Malware Analysis Report

2025-04-03 19:48

Sample ID: 241110-hfrerasare
Target: 7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN
SHA256: 7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9a
Tags: discovery, persistence, upx
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9a

Threat Level: Likely malicious

The file 7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence, upx

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Deletes itself

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 06:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 06:41
Reported: 2024-11-10 06:43
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}\stubpath = "C:\\Windows\\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe" C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311CD4D7-6A3A-4487-94E4-E538031A4B07} C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311CD4D7-6A3A-4487-94E4-E538031A4B07}\stubpath = "C:\\Windows\\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe" C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}\stubpath = "C:\\Windows\\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe" C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB90095-9C50-42d5-BF82-A2707C89A36E} C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}\stubpath = "C:\\Windows\\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe" C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46747600-729E-40a2-AFA2-2389A6DCE912} C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46747600-729E-40a2-AFA2-2389A6DCE912}\stubpath = "C:\\Windows\\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe" C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF} C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9} C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9} C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D341AD-1033-476b-94EA-513EDA40E6C6} C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C4512C9-D4D3-4eb1-9714-238137A86051} C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93} C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB90095-9C50-42d5-BF82-A2707C89A36E}\stubpath = "C:\\Windows\\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe" C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D341AD-1033-476b-94EA-513EDA40E6C6}\stubpath = "C:\\Windows\\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe" C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C4512C9-D4D3-4eb1-9714-238137A86051}\stubpath = "C:\\Windows\\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe" C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}\stubpath = "C:\\Windows\\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe" C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe N/A
File created C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe N/A
File created C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe N/A
File created C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe N/A
File created C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
File created C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe N/A
File created C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe N/A
File created C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe N/A
File created C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe
PID 2292 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2844 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
PID 1536 wrote to memory of 2844 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
PID 1536 wrote to memory of 2844 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
PID 1536 wrote to memory of 2844 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe
PID 1536 wrote to memory of 2836 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2836 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2836 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2836 N/A C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2744 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
PID 2844 wrote to memory of 2744 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
PID 2844 wrote to memory of 2744 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
PID 2844 wrote to memory of 2744 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe
PID 2844 wrote to memory of 3008 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3008 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3008 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3008 N/A C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2652 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
PID 2744 wrote to memory of 2652 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
PID 2744 wrote to memory of 2652 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
PID 2744 wrote to memory of 2652 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe
PID 2744 wrote to memory of 2764 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2764 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2764 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2764 N/A C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2952 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
PID 2652 wrote to memory of 2952 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
PID 2652 wrote to memory of 2952 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
PID 2652 wrote to memory of 2952 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe
PID 2652 wrote to memory of 1308 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1308 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1308 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1308 N/A C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2996 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
PID 2952 wrote to memory of 2996 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
PID 2952 wrote to memory of 2996 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
PID 2952 wrote to memory of 2996 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe
PID 2952 wrote to memory of 1236 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1236 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1236 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1236 N/A C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1988 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
PID 2996 wrote to memory of 1988 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
PID 2996 wrote to memory of 1988 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
PID 2996 wrote to memory of 1988 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe
PID 2996 wrote to memory of 2512 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2512 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2512 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2512 N/A C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2324 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
PID 1988 wrote to memory of 2324 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
PID 1988 wrote to memory of 2324 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
PID 1988 wrote to memory of 2324 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe
PID 1988 wrote to memory of 2564 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2564 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2564 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2564 N/A C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe

"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"

C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe

C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F11BB~1.EXE > nul

C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe

C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{40C2C~1.EXE > nul

C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe

C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A49FD~1.EXE > nul

C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe

C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{311CD~1.EXE > nul

C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe

C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A2A~1.EXE > nul

C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe

C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46747~1.EXE > nul

C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe

C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB90~1.EXE > nul

C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe

C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{83D34~1.EXE > nul

C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe

C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5C451~1.EXE > nul

Network

N/A

Files

memory/2292-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2292-1-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2292-4-0x0000000000290000-0x00000000002A3000-memory.dmp

