Malware Analysis Report

2025-03-14 22:10

Sample ID 240407-2z8b6ahc82
Target 87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b
SHA256 87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b
Tags persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b

Threat Level: Likely malicious

The file 87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-07 23:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-07 23:02
Reported 2024-04-07 23:04
Platform win7-20231129-en
Max time kernel 144s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D52B5E3-C212-42eb-97D9-1B766580BCAA} | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}\stubpath = "C:\\Windows\\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe" | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750F0193-66CD-443e-8216-87D4F0C4B358} | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79C539C-014C-409f-91A1-0F692D6DFA9A} | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}\stubpath = "C:\\Windows\\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe" | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D72A03-3FBB-45e1-A726-EC0F831CF290}\stubpath = "C:\\Windows\\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe" | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34446D6E-3321-49f2-98CE-7626D267339F}\stubpath = "C:\\Windows\\{34446D6E-3321-49f2-98CE-7626D267339F}.exe" | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79C539C-014C-409f-91A1-0F692D6DFA9A}\stubpath = "C:\\Windows\\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe" | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DC7F07-6354-4260-812F-85022F1935C3} | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A66FEA0-DB6F-4eef-8403-62877876CF00} | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92792F98-96F6-412a-B11F-88D6CD134898}\stubpath = "C:\\Windows\\{92792F98-96F6-412a-B11F-88D6CD134898}.exe" | C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34446D6E-3321-49f2-98CE-7626D267339F} | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92792F98-96F6-412a-B11F-88D6CD134898} | C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DC7F07-6354-4260-812F-85022F1935C3}\stubpath = "C:\\Windows\\{67DC7F07-6354-4260-812F-85022F1935C3}.exe" | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A66FEA0-DB6F-4eef-8403-62877876CF00}\stubpath = "C:\\Windows\\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe" | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{476432E9-1C55-48a1-9C43-0EB364CF1C13} | C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750F0193-66CD-443e-8216-87D4F0C4B358}\stubpath = "C:\\Windows\\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe" | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE} | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D72A03-3FBB-45e1-A726-EC0F831CF290} | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA} | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}\stubpath = "C:\\Windows\\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe" | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{476432E9-1C55-48a1-9C43-0EB364CF1C13}\stubpath = "C:\\Windows\\{476432E9-1C55-48a1-9C43-0EB364CF1C13}.exe" | C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | N/A
File created | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | N/A
File created | C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe | N/A
File created | C:\Windows\{476432E9-1C55-48a1-9C43-0EB364CF1C13}.exe | C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe | N/A
File created | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | N/A
File created | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | N/A
File created | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | N/A
File created | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | N/A
File created | C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe | C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe | N/A
File created | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
File created | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2180 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe
PID 2180 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe
PID 2180 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe
PID 2180 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe
PID 2180 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe
PID 2868 wrote to memory of 2660 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe
PID 2868 wrote to memory of 2660 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe
PID 2868 wrote to memory of 2660 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe
PID 2868 wrote to memory of 2676 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2676 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2676 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2676 | N/A | C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2812 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe
PID 2660 wrote to memory of 2812 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe
PID 2660 wrote to memory of 2812 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe
PID 2660 wrote to memory of 2812 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe
PID 2660 wrote to memory of 2384 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2384 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2384 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2384 | N/A | C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 768 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe
PID 2812 wrote to memory of 768 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe
PID 2812 wrote to memory of 768 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe
PID 2812 wrote to memory of 768 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe
PID 2812 wrote to memory of 2960 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2960 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2960 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2960 | N/A | C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 2000 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe
PID 768 wrote to memory of 2000 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe
PID 768 wrote to memory of 2000 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe
PID 768 wrote to memory of 2000 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe
PID 768 wrote to memory of 1700 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1700 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1700 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 1700 | N/A | C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2064 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe
PID 2000 wrote to memory of 2064 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe
PID 2000 wrote to memory of 2064 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe
PID 2000 wrote to memory of 2064 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe
PID 2000 wrote to memory of 816 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 816 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 816 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 816 | N/A | C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1716 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe
PID 2064 wrote to memory of 1716 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe
PID 2064 wrote to memory of 1716 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe
PID 2064 wrote to memory of 1716 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe
PID 2064 wrote to memory of 1808 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1808 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1808 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1808 | N/A | C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1576 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe
PID 1716 wrote to memory of 1576 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe
PID 1716 wrote to memory of 1576 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe
PID 1716 wrote to memory of 1576 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe
PID 1716 wrote to memory of 1580 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1580 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1580 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1580 | N/A | C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe

