Malware Analysis Report

2025-03-14 23:12

Sample ID 240406-3yjg3sfd65
Target a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191
SHA256 a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191

Threat Level: Likely malicious

The file a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:55

Reported

2024-04-06 23:57

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe"

Signatures

Modifies Installed Components in the registry

Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0BC754-A46A-455c-83F0-93F03D9559CB}\stubpath = "C:\\Windows\\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe" C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18FB57B8-C057-483c-A4A0-0454DE03F534} C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CF50BD-05DC-483b-84E6-0C3A360F60C4} C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}\stubpath = "C:\\Windows\\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe" C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9921E07-905E-4c1f-A945-8C79F1F38542}\stubpath = "C:\\Windows\\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe" C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24} C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}\stubpath = "C:\\Windows\\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe" C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}\stubpath = "C:\\Windows\\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe" C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9921E07-905E-4c1f-A945-8C79F1F38542} C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}\stubpath = "C:\\Windows\\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe" C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}\stubpath = "C:\\Windows\\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe" C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}\stubpath = "C:\\Windows\\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe" C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0BC754-A46A-455c-83F0-93F03D9559CB} C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004} C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18FB57B8-C057-483c-A4A0-0454DE03F534}\stubpath = "C:\\Windows\\{18FB57B8-C057-483c-A4A0-0454DE03F534}.exe" C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}\stubpath = "C:\\Windows\\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe" C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D} C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C} C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}\stubpath = "C:\\Windows\\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe" C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A} C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3} C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D} C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe N/A
File created C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe N/A
File created C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe N/A
File created C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe N/A
File created C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe N/A
File created C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe N/A
File created C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
File created C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe N/A
File created C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe N/A
File created C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe N/A
File created C:\Windows\{18FB57B8-C057-483c-A4A0-0454DE03F534}.exe C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe
PID 2992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe
PID 2992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe
PID 2992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe
PID 2992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2648 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe
PID 2872 wrote to memory of 2648 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe
PID 2872 wrote to memory of 2648 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe
PID 2872 wrote to memory of 2648 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe
PID 2872 wrote to memory of 2392 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2392 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2392 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2392 N/A C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2776 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe
PID 2648 wrote to memory of 2776 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe
PID 2648 wrote to memory of 2776 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe
PID 2648 wrote to memory of 2776 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2012 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe
PID 2776 wrote to memory of 2012 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe
PID 2776 wrote to memory of 2012 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe
PID 2776 wrote to memory of 2012 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe
PID 2776 wrote to memory of 2444 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2444 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2444 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2444 N/A C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2716 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe
PID 2012 wrote to memory of 2716 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe
PID 2012 wrote to memory of 2716 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe
PID 2012 wrote to memory of 2716 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe
PID 2012 wrote to memory of 2768 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2768 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2768 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 2768 N/A C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1496 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe
PID 2716 wrote to memory of 1496 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe
PID 2716 wrote to memory of 1496 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe
PID 2716 wrote to memory of 1496 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe
PID 2716 wrote to memory of 1960 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1960 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1960 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1960 N/A C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1820 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe
PID 1496 wrote to memory of 1820 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe
PID 1496 wrote to memory of 1820 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe
PID 1496 wrote to memory of 1820 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe
PID 1496 wrote to memory of 2016 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2016 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2016 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2016 N/A C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2556 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe
PID 1820 wrote to memory of 2556 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe
PID 1820 wrote to memory of 2556 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe
PID 1820 wrote to memory of 2556 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe
PID 1820 wrote to memory of 1700 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1700 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1700 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1700 N/A C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe

"C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe"

C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe

C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1DEF1~1.EXE > nul

C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe

C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B9A~1.EXE > nul

C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe

C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{00CF5~1.EXE > nul

C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe

C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B9921~1.EXE > nul

C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe

C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D7B~1.EXE > nul

C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe

C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A2CEB~1.EXE > nul

C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe

C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDAB~1.EXE > nul

C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe

C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD81~1.EXE > nul

C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe

C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F43F1~1.EXE > nul

C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe

C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0EA5A~1.EXE > nul

C:\Windows\{18FB57B8-C057-483c-A4A0-0454DE03F534}.exe

C:\Windows\{18FB57B8-C057-483c-A4A0-0454DE03F534}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2D0BC~1.EXE > nul