C:\Windows\{40C2C80F-C2A7-4f80-B405-8E9E533A8BAF}.exe

MD5 86aac459d7c8a17a988394fa93f6c882
SHA1 27230dd836bb2d35d5e69a4c1b469508da595ec1
SHA256 f49adc3dd36b9b29a3883aa9ea3d3c8072cee0c0a39da02cfb8052ff21516dcf
SHA512 767ff60fb5bcd803b3552f10a74f1e03f87999593e2439f7c12a2b88f4ff224bf755181893f47362012afb81a6795f2691f70621fff132e06d07d69ba5f8ec77

memory/2292-8-0x0000000000290000-0x00000000002A3000-memory.dmp

memory/2292-10-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1536-11-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1536-15-0x0000000000500000-0x0000000000513000-memory.dmp

memory/2844-21-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1536-20-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{A49FD422-873B-4dd5-AAAB-D1A6C3EC76D9}.exe

MD5 baf3bbb84999a5195c9a522f419f4852
SHA1 43c4cc83399a8a52c382de25b28d6966cd3aaa09
SHA256 4d6177d8ac7fbd34f1d192b5bd4eac4c1b57fe487bcd39437b4d19dcd6e189a9
SHA512 ce00687199c630b15d2d8e12032d1dffafe67452bb7968c32ffe222c968273c1861a23e2f31154644f9432d494db13671531111cf5cfea34c892179e43360f05

memory/2844-22-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2844-26-0x00000000002F0000-0x0000000000303000-memory.dmp

C:\Windows\{311CD4D7-6A3A-4487-94E4-E538031A4B07}.exe

MD5 014bf65ec345a6b6f31bab3b45cc7b22
SHA1 b19bd0e720c468266431c8f2c63fe7923386a89e
SHA256 05bbd582d4edc5ebfa2fefb218f33e860795513ad2e7e040ebf10dec302f2a96
SHA512 3aac1e651685c38459ff6d395c93b2e6247576f717bf83a1ab1c9218dee47175af179f4ffe76348af85ba7fe4060c837c4c84dd31f5c497806dc3fb2cb05e066

memory/2844-31-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2744-32-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2744-36-0x00000000002A0000-0x00000000002B3000-memory.dmp

memory/2744-41-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{B1A2A6D7-21EE-437f-ABA1-2BE4EF8599E9}.exe

MD5 dfa58c32ce09825adae93c83e53e7b1b
SHA1 8633eb480683a92c42e8f241a23ddf3874c42a76
SHA256 5f9921c7614dc07fed00dc51db9d3dd20ad93d1a218f0098dda805748efa3098
SHA512 565e09cbeb8df423ca5b78119ff03c690486420a1a6827b20d8e5077f57d59703d636066fa52deec562a095db872a8901bb6caacb7b89298398391c038f0f1cb

memory/2652-42-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2652-46-0x0000000000280000-0x0000000000293000-memory.dmp

C:\Windows\{46747600-729E-40a2-AFA2-2389A6DCE912}.exe

MD5 a6d4a85a1bc06ead18a224096641b76b
SHA1 d908cecfbaed9ca77ae5aadd7ab0d2b7f065f626
SHA256 fbc17c1e91bc7b1f58e95ef1794d73e40550b9c1dfb90243eb375bcd423e3c40
SHA512 0c337a10b9eb2d56cc2ee117713f25a5cf008173d8ca2b61abb562bcfa61f68066e41ec793db658015c3d4e8194ee26e906297be09b0e0fa84f0cdc9f3efed20

memory/2952-52-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2652-51-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2952-56-0x0000000000320000-0x0000000000333000-memory.dmp

memory/2952-61-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{BCB90095-9C50-42d5-BF82-A2707C89A36E}.exe

