Malware Analysis Report

2025-08-10 21:29

Sample ID: 240527-w55kkadd4v
Target: 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612
SHA256: 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612

Threat Level: Likely malicious

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-05-27 18:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-27 18:31
Reported: 2024-05-27 18:33
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F3D28A-D8DD-4ec2-B187-35991BA6C152} C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}\stubpath = "C:\\Windows\\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe" C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}\stubpath = "C:\\Windows\\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe" C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD92855-6260-465a-92E4-C08D9F837A87}\stubpath = "C:\\Windows\\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe" C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA15A01-554C-4695-BB78-8D1AE9377523} C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}\stubpath = "C:\\Windows\\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe" C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081} C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA15A01-554C-4695-BB78-8D1AE9377523}\stubpath = "C:\\Windows\\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe" C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F} C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857} C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}\stubpath = "C:\\Windows\\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe" C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD} C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496BE844-EE47-450c-9802-4025A86DA30A} C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496BE844-EE47-450c-9802-4025A86DA30A}\stubpath = "C:\\Windows\\{496BE844-EE47-450c-9802-4025A86DA30A}.exe" C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD92855-6260-465a-92E4-C08D9F837A87} C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9} C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4} C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}\stubpath = "C:\\Windows\\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe" C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}\stubpath = "C:\\Windows\\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe" C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366} C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}\stubpath = "C:\\Windows\\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe" C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}\stubpath = "C:\\Windows\\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe" C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe N/A
File created C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe N/A
File created C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe N/A
File created C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe N/A
File created C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe N/A
File created C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe N/A
File created C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe N/A
File created C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
File created C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe N/A
File created C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe N/A
File created C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
PID 2864 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
PID 2864 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
PID 2864 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
PID 2864 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2560 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
PID 1976 wrote to memory of 2560 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
PID 1976 wrote to memory of 2560 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
PID 1976 wrote to memory of 2560 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
PID 1976 wrote to memory of 2656 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2656 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2656 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2656 N/A C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
PID 2560 wrote to memory of 2588 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
PID 2560 wrote to memory of 2732 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2732 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2732 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2732 N/A C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2484 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
PID 2588 wrote to memory of 2484 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
PID 2588 wrote to memory of 2484 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
PID 2588 wrote to memory of 2484 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
PID 2588 wrote to memory of 2624 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2624 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2624 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2624 N/A C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2020 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
PID 2484 wrote to memory of 2020 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
PID 2484 wrote to memory of 2020 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
PID 2484 wrote to memory of 2020 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
PID 2484 wrote to memory of 2640 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2640 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2640 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2640 N/A C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 804 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
PID 2020 wrote to memory of 804 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
PID 2020 wrote to memory of 804 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
PID 2020 wrote to memory of 804 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
PID 2020 wrote to memory of 3048 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3048 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3048 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3048 N/A C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2348 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
PID 804 wrote to memory of 2348 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
PID 804 wrote to memory of 2348 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
PID 804 wrote to memory of 2348 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
PID 804 wrote to memory of 1760 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1760 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1760 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1760 N/A C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1420 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
PID 2348 wrote to memory of 1420 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
PID 2348 wrote to memory of 1420 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
PID 2348 wrote to memory of 1420 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
PID 2348 wrote to memory of 1424 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1424 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1424 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1424 N/A C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe

"C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"

C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe

C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul

C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe

C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B4E2~1.EXE > nul

C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe

C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{496BE~1.EXE > nul

C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe

C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5BD92~1.EXE > nul

C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe

C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7FA15~1.EXE > nul

C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe

C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C4E~1.EXE > nul

C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe

C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{11F3D~1.EXE > nul

C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe

C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AC022~1.EXE > nul

C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe

C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9BA~1.EXE > nul

C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe

C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3E0~1.EXE > nul

C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe

C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D2B~1.EXE > nul

Network

N/A

Files

C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe

MD5 79797b5ed8f13d93e5c00e120903b6d6
SHA1 2493d2fa5444064ed4e767fdff1e078e2fa21621
SHA256 1b73a318753598e01325b01b45bdfcb356de48e64bff8b6057d39a8d290d72ca
SHA512 613cc2eda48df39258062a2e7d724fc0b9e42bfaeb06d26dde49bcce83581aac179ea04245bb2a70d622f608d619c7972fe32f3b682f200713df0225545417f7