"C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe"

C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe

C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\87EF78~1.EXE > nul

C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe

C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{750F0~1.EXE > nul

C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe

C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C79C5~1.EXE > nul

C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe

C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFA4~1.EXE > nul

C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe

C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{09D72~1.EXE > nul

C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe

C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{34446~1.EXE > nul

C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe

C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6D52B~1.EXE > nul

C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe

C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F4997~1.EXE > nul

C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe

C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{67DC7~1.EXE > nul

C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe

C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3A66F~1.EXE > nul

C:\Windows\{476432E9-1C55-48a1-9C43-0EB364CF1C13}.exe

C:\Windows\{476432E9-1C55-48a1-9C43-0EB364CF1C13}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{92792~1.EXE > nul

Network

N/A

Files

C:\Windows\{750F0193-66CD-443e-8216-87D4F0C4B358}.exe

MD5 adc9fb6c5c42c2533ea85496317d350c
SHA1 74fd6db855f21c6e7fc75b494556e74d7975ab00
SHA256 0a0b26b91467620a170a1839405925ef09986b79bea23efe21c5bdc7d5698e97
SHA512 54b7b4721d7e5674d48ab669b50ee8f740bcefe462e2a9ab42f7943105ddfca9d3615c65390053718d0d40e251c59327577d88aa68c54389116f063a96243113

C:\Windows\{C79C539C-014C-409f-91A1-0F692D6DFA9A}.exe

MD5 b6ee626ec653fe05a8150be119c37454
SHA1 406aec9811a8d3630d247dea60729a30216c60bb
SHA256 45770a72a17a7f123e86f7a90bfcb7223eb573b9775d9b7b269a776efde95747
SHA512 bfe2526d1d4a8e514ae0659dbf504398e5fc409e3763f1e5a26a42af08e4e64f23d663ad261a41681663d6063da0cf5b8cd76c991d3cba86ba13f75950d60903

C:\Windows\{3AFA433C-2225-4c54-911D-7FD3E71FC9EE}.exe

MD5 266a659f1bfc38642fb29e5a4aefe40e
SHA1 9830c4f45b249bf4261f91a0b24c99d2d3ac1bab
SHA256 6b00a4e92fa4b80285c600d84ec4ffa6b042b27e5fe3675d42279cc2b5d22625
SHA512 b05b61a1203157ce1545b60097c16a6a6fa76bdfc31a5460332b4fc35084c26c6e34ac5ff3e8bad10d248a23b27d377e822d0431ded568dc55ad261c52ac6b48

C:\Windows\{09D72A03-3FBB-45e1-A726-EC0F831CF290}.exe

MD5 35d57b4e898096933e7539c762486cfc
SHA1 1126c8ff0d64e1f7abbd902ae000a7283ce08bb1
SHA256 fccf342deda6d2610b6c9673cb829f9387f4aace37c905e1b6669f600c601627
SHA512 7a9da5106bfeaa784026e14b7f09a246e4695f320cf298ddd55f621000ddeed0940ee07d35a0c45661702a423d3fce2fccda7f0a4daae466fb7ac230981833eb

C:\Windows\{34446D6E-3321-49f2-98CE-7626D267339F}.exe

MD5 29dc20f3c3650ee3a050e515c88e623a
SHA1 915a91c0feb487c9745ec878e1d525c1ca4fcdf4
SHA256 5f204e826f43ffc6d9995111001a357f54851f52a15ebeed6a0e841b160feba0
SHA512 8e94cb04e443fe4f9e7e7030fc9af4ef600f96352e07a0a628ae4bedb10c10bc3e8dca0c3796a4ab9b60caaccfcd04d895da22a5661bc318baf73d360a30d0e8

C:\Windows\{6D52B5E3-C212-42eb-97D9-1B766580BCAA}.exe

MD5 a9d24fd5643b32e641bab589380042cd
SHA1 c8d20d52ef2478edc50e08de313b4ec346911ffc
SHA256 aa50aed26d3cda943abe1245113041dae1c04226140667b019342674870f03c7
SHA512 1f2b415788eb6fe13f6986eca98cac58934afecf6ee500ab8a9aabc78f44b06b3dac58a8695d6a7bbfb0490599334f641f226d710cb823c77ca681ee252944f6

