Malware Analysis Report

2025-08-10 14:58

Sample ID 241112-n7tbba1mhx
Target 449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe
SHA256 1132de8a4f69e915a2a8a55ff1468a0676c89581b5513847febb35fc4c6ee730
Tags
discovery persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:02

Reported

2024-11-12 12:04

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C517047-EB52-445a-9C89-89E52197860B} C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C517047-EB52-445a-9C89-89E52197860B}\stubpath = "C:\\Windows\\{7C517047-EB52-445a-9C89-89E52197860B}.exe" C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24671832-D1E0-4206-83E5-4C41DCECA58B} C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA} C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}\stubpath = "C:\\Windows\\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe" C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F40B7CBD-8DD1-4d9a-A441-0A9082614373} C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}\stubpath = "C:\\Windows\\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe" C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6} C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402FA2F3-38D5-467a-B038-56CED5E17AA1}\stubpath = "C:\\Windows\\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe" C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}\stubpath = "C:\\Windows\\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe" C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49989BCB-BCFB-46ce-B02D-333FE534EB2F} C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FDA8D5E-4749-4be3-901E-0004F863014B}\stubpath = "C:\\Windows\\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe" C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402FA2F3-38D5-467a-B038-56CED5E17AA1} C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58} C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}\stubpath = "C:\\Windows\\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe" C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}\stubpath = "C:\\Windows\\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe" C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24671832-D1E0-4206-83E5-4C41DCECA58B}\stubpath = "C:\\Windows\\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe" C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FDA8D5E-4749-4be3-901E-0004F863014B} C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe N/A
File created C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe N/A
File created C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe N/A
File created C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
File created C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe N/A
File created C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe N/A
File created C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe N/A
File created C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe N/A
File created C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe
PID 2380 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2696 N/A C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe
PID 1048 wrote to memory of 2804 N/A C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2872 N/A C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2792 N/A C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe
PID 2872 wrote to memory of 2668 N/A C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2468 N/A C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe
PID 2792 wrote to memory of 2600 N/A C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 1740 N/A C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe
PID 2468 wrote to memory of 2100 N/A C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1240 N/A C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe
PID 1740 wrote to memory of 2028 N/A C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 1456 N/A C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe
PID 1240 wrote to memory of 1612 N/A C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe

"C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"

C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe

C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\449984~1.EXE > nul

C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe

C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F40B7~1.EXE > nul

C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe

C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{402FA~1.EXE > nul

C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe

C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7C517~1.EXE > nul

C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe

C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B40E0~1.EXE > nul

C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe

C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9FBDB~1.EXE > nul

C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe

C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{49989~1.EXE > nul

C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe

C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{24671~1.EXE > nul

C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe

C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5FDA8~1.EXE > nul

Network

N/A

Files

C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe

C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe

C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe

C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe

C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe

C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe

C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe

C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe

C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 12:02

Reported

2024-11-12 12:04

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DB36FA-815B-4160-A971-68236282999A} C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82E763B6-276D-4730-A2C4-757D466869FE}\stubpath = "C:\\Windows\\{82E763B6-276D-4730-A2C4-757D466869FE}.exe" C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071AA0F7-92F8-408f-A434-4C8379165464} C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72AFF128-1022-4ca6-B050-648EAECDDC2E}\stubpath = "C:\\Windows\\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe" C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55B86B44-663D-4439-A03E-D62DC9D15BD4} C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13828EEA-C735-48e7-AD41-CCCC23DB16DA} C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}\stubpath = "C:\\Windows\\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe" C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594244E7-C045-46a4-8C3A-15CB14D025BF} C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594244E7-C045-46a4-8C3A-15CB14D025BF}\stubpath = "C:\\Windows\\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe" C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3} C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}\stubpath = "C:\\Windows\\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe" C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55B86B44-663D-4439-A03E-D62DC9D15BD4}\stubpath = "C:\\Windows\\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe" C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071AA0F7-92F8-408f-A434-4C8379165464}\stubpath = "C:\\Windows\\{071AA0F7-92F8-408f-A434-4C8379165464}.exe" C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72AFF128-1022-4ca6-B050-648EAECDDC2E} C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DB36FA-815B-4160-A971-68236282999A}\stubpath = "C:\\Windows\\{37DB36FA-815B-4160-A971-68236282999A}.exe" C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1294328C-014D-4fb8-B963-FDD6FD6F2745} C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1294328C-014D-4fb8-B963-FDD6FD6F2745}\stubpath = "C:\\Windows\\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe" C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82E763B6-276D-4730-A2C4-757D466869FE} C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe N/A
File created C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe N/A
File created C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe N/A
File created C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe N/A
File created C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
File created C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe N/A
File created C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe N/A
File created C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe N/A
File created C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe
PID 5100 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1508 N/A C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe
PID 1548 wrote to memory of 2892 N/A C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 980 N/A C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe
PID 1508 wrote to memory of 4236 N/A C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe C:\Windows\SysWOW64\cmd.exe
PID 980 wrote to memory of 3396 N/A C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe
PID 980 wrote to memory of 1416 N/A C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4552 N/A C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe
PID 3396 wrote to memory of 4788 N/A C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1564 N/A C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe
PID 4552 wrote to memory of 1664 N/A C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 4336 N/A C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe
PID 1564 wrote to memory of 4344 N/A C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3356 N/A C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe
PID 4336 wrote to memory of 4952 N/A C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe C:\Windows\SysWOW64\cmd.exe
PID 3356 wrote to memory of 932 N/A C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe
PID 3356 wrote to memory of 1756 N/A C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe

"C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"

C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe

C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\449984~1.EXE > nul

C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe

C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55B86~1.EXE > nul

C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe

C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{13828~1.EXE > nul

C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe

C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{071AA~1.EXE > nul

C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe

C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{59424~1.EXE > nul

C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe

C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72AFF~1.EXE > nul

C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe

C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{37DB3~1.EXE > nul

C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe

C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{12943~1.EXE > nul

C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe

C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C70AF~1.EXE > nul

Network

Country Destination Domain Proto

Files

C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe

C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe

C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe

C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe

C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe

C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe

C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe

C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe

C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe
