Analysis Overview
SHA256
7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9a
Threat Level: Likely malicious
The file 7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Deletes itself
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:41
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:41
Reported
2024-11-10 06:43
Platform
win7-20241010-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}\stubpath = "C:\\Windows\\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe" | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311CD4D7-6A3A-4487-94E4-E538031A4B07} | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311CD4D7-6A3A-4487-94E4-E538031A4B07}\stubpath = "C:\\Windows\\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe" | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}\stubpath = "C:\\Windows\\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe" | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB90095-9C50-42d5-BF82-A2707C89A36E} | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}\stubpath = "C:\\Windows\\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe" | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46747600-729E-40a2-AFA2-2389A6DCE912} | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46747600-729E-40a2-AFA2-2389A6DCE912}\stubpath = "C:\\Windows\\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe" | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF} | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9} | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9} | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D341AD-1033-476b-94EA-513EDA40E6C6} | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C4512C9-D4D3-4eb1-9714-238137A86051} | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93} | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB90095-9C50-42d5-BF82-A2707C89A36E}\stubpath = "C:\\Windows\\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe" | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D341AD-1033-476b-94EA-513EDA40E6C6}\stubpath = "C:\\Windows\\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe" | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C4512C9-D4D3-4eb1-9714-238137A86051}\stubpath = "C:\\Windows\\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe" | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}\stubpath = "C:\\Windows\\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe" | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| N/A | N/A | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| N/A | N/A | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| N/A | N/A | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| N/A | N/A | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
| N/A | N/A | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| N/A | N/A | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| N/A | N/A | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
| N/A | N/A | C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| File created | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| File created | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| File created | C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
| File created | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| File created | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| File created | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| File created | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| File created | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe
"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"
C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F11BB~1.EXE > nul
C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{40C2C~1.EXE > nul
C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A49FD~1.EXE > nul
C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{311CD~1.EXE > nul
C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A2A~1.EXE > nul
C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{46747~1.EXE > nul
C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB90~1.EXE > nul
C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{83D34~1.EXE > nul
C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe
C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5C451~1.EXE > nul
Network
Files
memory/2292-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2292-1-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2292-4-0x0000000000290000-0x00000000002A3000-memory.dmp
C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
| MD5 | 86aac459d7c8a17a988394fa93f6c882 |
| SHA1 | 27230dd836bb2d35d5e69a4c1b469508da595ec1 |
| SHA256 | f49adc3dd36b9b29a3883aa9ea3d3c8072cee0c0a39da02cfb8052ff21516dcf |
| SHA512 | 767ff60fb5bcd803b3552f10a74f1e03f87999593e2439f7c12a2b88f4ff224bf755181893f47362012afb81a6795f2691f70621fff132e06d07d69ba5f8ec77 |
memory/2292-8-0x0000000000290000-0x00000000002A3000-memory.dmp
memory/2292-10-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1536-11-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1536-15-0x0000000000500000-0x0000000000513000-memory.dmp
memory/2844-21-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1536-20-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
| MD5 | baf3bbb84999a5195c9a522f419f4852 |
| SHA1 | 43c4cc83399a8a52c382de25b28d6966cd3aaa09 |
| SHA256 | 4d6177d8ac7fbd34f1d192b5bd4eac4c1b57fe487bcd39437b4d19dcd6e189a9 |
| SHA512 | ce00687199c630b15d2d8e12032d1dffafe67452bb7968c32ffe222c968273c1861a23e2f31154644f9432d494db13671531111cf5cfea34c892179e43360f05 |
memory/2844-22-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2844-26-0x00000000002F0000-0x0000000000303000-memory.dmp
C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
| MD5 | 014bf65ec345a6b6f31bab3b45cc7b22 |
| SHA1 | b19bd0e720c468266431c8f2c63fe7923386a89e |
| SHA256 | 05bbd582d4edc5ebfa2fefb218f33e860795513ad2e7e040ebf10dec302f2a96 |
| SHA512 | 3aac1e651685c38459ff6d395c93b2e6247576f717bf83a1ab1c9218dee47175af179f4ffe76348af85ba7fe4060c837c4c84dd31f5c497806dc3fb2cb05e066 |
memory/2844-31-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2744-32-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2744-36-0x00000000002A0000-0x00000000002B3000-memory.dmp
memory/2744-41-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
| MD5 | dfa58c32ce09825adae93c83e53e7b1b |
| SHA1 | 8633eb480683a92c42e8f241a23ddf3874c42a76 |
| SHA256 | 5f9921c7614dc07fed00dc51db9d3dd20ad93d1a218f0098dda805748efa3098 |
| SHA512 | 565e09cbeb8df423ca5b78119ff03c690486420a1a6827b20d8e5077f57d59703d636066fa52deec562a095db872a8901bb6caacb7b89298398391c038f0f1cb |
memory/2652-42-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2652-46-0x0000000000280000-0x0000000000293000-memory.dmp
C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
| MD5 | a6d4a85a1bc06ead18a224096641b76b |
| SHA1 | d908cecfbaed9ca77ae5aadd7ab0d2b7f065f626 |
| SHA256 | fbc17c1e91bc7b1f58e95ef1794d73e40550b9c1dfb90243eb375bcd423e3c40 |
