Malware Analysis Report

2025-03-14 22:45

Sample ID: 240406-1r5qmacg54
Target: 688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b
SHA256: 688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b

Threat Level: Likely malicious

The file 688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b was found to be: Likely malicious.

Malicious Activity Summary

Modifies Installed Components in the registry (persistence)
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:53
Reported: 2024-04-06 21:56
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe"

Signatures

Modifies Installed Components in the registry (persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46101982-71E9-49bb-84BE-5EFD07FB0359} C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}\stubpath = "C:\\Windows\\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe" C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2467D491-407E-484b-9F96-FC6A24DAF089} C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0} C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}\stubpath = "C:\\Windows\\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe" C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}\stubpath = "C:\\Windows\\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe" C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6E1DD2-3248-47f3-8F8E-313092B1E421} C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}\stubpath = "C:\\Windows\\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe" C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2} C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9} C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2467D491-407E-484b-9F96-FC6A24DAF089}\stubpath = "C:\\Windows\\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe" C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B} C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}\stubpath = "C:\\Windows\\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe" C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46101982-71E9-49bb-84BE-5EFD07FB0359}\stubpath = "C:\\Windows\\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe" C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}\stubpath = "C:\\Windows\\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe" C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53809E74-2B23-4dbf-BD73-1860977842FA} C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97260E75-C2BC-4701-AFF5-2E4DF57F4565} C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD} C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}\stubpath = "C:\\Windows\\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe" C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}\stubpath = "C:\\Windows\\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}.exe" C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E8EB6AC-08D5-4674-ABF7-53159A13947A} C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53809E74-2B23-4dbf-BD73-1860977842FA}\stubpath = "C:\\Windows\\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe" C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}\stubpath = "C:\\Windows\\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe" C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB} C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe N/A
File created C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe N/A
File created C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe N/A
File created C:\Windows\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}.exe C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe N/A
File created C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe N/A
File created C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe N/A
File created C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe N/A
File created C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe N/A
File created C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe N/A
File created C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe N/A
File created C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe N/A
File created C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2020 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe
PID 2940 wrote to memory of 1940 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2576 (4 times) N/A C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe
PID 2020 wrote to memory of 2648 (4 times) N/A C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2460 (4 times) N/A C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe
PID 2576 wrote to memory of 2572 (4 times) N/A C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2500 (4 times) N/A C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe
PID 2460 wrote to memory of 2980 (4 times) N/A C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2376 (4 times) N/A C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe
PID 2500 wrote to memory of 2668 (4 times) N/A C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 1092 (4 times) N/A C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe
PID 2376 wrote to memory of 1096 (4 times) N/A C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 1768 (4 times) N/A C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe
PID 1092 wrote to memory of 584 (4 times) N/A C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 548 (4 times) N/A C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe
PID 1768 wrote to memory of 1488 (4 times) N/A C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe

"C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe"

C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe

C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\688F9A~1.EXE > nul

C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe

C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C1B~1.EXE > nul

C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe

C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7E8EB~1.EXE > nul

C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe

C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2467D~1.EXE > nul

C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe

C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53B8A~1.EXE > nul

C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe

C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{53809~1.EXE > nul

C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe

C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C3BE7~1.EXE > nul

C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe

C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{97260~1.EXE > nul

C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe

C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7D1~1.EXE > nul

C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe

C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{46101~1.EXE > nul

C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe

C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5AFAD~1.EXE > nul

C:\Windows\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}.exe

C:\Windows\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6B6E1~1.EXE > nul

Network

N/A

Files

C:\Windows\{D7C1B417-3E25-4b43-BCE7-846E7539C7D9}.exe
C:\Windows\{7E8EB6AC-08D5-4674-ABF7-53159A13947A}.exe
C:\Windows\{2467D491-407E-484b-9F96-FC6A24DAF089}.exe
C:\Windows\{53B8AE8F-A3F3-4de9-BF87-78FE05EDABB0}.exe
C:\Windows\{53809E74-2B23-4dbf-BD73-1860977842FA}.exe
C:\Windows\{C3BE7C93-A299-4e7f-BC60-069D36ABDC2B}.exe
C:\Windows\{97260E75-C2BC-4701-AFF5-2E4DF57F4565}.exe
C:\Windows\{BC7D15C5-93C3-434c-BA62-90E7EBC744CD}.exe
C:\Windows\{46101982-71E9-49bb-84BE-5EFD07FB0359}.exe
C:\Windows\{5AFAD9E6-51FE-4218-8D92-65C8619F9EEB}.exe
C:\Windows\{6B6E1DD2-3248-47f3-8F8E-313092B1E421}.exe
C:\Windows\{CE3FA365-6DBC-49c3-8B76-ACC3677BAAC2}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:53
Reported: 2024-04-06 21:56
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe"

Signatures

Modifies Installed Components in the registry (persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850} C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}\stubpath = "C:\\Windows\\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe" C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F} C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B05D7D0-7689-4bac-866E-201A91585AFF} C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0679CA80-DA7E-4fe0-B400-56AFEE97E152} C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7} C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}\stubpath = "C:\\Windows\\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe" C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B05D7D0-7689-4bac-866E-201A91585AFF}\stubpath = "C:\\Windows\\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe" C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55ADCB2B-3324-44b5-8539-532A5B126F01}\stubpath = "C:\\Windows\\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe" C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}\stubpath = "C:\\Windows\\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe" C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}\stubpath = "C:\\Windows\\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe" C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B6041A-9663-4591-96A4-07C62AA6FE53}\stubpath = "C:\\Windows\\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe" C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7069BC63-9265-4ee0-93D4-D6ABB43214FA} C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}\stubpath = "C:\\Windows\\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe" C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55ADCB2B-3324-44b5-8539-532A5B126F01} C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B6041A-9663-4591-96A4-07C62AA6FE53} C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}\stubpath = "C:\\Windows\\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe" C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}\stubpath = "C:\\Windows\\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe" C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845} C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321} C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0} C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E630F3-CB06-4f2f-B696-83D7BAA72115} C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E630F3-CB06-4f2f-B696-83D7BAA72115}\stubpath = "C:\\Windows\\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe" C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}\stubpath = "C:\\Windows\\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe" C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
File created C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
File created C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
File created C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe N/A
File created C:\Windows\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A
File created C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
File created C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
File created C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe N/A
File created C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
File created C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe N/A
File created C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
File created C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe N/A
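The two tables above describe one mechanism: each stage writes the next stage to C:\Windows\{GUID}.exe and registers that same file as an Active Setup component under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}\StubPath (the Wow6432Node view because the 32-bit sample runs under WOW64). At the next interactive logon, Windows runs the StubPath of every HKLM component whose GUID is missing from the user's HKCU copy of the key, so each registration is a per-user logon task. Because every stage also deletes itself (see the cmd.exe /c del lines under Processes), most of these StubPath values end up pointing at files that no longer exist; a dangling Active Setup StubPath into C:\Windows is itself a good hunt signal. The script below is an added example, not part of the sandbox report or the sample: it parses the rows of the two tables exactly as printed, rebuilds the drop chain, and checks that each registry write registers a file its writer dropped and that the StubPath has the GUID-in-C:\Windows shape. The regular expressions and the "suspicious StubPath" heuristic are my own; legitimate Active Setup entries normally invoke a signed binary under System32 or Program Files, not a bare executable in the Windows root.

```python
import re

# Rows copied verbatim from the two tables above.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B6041A-9663-4591-96A4-07C62AA6FE53} C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}\stubpath = "C:\\Windows\\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe" C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}\stubpath = "C:\\Windows\\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe" C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845} C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321} C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0} C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E630F3-CB06-4f2f-B696-83D7BAA72115} C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E630F3-CB06-4f2f-B696-83D7BAA72115}\stubpath = "C:\\Windows\\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe" C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}\stubpath = "C:\\Windows\\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe" C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A
"""

FILE_ROWS = r"""
File created C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
File created C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
File created C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
File created C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe N/A
File created C:\Windows\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A
File created C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
File created C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
File created C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe N/A
File created C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
File created C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe N/A
File created C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
File created C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe N/A
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
KEY_RE = re.compile(r"^Key created (\S.*?Installed Components\\(" + GUID + r")) (\S+) N/A$", re.M)
STUB_RE = re.compile(r'^Set value \(str\) (\S.*?Installed Components\\(' + GUID + r'))\\stubpath = "(.*?)" (\S+) N/A$', re.M)
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$", re.M)   # groups: created file, creating process


def guid_of(path):
    """Upper-cased {GUID} embedded in a path, or None."""
    m = re.search(GUID, path)
    return m.group(0).upper() if m else None


def drop_chain(file_rows):
    """Order the 'File created' rows into the sequence sample -> stage 1 -> ... -> last stage."""
    created_by = {created: creator for created, creator in FILE_RE.findall(file_rows)}
    next_of = {creator: created for created, creator in created_by.items()}
    roots = [p for p in next_of if p not in created_by]      # a creator nobody created: the sample
    assert len(roots) == 1, roots
    chain = [roots[0]]
    while chain[-1] in next_of:
        chain.append(next_of[chain[-1]])
    return chain


def active_setup_entries(registry_rows):
    """GUID -> {'writer': process, 'stubpath': value} merged from key-create and set-value rows."""
    entries = {}
    for _key, guid, writer in KEY_RE.findall(registry_rows):
        entries.setdefault(guid.upper(), {})["writer"] = writer
    for _key, guid, stub, writer in STUB_RE.findall(registry_rows):
        entry = entries.setdefault(guid.upper(), {})
        entry["writer"] = writer
        entry["stubpath"] = stub.replace("\\\\", "\\")     # the report doubles backslashes in values
    return entries


def is_suspicious_stubpath(stubpath):
    """Heuristic (my own): a StubPath that launches a GUID-named .exe sitting directly in C:\Windows."""
    return re.fullmatch(r"(?i)c:\\windows\\" + GUID + r"\.exe", stubpath) is not None


def cross_check(registry_rows, file_rows):
    """For each Active Setup GUID: did the writer register a file it dropped itself,
    and does the StubPath (None when this part of the table has no stubpath row) look like the loader?"""
    created_by = {created: creator for created, creator in FILE_RE.findall(file_rows)}
    findings = []
    for guid, entry in active_setup_entries(registry_rows).items():
        own = [f for f, w in created_by.items() if w == entry["writer"] and guid_of(f) == guid]
        findings.append({
            "guid": guid,
            "writer": entry["writer"],
            "registers_own_drop": bool(own),
            "suspicious_stubpath": is_suspicious_stubpath(entry["stubpath"]) if "stubpath" in entry else None,
        })
    return findings


if __name__ == "__main__":
    for i, path in enumerate(drop_chain(FILE_ROWS)):
        print(f"stage {i:2d}: {path}")
    for finding in cross_check(REGISTRY_ROWS, FILE_ROWS):
        print(finding)
```

The chain comes out thirteen deep (the sample plus twelve dropped stages), and every registry row in this part of the table registers exactly the file its writer had just created. Only four GUIDs have a stubpath row here, so the check reports None rather than a verdict for the other four instead of guessing.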

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1556 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe
PID 3348 wrote to memory of 1556 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe
PID 3348 wrote to memory of 1556 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe
PID 3348 wrote to memory of 2676 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2676 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2676 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4652 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe
PID 1556 wrote to memory of 4652 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe
PID 1556 wrote to memory of 4652 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe
PID 1556 wrote to memory of 4796 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4796 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4796 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 4884 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe
PID 4652 wrote to memory of 4884 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe
PID 4652 wrote to memory of 4884 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe
PID 4652 wrote to memory of 2324 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 2324 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 2324 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 908 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe
PID 4884 wrote to memory of 908 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe
PID 4884 wrote to memory of 908 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe
PID 4884 wrote to memory of 4052 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 4052 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 4052 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3780 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe
PID 908 wrote to memory of 3780 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe
PID 908 wrote to memory of 3780 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe
PID 908 wrote to memory of 2296 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2296 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2296 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4100 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe
PID 3780 wrote to memory of 4100 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe
PID 3780 wrote to memory of 4100 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe
PID 3780 wrote to memory of 3088 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 3088 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 3088 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4612 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe
PID 4100 wrote to memory of 4612 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe
PID 4100 wrote to memory of 4612 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe
PID 4100 wrote to memory of 3572 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3572 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3572 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 3628 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe
PID 4612 wrote to memory of 3628 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe
PID 4612 wrote to memory of 3628 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe
PID 4612 wrote to memory of 4964 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4964 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4964 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2664 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe
PID 3628 wrote to memory of 2664 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe
PID 3628 wrote to memory of 2664 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe
PID 3628 wrote to memory of 3140 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3140 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3140 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 4356 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe
PID 2664 wrote to memory of 4356 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe
PID 2664 wrote to memory of 4356 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe
PID 2664 wrote to memory of 4700 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\SysWOW64\cmd.exe
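Two things in this table trip up a naive parent/child reconstruction: most edges are reported three times (three writes into the freshly created child), and PID 4700 appears twice with different parents, first as the cmd.exe started by PID 3496 and, near the end of the table, as the cmd.exe started by PID 2664. The first cmd.exe had long since exited and Windows reused its PID, so a tree keyed on PID alone would hang the second cmd.exe under the wrong parent. The script below is an added example, not part of the sandbox report: it parses rows in the table's own format, collapses the repeats, treats a (PID, image) pair that reappears under a different parent as a new process instance, and follows the non-cmd.exe child from the root to recover the twelve-stage loader chain. To keep it short, the embedded input keeps the three repeats only for the first stage's two edges and one row per edge for the rest; that abbreviation is mine, not the report's.

```python
import re
from collections import defaultdict

# Rows in the format of the table above (first-stage repeats kept, later stages one row per edge).
WPM_ROWS = r"""
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1556 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe
PID 3348 wrote to memory of 2676 N/A C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 4652 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe
PID 1556 wrote to memory of 4796 N/A C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 4884 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe
PID 4652 wrote to memory of 2324 N/A C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 908 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe
PID 4884 wrote to memory of 4052 N/A C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3780 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe
PID 908 wrote to memory of 2296 N/A C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4100 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe
PID 3780 wrote to memory of 3088 N/A C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4612 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe
PID 4100 wrote to memory of 3572 N/A C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 3628 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe
PID 4612 wrote to memory of 4964 N/A C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2664 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe
PID 3628 wrote to memory of 3140 N/A C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 4356 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe
PID 2664 wrote to memory of 4700 N/A C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe C:\Windows\SysWOW64\cmd.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$", re.M)


def build_tree(rows):
    """Return (nodes, children, parent_of): nodes maps an instance id to (pid, image);
    children lists child instance ids per parent in first-seen order; repeats are collapsed
    and a reused PID becomes a fresh instance instead of being re-parented."""
    nodes = {}                       # instance id -> (pid, image)
    parent_of = {}                   # instance id -> parent instance id
    children = defaultdict(list)
    alive = {}                       # pid -> instance id currently holding that PID

    def instance(pid, image):
        nid = alive.get(pid)
        if nid is None or nodes[nid][1].lower() != image.lower():
            nid = len(nodes)
            nodes[nid] = (pid, image)
            alive[pid] = nid
        return nid

    for ppid, cpid, pimg, cimg in ROW_RE.findall(rows):
        ppid, cpid = int(ppid), int(cpid)
        parent = instance(ppid, pimg)
        child = instance(cpid, cimg)
        if child in parent_of and parent_of[child] != parent:
            # same PID and image under a different parent: the earlier process exited and
            # Windows reused its PID, so record a new instance rather than moving the old one
            child = len(nodes)
            nodes[child] = (cpid, cimg)
            alive[cpid] = child
        if child not in parent_of:       # second and third writes into the same child: no new edge
            parent_of[child] = parent
            children[parent].append(child)
    return nodes, children, parent_of


def stage_chain(nodes, children, parent_of):
    """Follow the non-cmd.exe child from the root: the sequence of loader stages as (pid, image)."""
    roots = [n for n in nodes if n not in parent_of]
    assert len(roots) == 1, roots
    chain = [roots[0]]
    while True:
        nxt = [c for c in children[chain[-1]] if not nodes[c][1].lower().endswith("\\cmd.exe")]
        if not nxt:
            return [nodes[n] for n in chain]
        chain.append(nxt[0])


def pid_instances(nodes, pid):
    """All instance ids that carried a given PID (more than one means the PID was reused)."""
    return [n for n, (p, _) in nodes.items() if p == pid]


def render(nodes, children, node, depth=0):
    """Indented text tree, root first."""
    pid, image = nodes[node]
    lines = [f"{'  ' * depth}{image} (PID {pid})"]
    for child in children[node]:
        lines.extend(render(nodes, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    nodes, children, parent_of = build_tree(WPM_ROWS)
    root = next(n for n in nodes if n not in parent_of)
    print("\n".join(render(nodes, children, root)))
```

Every stage except the last one recorded (PID 4356) has exactly two children, the next stage and a cmd.exe, which is the shape to look for when writing a behavioural rule for this loader; the concrete GUID file names and PIDs are per-run noise.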

Processes

(PID and parent PID are taken from the WriteProcessMemory rows above; the last two processes have no row there. The sample runs as a 32-bit process: the C:\Windows\system32\cmd.exe it launches is redirected to SysWOW64 by WOW64 file-system redirection, which is also why its Active Setup keys land under Wow6432Node. Each cmd.exe deletes the image of the process that started it, using the 8.3 short name.)

C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe (PID 3496)
  "C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe"

C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe (PID 3348, parent 3496)
  C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe

C:\Windows\SysWOW64\cmd.exe (PID 4700, parent 3496)
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\688F9A~1.EXE > nul

C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe (PID 1556, parent 3348)
  C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2676, parent 3348)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A8F~1.EXE > nul

C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe (PID 4652, parent 1556)
  C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe

C:\Windows\SysWOW64\cmd.exe (PID 4796, parent 1556)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{88D6B~1.EXE > nul

C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe (PID 4884, parent 4652)
  C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2324, parent 4652)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{D56AF~1.EXE > nul

C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe (PID 908, parent 4884)
  C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe

C:\Windows\SysWOW64\cmd.exe (PID 4052, parent 4884)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{68F02~1.EXE > nul

C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe (PID 3780, parent 908)
  C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe

C:\Windows\SysWOW64\cmd.exe (PID 2296, parent 908)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{9B0D0~1.EXE > nul

C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe (PID 4100, parent 3780)
  C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe

C:\Windows\SysWOW64\cmd.exe (PID 3088, parent 3780)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{8B05D~1.EXE > nul

C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe (PID 4612, parent 4100)
  C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe

C:\Windows\SysWOW64\cmd.exe (PID 3572, parent 4100)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{12E63~1.EXE > nul

C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe (PID 3628, parent 4612)
  C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe

C:\Windows\SysWOW64\cmd.exe (PID 4964, parent 4612)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B60~1.EXE > nul

C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe (PID 2664, parent 3628)
  C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe

C:\Windows\SysWOW64\cmd.exe (PID 3140, parent 3628)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{0679C~1.EXE > nul

C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe (PID 4356, parent 2664)
  C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe

C:\Windows\SysWOW64\cmd.exe (PID 4700 again, reused after the first cmd.exe exited; parent 2664)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{7069B~1.EXE > nul

C:\Windows\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe (PID not reported)
  C:\Windows\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe

C:\Windows\SysWOW64\cmd.exe (PID not reported)
  C:\Windows\system32\cmd.exe /c del C:\Windows\{55ADC~1.EXE > nul
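The self-deletion in the process list is easy to miss in a string-based rule: the parent is logged with its long name (688f9af1…c82135b.exe, {C7A8F606-…}.exe) while the child's del command carries the 8.3 short name Windows generates for it (688F9A~1.EXE, {C7A8F~1.EXE), so a naive "command line contains parent image" comparison never fires. The script below is an added example, not part of the sandbox report: it pairs each cmd.exe command line with the image of the process that started it (parents as reported in the WriteProcessMemory table; the final cmd.exe has no parent row there and is left out) and decides whether the del target is that parent's own file. The 8.3 matching is my approximation of how Windows forms short names (first six characters of the stem plus ~N, three-character extension); it ignores the hash-style names Windows switches to after several collisions and the characters NTFS strips from the stem, which is enough for the paths on this page. The last pair is a constructed benign command, added for contrast.

```python
import re
import ntpath   # Windows path semantics regardless of the host OS

# (image of the process that started cmd.exe, cmd.exe command line) from the process list above.
PAIRS = [
    (r"C:\Users\Admin\AppData\Local\Temp\688f9af10f63309f43dbeae5e50a01a88dfc6d03446dba2e5ae6abd00c82135b.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\688F9A~1.EXE > nul"),
    (r"C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A8F~1.EXE > nul"),
    (r"C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{88D6B~1.EXE > nul"),
    (r"C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D56AF~1.EXE > nul"),
    (r"C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{68F02~1.EXE > nul"),
    (r"C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9B0D0~1.EXE > nul"),
    (r"C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8B05D~1.EXE > nul"),
    (r"C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{12E63~1.EXE > nul"),
    (r"C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B60~1.EXE > nul"),
    (r"C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0679C~1.EXE > nul"),
    (r"C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7069B~1.EXE > nul"),
    # constructed benign pair (not from the report): a stage deleting some other file
    (r"C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe", r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]

# 'del', optional switches such as /q /f, then one quoted or unquoted path
DEL_RE = re.compile(r'(?i)\bdel\s+(?:/\w+\s+)*("[^"]+"|\S+)')


def del_targets(cmdline):
    """Paths passed to del anywhere in a cmd.exe command line, quotes stripped."""
    return [t.strip('"') for t in DEL_RE.findall(cmdline)]


def short_name_matches(long_path, candidate):
    """True if candidate names the same file as long_path, either verbatim or as the 8.3
    short form NAME~N.EXT (approximation: first six stem characters, three-character extension)."""
    long_dir, long_file = ntpath.split(long_path)
    cand_dir, cand_file = ntpath.split(candidate)
    if long_dir.lower() != cand_dir.lower():
        return False
    if long_file.lower() == cand_file.lower():
        return True
    long_stem, long_ext = ntpath.splitext(long_file)
    cand_stem, cand_ext = ntpath.splitext(cand_file)
    m = re.fullmatch(r"(.{1,6})~\d+", cand_stem)
    if not m:
        return False
    stem6 = long_stem.replace(" ", "").replace(".", "")[:6].upper()
    return stem6 == m.group(1).upper() and long_ext.lstrip(".")[:3].upper() == cand_ext.lstrip(".").upper()


def is_self_delete(parent_image, cmdline):
    """Does this cmd.exe delete the image of the process that started it?"""
    return any(short_name_matches(parent_image, target) for target in del_targets(cmdline))


def self_delete_findings(pairs):
    return [(parent, cmdline) for parent, cmdline in pairs if is_self_delete(parent, cmdline)]


if __name__ == "__main__":
    for parent, cmdline in self_delete_findings(PAIRS):
        print(f"self-delete: {parent}\n    via {cmdline}")
```

A rule built on this pairing (parent image resolved through the short-name check, child is cmd.exe running del with output sent to nul) catches every stage here without depending on the GUID names, and it will not fire on the constructed benign deletion.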

Network

(Only reverse-lookup (PTR) queries to 8.8.8.8 for in-addr.arpa names were recorded; the report does not attribute any of them to a specific process, and no other connections appear.)
Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

(Each of the twelve dropped stages has a different hash and a different GUID-style name, so a hash or file-name match on any one of them is a weak detection; the durable indicator is the pattern itself: a GUID-named executable dropped into C:\Windows and registered as an Active Setup StubPath, then deleted by a child cmd.exe.)
C:\Windows\{C7A8F606-3DD8-40ee-BC2D-D0B231DD8850}.exe

MD5 53663cc12c9e95ca9f164742bcc6ee1d
SHA1 310c97fbbbe5563c9e6d2cbbe8030348bcdcaa76
SHA256 95c10c2c77b2e8428970ec75ee41b119ee9bfd975edb22972dc3a8b1d8d46ed3
SHA512 2a21b2e2905ee0462c9e09fbf49568de10a0595e37e636294fc2446cd25294cdd9b4bfa1be73704f9f3762c02ab01781e5b1fd6ab0a8d79c0f97aa0eac35dbb7

C:\Windows\{88D6B9C6-F965-4cd8-9F7C-6F995EA46845}.exe

MD5 4c3cbb6c234e9f8ac28e5dd95fc24da8
SHA1 7e5494030ef787a7420b52f38ca9728f737700b0
SHA256 77716c5d05da6330e274b7cef0fe8413bcab630a9917b72b1454dd1e7d25874b
SHA512 45081157ec13c5136860647c190609e2e4021bb430a9bba3f5bc5ba7aac31eb01346424225435392d2834260ae238b33007af980610a5b96a0659e1dd499986b

C:\Windows\{D56AFA83-FFE9-41a1-AC6A-CF63E2BDD321}.exe

MD5 6cf75a8026427d350821970e08b446a8
SHA1 b20924da956ba1afb7ea5c019317161316bdedf1
SHA256 b9fecda25f6a21cd903f6c4f102de778ab3bef7676ee6cbddbd85e57dea2f050
SHA512 5047724664a8e7a6700d0f22fa1588ac5a749ebfb54e46ff9f63ce58f7a4c02dd8c6f1819d52b593535fdf8926bff3018e2059baf6608c6b0bf11e46a61c4086

C:\Windows\{68F02873-FDB4-42a0-8C6A-9327F3F8D38F}.exe

MD5 e8ecdc4c427d12e757d21da94a732e13
SHA1 217d1b0b1504743ec42be28c9c7bae85eccf6d15
SHA256 e47ecebe2814416df4bf7a6ac1a760d3b208d1821ee05aba053aa60f206f7111
SHA512 e3e08a31010c1a7ddfd5790913d7dbbb0ae8b9c51887400c8a344dcc9246f358875539153cfdb6419500e22ff260866c2714938da1a433050b0f0c919516978e

C:\Windows\{9B0D0879-F5FC-4a0f-ABB0-F22C00899CC0}.exe

MD5 4cafdcb97dfcd36cab642f91b2d827b7
SHA1 ce543267fe1308f91d4e3edc4563ccadca4d684c
SHA256 4a9d46200373bd9ac9da144ebde4eb8e010eda5b5015449ef975618a455ce6f3
SHA512 06b38f3c10d442e1af905b5d584161d4cdaeb32285532b3f3c6976fcb337f23c60262177218456d1d121bdfbe6066dc03bbd96261e911bae10fd3118de04c1b5

C:\Windows\{8B05D7D0-7689-4bac-866E-201A91585AFF}.exe

MD5 a3dddf95d21e939a4fbd726cb9b0705e
SHA1 d5f9eb25c5f6efac9d2f7da02d4efe55bee9f53d
SHA256 4d9e01ace26ba2d55219e4b3e4422b5eff3f6e8e9b5241966447d2e1c21800ea
SHA512 b25e36f3469517b948a43d5822fc3e7ab343a46cdb85dd1ec4f3328797b8f4f3c1d23551c7c8f8ec080842e20aeea411715253f05658a53a56f44a3dd11bbada

C:\Windows\{12E630F3-CB06-4f2f-B696-83D7BAA72115}.exe

MD5 c700462642fa6132766292fbe90c326e
SHA1 a98afa7f5ba880881437f2e2657b216037102383
SHA256 2c2b795b13a45e7a1d158004ca033a11399714bc90a0aa8d8d2eda0dc81529fd
SHA512 f61d427e524534d13d0d091ade62655af4a6224fa04b227912bcce15d4949aed3841810bc044f4f7665faf0065ec19f5d89177e6f57631410053c2198ba4483a

C:\Windows\{C5B6041A-9663-4591-96A4-07C62AA6FE53}.exe

MD5 d859be7e67ff7288c418d422dcb72fb8
SHA1 77a59a3f005615ebd84e5218ea97e29ccb12cad5
SHA256 5a2f8f5d1a7f5f38d37d217f084f4b40290a25ed511ce31b2c7256ece489f4a0
SHA512 0dd626dfa01a892ebee687c2546813348c7791614a1274a5c737b581646ec6534b31db7f9d7d00ea1afb9189e5e3ea1e5f977854a97dfd6ed647c9d0f45ebf66

C:\Windows\{0679CA80-DA7E-4fe0-B400-56AFEE97E152}.exe

MD5 796b986db4b6435a5edf931da9b44b4b
SHA1 f8a361dbef82cfc01406e3b504190925f3173622
SHA256 52c69f60c8b6b5b85fb5a11f74554596042465c2fc842514f63d62028a4fb99a
SHA512 33cba1c44cf77c1d83155747f7bf7dffd23e3bd82519a7491169e617cfdabe5f0873ab286606eda9742b5c7ce7169f6fb26bee25038d31a1ec9fe13fe6c22e79

C:\Windows\{7069BC63-9265-4ee0-93D4-D6ABB43214FA}.exe

MD5 6cc71c856365410efec92a6bba1c00ec
SHA1 879e03401813bb395b09c919378eb9965b67e825
SHA256 c25728842a75e267f68b8f3f417dbce2e5657d1b13bb48327bc4ebcac77d9e3a
SHA512 665ece7b672470986b638b1a19a1341acdf08dfe1a6267828246ab006877a77e981d141501d1b1bbd20d4178407185d579fcd143b57f2e53957ce2597800bb5e

C:\Windows\{55ADCB2B-3324-44b5-8539-532A5B126F01}.exe

MD5 abb5c2579a27c2a9bc2739e7bd84b634
SHA1 ce18ac3b468635787c77bc6c84562a801aa88f5e
SHA256 96d5827bc34bafb2025ad9edc9923f8f7b3765a3efdad713b61a967d9d27d5bf
SHA512 b26ef66b969ee6288a401443d097a8f51fc09b7c1d1eb0312501cc2e6cbabcc3165735c8a62b1b94546c3887a3a7340b89718e2e0016e6524a55160763654461

C:\Windows\{D464FBF3-2B4E-4f1c-8C9D-AC35F967F4A7}.exe

MD5 b3fac78398463527faf18b212df841af
SHA1 793c52bf15bcd414d1f568901657acc73581ddfb
SHA256 d51c4518a4997613f5f16212d190b10c36ad5aa18913301b024896e78abaa9fb
SHA512 9a3e393f120b0e30cafab7bbbeb9a48dffab66d8d41efc27d41d6b12509b5b81022e191040684cb893a15ac011ec566c95d2bff5cfc6945edfc033a00880c767