Analysis Overview
SHA256
713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557
Threat Level: Likely malicious
The file 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:48
Reported
2024-11-09 19:50
Platform
win7-20240903-en
Max time kernel
119s
Max time network
117s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8} | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900} | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B} | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}\stubpath = "C:\\Windows\\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe" | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D} | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}\stubpath = "C:\\Windows\\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe" | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212}\stubpath = "C:\\Windows\\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe" | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507}\stubpath = "C:\\Windows\\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe" | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}\stubpath = "C:\\Windows\\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe" | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43} | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B}\stubpath = "C:\\Windows\\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe" | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507} | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA} | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900}\stubpath = "C:\\Windows\\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe" | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}\stubpath = "C:\\Windows\\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe" | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B} | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212} | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}\stubpath = "C:\\Windows\\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe" | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
| N/A | N/A | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| N/A | N/A | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| N/A | N/A | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| N/A | N/A | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| N/A | N/A | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| N/A | N/A | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| N/A | N/A | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
| N/A | N/A | C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| File created | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| File created | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| File created | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| File created | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| File created | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| File created | C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
| File created | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| File created | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe" |
| C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe | C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul |
| C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe | C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5785E~1.EXE > nul |
| C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe | C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2631B~1.EXE > nul |
| C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe | C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9F6~1.EXE > nul |
| C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe | C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{49B72~1.EXE > nul |
| C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe | C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{72F24~1.EXE > nul |
| C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe | C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AF03F~1.EXE > nul |
| C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe | C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D68~1.EXE > nul |
| C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe | C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5D4~1.EXE > nul |
Network
Files
C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
| MD5 | dad5e32fdff8b9261f2bd5ad03d965c6 |
| SHA1 | b19c85101b36a375970010771b5aca33238093bd |
| SHA256 | d0fcc934ca0c663f4e515d9c2ccdaf6f579c1dee0ac9b781aa30f352b4ed1259 |
| SHA512 | 4d0e56a679268514b7ab054b8094afdc299df08809eec12b4302af56d2ee1210a468125e3e59174a20617ede0f75278d7ee6c8fb430a5dce03fdb00129c71273 |
C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
| MD5 | 220250738f54fc7932ccc75d78cd1457 |
| SHA1 | ce855c9def53928476d328205dff0680cedf355c |
| SHA256 | 141b679178b0b868e98e8218273f431d1155a2c157b7e3046ad7fe74a5e1534a |
| SHA512 | df58a859fe6ee5075a7226f571b7d2b9462a9f731d6bed6fd28738be9c58843925122aec85d21cf6c97f4499a5deb6565b66f9a863d8e382f9882a04aa9ba969 |
C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
| MD5 | c08ef3b387f4a82201bfaf2e462953b7 |
| SHA1 | 3904b0bad0f9afdb6c05ee1a4b2356158e967921 |
| SHA256 | 77b31e6b995e749876c0b7b72f2ee9d341d9fd156dbe5ec6ffc71e12ebe78a0d |
| SHA512 | f19d827b820830e9a5c59055a40ac1a47dc3ce646440309c36bf57d0f8e3465f9c4c2f8304ba716776dac1a8b9f1353b93defee0dc2c8a9447c020cdcceadd5c |
C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
| MD5 | fce388c48a7702fe11cfe9663029bdc9 |
| SHA1 | a682a29da553f8fcabb1afb86a623f8808fe616d |
| SHA256 | d3f66a1f74f93ff2cc0c020e35b7f4c2377a14128089ef8fdcf14d5febc24541 |
| SHA512 | f3fd11d957875addf46d6c7a8fc86e86433db524210419ebd5bf392b7641cc876bd8b4da72b5870aae82bb91b744fdb72c3af7f45743c1e81f9231310ba9f97d |
C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
| MD5 | 16a3ca5899f03911ea95d1fbcd394fec |
| SHA1 | 26914c92bc18f1bed89a2bc7d00a216322c915bd |
| SHA256 | 11620bb104af87ec575b6077434ef01864764969d445fa62d7a01058aac0123b |
| SHA512 | dc00351926d150ae7413830b45a6a9a8665382ee91829ab60fa51402baa1b71f9a59a97d709355d785b826abf19ab23725cfc699008991eac4b49c6bbf859e85 |
C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
| MD5 | 95ae5a19f060cca1d0a2ee342239efb2 |
| SHA1 | 0620a3dd404b53158fb9c5faddc39cf5dd94f753 |
| SHA256 | 9a36599a2fc9aad33094eaa1302fd330b0ad4bd21e08b2d8cab87f56be7fba4f |
| SHA512 | 88f5974f4e0991dfbd52f03d9f66528981a0a3ffb38f745f808c0df86a9a5fe9525c4c05d98360a2ad5ab0baf7df31b484dbb6e5e02972ca4b99ee35ed7b0779 |
C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
| MD5 | 2241293ed4fc69772ce9cd8e8b58d38e |
| SHA1 | aee8a26af9f2d2e0693cfbb09ad07aad22e2a4fc |
| SHA256 | 8a1cf3a9151c7a0503b98c96c5e545586e9728fe7f391d90d00cbfe65719d397 |
| SHA512 | a27d51773d264ff2dced7439d09c01eca60b6d1e881eb7c2900fd0cd43e32bc0f57aee3fcd4d476db9031fd9d634f4dfdd88f1ff1232241e9e13ef0b5254ff0e |
C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
| MD5 | bfeccaeab99b0c98313c61a65de3102d |
| SHA1 | e9de292a121851daaa326a2d2e08a7b6d6453597 |
| SHA256 | 154a2455827c6fb7b8869a91dd8747225ec199959cb6681c3e7940753ce8e1f4 |
| SHA512 | ccd67720eea04bd576653441ec1844d168992352fcd737b2cb0ef2ac910ed59463aaa5203401542b23aeb0b29209b4297d01945ba2fe2a246cffc7f1546d912e |
C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
| MD5 | fd7c5cf7c437347c0ec699e6973f493b |
| SHA1 | cb49fe0b5f520bca7b568a7f15084f86d2f9c14b |
| SHA256 | f93f78ca1afa2362b926ff178aa0a4cc8c11fc9c9df971238d3832f3dc25d07d |
| SHA512 | 4fc89379d18c0f2668d101bd8bb519e06a1ddb015f16c2c9f8d5613469ee031e5cde43146f2e2fb89c243dad8ba7e96eca5dec13205504864a833600da065e38 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:48
Reported
2024-11-09 19:50
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
95s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502EDC23-3BDF-485c-82A9-C7C516523D6C}\stubpath = "C:\\Windows\\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe" | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}\stubpath = "C:\\Windows\\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe" | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}\stubpath = "C:\\Windows\\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe" | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502EDC23-3BDF-485c-82A9-C7C516523D6C} | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}\stubpath = "C:\\Windows\\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe" | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE} | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}\stubpath = "C:\\Windows\\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe" | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A83E85A-C878-44cd-95DE-102A0527132D} | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F} | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250A4FD9-7980-40f5-BF2A-52E26658F7C8} | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2917989-30B5-43c3-AD84-ECADD8E14EB3} | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5} | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}\stubpath = "C:\\Windows\\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe" | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D} | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}\stubpath = "C:\\Windows\\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe" | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A83E85A-C878-44cd-95DE-102A0527132D}\stubpath = "C:\\Windows\\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe" | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}\stubpath = "C:\\Windows\\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe" | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108} | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| N/A | N/A | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| N/A | N/A | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| N/A | N/A | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
| N/A | N/A | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| N/A | N/A | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| N/A | N/A | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
| N/A | N/A | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
| N/A | N/A | C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| File created | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
| File created | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| File created | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| File created | C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
| File created | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| File created | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| File created | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| File created | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe" |
| C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul |
| C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2A83E~1.EXE > nul |
| C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3D0~1.EXE > nul |
| C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{67AFF~1.EXE > nul |
| C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{250A4~1.EXE > nul |
| C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{15B8B~1.EXE > nul |
| C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F2917~1.EXE > nul |
| C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E6ED2~1.EXE > nul |
| C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe | C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3D612~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
Files
C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
| MD5 | 73c016645f066042e21ce34b2f5731e3 |
| SHA1 | e87aec85b28063342654bc7e2286fb10598d7552 |
| SHA256 | 2561708509b6fb1c7a4eceb1c2148957f45b3dc3c780e0c0bef6667c25e8e639 |
| SHA512 | 79711bf16828973a5f9433560152c5d1e23268dea585593597c835ac919196fbe150cca65d56b34dcfd450a6751da81609c66939c00d908f40effd1b91d8894e |
memory/1092-7-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
| MD5 | 4d2c5e8ba4c00bcf43e75dcfd95cc460 |
| SHA1 | 48ea815a62b0d818cb72a6c142cdd1e2afcb285e |
| SHA256 | 93227d22e9720e5ab8fef4d5b6c877ccfdab318eef3aeabba6aff3c9a5dfc3d5 |
| SHA512 | 323ef6e7a2c1e9d36f7350378872738159f929927ea2b4b121547bc79f909e361796ee376d2e6a6c93c2e1656111548f82d2448661ed722a97a1dbcfbc2605c4 |
memory/3076-13-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2452-12-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3076-14-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
| MD5 | 44e87882e71544fdd1a39f9f0908e11f |
| SHA1 | c1fc0e9bc84766474dda3ff15c7e31099f26bf4d |
| SHA256 | e4ef5471c81d2045a471fab212d3844cda164b8fea18b90c78bb3f3586c5110a |
| SHA512 | 8889b9d19fe46a9be3e6a249dbda95e16c0e73af8b55506133617a8f706e120b863196d646b77759c3547fc72c35c1db3d2a086398aa0704bf06a786c414b4ef |
memory/3076-19-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4876-20-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4876-24-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
| MD5 | 0acb9e3a90c35532f9de3f3a37208c52 |
| SHA1 | 4c33e5d1c6dcc5845c816e42880d64ad3958d24d |
| SHA256 | 30ab586b3759f869b348169a646264e0210b53d227db7c4093ecd4ff54b8804c |
| SHA512 | a107fa6c0e86b600b5bfef7cee95673f1268b60377da84c32a264d9081fa7ace0931092bd0a8dbcc2aeac597256a07b894a6b9ac8afc1922a0e5d8de5c260c98 |
memory/4740-25-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
| MD5 | 2a2c04ac39201c8d046778757215f454 |
| SHA1 | 78432332070cecae05d0d5594c682d84a54c30aa |
| SHA256 | c85b0eec5600d942b8bfe485822a056667f550167faf89b556fefd9d49f1c747 |
| SHA512 | d11e58d672621a70ed9677d960030cab8327630418c2fe5d201a7722e57a74154f0c8330c8852635fd765b75e986dece616a1d464081d006ba19e37c5a7e0e93 |
memory/4740-31-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4560-32-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
| MD5 | b0625623b1a0b5a4ee1b2c9c6cea6941 |
| SHA1 | a9b975b5cc8e718c6b906578d2bef5a4c7ac3fd7 |
| SHA256 | 1063f7c06aa1aae9ef612bc6a765a05c4d526e6abfd92e6a098e33328abdfc00 |
| SHA512 | 4c1d223b657df493721a18a896cb94833d04853c85af291be52d14926135c1288832406115a7160f175833b657a4e52f82d4414df90b070b9f0cbf7416e3159d |
memory/4560-36-0x0000000000400000-0x0000000000411000-memory.dmp
memory/5104-37-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
| MD5 | 5c89603187dd11d676859cd80d268cfb |
| SHA1 | 0c78dc4dbfc72d4bc94776b6011136a5877b965e |
| SHA256 | 99921341c32464844a3a5e258c505f4524ab4cff210be16d1fccf78e096b9e44 |
| SHA512 | 28b2a2fdaceddeeef0df6f7516c117812512e4ad55e259e39b9299799f177a1acd2721efcdaa9e83a37429720e5cb97178db151a9cec38ce3befb3dd7362ed03 |
memory/5104-42-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4036-44-0x0000000000400000-0x0000000000411000-memory.dmp
memory/4036-48-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
| MD5 | 9e90b1e21e136380008bce9beba943bb |
| SHA1 | 39be035e807330b6732a01bb5a8d3c724cfaeb82 |
| SHA256 | 535105885bfc3c1d3a3e8e5a7336802b0bfb31c24bd3ed9039d876ab48a898e2 |
| SHA512 | 9efa9e71741fd5cfec03421a4201b620398e5a029854e9a381f272eab94e6474c93ced078f9880885e147118f3eea3ccfe157bf5a604f44cbf7f5bfd030c7729 |
memory/4556-50-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
| MD5 | 3ea8eb488d2c03a1b2aafc479bdad308 |
| SHA1 | 7e0ebe05040e56e96c6e8d51e8d482c2be80f9f9 |
| SHA256 | a88c03e74d09f696d990d48a0590637966fa8ccc7d4f01e93e3f7c70be547e10 |
| SHA512 | 8f9f2a2a6c76b00ca1350e371822d03f019dbf4a45f324227ea1054124fa347316999aa0e58f030a17191167915a42fe3d1322bb752151e0a6751e03832c15e8 |
memory/4556-55-0x0000000000400000-0x0000000000411000-memory.dmp
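The Files section interleaves two record kinds: memory dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, and dropped executables followed by a four-row hash table. Reading it by eye, every dump covers the same region 0x400000-0x411000 (0x11000 bytes), while every dropped GUID executable carries a different hash. The parser below is an added example, not the sandbox vendor's code: it turns the section into structured records, checks each digest has the hex length its algorithm requires (a truncated copy of a hash is the usual reason an IOC block-list silently fails to match), and summarizes the PIDs, image sizes and distinct SHA256 values. The sample input is constructed from a subset of this page's entries plus one deliberately malformed, hypothetical entry (C:\Windows\EXAMPLE-TRUNCATED.exe with a 60-character SHA256) to show the validator catching it.

```python
"""Added example (not the sandbox vendor's code): parse a sandbox 'Files' section
into memory-dump records and dropped-file hash sets, validating digest lengths."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the report's Files section, verbatim in shape.
FILES_SECTION = r"""
memory/1092-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1092-1-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2452-5-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
| MD5 | 73c016645f066042e21ce34b2f5731e3 |
| SHA1 | e87aec85b28063342654bc7e2286fb10598d7552 |
| SHA256 | 2561708509b6fb1c7a4eceb1c2148957f45b3dc3c780e0c0bef6667c25e8e639 |
| SHA512 | 79711bf16828973a5f9433560152c5d1e23268dea585593597c835ac919196fbe150cca65d56b34dcfd450a6751da81609c66939c00d908f40effd1b91d8894e |
memory/1092-7-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
| MD5 | 4d2c5e8ba4c00bcf43e75dcfd95cc460 |
| SHA1 | 48ea815a62b0d818cb72a6c142cdd1e2afcb285e |
| SHA256 | 93227d22e9720e5ab8fef4d5b6c877ccfdab318eef3aeabba6aff3c9a5dfc3d5 |
| SHA512 | 323ef6e7a2c1e9d36f7350378872738159f929927ea2b4b121547bc79f909e361796ee376d2e6a6c93c2e1656111548f82d2448661ed722a97a1dbcfbc2605c4 |
memory/3076-13-0x0000000000400000-0x0000000000411000-memory.dmp
"""
# Constructed, hypothetical entry with a truncated SHA256 (60 hex chars, not 64)
# so the length check has something to flag. Not from the report.
FILES_SECTION += "\n".join([
    r"C:\Windows\EXAMPLE-TRUNCATED.exe",
    f"| MD5 | {'0' * 32} |",
    f"| SHA1 | {'0' * 40} |",
    f"| SHA256 | {'0' * 60} |",
    f"| SHA512 | {'0' * 128} |",
]) + "\n"

MEM_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text: str) -> Tuple[List[dict], Dict[str, Dict[str, str]]]:
    """Return (dumps, dropped). dumps: one dict per memory line with pid, seq,
    start, end and size. dropped: path -> {algorithm: lowercase hex digest}."""
    dumps: List[dict] = []
    dropped: Dict[str, Dict[str, str]] = {}
    current = None  # dropped-file path whose hash table we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.fullmatch(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            dropped[current][m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = line
            dropped.setdefault(current, {})
    return dumps, dropped


def malformed_hashes(dropped: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(path, algorithm) for every digest that is missing or has the wrong hex length."""
    return [(path, algo) for path, hashes in dropped.items()
            for algo, n in EXPECTED_HEX_LEN.items()
            if len(hashes.get(algo, "")) != n]


def summarize(dumps: List[dict], dropped: Dict[str, Dict[str, str]]) -> dict:
    return {
        "pids": sorted({d["pid"] for d in dumps}),
        "image_sizes": sorted({d["size"] for d in dumps}),
        "dropped_count": len(dropped),
        "distinct_sha256": len({h["SHA256"] for h in dropped.values() if "SHA256" in h}),
        "malformed": malformed_hashes(dropped),
    }


if __name__ == "__main__":
    print(summarize(*parse_files_section(FILES_SECTION)))
```

Run against the full section on this page the same code reports one image size for every dumped PID and as many distinct SHA256 values as dropped files; the page does not say why each stage hashes differently, so that observation is best recorded as-is and each SHA256 added to the block-list separately rather than assuming one hash covers the family.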