Network

N/A

Files

C:\Windows\{B0B9A1C7-C2D4-4695-B629-E5223784CB6D}.exe

MD5 837dd9919758d3e049d1d775a07b5f85
SHA1 60e48dceb0cdab292bc77ff055acf6a6bc0a4143
SHA256 f0d268b93c8c54e325341601d02d2250d31e3fe72e671dd0041f262c1d5b3a05
SHA512 6f70426ee4f17c557f5534ea0c9814bfcbc65a823d846d7a51081c75bd5acee5e389c669eed0d7e0a20e45c72a6140138a1ac64da9eb2fefbfd4892ca3c6f1fa

C:\Windows\{00CF50BD-05DC-483b-84E6-0C3A360F60C4}.exe

MD5 ab7fd804c3442cc8a31ad2684dee57f4
SHA1 ca3ef4f6fcda299912ab07cc6da78f7f28977746
SHA256 2b7beb6597a7d678cf8903858893a72ee7d8f278c8cb6d6d225630079db0ec1a
SHA512 79021e9b6ae7e81b8d38c0de9debeebbe74757a44b5040011f8ee3a2ea2610192baf5074f411c44963ffaab28b5bd35efec6c928bb826f6ff65aa712b97cb447

C:\Windows\{B9921E07-905E-4c1f-A945-8C79F1F38542}.exe

MD5 14c00344d2c9c42ec10bb014920f89ac
SHA1 205d9f3eeac576b4677d2fa5b6d65683d494d962
SHA256 40177e09a316529c61dce91b8b762d2fe163b1e5ddf5965fe1879691ee2604b5
SHA512 4c7b96b0b90c9a67a8ece849228f705f01ff3b6269d02c30b859a3259305b8df396182cbc46e8bcfc164b0fb10e7b467e9ce4554f5b13dea79fc590b218582e3

C:\Windows\{C2D7BC9C-56B4-4b2e-BC53-559AF44BFF24}.exe

MD5 9103a711cfada6fa0d6d41ce61804bb5
SHA1 2e5e7b46bcc26a842c38514d5c8d75b73f1350d5
SHA256 8c19d8fde30e3268e4343684c9cdd9a88dc9cbc6f573958ad51d30e1c44bfe13
SHA512 a64307eebe970d838d9aa02d8e7c1a3bd23cd261b6ba3755b83f257ac6d7d070a02d895fe93cad2e13918222bd0e263e1fcfe06d24a81443626522c4cb39eddf

C:\Windows\{A2CEB4A2-AED5-4cc6-BDD8-306A59E4082D}.exe

MD5 7ce1fee2becfe2e3f8c8ffc815cc337f
SHA1 676fbed410184c4608cedd05420412902612e4ee
SHA256 94872134397a9b2df424e7397776f0079a3dfa428a96b1f3411851da8e824f9d
SHA512 06f74c25f1b20393de7606c060a7dba706c6f54f05b0b19288b5949d46623915075730a54c0a5d8dfe6f4fe7053046f65dbf79b047b2ccb603d703eb15bf172e

C:\Windows\{EDDABBA2-9D43-454f-9187-D8A1FE0B8D2C}.exe

MD5 03bfebb61d915dbfbd6debe500e0ce4b
SHA1 08c2506011f6437a4b23f66f6ddb7629c545c239
SHA256 5c8cc13c1f173f0de249d1cf7220dd3c7d94e89f0f26170aef4d893f33c0b6e9
SHA512 d8a59fb66666949bd5acbe2e6f81de1a8b9afa894ec907b105434a5efd756f8ce832d02a07cb27a345b1396c8e354a6e8985652014c9acba453b5c7fef1ca308

C:\Windows\{1CD8184B-BBB4-4f5a-A4A0-1653EB72086A}.exe

MD5 53523d261898208973e47e82d43d820a
SHA1 633e4fac8bdcd23d36472f05a7a785d01a238891
SHA256 216b1f6ed06f37398bff93b27a7d733ccdd8dd93fb7fec0fe845cf1221a50f3e
SHA512 8b4bfbf5e553f5a7d30b5cb01c48d71d6d503ec0632fafdcfbc2e1cf429bcb47472f4e6abdec22e0ad47e4b5393602261fc8025641182eaaeb0654a779d5d8f3

C:\Windows\{F43F1BFB-FBB0-4e12-8DD4-495D8D1414E3}.exe

MD5 6fd6b4dbe9c35710a79c5ec750792f0b
SHA1 b9613c93c5c1e5639026d86cb8f822c876bf63ba
SHA256 5c25c0b87ba2a39dbf058839c60e53857649c25939026acfc3ef7b3e1155d4cd
SHA512 43e8f1bd79f7c33b06f2b224a90afbe59f96c7bab2db45f3938d3d7c3187fbd44bc3064a349abe3ac767fa68a2904bdacc56d0050c40c761c1c9654d05db0aeb

C:\Windows\{0EA5A4D5-2B6B-4ed1-B625-27B3D31DE004}.exe

MD5 fa25fdceccd132386c3bc274c4de92ff
SHA1 5208f315cfa10f96210998bb58b502916a8e2ebf
SHA256 5f0c951ef23fdd6cb10be5fb03a6437deb21b0a2fe33c4b8cc321923de09a5ce
SHA512 b1b583eb9e8ad4dc4d5233ed97e48770b3dd1f998f9edfe792fe85c1aa890ed5b9afdb6ebeb6ec854778bf69d8137c53da01320df10d34409638e2991b1488d5

C:\Windows\{2D0BC754-A46A-455c-83F0-93F03D9559CB}.exe

MD5 be5ca5f88a7d1d3ad666bcc768067e8e
SHA1 74bd527eb10bc9789d4e070c571d35a7240f9b5a
SHA256 37ad4c326edb6255bdfdfe96123955a64c3e769b689f3e0021206f3b9132e9c2
SHA512 3a25b11145f5a50ed8e16ca73d9c95bdff509c5645b1b544fb4305bb46de2367720fd933d5a14f73a8a1ec6857d357b578f462e0d87e2fcda47e411788e6082d

C:\Windows\{18FB57B8-C057-483c-A4A0-0454DE03F534}.exe

MD5 04a82d678269e994730c261d7b030d31
SHA1 3f22f6f556206c768455b9a96cc132d939066207
SHA256 79e3e51dfec4c51dc1e5176ea47b4f3fa70e32723f57d5ace353ec105534423a
SHA512 5555e9fadc4f36d78be6324b5e24e3e3a0959f2afc2186bfbeedd1f5b90135c819c3658d153ecdf79a1a52c687fcb82f97d620342a03299385659e85fc2e5e2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:55

Reported

2024-04-06 23:57

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe"

