Malware Analysis Report

2025-05-06 00:50

Sample ID 241109-y9h88s1jgs
Target 221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a
SHA256 221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a

Threat Level: Likely malicious

The file 221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:29

Reported

2024-11-09 20:31

Platform

win7-20240708-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE01639-8037-44d6-9ACF-0FB737D534AE}\stubpath = "C:\\Windows\\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe" | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC013546-185D-4d0f-8DFB-ABCEA8140B96} | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}\stubpath = "C:\\Windows\\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe" | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{806FA20A-28A1-43b8-83C1-8C0630611F10}\stubpath = "C:\\Windows\\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe" | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE01639-8037-44d6-9ACF-0FB737D534AE} | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41011-39B3-4aab-9587-AEAFD6BF98A3} | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}\stubpath = "C:\\Windows\\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe" | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB} | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}\stubpath = "C:\\Windows\\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe" | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}\stubpath = "C:\\Windows\\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe" | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E727827-C793-4462-8A94-B5E28E075295}\stubpath = "C:\\Windows\\{4E727827-C793-4462-8A94-B5E28E075295}.exe" | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333DA285-29C9-49ba-96FD-1E957715E9C0} | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C74AD7-F4A3-4701-9849-81F792C94B13} | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}\stubpath = "C:\\Windows\\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe" | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}\stubpath = "C:\\Windows\\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe" | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6} | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{806FA20A-28A1-43b8-83C1-8C0630611F10} | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E727827-C793-4462-8A94-B5E28E075295} | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333DA285-29C9-49ba-96FD-1E957715E9C0}\stubpath = "C:\\Windows\\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe" | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C74AD7-F4A3-4701-9849-81F792C94B13}\stubpath = "C:\\Windows\\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe" | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA} | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF} | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A
File created | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A
File created | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A
File created | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A
File created | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A
File created | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
File created | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A
File created | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A
File created | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A
File created | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A
File created | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2200 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
PID 2200 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
PID 2200 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
PID 2200 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2544 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
PID 2660 wrote to memory of 2544 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
PID 2660 wrote to memory of 2544 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
PID 2660 wrote to memory of 2544 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
PID 2660 wrote to memory of 2672 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2672 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2672 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2672 | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 1644 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
PID 2544 wrote to memory of 1644 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
PID 2544 wrote to memory of 1644 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
PID 2544 wrote to memory of 1644 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
PID 2544 wrote to memory of 2196 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2196 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2196 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2196 | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1088 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
PID 1644 wrote to memory of 1088 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
PID 1644 wrote to memory of 1088 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
PID 1644 wrote to memory of 1088 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
PID 1644 wrote to memory of 1820 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1820 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1820 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1820 | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2224 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
PID 1088 wrote to memory of 2224 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
PID 1088 wrote to memory of 2224 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
PID 1088 wrote to memory of 2224 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
PID 1088 wrote to memory of 2376 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2376 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2376 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2376 | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1152 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
PID 2224 wrote to memory of 1152 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
PID 2224 wrote to memory of 1152 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
PID 2224 wrote to memory of 1152 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
PID 2224 wrote to memory of 1472 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1472 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1472 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1472 | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 2336 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
PID 1152 wrote to memory of 2336 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
PID 1152 wrote to memory of 2336 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
PID 1152 wrote to memory of 2336 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
PID 1152 wrote to memory of 1592 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 1592 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 1592 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 1592 | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1292 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
PID 2336 wrote to memory of 1292 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
PID 2336 wrote to memory of 1292 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
PID 2336 wrote to memory of 1292 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
PID 2336 wrote to memory of 1952 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1952 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1952 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1952 | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe

"C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"

C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe

C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul

C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe

C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7DF~1.EXE > nul

C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe

C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{321BD~1.EXE > nul

C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe

C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{806FA~1.EXE > nul

C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe

C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE01~1.EXE > nul

C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe

C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E727~1.EXE > nul

C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe

C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{333DA~1.EXE > nul

C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe

C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{81C74~1.EXE > nul

C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe

C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CC013~1.EXE > nul

C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe

C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14C80~1.EXE > nul

C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe

C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68F41~1.EXE > nul

Network

N/A

Files

C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe

MD5 ecca7a9d9c9a50c40392ce7bb1190a06
SHA1 54b356ca54e79b983ca7c678ec0b61acbc5a246c
SHA256 9f427b283b75b347f8ed75102160f06141f1eaad66c197f3ee319145b817bfff
SHA512 9fbff5663ab89059cc1c58c607ddedda78ef31922fe57590680038844566b4124bfc29e90dd5272ade6e33e45935658d84e4ccb8d87c9fdb8b1301aa685794fb

