |
| N/A | N/A | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A |
| N/A | N/A | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A |
| N/A | N/A | C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A |
| File created | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A |
| File created | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A |
| File created | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A |
| File created | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A |
| File created | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A |
| File created | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A |
| File created | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A |
| File created | C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A |
| File created | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A |
| File created | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A |
| File created | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | "C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe" |
| C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul |
| C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{09B34~1.EXE > nul |
| C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE57~1.EXE > nul |
| C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F5141~1.EXE > nul |
| C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EC18A~1.EXE > nul |
| C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC366~1.EXE > nul |
| C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB7E~1.EXE > nul |
| C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6C099~1.EXE > nul |
| C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{609A7~1.EXE > nul |
| C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2DD~1.EXE > nul |
| C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D00A9~1.EXE > nul |
| C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe | C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC171~1.EXE > nul |
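The process list above shows a chain: each stage drops a {GUID}.exe into C:\Windows, runs it, and the new stage spawns cmd.exe /c del on the 8.3 short name of its parent, so only the newest copy remains on disk. The following Python script is an added example, not part of this report or of the sandbox's own tooling: it reconstructs that chain from the command-line column of the list and checks that every del target resolves to the immediately preceding stage. The 8.3 short-name mapping in short_name() is an assumption (an approximation of NTFS behaviour) rather than something the report states, so an unmatched target is reported as unresolved rather than as "not deleted".

```python
"""Reconstruct the drop-execute-delete chain from a sandbox process list.

Added example for this report, not part of the sandbox's own tooling.
Input is the command-line column of the Processes section, copied
verbatim. The 8.3 short-name mapping in short_name() is an assumption
(an approximation of NTFS behaviour), not something the report states.
"""
import re

# Command lines from the Processes section of this report, one per process.
PROCESS_CMDLINES = r'''
"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"
C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul
C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09B34~1.EXE > nul
C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE57~1.EXE > nul
C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F5141~1.EXE > nul
C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC18A~1.EXE > nul
C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CC366~1.EXE > nul
C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB7E~1.EXE > nul
C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6C099~1.EXE > nul
C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{609A7~1.EXE > nul
C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2DD~1.EXE > nul
C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D00A9~1.EXE > nul
C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AC171~1.EXE > nul
'''.strip().splitlines()

# "cmd.exe /c del <8.3 name> > nul": the self-deletion helper each stage spawns.
DEL_RE = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# A {GUID}.exe written directly into C:\Windows.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def short_name(path):
    """Approximate the NTFS 8.3 alias of path (assumption: six-character stem
    prefix, '~1', three-character extension, upper-cased). Real 8.3 generation
    strips some characters and uses ~2, ~3 ... on collision."""
    directory, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return f"{directory}\\{stem[:6]}~1.{ext[:3]}".upper()


def parse_processes(lines):
    """Split command lines into executed stages and the targets of 'del'."""
    stages, deletes = [], []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        m = DEL_RE.search(line)
        if m:
            deletes.append(m.group("target"))
        else:
            stages.append(line.strip('"'))
    return stages, deletes


def reconstruct_chain(lines=PROCESS_CMDLINES):
    """Map each 'del' target back to the stage it removed and summarise."""
    stages, deletes = parse_processes(lines)
    if not stages:
        raise ValueError("no executable stages found")
    by_short = {short_name(s).lower(): s for s in stages}
    resolved = [by_short.get(t.lower()) for t in deletes]
    deleted_set = {s for s in resolved if s}
    return {
        "stages": len(stages),
        "guid_drops": [s for s in stages if GUID_EXE_RE.match(s)],
        "deleted": [s for s in stages if s in deleted_set],
        "unresolved_targets": [t for t, s in zip(deletes, resolved) if s is None],
        # True when the i-th del removes exactly the i-th stage: each child
        # deletes its immediate parent and only the last stage survives.
        "child_deletes_parent": resolved == stages[:-1],
        "survivor": None if stages[-1] in deleted_set else stages[-1],
    }


if __name__ == "__main__":
    summary = reconstruct_chain()
    print(f"{summary['stages']} stages, {len(summary['guid_drops'])} GUID-named "
          f"drops in C:\\Windows, {len(summary['deleted'])} deleted by a successor")
    print("child deletes parent:", summary["child_deletes_parent"])
    print("survivor:", summary["survivor"])
```

On this report's data the script finds 13 stages (the submitted sample plus 12 GUID-named drops), 12 of which are deleted in order by the stage that followed them; only the last drop, {FC351AF2-F920-4366-9891-6DE6980A8453}.exe, is still on disk when the run ends. The same "cmd.exe /c del <8.3 name> > nul" shape, with a freshly created executable as the parent, is the pattern to alert on in process-creation telemetry.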
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2360-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2360-1-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe
| MD5 | 372a0fa9696fe349b1c2a7615b244ae5 |
| SHA1 | 54c81a1d14309afb0e37244a91360a87fd266772 |
| SHA256 | 8e7d7f31b0bff110be4b2d764ec343b4ea0cdfe0fe29ae0a99d17989cfec0049 |
| SHA512 | d8df0accbafa89fd8901fc9f5a4c8c036d7a6c0022394de6a93bd83825608c74ea48375ac3888e6e3713f334d8001c7ad718aeb66b7ec2ab64e34e54b43ec563 |
memory/5112-5-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2360-7-0x0000000000400000-0x0000000000411000-memory.dmp
memory/5112-8-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe
| MD5 | 4af24c1f83b51b9e65254108f68fe639 |
| SHA1 | 984731524a83a02118be33a710d3e3e8c5a2c184 |
| SHA256 | f3abceb27c2f6d156d6d8f1136df2f7b3441a369e2a69f54ccc150f6b63b6172 |
| SHA512 | be542e705ac71054850fd3a831472ccf78a1cfb66eed08021c5066453f93a54f5a450a414294eea02a1163a63a77fcc6584ff724260331b21d2ef55b2221ca41 |
memory/5112-12-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2428-14-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe
| MD5 | 13183e947c1bf1a9fb889a5e9bc0c962 |
| SHA1 | 46b2f10cf52187c5991804393514c03ed5f55afd |
| SHA256 | a309e13fda47f1e7d08aea4ae7469769497bc70fc89b5467d594e550fb26086e |
| SHA512 | 43acb2cb306ffdb2f1933e4251119e3cc0ba5a1c65351c5fffbd9410c17b5f6d276baee682fc7cafac06568911536e268555b01f7de7479aea073cb7e723080c |
memory/2428-19-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe
| MD5 | 48390b9e54fe690f6977691ca2012d9a |
| SHA1 | dfbfcbf005948ca8797759bac61e1438bfa6c103 |
| SHA256 | 32fa6bd7bb301ffa86e0139dac7cc8736130f153a4562ddc94e26884755228a6 |
| SHA512 | 0eaa4f49f0c7618493071c59a70f7aaf5b85a63388b926129521992ceb88f34c5032ecbab521fa7354bf044f64ad8d882208ce31da4ceebb8f1f4ab2b1db639f |
memory/3532-24-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1048-22-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe
| MD5 | 47218141596812f482002cc2551b4cbb |
| SHA1 | 1dfc7f325dc0df2e257a50beaaad5ef119719c1f |
| SHA256 | 3c734bffea220bd768bfa9aba69674898ef52dea561ee8b19bd8e9f4fb1ae21e |
| SHA512 | 98bf3804fe7949e8c76b919dab80d12b555f311e5c1358d9d20475ce89b82b7ee09f1abe87de3f5c27fb684a88a0f5acfb9a79513f537f94302a3bfae8aeffd5 |
memory/3600-31-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3532-29-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe
| MD5 | e32f2f170680fa6d2768b23340590047 |
| SHA1 | 454a3d37da48594b63996adf8e454c01c71c93be |
| SHA256 | 7a2ec349d3936c7946ec4972bb50a3bd5aa378d6da6ee7e1e02dcba0fe4d2a48 |
| SHA512 | 7c5bdc1712b8bdee21675c8771c2bf891dbf092323fcc1ac4c11cb6004550495314571e5bd7f3f22987176e75dbfba186aeb403b6d3105381f6d359ba00589e3 |
memory/4396-37-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3600-36-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4396-42-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1396-43-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe
| MD5 | c5c995f291048d8691ba90fc660aedd7 |
| SHA1 | c5a890726b7d8f4576a43e58a80fc760b2313924 |
| SHA256 | a2d5996801a4b8b3c07f9b0dc3a1121ab8d91932f8ea99583ba4b69faf73d059 |
| SHA512 | d83bdb9f9523ccd64cdee2f7492672c7675c8a3f9898f9ae0bf20144fcb4a0d70ba133c7447b6d33f06b7a0184651aec892ac7b1fabcee9ab79892ee1797e121 |
memory/1396-47-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3648-48-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe
| MD5 | ba2634e2f27456cea4805c4f3ac556c1 |
| SHA1 | 94f5ceab5809de6f96076bcb9af2c3d708d6f86b |
| SHA256 | e8ac2446f803929421251295f965ce095421fafff0ad6a941c7ef9abbd7818e9 |
| SHA512 | 8e868e8159cbf938a6ded6b115017e3588b9d29a827c228bc47db90ea863edea78e27a71c981bf8e6e1731d2d76c605467fb4aa0affcffc87fda6fb2813326dd |
memory/3648-53-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1944-54-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe
| MD5 | 154678b411058bfebe3691f27bc7892c |
| SHA1 | 9a547a4ac48f2d4920c46870cb25af38d7d589e9 |
| SHA256 | d503d83b3fdbeda3e96cb0b99de4156cbec1710875674580707d4275e92e7ff5 |
| SHA512 | 4a2a12c63a0b0e82fa8f841b7fca7c1b9ad74e6a43658af846f11ea04ccf26ba58e37be5e6bada39e1a4211a46e9a3fd262b39b2e9d0c6981e22c32e39b070f3 |
C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe
| MD5 | de51e0489571d2b2e98ca20f080531ec |
| SHA1 | 5e7eadd7bef9f41d7d03bf2bab9cdb3fb0f5e7e9 |
| SHA256 | 0d4e11f7ccd1a95d428378332fc2a54fee476990bcefe43a348f85763bab3e7b |
| SHA512 | 9135192e88226986b8e03822406ef6f4f50124e2ef2008f542cdbeb3f5a880fb0c6f1bd88edb7f6c3a3bcceebca280fa03dc4227b68da07098dd39ce8a61d7b1 |
memory/1944-59-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4320-60-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe
| MD5 | 71233ce08c392d659fa492e5b1090f5a |
| SHA1 | d8b4b96b7ba613c7e2dfd9fa4b004cc7acf37d55 |
| SHA256 | 389a88b8c1dae24f969b2a4ada8b7f5185896c60d9c9319dcec5d627deac91dd |
| SHA512 | c6ed65cce714ceadc0f8006a2c9be8bece113c34d6d8d93fd628f53a04b488ca07271d81eed2c2eee60acb096c569023aa6a8d7f50b47173805df31decaa1071 |
memory/1960-67-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4320-66-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe
| MD5 | 78f7fe600c55b2223e20bdfe40c6b94a |
| SHA1 | b2cab048afaee61327d09aa85755dc781527df80 |
| SHA256 | 191d5d8b8152aae3b10960b7cf9b51b25ccbc37394497e9e81c19ac7b245fc7a |
| SHA512 | b304a5a51579f3fddccc37f983fe57dcb125347ad77716265e644c3a22b659ede24ef7ffcdeaf879ae14233de58a4c25970c86b6d37aa1467efb15b484c0ef83 |
memory/3160-73-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1960-72-0x0000000000400000-0x0000000000411000-memory.dmp