Signatures

Modifies Installed Components in the registry

Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}\stubpath = "C:\\Windows\\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe" C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B} C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}\stubpath = "C:\\Windows\\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe" C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}\stubpath = "C:\\Windows\\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe" C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A141E-C291-4a09-8456-206A1234BAFA}\stubpath = "C:\\Windows\\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe" C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A141E-C291-4a09-8456-206A1234BAFA} C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD44947-54D2-46f6-A40E-7E592BB2BF78} C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}\stubpath = "C:\\Windows\\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe" C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30C5178D-44AE-4425-858A-3D24E44FFC7E}\stubpath = "C:\\Windows\\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe" C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9BCEA4-D17F-452d-8661-29C151D97490} C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC3AE52D-47B9-4933-810D-7F281A895AB6}\stubpath = "C:\\Windows\\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe" C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65} C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7AE566D-3884-422b-B349-215F1EE33B3A}\stubpath = "C:\\Windows\\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe" C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}\stubpath = "C:\\Windows\\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe" C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E46377AB-5678-4d7d-B282-87B7A1D33177}\stubpath = "C:\\Windows\\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe" C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30C5178D-44AE-4425-858A-3D24E44FFC7E} C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC3AE52D-47B9-4933-810D-7F281A895AB6} C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8} C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E} C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E}\stubpath = "C:\\Windows\\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E}.exe" C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7AE566D-3884-422b-B349-215F1EE33B3A} C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0} C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9BCEA4-D17F-452d-8661-29C151D97490}\stubpath = "C:\\Windows\\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe" C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E46377AB-5678-4d7d-B282-87B7A1D33177} C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe N/A
File created C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe N/A
File created C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe N/A
File created C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe N/A
File created C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe N/A
File created C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe N/A
File created C:\Windows\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E}.exe C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe N/A
File created C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
File created C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe N/A
File created C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe N/A
File created C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe N/A
File created C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe
PID 3940 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe
PID 3940 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe
PID 3940 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4092 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe
PID 1792 wrote to memory of 4092 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe
PID 1792 wrote to memory of 4092 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe
PID 1792 wrote to memory of 1528 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1528 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 1528 N/A C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4624 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe
PID 4092 wrote to memory of 4624 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe
PID 4092 wrote to memory of 4624 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe
PID 4092 wrote to memory of 3780 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3780 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3780 N/A C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 3404 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe
PID 4624 wrote to memory of 3404 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe
PID 4624 wrote to memory of 3404 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe
PID 4624 wrote to memory of 2472 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2472 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2472 N/A C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4888 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe
PID 3404 wrote to memory of 4888 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe
PID 3404 wrote to memory of 4888 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe
PID 3404 wrote to memory of 1264 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 1264 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 1264 N/A C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2408 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe
PID 4888 wrote to memory of 2408 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe
PID 4888 wrote to memory of 2408 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe
PID 4888 wrote to memory of 2012 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2012 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2012 N/A C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4428 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe
PID 2408 wrote to memory of 4428 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe
PID 2408 wrote to memory of 4428 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe
PID 2408 wrote to memory of 4492 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4492 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4492 N/A C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 5044 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe
PID 4428 wrote to memory of 5044 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe
PID 4428 wrote to memory of 5044 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe
PID 4428 wrote to memory of 4668 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4668 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4668 N/A C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 3148 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe
PID 5044 wrote to memory of 3148 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe
PID 5044 wrote to memory of 3148 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe
PID 5044 wrote to memory of 2840 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 2840 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 2840 N/A C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 4128 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe
PID 3148 wrote to memory of 4128 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe
PID 3148 wrote to memory of 4128 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe
PID 3148 wrote to memory of 3288 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 3288 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 3288 N/A C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 4540 N/A C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe
PID 4128 wrote to memory of 4540 N/A C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe
PID 4128 wrote to memory of 4540 N/A C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe
PID 4128 wrote to memory of 4980 N/A C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe

"C:\Users\Admin\AppData\Local\Temp\a1def1c951f5c86146583e4796671a8e98c5e421edc8a9843cd97b80ae716191.exe"

C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe

C:\Windows\{70FEC7A9-CA4D-41cb-9904-D0858B8D1D65}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1DEF1~1.EXE > nul

C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe

C:\Windows\{C7AE566D-3884-422b-B349-215F1EE33B3A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{70FEC~1.EXE > nul

C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe

C:\Windows\{A25A141E-C291-4a09-8456-206A1234BAFA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C7AE5~1.EXE > nul

C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe

C:\Windows\{CCD44947-54D2-46f6-A40E-7E592BB2BF78}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A25A1~1.EXE > nul

C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe

C:\Windows\{D16FF5FD-52B0-426d-95F1-CFC148BECBA0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD44~1.EXE > nul

C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe

C:\Windows\{30C5178D-44AE-4425-858A-3D24E44FFC7E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D16FF~1.EXE > nul

C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe

C:\Windows\{1B9BCEA4-D17F-452d-8661-29C151D97490}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{30C51~1.EXE > nul

C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe

C:\Windows\{FC3AE52D-47B9-4933-810D-7F281A895AB6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1B9BC~1.EXE > nul

C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe

C:\Windows\{B19D350E-0681-44f5-BD22-DBBBBFB5E5F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3AE~1.EXE > nul

C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe

C:\Windows\{E46377AB-5678-4d7d-B282-87B7A1D33177}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B19D3~1.EXE > nul

C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe

C:\Windows\{C24D08A4-3891-4fae-AADB-380F7BA1CE0B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4637~1.EXE > nul

C:\Windows\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E}.exe

C:\Windows\{868C8A39-2A01-4934-9F7F-A74CFB3B3C9E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C24D0~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files