| SHA512 | 0c337a10b9eb2d56cc2ee117713f25a5cf008173d8ca2b61abb562bcfa61f68066e41ec793db658015c3d4e8194ee26e906297be09b0e0fa84f0cdc9f3efed20 |
memory/2952-52-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2652-51-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2952-56-0x0000000000320000-0x0000000000333000-memory.dmp
memory/2952-61-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
| MD5 | b5609ef00e7bfac87125ea558f903b74 |
| SHA1 | 6b7b15edf84a6c1c253da3052dbaee3cf21cbf67 |
| SHA256 | 6271621a2d4f91622adf6493448495244285257cf9fa0ba9580b55484d72d42d |
| SHA512 | e3871d236c338ac0635e9f78687313812b7637e9ddf3f0272a2127b9e8f8c4ff5e984dc8dbf4dd9df65017db13823c27dba2d428dca3d2c9fdf4da7c5a36c9d6 |
memory/2996-62-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2996-66-0x00000000003A0000-0x00000000003B3000-memory.dmp
C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
| MD5 | 7da20def6b95baec7626a229be08452e |
| SHA1 | cd605920c98f956de0385b9402bb60bb89a63be6 |
| SHA256 | 3779c6b9f04eb108ec793d6ecc3eceac8ccdffe32ee9492ea8fa210ecd64cdf3 |
| SHA512 | 8f3c78048ed8037e6ddfe66a03bfcd6885bcfb0679d4e5080746a138d4b1cc9206c5a03e7aebe2d8b2d3d864f1dd4a4e42f6a63308fbd7fd78ac51e175604939 |
memory/2996-71-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1988-72-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1988-80-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1988-79-0x0000000000290000-0x00000000002A3000-memory.dmp
C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
| MD5 | 360480aa85dae013692cabaa458ffb50 |
| SHA1 | 191906c0307568093e47fe09722cfb64844a0ae6 |
| SHA256 | efd581c3bac766e10eea13be20f800db8e7238a073a4cf712024cbc6aca14529 |
| SHA512 | 2e2ed296e515814a599ed71e4acbd4d252f6f299ef5d6b626d19abf0f86e7f00e042178ec06e14e09274e1c110f19f977028b77375ef2f3f7d4babf23e97a3f3 |
memory/2324-82-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1988-83-0x0000000000290000-0x00000000002A3000-memory.dmp
memory/2324-84-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2324-92-0x0000000000330000-0x0000000000343000-memory.dmp
memory/2180-95-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe
| MD5 | cdd682a25b95c16a3089cd6fc8b50a38 |
| SHA1 | 0a90eaec3b08b14d4ac4cc7c905f0a1e358a760f |
| SHA256 | 605b6677959e84d4a625a44ebac24ae9e20c49ac71b208b3f9815e27ffb60754 |
| SHA512 | b0b6c1ab917f4eac6a6a6d1c2c8ad871c831c5b2c6a3aad1b9279f2e39bdf557edbf59306cf138cefd1f178555189da5da5e80e4318e881839cc17db898ac3c2 |
memory/2324-93-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2324-91-0x0000000000330000-0x0000000000343000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:41
Reported
2024-11-10 06:43
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
97s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}\stubpath = "C:\\Windows\\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe" | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39FB5785-1658-4c5e-8E41-0E2A145BB19C} | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}\stubpath = "C:\\Windows\\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe" | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1} | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}\stubpath = "C:\\Windows\\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe" | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05C4442-3761-4921-9637-7EF5CF006FEF} | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3} | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6924BF2D-F710-4124-96E6-27A83304B195} | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A} | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}\stubpath = "C:\\Windows\\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe" | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942EC688-AC1D-463d-B7F1-373E3C06D3B3} | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}\stubpath = "C:\\Windows\\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe" | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6924BF2D-F710-4124-96E6-27A83304B195}\stubpath = "C:\\Windows\\{6924BF2D-F710-4124-96E6-27A83304B195}.exe" | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8} | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05C4442-3761-4921-9637-7EF5CF006FEF}\stubpath = "C:\\Windows\\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe" | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}\stubpath = "C:\\Windows\\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe" | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}\stubpath = "C:\\Windows\\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe" | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6EFA61D-5B0B-40e8-BDAA-90B342928132} | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| N/A | N/A | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| N/A | N/A | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| N/A | N/A | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| N/A | N/A | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
| N/A | N/A | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| N/A | N/A | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
| N/A | N/A | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
| N/A | N/A | C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
| File created | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| File created | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| File created | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| File created | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| File created | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
| File created | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| File created | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| File created | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe
"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"
C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe
C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F11BB~1.EXE > nul
C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe
C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39FB5~1.EXE > nul
C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe
C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6924B~1.EXE > nul
C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe
C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5F64C~1.EXE > nul
C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe
C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4904~1.EXE > nul
C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe
C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5E0CB~1.EXE > nul
C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe
C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{942EC~1.EXE > nul
C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe
C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B05C4~1.EXE > nul
C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe
C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F6EFA~1.EXE > nul
Network
Files