MD5 b5609ef00e7bfac87125ea558f903b74
SHA1 6b7b15edf84a6c1c253da3052dbaee3cf21cbf67
SHA256 6271621a2d4f91622adf6493448495244285257cf9fa0ba9580b55484d72d42d
SHA512 e3871d236c338ac0635e9f78687313812b7637e9ddf3f0272a2127b9e8f8c4ff5e984dc8dbf4dd9df65017db13823c27dba2d428dca3d2c9fdf4da7c5a36c9d6

memory/2996-62-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2996-66-0x00000000003A0000-0x00000000003B3000-memory.dmp

C:\Windows\{83D341AD-1033-476b-94EA-513EDA40E6C6}.exe

MD5 7da20def6b95baec7626a229be08452e
SHA1 cd605920c98f956de0385b9402bb60bb89a63be6
SHA256 3779c6b9f04eb108ec793d6ecc3eceac8ccdffe32ee9492ea8fa210ecd64cdf3
SHA512 8f3c78048ed8037e6ddfe66a03bfcd6885bcfb0679d4e5080746a138d4b1cc9206c5a03e7aebe2d8b2d3d864f1dd4a4e42f6a63308fbd7fd78ac51e175604939

memory/2996-71-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1988-72-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1988-80-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1988-79-0x0000000000290000-0x00000000002A3000-memory.dmp

C:\Windows\{5C4512C9-D4D3-4eb1-9714-238137A86051}.exe

MD5 360480aa85dae013692cabaa458ffb50
SHA1 191906c0307568093e47fe09722cfb64844a0ae6
SHA256 efd581c3bac766e10eea13be20f800db8e7238a073a4cf712024cbc6aca14529
SHA512 2e2ed296e515814a599ed71e4acbd4d252f6f299ef5d6b626d19abf0f86e7f00e042178ec06e14e09274e1c110f19f977028b77375ef2f3f7d4babf23e97a3f3

memory/2324-82-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1988-83-0x0000000000290000-0x00000000002A3000-memory.dmp

memory/2324-84-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2324-92-0x0000000000330000-0x0000000000343000-memory.dmp

memory/2180-95-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{E43C8250-667D-48b6-B4EF-4C57DD6CCE93}.exe

MD5 cdd682a25b95c16a3089cd6fc8b50a38
SHA1 0a90eaec3b08b14d4ac4cc7c905f0a1e358a760f
SHA256 605b6677959e84d4a625a44ebac24ae9e20c49ac71b208b3f9815e27ffb60754
SHA512 b0b6c1ab917f4eac6a6a6d1c2c8ad871c831c5b2c6a3aad1b9279f2e39bdf557edbf59306cf138cefd1f178555189da5da5e80e4318e881839cc17db898ac3c2

