Malware Analysis Report

2025-06-15 22:28

Sample ID 241109-yjh6js1cng
Target 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N
SHA256 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557
Tags discovery persistence
Score 8/10

Analysis Overview

Score

8/10

SHA256

713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557

Threat Level: Likely malicious

The file 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:48

Reported

2024-11-09 19:50

Platform

win7-20240903-en

Max time kernel

119s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8} C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900} C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B} C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}\stubpath = "C:\\Windows\\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe" C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D} C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}\stubpath = "C:\\Windows\\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe" C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212}\stubpath = "C:\\Windows\\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe" C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507}\stubpath = "C:\\Windows\\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe" C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}\stubpath = "C:\\Windows\\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe" C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43} C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B}\stubpath = "C:\\Windows\\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe" C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507} C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA} C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900}\stubpath = "C:\\Windows\\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe" C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}\stubpath = "C:\\Windows\\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe" C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B} C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212} C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}\stubpath = "C:\\Windows\\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe" C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe N/A
File created C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe N/A
File created C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe N/A
File created C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe N/A
File created C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe N/A
File created C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe N/A
File created C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe N/A
File created C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
File created C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
PID 1848 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
PID 1848 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
PID 1848 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
PID 2400 wrote to memory of 2708 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2708 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2708 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2708 N/A C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2756 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
PID 2600 wrote to memory of 2756 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
PID 2600 wrote to memory of 2756 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
PID 2600 wrote to memory of 2756 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3068 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
PID 2756 wrote to memory of 3068 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
PID 2756 wrote to memory of 3068 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
PID 2756 wrote to memory of 3068 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
PID 2756 wrote to memory of 3064 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 836 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
PID 3068 wrote to memory of 836 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
PID 3068 wrote to memory of 836 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
PID 3068 wrote to memory of 836 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
PID 3068 wrote to memory of 2828 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2828 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2828 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2828 N/A C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 2920 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
PID 836 wrote to memory of 2920 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
PID 836 wrote to memory of 2920 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
PID 836 wrote to memory of 2920 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1996 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
PID 2920 wrote to memory of 1996 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
PID 2920 wrote to memory of 1996 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
PID 2920 wrote to memory of 1996 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
PID 2920 wrote to memory of 1204 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1204 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1204 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1204 N/A C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2164 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
PID 1996 wrote to memory of 2164 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
PID 1996 wrote to memory of 2164 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
PID 1996 wrote to memory of 2164 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
PID 1996 wrote to memory of 1040 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1040 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1040 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1040 N/A C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe

"C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"

C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe

C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul

C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe

C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5785E~1.EXE > nul

C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe

C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2631B~1.EXE > nul

C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe

C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9F6~1.EXE > nul

C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe

C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49B72~1.EXE > nul

C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe

C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72F24~1.EXE > nul

C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe

C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AF03F~1.EXE > nul

C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe

C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D68~1.EXE > nul

C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe

C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5D4~1.EXE > nul

Network

N/A

Files

memory/1848-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1848-1-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1848-4-0x00000000005B0000-0x00000000005C1000-memory.dmp

C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe

MD5 dad5e32fdff8b9261f2bd5ad03d965c6
SHA1 b19c85101b36a375970010771b5aca33238093bd
SHA256 d0fcc934ca0c663f4e515d9c2ccdaf6f579c1dee0ac9b781aa30f352b4ed1259
SHA512 4d0e56a679268514b7ab054b8094afdc299df08809eec12b4302af56d2ee1210a468125e3e59174a20617ede0f75278d7ee6c8fb430a5dce03fdb00129c71273

memory/1848-8-0x00000000005B0000-0x00000000005C1000-memory.dmp

memory/1848-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2400-13-0x0000000000420000-0x0000000000431000-memory.dmp

C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe

MD5 220250738f54fc7932ccc75d78cd1457
SHA1 ce855c9def53928476d328205dff0680cedf355c
SHA256 141b679178b0b868e98e8218273f431d1155a2c157b7e3046ad7fe74a5e1534a
SHA512 df58a859fe6ee5075a7226f571b7d2b9462a9f731d6bed6fd28738be9c58843925122aec85d21cf6c97f4499a5deb6565b66f9a863d8e382f9882a04aa9ba969

memory/2400-19-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2600-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2600-28-0x00000000005B0000-0x00000000005C1000-memory.dmp

memory/2600-29-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2600-24-0x00000000005B0000-0x00000000005C1000-memory.dmp