C:\Windows\{F49976A3-F2C5-4b12-A8A0-B7C8B1B5CCAA}.exe

MD5 89f01aef0f1fdfb2aec70a7309f5cf0c
SHA1 62466cf3fe63cb23c9efc02af2bf298c72b000a0
SHA256 f1d5d3f0f521e81ec1f6e969e6c63c863b7ea2fb4b93d89d30d1a64ba2a2141b
SHA512 accf8e4188cdede2eddc721f1997c7e5f259326caf28dae5f58e3a35f62f8021dd9892edd3e141ec1b99c76b2f9cdd99d0176ac3f63facc2b2a2ba3be48b41ed

C:\Windows\{67DC7F07-6354-4260-812F-85022F1935C3}.exe

MD5 01b8f383e9b61f4e4ff15e0ff42536b9
SHA1 6b71049689abeac3bb64873033ce829f6278283e
SHA256 647b2434ea7a81a62561625c3c966d696d46516825168c81ce48ab0eb3964bfa
SHA512 404a5f8f9d2e7c27fa6a4db77a2d4472d795355842a03e94e5d1cf5a93aa32969760cfe61f63609c331a952f1a34176598b50e3c019a3a902f56c0d113ef5ddd

C:\Windows\{3A66FEA0-DB6F-4eef-8403-62877876CF00}.exe

MD5 0169888d91f29e07a281a0c3168f3b0c
SHA1 e752fa489574e765934c1457885997d45a223d01
SHA256 d1de95ac94309d94ddc7e1476fcfd1f957a68e805cf62d1e25d82edb495487c7
SHA512 eb71ddcc7bf7b7e3da66926be2d93b90d089974b712b09753357dffa2edf54f1f15dbb56b3c07f3643b29e71fd533a296396bae8abdd32b6227a588c78344151

C:\Windows\{92792F98-96F6-412a-B11F-88D6CD134898}.exe

MD5 16caafb5711edeaee12e2ce0e72b3c83
SHA1 0bbe0aff7cc4a773a8496ad1a655745262f3e7b2
SHA256 8dad85326698c011a4ba5c505638065f2b6efc1a5a87ba9adad4ee0c13e475d9
SHA512 3f513945c0d9860d0634b7c5abf9553e909b80d159121f605a3b0d1d62253876045173389f0176c784de8ae64bd5b15a84c1e73f08a108a3744322c1ee5daea4

C:\Windows\{476432E9-1C55-48a1-9C43-0EB364CF1C13}.exe

MD5 3dde3f0c154a0686ac6481c2a989c180
SHA1 9c36da0d84855c6742cce713d3609608e51db449
SHA256 82bd9cd6837039c516fc3700b4144b06bfcb2e0ca7aad67d0a61ecdd8c064471
SHA512 28276597a824691fd2cf7ba2b69a545979f4b4b82e1079c8371458354399ce07a7ac759713cfdf31490ae429548f0d3b3091b6e9f82968d4004da427d2f8d931

