Malware Analysis Report

2025-04-03 14:09

Sample ID 241109-28qhpsxkdk
Target 6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987
SHA256 6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987

Threat Level: Likely malicious

The file 6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987 was found to be: Likely malicious.

Behaviour in short: the sample is a 32-bit executable (its registry writes land under Wow6432Node and its children are SysWOW64\cmd.exe). It writes a copy of itself to C:\Windows as {GUID}.exe, registers that copy for persistence under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\StubPath, starts it, and then launches cmd.exe /c del against its own image, addressed by its 8.3 short name. Each started copy repeats the cycle, so the Win7 run produced a chain of eleven GUID-named executables; the Win10 run shows the same Active Setup registrations with a different set of GUIDs. Every copy has a different MD5/SHA256 (see Files), so the per-file hashes are weak indicators for this sample. The durable indicators are the registry path pattern, a GUID-named executable directly under C:\Windows, and the "cmd.exe /c del <8.3 name> > nul" command line. No network activity was recorded in the Win7 run.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15 techniques matched by the signatures in this report:

T1547.014 Boot or Logon Autostart Execution: Active Setup (persistence)
T1614.001 System Location Discovery: System Language Discovery (discovery)

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:15

Reported

2024-11-09 23:17

Platform

win7-20240903-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
All keys are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components (written as IC below). Rows are grouped per stage in chain order: each process creates the key for the copy it drops and points that key's stubpath at the copy.

Description | Indicator | Process | Target
Key created | IC\{C8AF7C64-0117-4580-A732-C8CF6EB91196} | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
Set value (str) | IC\{C8AF7C64-0117-4580-A732-C8CF6EB91196}\stubpath = "C:\\Windows\\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe" | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
Key created | IC\{F57988B4-0A01-4e7b-B294-711785AF9BAE} | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A
Set value (str) | IC\{F57988B4-0A01-4e7b-B294-711785AF9BAE}\stubpath = "C:\\Windows\\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe" | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A
Key created | IC\{66C803CE-CAEC-45bd-B27A-E8BAFE314555} | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A
Set value (str) | IC\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}\stubpath = "C:\\Windows\\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe" | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A
Key created | IC\{4D4F5A7B-4A80-4431-8073-F3F102516C90} | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A
Set value (str) | IC\{4D4F5A7B-4A80-4431-8073-F3F102516C90}\stubpath = "C:\\Windows\\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe" | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A
Key created | IC\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0} | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A
Set value (str) | IC\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}\stubpath = "C:\\Windows\\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe" | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A
Key created | IC\{9401C019-7512-480d-B800-AB341A44804E} | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A
Set value (str) | IC\{9401C019-7512-480d-B800-AB341A44804E}\stubpath = "C:\\Windows\\{9401C019-7512-480d-B800-AB341A44804E}.exe" | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A
Key created | IC\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9} | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A
Set value (str) | IC\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}\stubpath = "C:\\Windows\\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe" | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A
Key created | IC\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9} | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A
Set value (str) | IC\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}\stubpath = "C:\\Windows\\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe" | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A
Key created | IC\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9} | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A
Set value (str) | IC\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}\stubpath = "C:\\Windows\\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe" | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A
Key created | IC\{EA788969-B585-4e0d-A9B4-603665F3B0BE} | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A
Set value (str) | IC\{EA788969-B585-4e0d-A9B4-603665F3B0BE}\stubpath = "C:\\Windows\\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe" | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A
Key created | IC\{72949F39-CDCC-41b9-B939-379E45496FEB} | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A
Set value (str) | IC\{72949F39-CDCC-41b9-B939-379E45496FEB}\stubpath = "C:\\Windows\\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe" | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

The deletion is done by a child cmd.exe rather than by the sample itself; the exact command lines are listed under Processes.

Drops file in Windows directory

Rows are in chain order (each dropped file is the process that drops the next one).

Description | Indicator | Process | Target
File created | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
File created | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A
File created | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A
File created | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A
File created | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A
File created | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A
File created | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A
File created | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A
File created | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A
File created | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A
File created | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Every row opens the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the 24 rows are collapsed by process below, in chain order.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
Key opened | (same key) | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A
Key opened | (same key) | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A
Key opened | (same key) | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A
Key opened | (same key) | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A
Key opened | (same key) | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A
Key opened | (same key) | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A
Key opened | (same key) | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A
Key opened | (same key) | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A
Key opened | (same key) | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A
Key opened | (same key) | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A
Key opened | (same key) | C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe | N/A
Key opened | (same key) | C:\Windows\SysWOW64\cmd.exe (11 instances, one per self-delete) | N/A

Reading NLS\Language is routine runtime behaviour: the cmd.exe instances trigger this indicator just as the sample does, so on its own it carries little weight.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe | N/A

Every stage except the last ({72949F39-CDCC-41b9-B939-379E45496FEB}.exe) is listed.

Suspicious use of WriteProcessMemory

The report lists four identical write events for each parent/child pair; they are collapsed to one row per pair below.

Description | Indicator | Process | Target
PID 2596 wrote to memory of 1564 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe
PID 2596 wrote to memory of 2488 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2760 (4 writes) | N/A | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe
PID 1564 wrote to memory of 2668 (4 writes) | N/A | C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2756 (4 writes) | N/A | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe
PID 2760 wrote to memory of 1560 (4 writes) | N/A | C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2568 (4 writes) | N/A | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe
PID 2756 wrote to memory of 2544 (4 writes) | N/A | C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 1852 (4 writes) | N/A | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe
PID 2568 wrote to memory of 2268 (4 writes) | N/A | C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 1884 (4 writes) | N/A | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe
PID 1852 wrote to memory of 2336 (4 writes) | N/A | C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2584 (4 writes) | N/A | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe
PID 1884 wrote to memory of 1164 (4 writes) | N/A | C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2880 (4 writes) | N/A | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe
PID 2584 wrote to memory of 2864 (4 writes) | N/A | C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe | C:\Windows\SysWOW64\cmd.exe

Every target is a child the writing process has just created, and the cmd.exe children receive the same four writes as the next-stage executables. A parent populating a freshly created child's memory is part of normal process creation, so this signature confirms the parent/child relationships above but is not by itself evidence of code injection into an unrelated process. The recorded writes end at PID 2880 ({C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe); the remaining stages appear in the Processes and Files sections.

Processes

Process tree reconstructed from the WriteProcessMemory indicators (parent PID -> child PID) and the process list. Each stage starts the next GUID-named copy and then a cmd.exe that deletes the stage's own image by its 8.3 short name (6FABBD~1.EXE is the original sample, {C8AF7~1.EXE is {C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe, and so on). The command lines name C:\Windows\system32\cmd.exe, but the image that runs is C:\Windows\SysWOW64\cmd.exe because WOW64 file-system redirection applies to the 32-bit parent. The indicator tables record no PIDs after the {C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe stage, so the last stages and their cmd.exe children are shown without PIDs. Each entry gives the image path, then the command line.

stage 0   C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe  (PID 2596)
          "C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2488, child of 2596)
          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul

stage 1   C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe  (PID 1564, child of 2596)
          C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2668, child of 1564)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AF7~1.EXE > nul

stage 2   C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe  (PID 2760, child of 1564)
          C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 1560, child of 2760)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F5798~1.EXE > nul

stage 3   C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe  (PID 2756, child of 2760)
          C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2544, child of 2756)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{66C80~1.EXE > nul

stage 4   C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe  (PID 2568, child of 2756)
          C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2268, child of 2568)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4D4F5~1.EXE > nul

stage 5   C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe  (PID 1852, child of 2568)
          C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2336, child of 1852)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CF488~1.EXE > nul

stage 6   C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe  (PID 1884, child of 1852)
          C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 1164, child of 1884)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9401C~1.EXE > nul

stage 7   C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe  (PID 2584, child of 1884)
          C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID 2864, child of 2584)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4ECD3~1.EXE > nul

stage 8   C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe  (PID 2880, child of 2584)
          C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID not recorded)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F19~1.EXE > nul

stage 9   C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe  (PID not recorded)
          C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID not recorded)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{71A5A~1.EXE > nul

stage 10  C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe  (PID not recorded)
          C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe
  cleanup C:\Windows\SysWOW64\cmd.exe  (PID not recorded)
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EA788~1.EXE > nul

stage 11  C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe  (PID not recorded; no cleanup cmd.exe for this stage appears in the report)
          C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe
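The chain in the Active Setup, "Drops file" and Processes sections can be checked mechanically rather than by eye. The Python script below is an added analyst helper and is not part of the sandbox report: it parses the flattened "Description Indicator Process Target" rows in the form they appear on this page (the rows for the first three Win7 stages and the matching three cmd.exe command lines are embedded verbatim as sample input), follows creator-to-dropped-file edges to rebuild the stage order, checks that each stage's Installed Components key and stubpath name the file that stage actually dropped, and resolves the 8.3 short names in the "cmd.exe /c del" command lines back to the stages they remove. The short-name routine only covers what holds for every name here (the first six characters of the stem are valid short-name characters and no ~1 collision occurred); it is not a general 8.3 generator.

```python
"""Added analyst helper (not part of the sandbox report): rebuild and verify
the drop -> Active Setup -> self-delete chain from Triage-style indicator rows."""
import re

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
KEY_RE = re.compile(r"^Key created .*\\Installed Components\\(" + GUID + r") (\S+) N/A$")
STUB_RE = re.compile(r'^Set value \(str\) .*\\Installed Components\\(' + GUID
                     + r')\\stubpath = "(.+?)" (\S+) N/A$')
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
DEL_RE = re.compile(r"/c del (\S+) > nul", re.I)

# Rows copied verbatim from the behavioral1 tables of this report (first three stages).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196} C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AF7C64-0117-4580-A732-C8CF6EB91196}\stubpath = "C:\\Windows\\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe" C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
File created C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57988B4-0A01-4e7b-B294-711785AF9BAE} C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57988B4-0A01-4e7b-B294-711785AF9BAE}\stubpath = "C:\\Windows\\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe" C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe N/A
File created C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C803CE-CAEC-45bd-B27A-E8BAFE314555} C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}\stubpath = "C:\\Windows\\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe" C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe N/A
File created C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe N/A
"""

# cmd.exe command lines copied from the Processes section (the three matching the rows above).
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AF7~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F5798~1.EXE > nul",
]

ROOT = r"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"


def parse_rows(text):
    """Return (keys, stubs, drops), each keyed by the path of the acting process."""
    keys, stubs, drops = {}, {}, {}
    for line in text.strip().splitlines():
        if m := KEY_RE.match(line):
            keys[m.group(2)] = m.group(1)
        elif m := STUB_RE.match(line):
            # the report renders REG_SZ data with doubled backslashes; undo that
            stubs[m.group(3)] = (m.group(1), m.group(2).replace("\\\\", "\\"))
        elif m := DROP_RE.match(line):
            drops[m.group(2)] = m.group(1)
    return keys, stubs, drops


def chain_from(drops, root):
    """Follow creator -> created-file edges from root; stop at a leaf or a cycle."""
    chain, seen = [root], {root}
    while (nxt := drops.get(chain[-1])) and nxt not in seen:
        chain.append(nxt)
        seen.add(nxt)
    return chain


def active_setup_consistent(keys, stubs, drops):
    """True if every dropping process created an Installed Components key named
    after its drop and pointed that key's stubpath at the very same file."""
    for proc, dropped in drops.items():
        guid = dropped.rsplit("\\", 1)[-1][:-4]   # "{GUID}.exe" -> "{GUID}"
        if keys.get(proc) != guid or stubs.get(proc) != (guid, dropped):
            return False
    return True


def short_name(path):
    """8.3 alias as the sample's del command spells it: first six characters of the
    stem, "~1", upper-cased extension. Assumption: no ~1 collision and a stem made
    only of characters valid in short names (true for every name in this report)."""
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return f"{stem[:6].upper()}~1.{ext[:3].upper()}"


def deleted_stages(cmdlines, chain):
    """Map each 'cmd /c del <8.3 name>' back to the stage image it removes
    (None for a short name that matches no known stage)."""
    by_short = {short_name(p): p for p in chain}
    out = []
    for cl in cmdlines:
        if m := DEL_RE.search(cl):
            out.append(by_short.get(m.group(1).rsplit("\\", 1)[-1]))
    return out


if __name__ == "__main__":
    keys, stubs, drops = parse_rows(SAMPLE_ROWS)
    chain = chain_from(drops, ROOT)
    for i, p in enumerate(chain):
        print(f"stage {i}: {p}  (8.3: {short_name(p)})")
    print("Active Setup entries match drops:", active_setup_consistent(keys, stubs, drops))
    print("self-deleted:", deleted_stages(SAMPLE_CMDLINES, chain))
```

Fed all 22 Active Setup rows, all 11 "File created" rows and all 11 del command lines from behavioral1, the same functions return a 12-element chain ending in {72949F39-CDCC-41b9-B939-379E45496FEB}.exe with every stage but the last resolved as deleted, which is what the reconstructed process tree shows.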

Network

N/A

Files

memory/2596-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2596-1-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2596-3-0x00000000003E0000-0x00000000003F1000-memory.dmp

C:\Windows\{C8AF7C64-0117-4580-A732-C8CF6EB91196}.exe

MD5 6591a5153feaf14562938e0071f1b23a
SHA1 b7c927612ded4be6d65b1510cbdbc481319057ea
SHA256 33fe4b98032506788ad55fc1522541d5a37ad40d072306fc246774281d45892f
SHA512 de69d4112fa8f936220cb2cfcc0c7ddfbaddad5679dc0eac227d692c3562efc4b0b1cf20cb640073ae4c5ef66d696296ba7f101f69915832a78dc9ed75d29314

memory/2596-9-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1564-12-0x0000000000350000-0x0000000000361000-memory.dmp

C:\Windows\{F57988B4-0A01-4e7b-B294-711785AF9BAE}.exe

MD5 8a920cfc3965eadff2946152abd3743f
SHA1 8ac4b3927f9f3fcf54fa4a2813f1907da97ebb0c
SHA256 53fa73a4ac1e2d6fc5b56c000c2db1f8ce8fa22a2943dcda5c744c87d2296c18
SHA512 41e4d51b780a57b0d53d89de6c1421f0ced342484dff674fff95a5b43310c519b4c16b57d79483f55920d9915b82da08c2d7ef14d9a940456b58dce1c07acde7

memory/1564-18-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2760-21-0x0000000000420000-0x0000000000431000-memory.dmp

C:\Windows\{66C803CE-CAEC-45bd-B27A-E8BAFE314555}.exe

MD5 56b29992b9afb50d9b93db72e900a5b1
SHA1 040b670e0d2d0d254e430bdd5a3379a014414a71
SHA256 073d415af0da09c9153356a3d348cc905a4b3ff8fc1d7abe467f4abf8710e946
SHA512 e781e9384a07e2e9dd4e96a64e73b86b986aeaeab9a22a951b2eeaf18de6c238432f8552afb60471e8873558271b8def848756299a9291ab7d1ca86887771f5b

memory/2760-27-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2756-28-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2756-31-0x0000000000290000-0x00000000002A1000-memory.dmp

C:\Windows\{4D4F5A7B-4A80-4431-8073-F3F102516C90}.exe

MD5 2bf8dc207b26576499c70d08fb967185
SHA1 f0aa472b9969bdcad377735f0246c0a6d6634d16
SHA256 6e4ee2b29dfbc1a6a0f5dd0f3d4c7c3bd79ff26ed765d6f33c0ff340f6a1e08a
SHA512 849de6d57aadf50f618ecc91d2dfda9f2e773cdf5e6e430d9efebba83c481994e69e918ae7bde3ee8718c691d4cd0b29342c6a186498f577dc6f237ff0a821ae

memory/2756-37-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2568-40-0x0000000000300000-0x0000000000311000-memory.dmp

C:\Windows\{CF4881F4-1EBA-4b03-9425-30E8B94AFBD0}.exe

MD5 af60574d76f643dfc91332bea107ec41
SHA1 918b29e000bc845e2b9a3f8240765ea3d5d790ec
SHA256 3a1e118b72ba02596fce4a84408769bbd5fa0fd68211d851603ec93e78fdcc0e
SHA512 0a3c221c5320603978c07565479756db9439bfebeec5e076e39a7b0579fdb2269c897096a920924686b34b299009b4041b4c56877367c06086a9a2ddffbd82b9

memory/2568-46-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1852-49-0x0000000000380000-0x0000000000391000-memory.dmp

C:\Windows\{9401C019-7512-480d-B800-AB341A44804E}.exe

MD5 2464d7d1bdc18198ed7f1ad40944d1c2
SHA1 75cf05cf622c2833d09a3fba59a8e35baef111e3
SHA256 94c1d6e76146b3ab3ec754d5ae56b205f346866d2c1cbc2667cc9902e6d8c731
SHA512 b10b56b605f8007825d7cdf4a9f7c8e6ba057616aa08978febcec0dec2459db3052805813db3ea8a1d19bf9b02d5eabf017cc31878eca1bcb4249170d5994017

memory/1852-55-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1884-59-0x0000000000280000-0x0000000000291000-memory.dmp

memory/1884-64-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{4ECD3E83-442E-4f3f-BE41-3485DD346AA9}.exe

MD5 9bf9eb8d567857440853f61c51378df0
SHA1 5b131625751e118c0d7ed644be6d2f59f60ea674
SHA256 fd0ec93e36cddd91b0bf398367c8e457d46741c06152de5ea96052035879a712
SHA512 25a6dced56a0681e826487943a521bebd400fabf542ea02468254566e82deb5d6ab4cdb5a32353bee1b5f66f9f0c8cbdc295d26c7495e3bc39a7789fa60095e4

memory/2584-67-0x00000000002F0000-0x0000000000301000-memory.dmp

C:\Windows\{C3F19A0F-F83A-4905-8DAA-9A4C573940E9}.exe

MD5 058ef4a1c402ba4b11cacbb9e4065f26
SHA1 00a140d259b85929020193734bf330f9794e5d5b
SHA256 9ce9bbf70ecb7f9fbe3620603cf0378876c01c8678f71523aed06628c0c012bc
SHA512 5833206b898676cef11464a68df95475b667bb49ce6658d0dcfe949774d912bb00738b206f340c6cc2cff809ed9c3fcd565767974602cba79a8ff05c8ee98739

memory/2584-73-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2880-76-0x00000000003C0000-0x00000000003D1000-memory.dmp

C:\Windows\{71A5A953-CC2D-4097-88D1-6BAF71C8EAC9}.exe

MD5 e5ac6ee69e5e28e4f1af0de846782ef7
SHA1 97701e66a1632bc1c0f2eb9976623fbfac3d2b18
SHA256 971d6f527fabbdf2ed6f234767875a92c2540d1dfdaf59ceb6e6570011ce2547
SHA512 b74ab2907d2079f9ad3934a25fc6a83ad5045c9210478d912bc5c650e9c6011b0297c2e1fe3db0a40516beab00df80ba879b6a9b4348a882a1e1949081210b9d

memory/2880-82-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2916-85-0x00000000002F0000-0x0000000000301000-memory.dmp

memory/2916-90-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{EA788969-B585-4e0d-A9B4-603665F3B0BE}.exe

MD5 345b92bd4f66d229f2509c8ccdfb1437
SHA1 e646bababc75f0b624bebfe291474f8908619a35
SHA256 4a1ef93e86506e791df2c1b707ca87ba37b985cbd1272086d4c99843d10e8520
SHA512 aac00d7f3fb93804fd9114ed6605e1d1b8c4ba66e5eb389c913db67d52a9db34b586ce06fd9fcadc65d9e8fffa111ff98d7aac9c9f18d841edef38657c703974

memory/572-92-0x0000000000400000-0x0000000000411000-memory.dmp

memory/572-95-0x0000000000380000-0x0000000000391000-memory.dmp

memory/572-101-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{72949F39-CDCC-41b9-B939-379E45496FEB}.exe

MD5 d137ad853fa7ba0119312bd3109375dd
SHA1 65edb6c16bb8c363504a118186e6de2db1616351
SHA256 a0b90175f34a3735717a39f9f35217a68cdf5bbdd85b46f5f88edc318d90a484
SHA512 c517670517c6bd19bc1d280d14f804fa4f46d61b31ba9db05cc94c0d5d1a408531ff15552905fd7bfda9920b71cbe4025ac1bdf5569bf5f1bbb2994424bff05a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:15

Reported

2024-11-09 23:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
All keys are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components (written as IC below). Rows are grouped per stage in chain order, the same drop/register pattern as the Win7 run with a different set of GUIDs.

Description | Indicator | Process | Target
Key created | IC\{09B343FB-D220-457c-BEC1-B2C6927D6956} | C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe | N/A
Set value (str) | IC\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}\stubpath = "C:\\Windows\\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe" | C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe | N/A
Key created | IC\{F51416E8-EB42-40b6-B965-4410DDD6A370} | C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe | N/A
Key created | IC\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF} | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A
Set value (str) | IC\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}\stubpath = "C:\\Windows\\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe" | C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe | N/A
Set value (str) | IC\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}\stubpath = "C:\\Windows\\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe" | C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe | N/A
Key created | IC\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908} | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A
Set value (str) | IC\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}\stubpath = "C:\\Windows\\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe" | C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe | N/A
Key created | IC\{6C09920B-161A-4e85-A580-166309E0423C} | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A
Set value (str) | IC\{6C09920B-161A-4e85-A580-166309E0423C}\stubpath = "C:\\Windows\\{6C09920B-161A-4e85-A580-166309E0423C}.exe" | C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe | N/A
Key created | IC\{609A734B-84C6-4ba9-B716-77AFA01FE735} | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A
Set value (str) | IC\{609A734B-84C6-4ba9-B716-77AFA01FE735}\stubpath = "C:\\Windows\\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe" | C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe | N/A
Key created | IC\{9E2DDCA8-B557-4642-9C52-54CBA545048A} | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A
Set value (str) | IC\{9E2DDCA8-B557-4642-9C52-54CBA545048A}\stubpath = "C:\\Windows\\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe" | C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe | N/A
Key created | IC\{D00A97FA-CC7F-4724-B334-31DD9F713D22} | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A
Set value (str) | IC\{D00A97FA-CC7F-4724-B334-31DD9F713D22}\stubpath = "C:\\Windows\\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe" | C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe | N/A
Key created | IC\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2} | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A
Set value (str) | IC\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}\stubpath = "C:\\Windows\\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe" | C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe | N/A
Key created | IC\{FC351AF2-F920-4366-9891-6DE6980A8453} | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A
Set value (str) | IC\{FC351AF2-F920-4366-9891-6DE6980A8453}\stubpath = "C:\\Windows\\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe" | C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09B343FB-D220-457c-BEC1-B2C6927D6956}\stubpath = "C:\\Windows\\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe" C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE} C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51416E8-EB42-40b6-B965-4410DDD6A370}\stubpath = "C:\\Windows\\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe" C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6} C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe N/A
File created C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe N/A
File created C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe N/A
File created C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe N/A
File created C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe N/A
File created C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe N/A
File created C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe N/A
File created C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe N/A
File created C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe N/A
File created C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe N/A
File created C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe N/A
File created C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe
PID 2360 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe
PID 2360 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe
PID 2360 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2428 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe
PID 5112 wrote to memory of 2428 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe
PID 5112 wrote to memory of 2428 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe
PID 5112 wrote to memory of 4696 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4696 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4696 N/A C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1048 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe
PID 2428 wrote to memory of 1048 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe
PID 2428 wrote to memory of 1048 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe
PID 2428 wrote to memory of 2732 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2732 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2732 N/A C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 3532 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe
PID 1048 wrote to memory of 3532 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe
PID 1048 wrote to memory of 3532 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe
PID 1048 wrote to memory of 3784 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 3784 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 3784 N/A C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3600 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe
PID 3532 wrote to memory of 3600 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe
PID 3532 wrote to memory of 3600 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe
PID 3532 wrote to memory of 4832 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 4832 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 4832 N/A C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4396 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe
PID 3600 wrote to memory of 4396 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe
PID 3600 wrote to memory of 4396 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe
PID 3600 wrote to memory of 4436 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4436 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4436 N/A C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1396 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe
PID 4396 wrote to memory of 1396 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe
PID 4396 wrote to memory of 1396 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe
PID 4396 wrote to memory of 4164 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4164 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4164 N/A C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 3648 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe
PID 1396 wrote to memory of 3648 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe
PID 1396 wrote to memory of 3648 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe
PID 1396 wrote to memory of 4736 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4736 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4736 N/A C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 1944 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe
PID 3648 wrote to memory of 1944 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe
PID 3648 wrote to memory of 1944 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe
PID 3648 wrote to memory of 4960 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4960 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4960 N/A C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4320 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe
PID 1944 wrote to memory of 4320 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe
PID 1944 wrote to memory of 4320 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe
PID 1944 wrote to memory of 3060 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 3060 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 3060 N/A C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1960 N/A C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe
PID 4320 wrote to memory of 1960 N/A C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe
PID 4320 wrote to memory of 1960 N/A C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe
PID 4320 wrote to memory of 4232 N/A C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe

"C:\Users\Admin\AppData\Local\Temp\6fabbd69cdc19922d2803da060eca605b7e086f8a409176ca263633394cc3987.exe"

C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe

C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FABBD~1.EXE > nul

C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe

C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09B34~1.EXE > nul

C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe

C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE57~1.EXE > nul

C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe

C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F5141~1.EXE > nul

C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe

C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EC18A~1.EXE > nul

C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe

C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC366~1.EXE > nul

C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe

C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB7E~1.EXE > nul

C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe

C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6C099~1.EXE > nul

C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe

C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{609A7~1.EXE > nul

C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe

C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2DD~1.EXE > nul

C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe

C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D00A9~1.EXE > nul

C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe

C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC171~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2360-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2360-1-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{09B343FB-D220-457c-BEC1-B2C6927D6956}.exe

MD5 372a0fa9696fe349b1c2a7615b244ae5
SHA1 54c81a1d14309afb0e37244a91360a87fd266772
SHA256 8e7d7f31b0bff110be4b2d764ec343b4ea0cdfe0fe29ae0a99d17989cfec0049
SHA512 d8df0accbafa89fd8901fc9f5a4c8c036d7a6c0022394de6a93bd83825608c74ea48375ac3888e6e3713f334d8001c7ad718aeb66b7ec2ab64e34e54b43ec563

memory/5112-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2360-7-0x0000000000400000-0x0000000000411000-memory.dmp

memory/5112-8-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3DE570C3-297F-4a76-9020-0F35D1A6B7EE}.exe

MD5 4af24c1f83b51b9e65254108f68fe639
SHA1 984731524a83a02118be33a710d3e3e8c5a2c184
SHA256 f3abceb27c2f6d156d6d8f1136df2f7b3441a369e2a69f54ccc150f6b63b6172
SHA512 be542e705ac71054850fd3a831472ccf78a1cfb66eed08021c5066453f93a54f5a450a414294eea02a1163a63a77fcc6584ff724260331b21d2ef55b2221ca41

memory/5112-12-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2428-14-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{F51416E8-EB42-40b6-B965-4410DDD6A370}.exe

MD5 13183e947c1bf1a9fb889a5e9bc0c962
SHA1 46b2f10cf52187c5991804393514c03ed5f55afd
SHA256 a309e13fda47f1e7d08aea4ae7469769497bc70fc89b5467d594e550fb26086e
SHA512 43acb2cb306ffdb2f1933e4251119e3cc0ba5a1c65351c5fffbd9410c17b5f6d276baee682fc7cafac06568911536e268555b01f7de7479aea073cb7e723080c

memory/2428-19-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{EC18AB58-DF5C-4c69-ABB8-AB4167ECB6DF}.exe

MD5 48390b9e54fe690f6977691ca2012d9a
SHA1 dfbfcbf005948ca8797759bac61e1438bfa6c103
SHA256 32fa6bd7bb301ffa86e0139dac7cc8736130f153a4562ddc94e26884755228a6
SHA512 0eaa4f49f0c7618493071c59a70f7aaf5b85a63388b926129521992ceb88f34c5032ecbab521fa7354bf044f64ad8d882208ce31da4ceebb8f1f4ab2b1db639f

memory/3532-24-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1048-22-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{CC366927-F960-4e22-B83E-3BBB8C3FDBE6}.exe

MD5 47218141596812f482002cc2551b4cbb
SHA1 1dfc7f325dc0df2e257a50beaaad5ef119719c1f
SHA256 3c734bffea220bd768bfa9aba69674898ef52dea561ee8b19bd8e9f4fb1ae21e
SHA512 98bf3804fe7949e8c76b919dab80d12b555f311e5c1358d9d20475ce89b82b7ee09f1abe87de3f5c27fb684a88a0f5acfb9a79513f537f94302a3bfae8aeffd5

memory/3600-31-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3532-29-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{DDB7E0FB-931C-4e6f-ADF8-9823D7751908}.exe

MD5 e32f2f170680fa6d2768b23340590047
SHA1 454a3d37da48594b63996adf8e454c01c71c93be
SHA256 7a2ec349d3936c7946ec4972bb50a3bd5aa378d6da6ee7e1e02dcba0fe4d2a48
SHA512 7c5bdc1712b8bdee21675c8771c2bf891dbf092323fcc1ac4c11cb6004550495314571e5bd7f3f22987176e75dbfba186aeb403b6d3105381f6d359ba00589e3

memory/4396-37-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3600-36-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4396-42-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1396-43-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{6C09920B-161A-4e85-A580-166309E0423C}.exe

MD5 c5c995f291048d8691ba90fc660aedd7
SHA1 c5a890726b7d8f4576a43e58a80fc760b2313924
SHA256 a2d5996801a4b8b3c07f9b0dc3a1121ab8d91932f8ea99583ba4b69faf73d059
SHA512 d83bdb9f9523ccd64cdee2f7492672c7675c8a3f9898f9ae0bf20144fcb4a0d70ba133c7447b6d33f06b7a0184651aec892ac7b1fabcee9ab79892ee1797e121

memory/1396-47-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3648-48-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{609A734B-84C6-4ba9-B716-77AFA01FE735}.exe

MD5 ba2634e2f27456cea4805c4f3ac556c1
SHA1 94f5ceab5809de6f96076bcb9af2c3d708d6f86b
SHA256 e8ac2446f803929421251295f965ce095421fafff0ad6a941c7ef9abbd7818e9
SHA512 8e868e8159cbf938a6ded6b115017e3588b9d29a827c228bc47db90ea863edea78e27a71c981bf8e6e1731d2d76c605467fb4aa0affcffc87fda6fb2813326dd

memory/3648-53-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1944-54-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{9E2DDCA8-B557-4642-9C52-54CBA545048A}.exe

MD5 154678b411058bfebe3691f27bc7892c
SHA1 9a547a4ac48f2d4920c46870cb25af38d7d589e9
SHA256 d503d83b3fdbeda3e96cb0b99de4156cbec1710875674580707d4275e92e7ff5
SHA512 4a2a12c63a0b0e82fa8f841b7fca7c1b9ad74e6a43658af846f11ea04ccf26ba58e37be5e6bada39e1a4211a46e9a3fd262b39b2e9d0c6981e22c32e39b070f3

C:\Windows\{D00A97FA-CC7F-4724-B334-31DD9F713D22}.exe

MD5 de51e0489571d2b2e98ca20f080531ec
SHA1 5e7eadd7bef9f41d7d03bf2bab9cdb3fb0f5e7e9
SHA256 0d4e11f7ccd1a95d428378332fc2a54fee476990bcefe43a348f85763bab3e7b
SHA512 9135192e88226986b8e03822406ef6f4f50124e2ef2008f542cdbeb3f5a880fb0c6f1bd88edb7f6c3a3bcceebca280fa03dc4227b68da07098dd39ce8a61d7b1

memory/1944-59-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4320-60-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{AC171C23-E6E7-418f-BEF9-4D18551FE0D2}.exe

MD5 71233ce08c392d659fa492e5b1090f5a
SHA1 d8b4b96b7ba613c7e2dfd9fa4b004cc7acf37d55
SHA256 389a88b8c1dae24f969b2a4ada8b7f5185896c60d9c9319dcec5d627deac91dd
SHA512 c6ed65cce714ceadc0f8006a2c9be8bece113c34d6d8d93fd628f53a04b488ca07271d81eed2c2eee60acb096c569023aa6a8d7f50b47173805df31decaa1071

memory/1960-67-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4320-66-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{FC351AF2-F920-4366-9891-6DE6980A8453}.exe

MD5 78f7fe600c55b2223e20bdfe40c6b94a
SHA1 b2cab048afaee61327d09aa85755dc781527df80
SHA256 191d5d8b8152aae3b10960b7cf9b51b25ccbc37394497e9e81c19ac7b245fc7a
SHA512 b304a5a51579f3fddccc37f983fe57dcb125347ad77716265e644c3a22b659ede24ef7ffcdeaf879ae14233de58a4c25970c86b6d37aa1467efb15b484c0ef83

memory/3160-73-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1960-72-0x0000000000400000-0x0000000000411000-memory.dmp