Malware Analysis Report

2025-03-14 23:13

Sample ID: 240406-3svyxsfc55
Target: 9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992
SHA256: 9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992
Tags: persistence
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992
Threat Level: Known bad

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:47

Signatures

Auto-generated rule
(no description, indicator, process or target recorded)

Unsigned PE
(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:47
Reported: 2024-04-06 23:49
Platform: win7-20240215-en
Max time kernel: 144s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe"

Signatures

Auto-generated rule
(11 matches; no description, indicator, process or target recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5B7F9C-F1CC-4308-8A72-841D608134DD} C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D7967DA-C048-4b68-8FFA-05F885A504EE}\stubpath = "C:\\Windows\\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe" C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251E656D-2A9D-4ee9-95C1-E7430166BDCC} C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}\stubpath = "C:\\Windows\\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe" C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF} C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02} C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}\stubpath = "C:\\Windows\\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe" C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D7967DA-C048-4b68-8FFA-05F885A504EE} C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17E85704-1CFF-4da4-A70B-E292A7AA019D} C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31361BD-CE47-4da6-958D-C9DDB0FEF032} C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}\stubpath = "C:\\Windows\\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe" C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}\stubpath = "C:\\Windows\\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe" C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}\stubpath = "C:\\Windows\\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe" C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296D62F2-7388-4349-8E9C-3CB44282905C}\stubpath = "C:\\Windows\\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe" C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95} C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD4D70F-089F-4759-90BE-C483EB296BDE} C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD4D70F-089F-4759-90BE-C483EB296BDE}\stubpath = "C:\\Windows\\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe" C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17E85704-1CFF-4da4-A70B-E292A7AA019D}\stubpath = "C:\\Windows\\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe" C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}\stubpath = "C:\\Windows\\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe" C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}\stubpath = "C:\\Windows\\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe" C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECCF4529-720E-42ab-B126-5963F8F9A5B5} C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296D62F2-7388-4349-8E9C-3CB44282905C} C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe N/A
File created C:\Windows\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe N/A
File created C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe N/A
File created C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe N/A
File created C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe N/A
File created C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe N/A
File created C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe N/A
File created C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
File created C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe N/A
File created C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe N/A
File created C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the raw log records each parent/child write four times; the 16 distinct pairs are listed once each, in the order they occurred)
PID 2932 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe
PID 2932 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2708 N/A C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe
PID 2112 wrote to memory of 2560 N/A C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2736 N/A C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe
PID 2708 wrote to memory of 1712 N/A C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2952 N/A C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe
PID 2736 wrote to memory of 1792 N/A C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2820 N/A C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe
PID 2952 wrote to memory of 2964 N/A C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2616 N/A C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe
PID 2820 wrote to memory of 1860 N/A C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2168 N/A C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe
PID 2616 wrote to memory of 1556 N/A C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2508 N/A C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe
PID 2168 wrote to memory of 1652 N/A C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Listed in creation order, image path first and command line indented beneath it. Read together with the WriteProcessMemory events above, each stage starts two children: the next GUID-named stage, and a cmd.exe that deletes the stage's own executable by its 8.3 short name (9D3FFB~1.EXE is the sample, {296D6~1.EXE the first stage). The command lines name C:\Windows\system32\cmd.exe while the recorded image is C:\Windows\SysWOW64\cmd.exe because the callers are 32-bit processes and WOW64 file system redirection maps System32 to SysWOW64. No file drop or child process is recorded for the final stage, {ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe.

C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe"
C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe
    C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D3FFB~1.EXE > nul
C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe
    C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{296D6~1.EXE > nul
C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe
    C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7351A~1.EXE > nul
C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe
    C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{251E6~1.EXE > nul
C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe
    C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD4D~1.EXE > nul
C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe
    C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1D796~1.EXE > nul
C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe
    C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17E85~1.EXE > nul
C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe
    C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3136~1.EXE > nul
C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe
    C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14C17~1.EXE > nul
C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe
    C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{962BE~1.EXE > nul
C:\Windows\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe
    C:\Windows\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe
C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A5B7~1.EXE > nul
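The persistence recorded above is Active Setup: Windows runs each HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath command once per user at logon whenever that user's HKCU hive has no matching {GUID} key (or an older Version), so a GUID-named executable dropped into C:\Windows and registered there survives reboots even after the dropper has deleted itself. The Wow6432Node prefix in the recorded keys is the 32-bit sample's write being redirected on 64-bit Windows. The Python below is an added example, not code from the report, the sandbox or the sample. It parses stubpath rows copied from the behavioral1 table, follows writer to registered stub to recover the stage order, flags stubs that look unlike vendor-installed Active Setup entries, and checks each cmd.exe deletion target against its parent's image through the 8.3 short-name convention used in the Processes section. The benign regsvr32 row, the two heuristics and all function names are constructed for illustration.

```python
"""Rebuild the Active Setup dropper chain from sandbox report rows.

Added example, not code from the report, the sandbox or the sample. REGISTRY_ROWS
copies five "Set value (str) ... stubpath" rows from the behavioral1 table above, in
the report's order, plus one constructed benign row for contrast. SPAWNED_CMDS pairs
three stages with the cmd.exe command lines listed in the Processes section.
"""
import re

GUID_RE = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
# One report row: 'Set value (str) <key>\stubpath = "<value>" <writing process> <target>'
STUBPATH_ROW = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\'
    rf'(?P<guid>{GUID_RE})\\stubpath = "(?P<stub>[^"]*)" (?P<writer>\S+)',
    re.IGNORECASE,
)
# A stub that is a GUID-named executable sitting directly in the Windows directory
GUID_EXE_IN_WINDIR = re.compile(rf"^[A-Z]:\\Windows\\{GUID_RE}\.exe$", re.IGNORECASE)
# The self-delete idiom from the Processes section: cmd.exe /c del <file> > nul
DEL_CMD = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe"
STAGE1 = r"C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe"
STAGE2 = r"C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe"

REGISTRY_ROWS = [  # the report escapes backslashes inside string values ("C:\\Windows\\...")
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D7967DA-C048-4b68-8FFA-05F885A504EE}\stubpath = "C:\\Windows\\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe" C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}\stubpath = "C:\\Windows\\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe" C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}\stubpath = "C:\\Windows\\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe" C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296D62F2-7388-4349-8E9C-3CB44282905C}\stubpath = "C:\\Windows\\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe" C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD4D70F-089F-4759-90BE-C483EB296BDE}\stubpath = "C:\\Windows\\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe" C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe N/A',
    # constructed benign row modelled on the stock Windows Desktop Update component; not from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\stubpath = "C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll" C:\Windows\System32\msiexec.exe N/A',
]
SPAWNED_CMDS = [  # (parent image, cmd.exe command line the parent started)
    (SAMPLE, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D3FFB~1.EXE > nul"),
    (STAGE1, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{296D6~1.EXE > nul"),
    (STAGE2, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7351A~1.EXE > nul"),
]

def parse_stubpath_rows(rows):
    """Return (guid, stub_path, writer) for every stubpath write; other rows are skipped."""
    parsed = []
    for row in rows:
        m = STUBPATH_ROW.match(row)
        if m:
            stub = m.group("stub").replace("\\\\", "\\")  # undo the report's escaping
            parsed.append((m.group("guid").upper(), stub, m.group("writer")))
    return parsed

def stubpath_findings(guid, stub):
    """Reasons a StubPath looks unlike a vendor-installed Active Setup stub (empty = nothing odd)."""
    reasons = []
    if GUID_EXE_IN_WINDIR.match(stub):
        reasons.append("GUID-named executable directly in the Windows directory")
    if stub.rsplit("\\", 1)[-1].lower() == f"{guid.lower()}.exe":
        reasons.append("stub file is named after its own component GUID")
    return reasons

def build_chain(parsed, root):
    """Follow writer -> the stub it registered, starting at the submitted sample."""
    next_stage = {writer.lower(): stub for _, stub, writer in parsed}
    chain, seen = [root], {root.lower()}
    while chain[-1].lower() in next_stage:
        nxt = next_stage[chain[-1].lower()]
        if nxt.lower() in seen:  # a stage re-registering an earlier one would loop forever
            break
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain

def short_name_matches(short_path, long_path):
    """Does an 8.3 alias such as 9D3FFB~1.EXE plausibly name long_path? The alias keeps only the
    first six base-name characters and three extension characters, so this is a same-directory
    prefix heuristic; on a live host resolve the alias with GetLongPathName instead."""
    s_dir, _, s_name = short_path.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    s_base, _, s_ext = s_name.rpartition(".")
    l_base, _, l_ext = l_name.rpartition(".")
    if "~" not in s_base:
        return s_name.lower() == l_name.lower()
    prefix = s_base.split("~", 1)[0].lower()
    return l_base.lower().startswith(prefix) and l_ext[:3].lower() == s_ext.lower()

def self_deleting_stages(spawned):
    """Parents whose spawned cmd.exe deletes the parent's own image file."""
    hits = []
    for parent, cmdline in spawned:
        m = DEL_CMD.search(cmdline)
        if m and short_name_matches(m.group("target"), parent):
            hits.append(parent)
    return hits

def report(rows, spawned, root):
    parsed = parse_stubpath_rows(rows)
    flagged = [(g, s, w, stubpath_findings(g, s)) for g, s, w in parsed if stubpath_findings(g, s)]
    return {"chain": build_chain(parsed, root), "flagged": flagged, "self_deleting": self_deleting_stages(spawned)}

if __name__ == "__main__":
    r = report(REGISTRY_ROWS, SPAWNED_CMDS, SAMPLE)
    print(" ->\n".join(r["chain"]), r["flagged"], r["self_deleting"], sep="\n")
```

Running the file prints the recovered stage order, the five flagged stubs (each hits both heuristics) and the three self-deleting parents; the benign regsvr32 entry produces no finding. The same row regex can be pointed at `reg query` output or Sysmon event ID 13 (registry value set) records from a live host once the column layout is adjusted, and the 8.3 check is deliberately a prefix heuristic because the alias suffix (~1, ~2, ...) cannot be recomputed offline.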

Network

N/A

Files

C:\Windows\{296D62F2-7388-4349-8E9C-3CB44282905C}.exe

MD5 0a24ab7cbc982ab8b43cd018e00e0e9c
SHA1 ea06f27c7205f7cc27000befc86a22ab31708203
SHA256 1cc8d0fdb4fd09e100a287102f87a2c5adbe2f7de446c9dc1cbf025624acdfc8
SHA512 1888a242bc245cbc69608e0c939c4ae83e7b75ec0568535e87ad592e02c3b93024ad81a73e34b9ab6faf6bb3dcc5bd9709781608a4e1ed9b1dc4cf7838584456

C:\Windows\{7351A6A1-F0B9-43d9-973E-C10E1FB8FF95}.exe

MD5 1f58259bab3ae1ae0108c5540d24b74c
SHA1 26c5cab5e9816d5610b023cf6943acd4cac2521f
SHA256 b9e1921efe9cb18091fb7b7091f920586bbfdf7ca873007c46b0784b69a1b455
SHA512 29d361e588a41af2c5bb42cdb3a47a3d216a4c9bc44083412636374776efb31b2141faebd651ccf964a2aeb75f7b2d7c9b868777bac84ae24a5c0513520b60fa

C:\Windows\{251E656D-2A9D-4ee9-95C1-E7430166BDCC}.exe

MD5 12422c16cc7f7559c947a41aa5e50f4f
SHA1 62b84a461067d429ada0b0d8aa746073601bdcaa
SHA256 c731580c5b8c77a37e88d5656823c3f8d11807d16c2069df7ac94420d20eaa0c
SHA512 3170a03a543b4897d0cc95696147b30f3771a1c62dd777488542a38d217ede81e04c3c952654eff766bce02929cc55d81766eaf2ce77ca07332b05eda06b2d1c

C:\Windows\{4AD4D70F-089F-4759-90BE-C483EB296BDE}.exe

MD5 52bbd8a27eb392551c7f4bc1f786bb5b
SHA1 e0c1cb6fbd85c74b4e60aa82b7f7e6334861627b
SHA256 5082edfae17a3226852e1b7ecf91b37676ac12d1adad76d3f75102aac56824a1
SHA512 7c7d591da40d9c66d9328dd70f537daa66a91936fc67244b65e38fd41386d9376a97c6efcf5a1640c20492272147ed2228485464f261b6aee63840990fa540f3

C:\Windows\{1D7967DA-C048-4b68-8FFA-05F885A504EE}.exe

MD5 0e7e3115af3b10b07681bd05cee5cf90
SHA1 d266d9c04f15d951ebc625b2826c83b4fbbac32e
SHA256 8403a9d2ded90223e17957282836d451842311a8fe8886e9f0c271ecd6c778e7
SHA512 96a566d7518793a666f4c654f5a59d451eb68085c1b1041c82cb2d99cb8ed6ea70756b2027cce0c5313e0b3b51f9b8306daa4f021e2042a3bc923b0386f5b9f2

C:\Windows\{17E85704-1CFF-4da4-A70B-E292A7AA019D}.exe

MD5 3873494f635510ec4be212717d8a2e13
SHA1 5251b058dd436a4a08850854cb62a7ab9a78dfcb
SHA256 8f1a9bcc2bcea6ed95fa539de3c902dad30636bdb188f53601b0989e1f9fd4e4
SHA512 1e2a27cae271acbec3668a9ecf92d2f9e22b5e49dcf2f2db3e89f8b58ab8fac01a60ccea6cb67727bb8af9d812636220465a9ad56cf7346ee9e4b29465692b09

C:\Windows\{E31361BD-CE47-4da6-958D-C9DDB0FEF032}.exe

MD5 d5a296797f1cbc7d3b21d6dcb690fb95
SHA1 63937d8bea0e03f57bc51e6aebee9f225e76f971
SHA256 c57df8bb5c76123e5f53613d3be499137275f7fb0a9ca4df389e572b6293a8ea
SHA512 987dd902761a02bcc29348490cfe595b1b9ff982c7e8bc17044027026f34732da8c3dde4b09aab273f3036228a029fe0cca22bfdb1ef5035c3ceeaafe9f48d27

C:\Windows\{14C173F7-D690-4276-8AB2-F5B7DA92BFCF}.exe

MD5 cec701bbda6c683406c03acc3ceacdf0
SHA1 41e4325ed4c583db14f9bf99387e116ced1e3fcd
SHA256 c1bdfafec8c124ffd597e2300a1ac87ccb50dc7b420843f09aeb356ea8fa3815
SHA512 23046290fd8c70eac5c282b15ca95ddace5eb2b497eee6b559e23dbf8e021a090280b87002bc1a51742c15f4c3fd5ab7b9acf21435be40f23bf2157a333b540e

C:\Windows\{962BEC83-3606-44ac-8B2B-A9E3AD09EA02}.exe

MD5 426cb80c7afadd16de90bce47883499f
SHA1 1f8441eb8bedcc2dc87710ea2d55a64eeb845184
SHA256 32808ab857c42a46d4bf51b139facb6840b52f420e928282710bf2f721c7505a
SHA512 f84508ff41b9062d1eeba43bdd31352f4f5fe26236c135ff0b0ef79f557f313e21c77587f0d187ef45845f985200fc42b6bc64067b0166215e59bbf8ea9f805d

C:\Windows\{9A5B7F9C-F1CC-4308-8A72-841D608134DD}.exe

MD5 a148be00c5ac3a6f0047aa1fe22d80cd
SHA1 344688e63c2a049a954318432a62b36f501041d3
SHA256 79a49eba91a8a845c99a16ce3595091f4d630a82ff7a4a3b72ee1cff9cc148ea
SHA512 869c97dc05dbd3b83a37e2dcb40f6fc089f6748229421f1e75e1852e7fa7c9aedfe619230de9bf3fee8196bf9cca78620c9ae4fb3926f6869ecc8bd2d1c26a46

C:\Windows\{ECCF4529-720E-42ab-B126-5963F8F9A5B5}.exe

MD5 4d0e35de2806f288d94a83f47592ff18
SHA1 01d346a7573e52953873800fa0569a7ab4c0ff82
SHA256 77a45c698c5c783068a9310acdbddd272c0d3285f0e717a14f23c058f73b6d36
SHA512 a42c0387f1b5f490fe88ee5076e341ef9d6683f0ef719d5bd8c657a0b8e08db2b69b51a1c895148c5d22440deb3968f65329ecf3680baab6863339b7780548bf

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 23:47
Reported: 2024-04-06 23:49
Platform: win10v2004-20231215-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe"

Signatures

Auto-generated rule
(12 matches; no description, indicator, process or target recorded for any of them)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3} C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}\stubpath = "C:\\Windows\\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe" C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F} C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F616B968-A0B2-413c-AE02-9A977F36C27E}\stubpath = "C:\\Windows\\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe" C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356015AB-922D-4168-BA8E-CE88BA550C70} C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F616B968-A0B2-413c-AE02-9A977F36C27E} C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}\stubpath = "C:\\Windows\\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe" C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}\stubpath = "C:\\Windows\\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe" C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A907DB-B593-4275-82B0-1B82BC5317DB} C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A907DB-B593-4275-82B0-1B82BC5317DB}\stubpath = "C:\\Windows\\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe" C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356015AB-922D-4168-BA8E-CE88BA550C70}\stubpath = "C:\\Windows\\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe" C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D} C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}\stubpath = "C:\\Windows\\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe" C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34} C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}\stubpath = "C:\\Windows\\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe" C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68} C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}\stubpath = "C:\\Windows\\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe" C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB} C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98160805-914D-4429-B9C7-E7CE6F6D47A9} C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98160805-914D-4429-B9C7-E7CE6F6D47A9}\stubpath = "C:\\Windows\\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe" C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46} C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}\stubpath = "C:\\Windows\\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe" C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5} C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}\stubpath = "C:\\Windows\\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe" C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
File created C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A
File created C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe N/A
File created C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
File created C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe N/A
File created C:\Windows\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe N/A
File created C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe N/A
File created C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe N/A
File created C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe N/A
File created C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe N/A
File created C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe N/A
File created C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe
PID 872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe
PID 872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe
PID 872 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 4260 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe
PID 4068 wrote to memory of 4260 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe
PID 4068 wrote to memory of 4260 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe
PID 4068 wrote to memory of 2996 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2996 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2996 N/A C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3632 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe
PID 4260 wrote to memory of 3632 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe
PID 4260 wrote to memory of 3632 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe
PID 4260 wrote to memory of 3520 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3520 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3520 N/A C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 4328 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe
PID 3632 wrote to memory of 4328 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe
PID 3632 wrote to memory of 4328 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe
PID 3632 wrote to memory of 816 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 816 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 816 N/A C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 4536 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe
PID 4328 wrote to memory of 4536 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe
PID 4328 wrote to memory of 4536 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe
PID 4328 wrote to memory of 732 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 732 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4328 wrote to memory of 732 N/A C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4932 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe
PID 4536 wrote to memory of 4932 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe
PID 4536 wrote to memory of 4932 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe
PID 4536 wrote to memory of 2604 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 2604 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 2604 N/A C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4344 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe
PID 4932 wrote to memory of 4344 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe
PID 4932 wrote to memory of 4344 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe
PID 4932 wrote to memory of 4420 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4420 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4420 N/A C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 224 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe
PID 4344 wrote to memory of 224 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe
PID 4344 wrote to memory of 224 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe
PID 4344 wrote to memory of 3024 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 3024 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 3024 N/A C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 2356 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe
PID 224 wrote to memory of 2356 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe
PID 224 wrote to memory of 2356 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe
PID 224 wrote to memory of 4688 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 4688 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 4688 N/A C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2544 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe
PID 2356 wrote to memory of 2544 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe
PID 2356 wrote to memory of 2544 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe
PID 2356 wrote to memory of 2700 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2700 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2700 N/A C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4316 N/A C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe
PID 2544 wrote to memory of 4316 N/A C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe
PID 2544 wrote to memory of 4316 N/A C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe
PID 2544 wrote to memory of 60 N/A C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe

"C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe"

C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe

C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D3FFB~1.EXE > nul

C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe

C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8C60B~1.EXE > nul

C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe

C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1A013~1.EXE > nul

C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe

C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{757A4~1.EXE > nul

C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe

C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F616B~1.EXE > nul

C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe

C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A32C7~1.EXE > nul

C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe

C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F0A90~1.EXE > nul

C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe

C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35601~1.EXE > nul

C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe

C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC67~1.EXE > nul

C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe

C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{98160~1.EXE > nul

C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe

C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9E8~1.EXE > nul

C:\Windows\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe

C:\Windows\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92D19~1.EXE > nul
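Read together, the StubPath rows under "Modifies Installed Components in the registry", the "File created" rows under "Drops file in Windows directory" and the cmd.exe /c del command lines under Processes describe one loop: each stage drops the next GUID-named executable into C:\Windows, registers an Active Setup StubPath for it, launches it, then spawns cmd.exe to delete its own executable by 8.3 short name. The Python script below is an added worked example, not part of the report or of any sandbox tooling; it reconstructs that chain from the report's own lines (embedded as constructed input, using only the three StubPath rows visible in this section), resolves each 8.3 name in the del commands back to the stage it removes, and lists which StubPath targets survive. The rule that an 8.3 stem is the first six characters of the long name is an assumption taken from the names the report shows, not a full 8.3 implementation.

```python
"""Reconstruct this report's GUID-named dropper chain from its own event lines.

Added example, not part of the report or of any sandbox tooling. The input is
copied from the report's "File created", "stubpath" and "cmd.exe /c del"
entries and embedded as constructed strings so the script runs offline.
"""
import re

FILE_EVENTS = r"""
File created C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
File created C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A
File created C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe N/A
File created C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
File created C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe N/A
File created C:\Windows\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe N/A
File created C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe N/A
File created C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe N/A
File created C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe N/A
File created C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe N/A
File created C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe N/A
File created C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe N/A
"""

REG_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98160805-914D-4429-B9C7-E7CE6F6D47A9}\stubpath = "C:\\Windows\\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe" C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}\stubpath = "C:\\Windows\\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe" C:\Users\Admin\AppData\Local\Temp\9d3ffb3396fcb525cc9f30a72c318b4e563603a76f2479f40c15204515272992.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}\stubpath = "C:\\Windows\\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe" C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe N/A
"""

DEL_CMDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D3FFB~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{8C60B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{1A013~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{757A4~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{F616B~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{A32C7~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0A90~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{35601~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC67~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{98160~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9E8~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{92D19~1.EXE > nul
"""

RE_FILE = re.compile(r"^File created (\S+) (\S+) N/A$")   # (dropped file, dropping process)
RE_STUB = re.compile(r'stubpath = "(.+?)" (\S+) N/A$')     # (StubPath target, writing process)
RE_DEL = re.compile(r"/c del (\S+) > nul$")                # (8.3 path being deleted,)


def parse_events(text, pattern):
    return [m.groups() for line in text.strip().splitlines() if (m := pattern.search(line))]


def reconstruct_chain(file_events):
    """Order the drops from the submitted sample to the last stage.

    Linear only if every dropper creates exactly one file and exactly one
    dropper was not itself dropped; anything else is an error, not a guess.
    """
    child_of, dropped = {}, {d.lower() for d, _ in file_events}
    for child, dropper in file_events:
        if dropper.lower() in child_of:
            raise ValueError(f"{dropper} drops more than one file; not a linear chain")
        child_of[dropper.lower()] = child
    roots = sorted({p for _, p in file_events if p.lower() not in dropped})
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    chain = [roots[0]]
    for _ in file_events:                       # bounded, so a cycle cannot spin forever
        nxt = child_of.get(chain[-1].lower())
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def stem_8dot3(path):
    # Assumption from the names in the report: 8.3 stem = first six characters of
    # the base name, upper-cased ({8C60B2D6-...}.exe and {8C60B~1.EXE both give {8C60B).
    return path.rsplit("\\", 1)[-1].split("~", 1)[0][:6].upper()


def resolve_deletes(chain, del_cmds):
    """Map each 'cmd /c del <8.3 name>' to the chain stage it removes (None if unknown)."""
    by_stem = {stem_8dot3(p): p for p in chain}
    return [by_stem.get(stem_8dot3(short)) for (short,) in del_cmds]


def triage(file_text=FILE_EVENTS, reg_text=REG_EVENTS, del_text=DEL_CMDS):
    chain = reconstruct_chain(parse_events(file_text, RE_FILE))
    # The report prints registry string values with escaped backslashes.
    stubs = {t.replace("\\\\", "\\"): w for t, w in parse_events(reg_text, RE_STUB)}
    deleted = resolve_deletes(chain, parse_events(del_text, RE_DEL))
    in_chain = {p.lower() for p in chain}
    return {
        "chain": chain,
        "stages": len(chain) - 1,
        "persistence": {t: w for t, w in stubs.items() if t.lower() in in_chain},
        "persistence_unknown": {t: w for t, w in stubs.items() if t.lower() not in in_chain},
        "self_deleted": [p for p in deleted if p],
        "unresolved_deletes": deleted.count(None),
        "survivors": [p for p in chain if p not in deleted],
    }
```

On this report's data the script yields a 12-stage linear chain ending at {D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe, resolves all twelve del commands, and finds that every StubPath target visible in this section is among the files the chain itself deletes, leaving only the final stage on disk. Before treating the Active Setup entries as live persistence on a real host, confirm whether the StubPath targets still exist there.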

Network

The only TCP connection recorded is to 23.44.234.16:80, with no domain and no originating process given; every other row is a PTR (reverse-DNS, in-addr.arpa) query to 8.8.8.8, which the report likewise does not attribute to a process. Nothing in this table ties the traffic to the sample or its dropped stages, so treat it as unconfirmed rather than as a C2 indicator.

Country Destination Domain Proto
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

All twelve dropped stages carry different hashes, so any single hash below identifies one stage only; the C:\Windows\{GUID}.exe naming and the Active Setup StubPath entries are what the stages have in common.

C:\Windows\{8C60B2D6-81F0-4cfd-90B1-942FA42C9B9F}.exe

MD5 4bbbab46959d5880a7702fdbe31d9f2c
SHA1 129a5da5f34041d996f674b0deabc9dfd854db57
SHA256 c3c398e5ceb8f5135836b2a39ba8cb90059c30bd99fc45d417027432977639ab
SHA512 f8e253f5a3d7f9ec5686a05b75365d910e2874033257de0df1a852ebbc6a2eef3074d7dd7008087ec6ed7dc872220b67c9002de709def236813a6c1786084cdf

C:\Windows\{1A013FF4-4D48-46c9-B9B0-040BD7A7BB34}.exe

MD5 73a0bda610aec4a74cc88198d9506b63
SHA1 6b15af46c41cb5ecba24d040a0c37160a3019f6d
SHA256 de523d555b10052e4b312a66cebf7597c2161c2f48837e6010ad13ac90ffa248
SHA512 71ce035ebae24159e90b23490948ce3ec41392a3bcd6c05f7fbe2a8884a1b914cbf6e628782ff713e58c534d4db1989ee2de75fcbeffb7a9972a5cdc379e46d0

C:\Windows\{757A4BCD-4680-4812-9C1D-6A3B57AD8DA5}.exe

MD5 742d97993cfaac41fe027562fd4f7a38
SHA1 e7fbe60c24299583acc22fdf3b789ec61dafabb1
SHA256 0f2f023b13e21b8d4ae8fc9f2cde3fa0b7c0d7a07171410c775476898edaa34b
SHA512 b2b1a3fe046ff1206cdf5710874a150fc4cbc89742319c7296ea4446be4b2ac8ff6a2d2719410308366bce8efa0f185e805f79ad269f11741574c5cc30398e36

C:\Windows\{F616B968-A0B2-413c-AE02-9A977F36C27E}.exe

MD5 3559fd01643d766124ec4d97ff1d8d23
SHA1 fccd300d716584fb4161c56fa51f2fa2ffc99715
SHA256 e96bebe88b38fec477595371481179f1e985d96e58080e285f953958a4f958ba
SHA512 b2154174dee03a8c9b76edf4332a5f4af629c936d70b6148380f3f15bec30c42dae2d1c9d8173982166d5cc10903c6f81022b1d9966c89edb5150b0745b3202a

C:\Windows\{A32C73EF-45E9-4846-8B3C-D8B9D6319A68}.exe

MD5 6fe9d11a0e070b0c8dc4330b5088aee3
SHA1 b4e74cdb5f5aba4e56d82ee8ed1dd3d80fc81f80
SHA256 03820abe8db6c2b61d31c850d5eea1881b1680e94a3292fe216e96091d6df8bc
SHA512 0db91ef7afc95d9fff69b0f42bac90b7ceb1451dcf3a6aacc18c4faa65ef072cb667215931cd52b7230c822517493054e450546224bef84d6dd8f3be917aec79

C:\Windows\{F0A907DB-B593-4275-82B0-1B82BC5317DB}.exe

MD5 31e084c7f6224b7c8fbfb3ea01cdbcac
SHA1 4a453fa81fe2288fae184e82ed0db3fd952a1800
SHA256 52f88e6dbe615bdf93f98c7332229d27f704d3b2e54afcbcf7fee8361f12d7d6
SHA512 261fd05499bd4ad717e23c7db7fd5dc28e80ec9ba95239d62b5193655e22475f5b6b64f5f09a91dc577278a4bd39f8d4506b010c01aeb95bdbbf7e3fa0fa1da4

C:\Windows\{356015AB-922D-4168-BA8E-CE88BA550C70}.exe

MD5 73b0cb40e2caedbecca6c24459edc291
SHA1 1b572c2992272c687f1a1b798d224dc977f80137
SHA256 b8b6d78788b70e5483a93d65e1abc9939d313aa0d3cd1f2203ebb545607f50fd
SHA512 1025b1d272266e77d9d1260e3af469460781d8395855da37755c063ec4266a9e945699a24eec3492175f73b75aa76a057b0e32d7b207e09d3086daf27fac3ef4

C:\Windows\{EBC67108-F3C5-44ea-BD05-AD1C4CA22E8D}.exe

MD5 e71791efa8f064a7f82feae091111e7d
SHA1 45f8b15596e93240b5cd2a2800142d0a8effddb7
SHA256 549cd4ad997c19426ee43ff266618422f7e15f375a81a2d5975f062fef50e778
SHA512 e18043d479e2889cd75ad74353d41d48d09aa433b81de6c6254540cba20a40d4ddbdff99ed81f993e3b0e97cae2d964744016b9f779c126a2dc2d750a5ad1192

C:\Windows\{98160805-914D-4429-B9C7-E7CE6F6D47A9}.exe

MD5 dca5b88a213c2124bddc2df9a24fb20a
SHA1 d044710fcda876244696dcfe799a78cf141a5cb7
SHA256 fd42986c0b25f1638df263e03ae76db48a37b1519f2cb46fb111bee45ba32973
SHA512 59ad0d3670b949f565409f38fbfb3c14d0b6dfa446e8b89069a759e93ba182bdc22416b54f251602c59c75ffec2a0a3d7e98fe8fa192c469f3af36d79d807df5

C:\Windows\{0B9E80A4-BD7C-4846-A0C1-095531EF52D3}.exe

MD5 12e90355047c0064095ff430a5924a8f
SHA1 3953c93e1a2e9cfc5edd188ebc6e8e0ae2bbb567
SHA256 f032e184335bc1471138d3d337ee42f5f4e73d4af6464ce99efb82892e9a972b
SHA512 47225d2f8b27b164286a074395f332001e3b43822bad47717ed6cd7f2138c3fcb9373739f42e99e72330d4dc97ccbbd808cee0ad593dab8b855cb5dd18590558

C:\Windows\{92D1951D-F876-4adb-AC3E-FCA03ED5CE46}.exe

MD5 a43d236fc225bcd64a060a0955f0a067
SHA1 b2c1724e44c1217d85eeda65b997812c7e2cd68f
SHA256 f79f189ec73cd9a478a7b53d35ccd0934d021e74c19082feea11497da544d701
SHA512 7b7d7200f872304b81219115861a2bd19599e40adfdccfd837a1ba20c6354f5d363beed8aef1b90c76f4fc4da7eda93d798b81b9dcf3a3e720206716d0757038

C:\Windows\{D2D721A9-F279-4e7f-92EB-46B46B7DEBDB}.exe

MD5 0da87e8626d50f3b00c2190f50e7f702
SHA1 50412176c435195cea329c50fad9fa853d53766f
SHA256 889e4857ea455d58787c5eaa4610b7c87113495d6735651086aec578c880c694
SHA512 faa9411e7e3a7f5456a2d56d341a2db7299d8f6d70fef4d24538b3bbf20aad9d0b92d3523b28ef5cf3a8a1a6aab15797ad4d0b95a68e4e8372c8344e5b6221ed