C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe

MD5 4adb2c4cee2053230f3392c38d69597f
SHA1 2cfc699b05e2f127cc192093fdc0303ec058325c
SHA256 7cfea42038a6e93d5c5cfbc9bbeac508406055ec08fae51dc6923939e5f94c56
SHA512 7823e0d63d33f227ec3a1ad2d2a69ebce4aea59bd33a1e96be7aecb4695e2f0e41fbcdf2df2411c760aa97eb000f54f553ccc2869572d0d5e13959c1e38147db

C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe

MD5 f56397d6d5b289c2d5a485244041c274
SHA1 d53b73ba9a9240a62d1f27a90ee77a62cb1f9678
SHA256 fd73b7b3b26b41703ff7af792f95b2fa9b240af806accad15b6771f9dd21cd48
SHA512 6d6d895bb6406d09d8da805aadfcdd01e689e5c076dc94ddc2b68a1bac362f88553d8c292f8a2ea68485f10d6b7cf89605973ef89407fe677ebdc491726ef117

C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe

MD5 6f7734a8f8f9bc0d758d6d5dcb4f5b65
SHA1 8fb934490984d40fc422f361f0d22ae14470c683
SHA256 0956cc9fb2df8f0b80471f9fcdabf15d10477727864bab9a88770f431bd4dfe0
SHA512 f66b83d465d5fef41a7478af2d87d13d35110c6f4fb6a424b0e95b1633f7095a11b7f04e9cd1887a3e7190b7ea66a203fcd34dd48e9a7059e6bf2072d60aa13a

C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe

MD5 684d2213fe3435a7667ecf3d48889d79
SHA1 03194886726475bb2e683b4a0bbad43cb800e9c4
SHA256 78727e5627f51083d2e32c76a9a00155d9a4382aff51aa30d5fb1756336a28ea
SHA512 224af68bf9049be1ce2969b8ab7a556877fdf1a38575321b3d0a0624bef4516083b37b3a3e15da4b3e62e5e2d4f942c821beb6dca1bfcb5c47969aac39e9af6b

C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe

MD5 cc62a883d244153a1dd9cc6dc86837bc
SHA1 ecc28bc0779911f7e543675100639d1f0684ea9c
SHA256 d928164fee36322a7116193d9e65d66c9bb4fb3af265b04ba04acefd6fb7b8ba
SHA512 6826e6c0d1630b234afd764cffc4bd1455327fb11994de207594881b0866a0fad3fbcffd72edf9a531964c3629ba49251afef8d0c5510b84f67edc43f48c37ee

C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe

MD5 f5f5827cce390bb883f14eb10dc21d44
SHA1 5be68615a08e5f7cdff6bd5cc636ff94d2f919bc
SHA256 b8adc5641110f385c27d671377bde963e046109027305b7812c52567253c99f8
SHA512 6bc430005f1e57096a27cb9cd315370c9c162382a7820bb882a1fdf89e6bf4996aff8f093b4cd77dd1ea71a2c24c7402c6132905bbe932590533f38a8b5ef313

C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe

MD5 49cba099509e5458c2893a5a00bbdca3
SHA1 7c3f973ddbb5ddd7c84a7a00d08f40092473d301
SHA256 ad86b16a2c156e544a9f2e1219198dffc7dbde2cd6dd3028f84fd37f77142cc4
SHA512 f76adceb8225d479b25fc1244fce249502e0766b247014b82e7b924093ad3849b413dfc48b8a753b073e0e4ac887a67e109d4b4fcf436ab770e79e5f2e705176

C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe

MD5 e0f0440074bac29487ae52eb52634b78
SHA1 b56a43dbdfb1901dc38ba9a8506ad60dbf4e43a2
SHA256 28b4964ade4464effa0e1a855b2497630ed3e6bb63d278451e9280aad4a5fe7d
SHA512 c14a41aedef224832e5fec7814d6e0c0a00238be62836ec1e21379e47e15dbdf99334f3e32e72d1316b1f0d6d2d409fa0a1ca2e305b947f8e047c3c60563c195

C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe

MD5 90d9e2b0f302fb7a21d68b62682f4c99
SHA1 4372e08932a3067a1b4c4335e6ede8b3ec638b92
SHA256 ddb646aadc3b95adbefd882e839b37da5d67f93142ef69f4de579599bd221838
SHA512 66793eee94e25267ab8bc22b33ecf0fec1fe7b26a712242ab79131cf40edd6d8ee035d9cfc15fa0c14d0c81e8a05345963a3cb31f85523503b07622511cef520

C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe

MD5 02fe8e3e099e0236a313dc2f3d651244
SHA1 a6338936f2d302923c8f0e3a3328d2664099d078
SHA256 acec59430595dec6f1d44e055270835ac396107473598b68bec6477ad3e6eb52
SHA512 b61eb0451f2904fab2d177b28d15a82f5994da48057fbd01939e97eca63fc0638990fa64fbe5e47356989d976a3be97c99cfe05bd469a664bba4f17e1273c97e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:29

Reported

2024-11-09 20:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F} | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}\stubpath = "C:\\Windows\\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe" | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06} | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79949B-7A6A-475c-A651-426D690CD70E}\stubpath = "C:\\Windows\\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe" | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4} | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0380B552-6A05-4f10-B8EA-7EEECC384B32}\stubpath = "C:\\Windows\\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe" | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0EE301-9981-4641-8F1B-05C5D08A7146} | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0EE301-9981-4641-8F1B-05C5D08A7146}\stubpath = "C:\\Windows\\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe" | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28} | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}\stubpath = "C:\\Windows\\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe" | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}\stubpath = "C:\\Windows\\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe" | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3044246-53D8-40b8-A00F-50DBED6B20A8} | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0380B552-6A05-4f10-B8EA-7EEECC384B32} | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F856CE32-CC60-4296-995C-BE5FF262C76D}\stubpath = "C:\\Windows\\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe" | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEAA7FFB-0DBB-4661-9267-664930637360}\stubpath = "C:\\Windows\\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe" | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C} | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}\stubpath = "C:\\Windows\\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe" | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94} | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79949B-7A6A-475c-A651-426D690CD70E} | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3044246-53D8-40b8-A00F-50DBED6B20A8}\stubpath = "C:\\Windows\\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe" | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F856CE32-CC60-4296-995C-BE5FF262C76D} | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEAA7FFB-0DBB-4661-9267-664930637360} | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}\stubpath = "C:\\Windows\\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe" | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}\stubpath = "C:\\Windows\\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe" | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe N/A
File created C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe N/A
File created C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe N/A
File created C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe N/A
File created C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe N/A
File created C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe N/A
File created C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe N/A
File created C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe N/A
File created C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe N/A
File created C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe N/A
File created C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe N/A
File created C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
PID 2284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
PID 2284 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
PID 2284 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1756 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
PID 5068 wrote to memory of 1756 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
PID 5068 wrote to memory of 1756 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
PID 5068 wrote to memory of 772 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 772 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 772 N/A C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2804 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
PID 1756 wrote to memory of 2804 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
PID 1756 wrote to memory of 2804 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
PID 1756 wrote to memory of 1584 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1584 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1584 N/A C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4356 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
PID 2804 wrote to memory of 4356 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
PID 2804 wrote to memory of 4356 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
PID 2804 wrote to memory of 3088 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3088 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 3088 N/A C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 1608 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
PID 4356 wrote to memory of 1608 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
PID 4356 wrote to memory of 1608 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
PID 4356 wrote to memory of 4072 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 4072 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 4072 N/A C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 540 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
PID 1608 wrote to memory of 540 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
PID 1608 wrote to memory of 540 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
PID 1608 wrote to memory of 2620 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2620 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2620 N/A C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 1996 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
PID 540 wrote to memory of 1996 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
PID 540 wrote to memory of 1996 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
PID 540 wrote to memory of 4372 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4372 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 4372 N/A C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 672 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
PID 1996 wrote to memory of 672 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
PID 1996 wrote to memory of 672 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
PID 1996 wrote to memory of 3484 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3484 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3484 N/A C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1580 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
PID 672 wrote to memory of 1580 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
PID 672 wrote to memory of 1580 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
PID 672 wrote to memory of 1400 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1400 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1400 N/A C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 3520 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
PID 1580 wrote to memory of 3520 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
PID 1580 wrote to memory of 3520 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
PID 1580 wrote to memory of 2508 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2508 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2508 N/A C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 2404 N/A C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
PID 3520 wrote to memory of 2404 N/A C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
PID 3520 wrote to memory of 2404 N/A C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
PID 3520 wrote to memory of 2360 N/A C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe

"C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"

C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe

C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul

C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe

C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAA7~1.EXE > nul

C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe

C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3D6~1.EXE > nul

C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe

C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E11DD~1.EXE > nul

C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe

C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3EA~1.EXE > nul

C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe

C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7CBBC~1.EXE > nul

C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe

C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC799~1.EXE > nul

C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe

C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9862E~1.EXE > nul

C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe

C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B3044~1.EXE > nul

C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe

C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C88~1.EXE > nul

C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe

C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0380B~1.EXE > nul

C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe

C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0EE~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files