C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe

MD5 c08ef3b387f4a82201bfaf2e462953b7
SHA1 3904b0bad0f9afdb6c05ee1a4b2356158e967921
SHA256 77b31e6b995e749876c0b7b72f2ee9d341d9fd156dbe5ec6ffc71e12ebe78a0d
SHA512 f19d827b820830e9a5c59055a40ac1a47dc3ce646440309c36bf57d0f8e3465f9c4c2f8304ba716776dac1a8b9f1353b93defee0dc2c8a9447c020cdcceadd5c

memory/2756-38-0x00000000002D0000-0x00000000002E1000-memory.dmp

memory/2756-39-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2756-34-0x00000000002D0000-0x00000000002E1000-memory.dmp

C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe

MD5 fce388c48a7702fe11cfe9663029bdc9
SHA1 a682a29da553f8fcabb1afb86a623f8808fe616d
SHA256 d3f66a1f74f93ff2cc0c020e35b7f4c2377a14128089ef8fdcf14d5febc24541
SHA512 f3fd11d957875addf46d6c7a8fc86e86433db524210419ebd5bf392b7641cc876bd8b4da72b5870aae82bb91b744fdb72c3af7f45743c1e81f9231310ba9f97d

memory/3068-41-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3068-50-0x00000000002B0000-0x00000000002C1000-memory.dmp

memory/3068-49-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3068-48-0x00000000002B0000-0x00000000002C1000-memory.dmp

C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe

MD5 16a3ca5899f03911ea95d1fbcd394fec
SHA1 26914c92bc18f1bed89a2bc7d00a216322c915bd
SHA256 11620bb104af87ec575b6077434ef01864764969d445fa62d7a01058aac0123b
SHA512 dc00351926d150ae7413830b45a6a9a8665382ee91829ab60fa51402baa1b71f9a59a97d709355d785b826abf19ab23725cfc699008991eac4b49c6bbf859e85

memory/836-52-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3068-53-0x00000000002B0000-0x00000000002C1000-memory.dmp

memory/836-61-0x00000000003A0000-0x00000000003B1000-memory.dmp

memory/836-57-0x00000000003A0000-0x00000000003B1000-memory.dmp

memory/836-62-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe

MD5 95ae5a19f060cca1d0a2ee342239efb2
SHA1 0620a3dd404b53158fb9c5faddc39cf5dd94f753
SHA256 9a36599a2fc9aad33094eaa1302fd330b0ad4bd21e08b2d8cab87f56be7fba4f
SHA512 88f5974f4e0991dfbd52f03d9f66528981a0a3ffb38f745f808c0df86a9a5fe9525c4c05d98360a2ad5ab0baf7df31b484dbb6e5e02972ca4b99ee35ed7b0779

memory/2920-71-0x00000000004B0000-0x00000000004C1000-memory.dmp

memory/2920-70-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe

MD5 2241293ed4fc69772ce9cd8e8b58d38e
SHA1 aee8a26af9f2d2e0693cfbb09ad07aad22e2a4fc
SHA256 8a1cf3a9151c7a0503b98c96c5e545586e9728fe7f391d90d00cbfe65719d397
SHA512 a27d51773d264ff2dced7439d09c01eca60b6d1e881eb7c2900fd0cd43e32bc0f57aee3fcd4d476db9031fd9d634f4dfdd88f1ff1232241e9e13ef0b5254ff0e

memory/1996-73-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2920-74-0x00000000004B0000-0x00000000004C1000-memory.dmp

memory/1996-78-0x00000000003E0000-0x00000000003F1000-memory.dmp

memory/1996-82-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe

MD5 bfeccaeab99b0c98313c61a65de3102d
SHA1 e9de292a121851daaa326a2d2e08a7b6d6453597
SHA256 154a2455827c6fb7b8869a91dd8747225ec199959cb6681c3e7940753ce8e1f4
SHA512 ccd67720eea04bd576653441ec1844d168992352fcd737b2cb0ef2ac910ed59463aaa5203401542b23aeb0b29209b4297d01945ba2fe2a246cffc7f1546d912e