memory/2324-93-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2324-91-0x0000000000330000-0x0000000000343000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 06:41
Reported: 2024-11-10 06:43
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}\stubpath = "C:\\Windows\\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe" C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39FB5785-1658-4c5e-8E41-0E2A145BB19C} C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}\stubpath = "C:\\Windows\\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe" C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1} C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}\stubpath = "C:\\Windows\\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe" C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05C4442-3761-4921-9637-7EF5CF006FEF} C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3} C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6924BF2D-F710-4124-96E6-27A83304B195} C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A} C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}\stubpath = "C:\\Windows\\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe" C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942EC688-AC1D-463d-B7F1-373E3C06D3B3} C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}\stubpath = "C:\\Windows\\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe" C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6924BF2D-F710-4124-96E6-27A83304B195}\stubpath = "C:\\Windows\\{6924BF2D-F710-4124-96E6-27A83304B195}.exe" C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8} C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05C4442-3761-4921-9637-7EF5CF006FEF}\stubpath = "C:\\Windows\\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe" C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}\stubpath = "C:\\Windows\\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe" C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}\stubpath = "C:\\Windows\\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe" C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6EFA61D-5B0B-40e8-BDAA-90B342928132} C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe N/A
File created C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe N/A
File created C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe N/A
File created C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe N/A
File created C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe N/A
File created C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe N/A
File created C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
File created C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe N/A
File created C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe
PID 2344 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe
PID 2344 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe
PID 2344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 3572 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe
PID 2372 wrote to memory of 3572 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe
PID 2372 wrote to memory of 3572 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe
PID 2372 wrote to memory of 1668 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 1668 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 1668 N/A C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 2524 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe
PID 3572 wrote to memory of 2524 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe
PID 3572 wrote to memory of 2524 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe
PID 3572 wrote to memory of 1656 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 1656 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 1656 N/A C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1852 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe
PID 2524 wrote to memory of 1852 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe
PID 2524 wrote to memory of 1852 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe
PID 2524 wrote to memory of 4392 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4392 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4392 N/A C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 4236 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe
PID 1852 wrote to memory of 4236 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe
PID 1852 wrote to memory of 4236 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe
PID 1852 wrote to memory of 4072 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 4072 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 4072 N/A C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4224 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe
PID 4236 wrote to memory of 4224 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe
PID 4236 wrote to memory of 4224 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe
PID 4236 wrote to memory of 2696 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 2696 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 2696 N/A C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4948 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe
PID 4224 wrote to memory of 4948 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe
PID 4224 wrote to memory of 4948 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe
PID 4224 wrote to memory of 2260 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 2260 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 2260 N/A C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 812 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe
PID 4948 wrote to memory of 812 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe
PID 4948 wrote to memory of 812 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe
PID 4948 wrote to memory of 3028 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3028 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3028 N/A C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4184 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe
PID 812 wrote to memory of 4184 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe
PID 812 wrote to memory of 4184 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe
PID 812 wrote to memory of 4232 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4232 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4232 N/A C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe

"C:\Users\Admin\AppData\Local\Temp\7f11bbaedacecc229b7d8a21dcc86c455c9e8313326bf95f84fd985ec8bf5a9aN.exe"

C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe

C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F11BB~1.EXE > nul

C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe

C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{39FB5~1.EXE > nul

C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe

C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6924B~1.EXE > nul

C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe

C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F64C~1.EXE > nul

C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe

C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4904~1.EXE > nul

C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe

C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5E0CB~1.EXE > nul

C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe

C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{942EC~1.EXE > nul

C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe

C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B05C4~1.EXE > nul

C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe

C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6EFA~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2344-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2344-1-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{39FB5785-1658-4c5e-8E41-0E2A145BB19C}.exe

MD5 bd6da98ec4a6fc64483a319d0d7cc27c
SHA1 f780a43a903d0554f556846519a66f0320b8635f
SHA256 24c0f101e2f421a3c032baed68f5c06435382656fa7e6128687c84d8424ad2a8
SHA512 6d325cac2dd2a1fcf53c3aa483b30c00cf491c2386470164d6e38bcbcb18ca1d374e0d32bd3c381d37895abd40872309dc4d5b6b1a00012557dcdfe99dc19f17

memory/2372-5-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2344-7-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2372-8-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{6924BF2D-F710-4124-96E6-27A83304B195}.exe

MD5 59a0dd7a3783cff2fd7089be91a26b21
SHA1 08bc0d22e457df27fc449ee1e74b01d45e8dd72d
SHA256 df692ff8054be213f1660689c995e11619c7f729eeae8d4e3953ab4b9de201bd
SHA512 320dcad7f7f2891a87d16b4d4f3865c601ad907a321213c133f2c0e8807abc6be73790fd6cd6446d973b994ede9ebd6e840117d327da86e9241cc1f4534e9a54

memory/3572-13-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2372-12-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3572-15-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{5F64C1B2-A6CF-4bf5-BC85-2D25AB371BD1}.exe

MD5 be83f1e1faf03137de3d9bee1e9175e9
SHA1 265db128c28de410fbcaf5c53d588cfae881cf24
SHA256 784886f1cbdb3f80fa205e6396cdf2587316cb528323e38f4a3565737aeea944
SHA512 beb928ed9edbb0ac8719aacc1249d6c894e4f6d27f9e40836ac8dc348b1f498781713fc3e792bd25a9fe6691c838d6f0b9e9cb16d08aa003904cd504967530eb

memory/3572-20-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2524-21-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2524-22-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{B49044DA-8320-4905-ABF8-18FC5C4A1E5A}.exe

