Malware Analysis Report

2025-04-03 12:41

Sample ID 241109-2xhcystjdy
Target 3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N
SHA256 3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02
Tags
discovery persistence
Score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02

Threat Level: Likely malicious

The file 3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:57

Reported

2024-11-09 22:59

Platform

win7-20241010-en

Max time kernel

119s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFDF62C-A144-40f0-8697-A04E04158336}\stubpath = "C:\\Windows\\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe" C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}\stubpath = "C:\\Windows\\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe" C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6294A7-B600-4c0c-8400-73FDF66D6407} C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}\stubpath = "C:\\Windows\\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe" C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}\stubpath = "C:\\Windows\\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe" C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10AB623-4331-4c48-8B5B-713A2709348B}\stubpath = "C:\\Windows\\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe" C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A655707-6F93-44e7-A14B-110193113253} C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}\stubpath = "C:\\Windows\\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe" C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFDF62C-A144-40f0-8697-A04E04158336} C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F26E6605-BA5D-45e0-B32A-98647C97D4BB} C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5494D5F6-869C-4a30-839E-70A1DCD2C71C} C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10AB623-4331-4c48-8B5B-713A2709348B} C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB} C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C905348-4D36-4ede-B365-5DE741C54AAC}\stubpath = "C:\\Windows\\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe" C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6294A7-B600-4c0c-8400-73FDF66D6407}\stubpath = "C:\\Windows\\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe" C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A655707-6F93-44e7-A14B-110193113253}\stubpath = "C:\\Windows\\{0A655707-6F93-44e7-A14B-110193113253}.exe" C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C905348-4D36-4ede-B365-5DE741C54AAC} C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F} C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe N/A
File created C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe N/A
File created C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe N/A
File created C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
File created C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe N/A
File created C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe N/A
File created C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe N/A
File created C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe N/A
File created C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
PID 2580 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
PID 2580 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
PID 2580 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
PID 2580 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2912 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
PID 2156 wrote to memory of 2912 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
PID 2156 wrote to memory of 2912 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
PID 2156 wrote to memory of 2912 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
PID 2156 wrote to memory of 2840 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2840 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2840 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2840 N/A C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 536 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
PID 2912 wrote to memory of 536 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
PID 2912 wrote to memory of 536 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
PID 2912 wrote to memory of 536 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
PID 2912 wrote to memory of 2728 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2728 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2728 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2728 N/A C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 2732 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
PID 536 wrote to memory of 2732 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
PID 536 wrote to memory of 2732 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
PID 536 wrote to memory of 2732 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
PID 536 wrote to memory of 1968 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1968 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1968 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1968 N/A C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1800 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
PID 2732 wrote to memory of 1800 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
PID 2732 wrote to memory of 1800 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
PID 2732 wrote to memory of 1800 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1444 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
PID 1800 wrote to memory of 1444 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
PID 1800 wrote to memory of 1444 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
PID 1800 wrote to memory of 1444 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
PID 1800 wrote to memory of 2976 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2976 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2976 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2976 N/A C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 956 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
PID 1444 wrote to memory of 956 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
PID 1444 wrote to memory of 956 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
PID 1444 wrote to memory of 956 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
PID 1444 wrote to memory of 2988 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2988 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2988 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2988 N/A C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 316 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
PID 956 wrote to memory of 316 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
PID 956 wrote to memory of 316 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
PID 956 wrote to memory of 316 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
PID 956 wrote to memory of 2784 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 2784 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 2784 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 2784 N/A C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe

"C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"

C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe

C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A7333~1.EXE > nul

C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe

C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5494D~1.EXE > nul

C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe

C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B10AB~1.EXE > nul

C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe

C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0A655~1.EXE > nul

C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe

C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4C905~1.EXE > nul

C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe

C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3579~1.EXE > nul

C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe

C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6BFDF~1.EXE > nul

C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe

C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDB7~1.EXE > nul

C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe

C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D629~1.EXE > nul

Network

N/A

Files

C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe

MD5 41bbe8aa36764e09496f2ce07e3403dd
SHA1 18723c29ebeab71217c7c47953530359048286db
SHA256 431d1a32dcf96b7438dbafd2f00c68999de0f9bdc67815993ac3825f55bd81c0
SHA512 87106aa175d92a08734e31ffa512b09fb84b7795bd6eb592f81b9f9d8407678fb0967d748820af8240346154ca88470df3dba49e1620330d99cab0fc3a8ed4c1

C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe

MD5 d35c4a4f628ae38c8548df1d94e3dfcb
SHA1 a7d4601cc6e852d944bb3438258865bec5a90959
SHA256 9a2c3ba664569d11ab51f6841ca08073efeb1a4a71720cb2355c1fcc1db3af4d
SHA512 4da884f6a8bafcbe02d8876b87a33605c952121ee7f1cbf6426e1869aba04f00986d145df2732e16e7a3bf57db31e13f2d904311584882269f35fe0d0822fb37

C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe

MD5 13e29c34799003e98bb1dc95f66e12e2
SHA1 49ba042997f19333eb204c565cd7cf913b518b8d
SHA256 8f6ee51aaa66719a4ef69f85e566cd048328871b0359c387e1a31ff75771e485
SHA512 a4cd5b2e3d1f77a70baf7edbfb864d3a59750b09aec70b92c842ed7eda7bbe0705e9770a916b984bc3b0325f93551bc15020c93b5b5d6fb05423f0f65618822d

C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe

MD5 d10211450792d38de51beaabd0b6f5f8
SHA1 066a0ced2096e15634c377e3b1559d51acc74012
SHA256 1390c36eee912ae5d97a931ceb740c364f9ef6be3b6ded0290627de29b78605a
SHA512 d9b00f62afc7362710a5d384e7777163e6c2ad9ef29af3d44adfea469b0173ff128f69eb77dab7b23fbb539fd791bd89f651391e7fac433b607ac3a94d105b98

C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe

MD5 8df82f5e49e8891499f8f7615335d45e
SHA1 9e197cfea47a2722dcd8bf9b0de70870a82792d0
SHA256 9be77f425fd14abdc0ec2ce67f290c8f96b8d8e07b979e1777776e2bc81354ec
SHA512 c4b3e5f015df2206f80251efc26fdc949613bbdf4b148d17ce7773a40834d0b5b1f1a29c421ac2b77b115d275c18a1cae6e86345e30693cbba66def71ae57cc3

C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe

MD5 a8b0f06782521c7c89be715d9a30cde6
SHA1 63e870bdf4edcdfa3c98ca231ad7beb76ecafd34
SHA256 d21e417254a67dba589658e35b2129818ca1680a7b5bfd216f9a508c90dab8c1
SHA512 6ddf826e1f7acfb14ed15836db119f19deaaade9fd7b58f01ba1df5bf51203d999b448488b8fd9c237c3182656112f9d6caf66820bbf7e3c83157304ba0f5e19

C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe

MD5 621ac05b7c13e594d046c8b7fb5e75a7
SHA1 bbbf1ef45cf316aa1b3456f85e37fccef3b087d4
SHA256 dd55fa3190182e85a47ef389651383596581d92ef71444751d6c95af00c59114
SHA512 eb64a84c60504d39b5d9596f7808639b2aa3109af9f80a3ba630914601b3613baee76020b6336c39b0677137027a41995f7f9643bfc88795b408f1d0bfe1fd6c

C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe

MD5 97a8a95207694bb5b99eb4c2fa9a2cd0
SHA1 9b4e59d34153b6b5f4157a17ff378902606198bc
SHA256 fd32471cd32057c79370ad31013eab596ed190dc4969b829bb34b1e31ba463e1
SHA512 1119cd70c481a69a07ddf04ba9c2bf5ca2d6962baa54fd64b7dd41bd34225147a8ec14c3ae5a2cf5e10cc1ef00f0fa694502b43d99eecc00d711dae47f74b001

C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe

MD5 719954da1453ba8e33d638ec5096bc86
SHA1 63233f3dc98dd0941704d2de75bfeedbb48f5464
SHA256 91d5b9eb9d648b4a1b1fe8459b679d32c5b777cf3d2610f8bc73775d0614bd87
SHA512 34a7de46b0ca424e6e35b0eb5ca7b84d39781a6ad64c27e3d58d870dd93537a0d1f59009bddec42d172fb4e91d282c0babe2076ee8111bc232a16a32156ff427

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:57

Reported

2024-11-09 22:59

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C} C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15900012-9144-4bf5-B06B-1224CE75B3C5} C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}\stubpath = "C:\\Windows\\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe" C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5} C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}\stubpath = "C:\\Windows\\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe" C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D89223B-2661-413a-9BDE-C69E53005914}\stubpath = "C:\\Windows\\{8D89223B-2661-413a-9BDE-C69E53005914}.exe" C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}\stubpath = "C:\\Windows\\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe" C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110512C6-A217-48ed-B7DA-4B94A50BF357} C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110512C6-A217-48ed-B7DA-4B94A50BF357}\stubpath = "C:\\Windows\\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe" C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23} C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D89223B-2661-413a-9BDE-C69E53005914} C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}\stubpath = "C:\\Windows\\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe" C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C} C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}\stubpath = "C:\\Windows\\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe" C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58} C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}\stubpath = "C:\\Windows\\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe" C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15900012-9144-4bf5-B06B-1224CE75B3C5}\stubpath = "C:\\Windows\\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe" C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318} C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe N/A
File created C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe N/A
File created C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe N/A
File created C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe N/A
File created C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe N/A
File created C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe N/A
File created C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
File created C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe N/A
File created C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
PID 552 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
PID 552 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
PID 552 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 3708 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
PID 3876 wrote to memory of 3708 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
PID 3876 wrote to memory of 3708 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
PID 3876 wrote to memory of 3904 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 3904 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 3904 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 3332 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
PID 3708 wrote to memory of 3332 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
PID 3708 wrote to memory of 3332 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
PID 3708 wrote to memory of 2180 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 2180 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 2180 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 2868 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
PID 3332 wrote to memory of 2868 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
PID 3332 wrote to memory of 2868 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
PID 3332 wrote to memory of 1228 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 1228 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 1228 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4844 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
PID 2868 wrote to memory of 4844 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
PID 2868 wrote to memory of 4844 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
PID 2868 wrote to memory of 5000 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 5000 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 5000 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 1812 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
PID 4844 wrote to memory of 1812 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
PID 4844 wrote to memory of 1812 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
PID 4844 wrote to memory of 3164 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 3164 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 3164 N/A C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 2104 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
PID 1812 wrote to memory of 2104 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
PID 1812 wrote to memory of 2104 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
PID 1812 wrote to memory of 4380 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4380 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4380 N/A C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 3672 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
PID 2104 wrote to memory of 3672 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
PID 2104 wrote to memory of 3672 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
PID 2104 wrote to memory of 4560 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 4560 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 4560 N/A C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2236 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
PID 3672 wrote to memory of 2236 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
PID 3672 wrote to memory of 2236 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
PID 3672 wrote to memory of 2300 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2300 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2300 N/A C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe C:\Windows\SysWOW64\cmd.exe
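The WriteProcessMemory rows above are the only place this report records parent and child PIDs together, so they are the raw material for rebuilding the drop chain: every stage spawns exactly one GUID-named executable (the next stage) plus one cmd.exe. The following Python is an added example, not part of the sandbox report; it parses rows copied from the table (first five stages only), collapses the repeated entries per parent/child pair, and walks the non-cmd child at each generation to recover the relay chain. Function names and the `N/A` column handling are this example's own assumptions about the row layout.

```python
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table above (first five stages only).
# The sandbox lists each parent->child pair several times; parse_edges collapses them.
WPM_LINES = r"""
PID 552 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
PID 552 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
PID 552 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 3708 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
PID 3876 wrote to memory of 3904 N/A C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 3332 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
PID 3708 wrote to memory of 2180 N/A C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 2868 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
PID 3332 wrote to memory of 1228 N/A C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 4844 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
PID 2868 wrote to memory of 5000 N/A C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe C:\Windows\SysWOW64\cmd.exe
"""

# Assumed row layout: "PID <ppid> wrote to memory of <cpid> N/A <parent image> <child image>"
LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a WriteProcessMemory row
        ppid, cpid = int(m.group(1)), int(m.group(2))
        if (ppid, cpid) in seen:
            continue
        seen.add((ppid, cpid))
        edges.append((ppid, cpid, m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """children: parent PID -> list of child PIDs; images: PID -> image path."""
    children, images = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        images[ppid], images[cpid] = pimg, cimg
    return children, images


def is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def dropper_chain(edges, root_pid):
    """Follow the single non-cmd child at each generation to get the relay chain of PIDs.
    Stops when a stage has zero or more than one non-cmd child."""
    children, images = build_tree(edges)
    chain, pid = [root_pid], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if not is_cmd(images[c])]
        if len(nxt) != 1:
            break
        pid = nxt[0]
        chain.append(pid)
    return chain


def chain_images(edges, root_pid):
    _, images = build_tree(edges)
    return [images[p] for p in dropper_chain(edges, root_pid)]


def cmd_children(edges):
    """Map each parent PID to the number of cmd.exe children it spawned."""
    children, images = build_tree(edges)
    return {p: sum(is_cmd(images[c]) for c in kids) for p, kids in children.items()}


if __name__ == "__main__":
    edges = parse_edges(WPM_LINES)
    for depth, img in enumerate(chain_images(edges, 552)):
        print("  " * depth + img)
    print(cmd_children(edges))
```

Run against the full table the chain is ten processes deep (the submitted sample plus nine dropped stages), and every stage except the last has exactly one cmd.exe child, which matches the "Deletes itself" and "Executes dropped EXE" signatures in the overview.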

Processes

C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe

"C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"

C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe

C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A7333~1.EXE > nul

C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe

C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D892~1.EXE > nul

C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe

C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{84755~1.EXE > nul

C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe

C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11051~1.EXE > nul

C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe

C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{179D1~1.EXE > nul

C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe

C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0C6DA~1.EXE > nul

C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe

C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15900~1.EXE > nul

C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe

C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{640FD~1.EXE > nul

C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe

C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27E3F~1.EXE > nul
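Each cmd.exe above deletes the image of the process that spawned it, but the `del` argument is the 8.3 short name (`{8D892~1.EXE`, `3A7333~1.EXE`), so a naive string comparison against the parent's image path never matches. The following Python is an added example, not part of the sandbox report: it takes process records built from the Processes list and the parent/child PIDs in the WriteProcessMemory table, resolves short names with a simplified 8.3 rule (uppercase, first six stem characters, three-character extension, collision counter ignored), and flags cmd.exe children whose `del` target is their own parent's image. The record layout, the `same_file` helper and the benign control record with PID 9001 are this example's own constructions.

```python
import re
import ntpath

CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"

# Records constructed from the Processes list above; ppid values come from the
# WriteProcessMemory table. PID 9001 is a constructed benign control.
PROCS = [
    {"pid": 552, "ppid": 0, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1676, "ppid": 552, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A7333~1.EXE > nul"},
    {"pid": 3876, "ppid": 552, "image": r"C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe",
     "cmdline": r"C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe"},
    {"pid": 3904, "ppid": 3876, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8D892~1.EXE > nul"},
    {"pid": 3708, "ppid": 3876, "image": r"C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe",
     "cmdline": r"C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe"},
    {"pid": 9001, "ppid": 3876, "image": CMD,  # constructed: deletes an unrelated file
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\install.log > nul"},
]

# "del <target>" with optional quotes; the target ends at whitespace or a redirect.
DEL_RE = re.compile(r'\bdel\s+"?([^"\s>]+)"?', re.IGNORECASE)
# 8.3 short name: up to six stem chars, "~<n>", optional three-char extension.
SHORT_RE = re.compile(r"^([^~.]{1,6})~\d+(\.[^.]{0,3})?$")


def same_file(name, long_name):
    """True if `name` equals `long_name` or is a plausible 8.3 alias of it.
    Simplified rule: uppercase, first six stem characters, first three extension
    characters; the ~n collision counter and illegal-character stripping are ignored."""
    a, b = name.upper(), long_name.upper()
    if a == b:
        return True
    m = SHORT_RE.match(a)
    if not m:
        return False
    stem, ext = ntpath.splitext(b)
    return stem.replace(" ", "")[:6] == m.group(1) and ext[:4] == (m.group(2) or "")


def find_self_deletes(procs):
    """Return (cmd_pid, parent_pid, parent_image) for each cmd.exe whose `del`
    target resolves to its parent's image: the parent deleting itself by proxy."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p["cmdline"])
        parent = by_pid.get(p["ppid"])
        if not m or parent is None:
            continue
        target_dir, target_name = ntpath.split(m.group(1))
        parent_dir, parent_name = ntpath.split(parent["image"])
        if target_dir.lower() == parent_dir.lower() and same_file(target_name, parent_name):
            hits.append((p["pid"], parent["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for cmd_pid, ppid, image in find_self_deletes(PROCS):
        print(f"cmd.exe {cmd_pid} deletes parent {ppid}: {image}")
```

Because the short-name match ignores the `~n` counter, two GUID names that share their first six characters would both match; on this sample every stem is distinct in its first six characters, but a production rule should confirm with the file-delete event rather than the command line alone.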

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
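Every row in the Network table is a reverse (PTR) lookup sent to the sandbox resolver, not a forward lookup of a hostname, so this run shows no domain the sample itself tried to resolve. The following Python is an added example, not part of the sandbox report: it maps each `in-addr.arpa` name back to the address it asks about and separates PTR rows from forward lookups, which is the first check before treating any of these addresses as sample infrastructure. The row tuples are copied from the table; the function names are this example's own.

```python
import ipaddress

# Rows copied from the Network table above: (country, destination, name, proto).
DNS_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Return the IPv4 address an in-addr.arpa name asks about, or None if `name`
    is not a well-formed IPv4 reverse name (octets appear in reverse order)."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def split_lookups(rows):
    """Partition DNS rows into PTR lookups (with the decoded address) and forward lookups."""
    ptr, forward = [], []
    for _, dest, name, _ in rows:
        ip = ptr_to_ip(name)
        if ip is None:
            forward.append((name, dest))
        else:
            ptr.append((name, ip, dest))
    return {"ptr": ptr, "forward": forward}


def decoded_addresses(rows):
    """Distinct addresses behind the PTR rows, excluding any that is itself the resolver."""
    resolvers = {dest.rsplit(":", 1)[0] for _, dest, _, _ in rows}
    return sorted({ip for _, ip, _ in split_lookups(rows)["ptr"]} - resolvers)


def non_global(rows):
    """Decoded addresses that are private, loopback, link-local or otherwise not routable."""
    return [ip for ip in decoded_addresses(rows) if not ipaddress.ip_address(ip).is_global]


if __name__ == "__main__":
    parts = split_lookups(DNS_ROWS)
    print(f"PTR lookups: {len(parts['ptr'])}, forward lookups: {len(parts['forward'])}")
    for ip in decoded_addresses(DNS_ROWS):
        print(ip)
```

PTR traffic to the sandbox resolver is typically generated by the guest OS for addresses the host has already contacted; with no process attribution in the table, none of the decoded addresses should be written up as command-and-control without corroborating evidence from a process-level capture.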

Files

C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe

MD5 255df5c3a495f74175c77bbb50a3f5e4
SHA1 0bfea9f202e679e6600a454e853a6ba7ad311ae9
SHA256 1f00cf60557521dec87ebe1c576209e7717537daff61bbae9a7ac61463e994c1
SHA512 97529f10f866c6a169033dedecab356d295fbfd6f05bf9219622d28e3bbf371fb976bc7da2583dc02dd87d6fe46edd37725044e5716ff35af5e9f7f8d12f2c78

C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe

MD5 a7e2e39b932beea4e40f24c6bbd25fff
SHA1 d5b3f239c47d202f1487ee75bea313a7cd741b94
SHA256 f9a380a180ff6fcd5fe9ff3e8f069a248d59045f3e77efca1dc204712bde4f34
SHA512 ba667b83cc53ca60048c3fd8c4b3800fcbb91f98d726d2919fc75ded7aa3dc18e581d395dda3b1b7d27968c909fbb825dc7dcdeb981442f3b449cb31bc50b5c8

C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe

MD5 53f120bd701c16ed39692a808ae57e4a
SHA1 8a4c3953133ffdcffc6da39fd41c8578f5996cb3
SHA256 3f1c6b015b57862d79d891ad055acbcbf1acd1aa1d8beb3589f8a0f651b29e98
SHA512 0a851dd81a052ef6d4a45babc29b13f7ec7be308404f55f89503bbdd08a80f55e1902b8f76beab0cf89761facf74635738b1ecf74be03ecfec105187159aafc1

C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe

MD5 41c3e0ee818ed1cc6566e2346f1ff862
SHA1 a33762984d88a6da972b6c1fe1fd95d30ff3bb03
SHA256 799d55a89a577f9fe19bbd978848da7eb1b1fef4bbb5b73caec043e443582593
SHA512 2d8d12f1ef2e87a71adb5cda5baec9ed775d2ef1c075ed1dbe36ec38369bd85fccfacb9f1294326b98dc0ad3157645a391db34b15d7b7b54b1178fd564d3a6b9

C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe

MD5 7191e492cd1ef18739ff5bbdec5dbed3
SHA1 36e1d03dc301c4d4de671ffb9b0e066dd3035970
SHA256 4c99f7327e07c74d802da6e5778254069349ed1e3bc6889ab9577282a835bd64
SHA512 d66d5ef47653683ac34db6bd8d442b96909162b4375165fc261055af60281839c548671c944af1ff31d7ddb8b5a855cdfd56aa625cb8cb46501b5ed174492f62

C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe

MD5 8bf2dc1f01dd09af8002efdc0f917227
SHA1 06be7b9a3747c830a4a3a6f24b971f218a7b16d9
SHA256 efee5c33841c2a798ea5b291f10624c52214b4a877655fa8e74a6686bd6d90d6
SHA512 1d74d57fe039be34c35a82b2b469b70da2347ea9ab3d154bb9d316d78336187c93d07e029ea5ad0140d8ba62de646756b32d3af70b545dc73cd52afd5a204631

C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe

MD5 e2df25408083361b0e5ce3f8b6066da4
SHA1 2dcf283656b2669729dd331f92482d431f372975
SHA256 7983bc5e8254ebc00199f540448c79f0619681c15a0bad91361c521f74c50a23
SHA512 e205380666fe474dd7dd3d593274c5ecab88a269a3f8e81e0887a0181425a0b97191fb265b8bcd982ef26abfc62e85b22ac5dd08716d4270ea6d49c992931633

C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe

MD5 d608454c51e2b040242d08fcc2ad53e7
SHA1 e0440b4766e2968987326ed919030834c094f4e1
SHA256 f76001bc7fa13b5443a27f28f0cd3da477169b015d42471caf5260d0033650b7
SHA512 c3b5327178c609d3de0c795652089c8ed7b7a45cf169c87ec16790147f42e6f04da4138fe7d71a2ba2b37ec87ca8d88ab150b1fc2d8079d753fdca6f1d293662

C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe

MD5 d07adae407fe22b932ca84df03b5ca35
SHA1 83014b25f87c4c6ef5d517df281ce6fb6aed12ee
SHA256 8b583982e240af6110d4738cf18b83c8b27682f466eb429073d130f73e9c119f
SHA512 cf9232b3848c68b5ff68277dd4bcff671e2a70602eb8dba3ac997b2f47c77131a85716c88e0f01d81b156e1ccea36e25a2e0cb20403ccba855669febf9a1c382