memory/2164-90-0x00000000003A0000-0x00000000003B1000-memory.dmp

C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe

MD5 fd7c5cf7c437347c0ec699e6973f493b
SHA1 cb49fe0b5f520bca7b568a7f15084f86d2f9c14b
SHA256 f93f78ca1afa2362b926ff178aa0a4cc8c11fc9c9df971238d3832f3dc25d07d
SHA512 4fc89379d18c0f2668d101bd8bb519e06a1ddb015f16c2c9f8d5613469ee031e5cde43146f2e2fb89c243dad8ba7e96eca5dec13205504864a833600da065e38

memory/2164-91-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:48

Reported

2024-11-09 19:50

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502EDC23-3BDF-485c-82A9-C7C516523D6C}\stubpath = "C:\\Windows\\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe" C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}\stubpath = "C:\\Windows\\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe" C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}\stubpath = "C:\\Windows\\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe" C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502EDC23-3BDF-485c-82A9-C7C516523D6C} C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}\stubpath = "C:\\Windows\\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe" C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE} C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}\stubpath = "C:\\Windows\\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe" C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A83E85A-C878-44cd-95DE-102A0527132D} C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F} C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250A4FD9-7980-40f5-BF2A-52E26658F7C8} C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2917989-30B5-43c3-AD84-ECADD8E14EB3} C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5} C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}\stubpath = "C:\\Windows\\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe" C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D} C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}\stubpath = "C:\\Windows\\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe" C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A83E85A-C878-44cd-95DE-102A0527132D}\stubpath = "C:\\Windows\\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe" C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}\stubpath = "C:\\Windows\\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe" C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108} C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
File created C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe N/A
File created C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe N/A
File created C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe N/A
File created C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe N/A
File created C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe N/A
File created C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe N/A
File created C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe N/A
File created C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
PID 1092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
PID 1092 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
PID 1092 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3076 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
PID 2452 wrote to memory of 3076 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
PID 2452 wrote to memory of 3076 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
PID 2452 wrote to memory of 3272 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3272 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3272 N/A C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4876 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
PID 3076 wrote to memory of 4876 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
PID 3076 wrote to memory of 4876 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
PID 3076 wrote to memory of 4516 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4516 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4516 N/A C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4740 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
PID 4876 wrote to memory of 4740 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
PID 4876 wrote to memory of 4740 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
PID 4876 wrote to memory of 644 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 644 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 644 N/A C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 4560 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
PID 4740 wrote to memory of 4560 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
PID 4740 wrote to memory of 4560 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
PID 4740 wrote to memory of 3712 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 3712 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 3712 N/A C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 5104 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
PID 4560 wrote to memory of 5104 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
PID 4560 wrote to memory of 5104 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
PID 4560 wrote to memory of 2604 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2604 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2604 N/A C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4036 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
PID 5104 wrote to memory of 4036 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
PID 5104 wrote to memory of 4036 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
PID 5104 wrote to memory of 4672 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4672 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4672 N/A C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4556 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
PID 4036 wrote to memory of 4556 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
PID 4036 wrote to memory of 4556 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
PID 4036 wrote to memory of 4764 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4764 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 4764 N/A C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 3528 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
PID 4556 wrote to memory of 3528 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
PID 4556 wrote to memory of 3528 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
PID 4556 wrote to memory of 2412 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 2412 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 2412 N/A C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe

"C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"

C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe

C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul

C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe

C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A83E~1.EXE > nul

C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe

C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3D0~1.EXE > nul

C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe

C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67AFF~1.EXE > nul

C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe

C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{250A4~1.EXE > nul

C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe

C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{15B8B~1.EXE > nul

C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe

C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F2917~1.EXE > nul

C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe

C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6ED2~1.EXE > nul

C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe

C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3D612~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp

Files

memory/1092-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1092-1-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2452-5-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe

MD5 73c016645f066042e21ce34b2f5731e3
SHA1 e87aec85b28063342654bc7e2286fb10598d7552
SHA256 2561708509b6fb1c7a4eceb1c2148957f45b3dc3c780e0c0bef6667c25e8e639
SHA512 79711bf16828973a5f9433560152c5d1e23268dea585593597c835ac919196fbe150cca65d56b34dcfd450a6751da81609c66939c00d908f40effd1b91d8894e

memory/1092-7-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe

MD5 4d2c5e8ba4c00bcf43e75dcfd95cc460
SHA1 48ea815a62b0d818cb72a6c142cdd1e2afcb285e
SHA256 93227d22e9720e5ab8fef4d5b6c877ccfdab318eef3aeabba6aff3c9a5dfc3d5
SHA512 323ef6e7a2c1e9d36f7350378872738159f929927ea2b4b121547bc79f909e361796ee376d2e6a6c93c2e1656111548f82d2448661ed722a97a1dbcfbc2605c4

memory/3076-13-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2452-12-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3076-14-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe

MD5 44e87882e71544fdd1a39f9f0908e11f
SHA1 c1fc0e9bc84766474dda3ff15c7e31099f26bf4d
SHA256 e4ef5471c81d2045a471fab212d3844cda164b8fea18b90c78bb3f3586c5110a
SHA512 8889b9d19fe46a9be3e6a249dbda95e16c0e73af8b55506133617a8f706e120b863196d646b77759c3547fc72c35c1db3d2a086398aa0704bf06a786c414b4ef

memory/3076-19-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4876-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4876-24-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe

MD5 0acb9e3a90c35532f9de3f3a37208c52
SHA1 4c33e5d1c6dcc5845c816e42880d64ad3958d24d
SHA256 30ab586b3759f869b348169a646264e0210b53d227db7c4093ecd4ff54b8804c
SHA512 a107fa6c0e86b600b5bfef7cee95673f1268b60377da84c32a264d9081fa7ace0931092bd0a8dbcc2aeac597256a07b894a6b9ac8afc1922a0e5d8de5c260c98

memory/4740-25-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe

MD5 2a2c04ac39201c8d046778757215f454
SHA1 78432332070cecae05d0d5594c682d84a54c30aa
SHA256 c85b0eec5600d942b8bfe485822a056667f550167faf89b556fefd9d49f1c747
SHA512 d11e58d672621a70ed9677d960030cab8327630418c2fe5d201a7722e57a74154f0c8330c8852635fd765b75e986dece616a1d464081d006ba19e37c5a7e0e93

memory/4740-31-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4560-32-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe

MD5 b0625623b1a0b5a4ee1b2c9c6cea6941
SHA1 a9b975b5cc8e718c6b906578d2bef5a4c7ac3fd7
SHA256 1063f7c06aa1aae9ef612bc6a765a05c4d526e6abfd92e6a098e33328abdfc00
SHA512 4c1d223b657df493721a18a896cb94833d04853c85af291be52d14926135c1288832406115a7160f175833b657a4e52f82d4414df90b070b9f0cbf7416e3159d

memory/4560-36-0x0000000000400000-0x0000000000411000-memory.dmp

memory/5104-37-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe

MD5 5c89603187dd11d676859cd80d268cfb
SHA1 0c78dc4dbfc72d4bc94776b6011136a5877b965e
SHA256 99921341c32464844a3a5e258c505f4524ab4cff210be16d1fccf78e096b9e44
SHA512 28b2a2fdaceddeeef0df6f7516c117812512e4ad55e259e39b9299799f177a1acd2721efcdaa9e83a37429720e5cb97178db151a9cec38ce3befb3dd7362ed03

memory/5104-42-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4036-44-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4036-48-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe

MD5 9e90b1e21e136380008bce9beba943bb
SHA1 39be035e807330b6732a01bb5a8d3c724cfaeb82
SHA256 535105885bfc3c1d3a3e8e5a7336802b0bfb31c24bd3ed9039d876ab48a898e2
SHA512 9efa9e71741fd5cfec03421a4201b620398e5a029854e9a381f272eab94e6474c93ced078f9880885e147118f3eea3ccfe157bf5a604f44cbf7f5bfd030c7729

memory/4556-50-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe

MD5 3ea8eb488d2c03a1b2aafc479bdad308
SHA1 7e0ebe05040e56e96c6e8d51e8d482c2be80f9f9
SHA256 a88c03e74d09f696d990d48a0590637966fa8ccc7d4f01e93e3f7c70be547e10
SHA512 8f9f2a2a6c76b00ca1350e371822d03f019dbf4a45f324227ea1054124fa347316999aa0e58f030a17191167915a42fe3d1322bb752151e0a6751e03832c15e8

memory/4556-55-0x0000000000400000-0x0000000000411000-memory.dmp