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-07 23:02
Reported 2024-04-07 23:04
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF166ED-5003-467d-B4EA-E2078C198480} | C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCAF456-C654-477d-A6B3-546DF67500A8}\stubpath = "C:\\Windows\\{DFCAF456-C654-477d-A6B3-546DF67500A8}.exe" | C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4777F8F1-2164-4f9a-AA08-869F08F395E6}\stubpath = "C:\\Windows\\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe" | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27ACBD75-C990-4b8b-900C-211214A597B4}\stubpath = "C:\\Windows\\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe" | C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9208C552-97E7-4354-9195-A92D4297499F} | C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}\stubpath = "C:\\Windows\\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe" | C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C6068C-3F68-4bed-BA3B-723674281655} | C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}\stubpath = "C:\\Windows\\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe" | C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCAF456-C654-477d-A6B3-546DF67500A8} | C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27ACBD75-C990-4b8b-900C-211214A597B4} | C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC5563D6-01E5-45ee-99EC-160F892A3581} | C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9208C552-97E7-4354-9195-A92D4297499F}\stubpath = "C:\\Windows\\{9208C552-97E7-4354-9195-A92D4297499F}.exe" | C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB} | C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96} | C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4777F8F1-2164-4f9a-AA08-869F08F395E6} | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C6068C-3F68-4bed-BA3B-723674281655}\stubpath = "C:\\Windows\\{51C6068C-3F68-4bed-BA3B-723674281655}.exe" | C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64D8602-7CF2-40a4-AE47-45889C8DF17C} | C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}\stubpath = "C:\\Windows\\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe" | C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}\stubpath = "C:\\Windows\\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe" | C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF166ED-5003-467d-B4EA-E2078C198480}\stubpath = "C:\\Windows\\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe" | C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC5563D6-01E5-45ee-99EC-160F892A3581}\stubpath = "C:\\Windows\\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe" | C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919} | C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}\stubpath = "C:\\Windows\\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe" | C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C} | C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe | C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe | N/A
File created | C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe | C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe | N/A
File created | C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe | C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe | N/A
File created | C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe | C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe | N/A
File created | C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe | C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe | N/A
File created | C:\Windows\{DFCAF456-C654-477d-A6B3-546DF67500A8}.exe | C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe | N/A
File created | C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe | C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe | N/A
File created | C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe | C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe | N/A
File created | C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe | C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe | N/A
File created | C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe | C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe | N/A
File created | C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe | C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe | N/A
File created | C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe | C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe
PID 1896 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe
PID 1896 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe
PID 1896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 4780 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe
PID 3116 wrote to memory of 4780 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe
PID 3116 wrote to memory of 4780 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe
PID 3116 wrote to memory of 2796 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 2796 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 2796 N/A C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3760 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe
PID 4780 wrote to memory of 3760 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe
PID 4780 wrote to memory of 3760 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe
PID 4780 wrote to memory of 3704 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3704 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3704 N/A C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4212 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe
PID 3760 wrote to memory of 4212 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe
PID 3760 wrote to memory of 4212 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe
PID 3760 wrote to memory of 2596 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 2596 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 2596 N/A C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3336 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe
PID 4212 wrote to memory of 3336 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe
PID 4212 wrote to memory of 3336 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1504 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe
PID 3336 wrote to memory of 1504 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe
PID 3336 wrote to memory of 1504 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe
PID 3336 wrote to memory of 3084 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 3084 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 3084 N/A C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3392 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe
PID 1504 wrote to memory of 3392 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe
PID 1504 wrote to memory of 3392 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe
PID 1504 wrote to memory of 224 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 224 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 224 N/A C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 5064 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe
PID 3392 wrote to memory of 5064 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe
PID 3392 wrote to memory of 5064 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe
PID 3392 wrote to memory of 4992 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4992 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4992 N/A C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 4520 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe
PID 5064 wrote to memory of 4520 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe
PID 5064 wrote to memory of 4520 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe
PID 5064 wrote to memory of 2552 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2552 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2552 N/A C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 364 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe
PID 4520 wrote to memory of 364 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe
PID 4520 wrote to memory of 364 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe
PID 4520 wrote to memory of 2428 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2428 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2428 N/A C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3552 N/A C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe
PID 364 wrote to memory of 3552 N/A C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe
PID 364 wrote to memory of 3552 N/A C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe
PID 364 wrote to memory of 2784 N/A C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe

"C:\Users\Admin\AppData\Local\Temp\87ef784bf7fa79b260c357cf7386028c28d52ece9dc2a094f737f108d369f38b.exe"

C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe

C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\87EF78~1.EXE > nul

C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe

C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4777F~1.EXE > nul

C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe

C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{27ACB~1.EXE > nul

C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe

C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC556~1.EXE > nul

C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe

C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9208C~1.EXE > nul

C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe

C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9A35F~1.EXE > nul

C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe

C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B84~1.EXE > nul

C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe

C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51C60~1.EXE > nul

C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe

C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C64D8~1.EXE > nul

C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe

C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF1C0~1.EXE > nul

C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe

C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DDD~1.EXE > nul

C:\Windows\{DFCAF456-C654-477d-A6B3-546DF67500A8}.exe

C:\Windows\{DFCAF456-C654-477d-A6B3-546DF67500A8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF16~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

C:\Windows\{4777F8F1-2164-4f9a-AA08-869F08F395E6}.exe

C:\Windows\{27ACBD75-C990-4b8b-900C-211214A597B4}.exe

C:\Windows\{FC5563D6-01E5-45ee-99EC-160F892A3581}.exe

C:\Windows\{9208C552-97E7-4354-9195-A92D4297499F}.exe

C:\Windows\{9A35FDE8-7FF6-48dd-891E-26F177A15FFB}.exe

C:\Windows\{E6B84AE3-ED71-4c19-BEFB-028BBD46B919}.exe

C:\Windows\{51C6068C-3F68-4bed-BA3B-723674281655}.exe

C:\Windows\{C64D8602-7CF2-40a4-AE47-45889C8DF17C}.exe

C:\Windows\{BF1C04B3-75D4-47fb-B1F2-5A1075BE644C}.exe

C:\Windows\{F6DDDA87-7B4F-43c8-AA78-2EBE95052C96}.exe

C:\Windows\{8CF166ED-5003-467d-B4EA-E2078C198480}.exe

C:\Windows\{DFCAF456-C654-477d-A6B3-546DF67500A8}.exe