MD5 5fb15f2c4afbd28c46f277482abe96cd
SHA1 55529dd0394e7ad77334dbbf9273ef484771bbe7
SHA256 ba7bc500f1b09deaf7148ecd3f38d58d68472d5aa2f7d483ae33ea5434fad62e
SHA512 62b19c41d14b0e2f2597f282557c30e91a048954afe68f6642ad04f836e8e8560c7d04b99058d600a4c2072094b8c8751338afd08567257a5d222eef4ea0dbf5

memory/2524-25-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1852-27-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1852-29-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1852-34-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4236-35-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{5E0CB925-3A82-49b7-88D5-5F8ADE615DC8}.exe

MD5 58d5ed20bcac4ebb69c2c21299d360de
SHA1 ec3d91785a3ff926fe56e5397f26f099201ad6ec
SHA256 ac302d81b8b52e66224a37fe6776a02cd0c5ec1165c1548f564f4c16cd180388
SHA512 9d3437a565c4067cf03801bc777f2ac1795bee6d58f7e47a1f9841095a7c71ce497407a862c529ef62f035e7674da236cca3cda34ccc0e25b31293b6bd51e262

memory/4236-36-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{942EC688-AC1D-463d-B7F1-373E3C06D3B3}.exe

MD5 1ec4bcc10169eaa11fd870c321448c0c
SHA1 82b6dad405e41ca10172ae4ba8a7bccbf7560db0
SHA256 3267a1df993f6d73919d0f03bae0a3b827a7b4d177e59d415a03ca449c3f9bcb
SHA512 f8ce2f8345dd71854d70509d73bf3fefe32278b05830a6f7f17ea7db986a1e1ff3ca65a2af52f2539ed927c6718f0d37c406133d196cc94667cb4dfa345dd3e1

memory/4224-42-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4236-40-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4224-43-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{B05C4442-3761-4921-9637-7EF5CF006FEF}.exe

MD5 a77d94dffb06eb70cebd2eadcaf69679
SHA1 baee24f7f5d6f6c4845e420284e8f43206dcb850
SHA256 340985efee24ef86b911dddd4570ad2312bbd36fde173c7827657ede6a60a56a
SHA512 b834ba7ea04383c71ea3215f63f35f9a281731e13b6c5102f1f57c9b5ec8ac48be9b0f04b90e1783a73433ed88f6ff3e2b05cb3fc2e3da2f6eee36e14e92ae10

memory/4948-49-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4224-47-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{F6EFA61D-5B0B-40e8-BDAA-90B342928132}.exe

MD5 988fb564bbc220efc5ab6d72d94dc69e
SHA1 1aa78d1790162c73fb066c447e0b2fbfcbfe0123
SHA256 c56715d884ddafdb8470a496f0f339920f9dbe13558539578b10f1de5eb10d4e
SHA512 bf3db0788a94c85beb368221f8e7c781295350c6a9f02783b238acf5010bc9925cd5ac397fb0bde1bc8b69473a0ca9acc49bfeec9c811760551017b60915c6fe

memory/812-54-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4948-52-0x0000000000400000-0x0000000000413000-memory.dmp

memory/812-56-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\{C7D6A2F0-F18F-40b4-9A80-0FB2CA585FD3}.exe

MD5 bdd5c0b41aa87a3f897102ccdf30a8cd
SHA1 43a457f7dde4956be8a8ab217f3f04951c4f1715
SHA256 214ff6cdc9c896483f5f497fc1df1c318ce58cf4e00a5d8ef90cc7a53fec22d8
SHA512 017138a5073edfe5e3946fe6b9bb53f1e86c1c867cf5a29ab8ee2b91dfd8164934d8b2e4d420bdbc866b100f3d7b9bd89101c89fc43b3255fb51401861bd0264

memory/812-60-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4184-61-0x0000000000400000-0x0000000000413000-memory.dmp