C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe

MD5 5b13c233faf7e20eec8beb6e9dfebbcb
SHA1 533aa1825e278229de84e56b802dddf6ae6fe86e
SHA256 8bec9c978d7f3fc66a5c22e31abf79b5b439904168aad904f20bd27c9c5948e9
SHA512 30241c432c56b358ccdbf93a136bc99a2bc275236b89f18bf9b081055c8c0c55acc4f274d0b2622048537746691081d26aef7496f0a34e5f6f72929b1f65e4d8

C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe

MD5 384fd64cd09db2c32b2e247a183167f9
SHA1 0fe4528ef8ff070218c198359ef42dfa62ea9bc8
SHA256 281b05ae56253a08d2fa940e1fe4674914c102b196aa0e281e73d26df20a40aa
SHA512 8ee1737ccab921e8e853dbacf8165188ec758c6f1c9787746d394eb8a9a38dc83dbfb7a321da6e9f9449aa9828597b7f16be04ec9a75e2949b5a71006609496d

C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe

MD5 b5f7dba88f84c4b8fc306f34b4a5ce10
SHA1 e3dd0970aa82ed221985105d0ec655457188097e
SHA256 d464a2141ef9b08261bd03c27747055ef49f51b7b8e467225536aca7c57141a3
SHA512 0355e3398f98d3552702a343262ef247920c74770a11d0c2ef1e61def72697e46be50eb4922bb6495e8bd1db64f5f27d5d7bb3d9e82d6e604dfa294e0c9cf008

C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe

MD5 295435613d33e1f61e3f8b3bf8633974
SHA1 4c27a8b2fa03c7d03a182f9a9acf6b25c27ccc8c
SHA256 c430dff9a693477c0740640320c92e8dc6848ccfb3cdab444f0ed6abefabb973
SHA512 de3f41a7f09f6132b12e01c09aa28f23b0b71fd4fcad5369f9aafd0eded9664dc5277990363f39045521bdcc5e567dca08f9f9666122c36cd94d170c14a973dd

C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe

MD5 b9caf1df98d8d67726541c9037362720
SHA1 0d310719e981d067f6d2a4d232303a63f403913b
SHA256 527b4c580715a56768c19a883c2722d147fcc92bc6ed2ea6fcdb62d6836b65c9
SHA512 fa0467c5fecfd11b71b06d0d86b0ef078ab5f0a4c739fce194a7390d284a715a99d72d41f17894bdfb327f9fa624212e217bdd27a6ec9ce0639c4b836db241d3

C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe

MD5 2c4466b8bc1137a516d14ef041fc340b
SHA1 17e4776539dcfe8f1d48a5b6201e082cf4d921b1
SHA256 f5c7d67b07a2055c0a9039cd8fecf67989cb431cbcd27843aee1934ac3ec9880
SHA512 e3950e2bf4cdc49d7cdd83c42cc66819e2a072028ad104d8d9e51f91b74fa0ecb813bf71527cc9ae237d8906ea977d0ce14a247ef1c21b902f5e17fab92ff707

C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe

MD5 3e4a0a2b8c41dd98e9eb0af750b8ca2f
SHA1 b97242c1330c10decd29d6e8fe4a99e5201a0f31
SHA256 b1875ec7ed36f40e18efe1289dd8cdaf18cd390f1d97a2137f2ed515ded51725
SHA512 405076e0e10ddd7bf6144309c9cd88dd7ea20ea93cf2fbf3781dab62218461464ff02199bfd207dcb9c600afd6b66fa8facd7f2f811d06d5059d7671ff19a832

C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe

MD5 151c1d780567a4e2023e90133a44a5a3
SHA1 f91121bf089140aa3801bdc939f64e02d48133ba
SHA256 062eea1d149e226a1cbeb76a9c6eb21d0b7ffb70efa9af1ae1d653bdd9c23072
SHA512 da75d209d184f167db6a9e4d8919c62a5f1b45b9fcbf7c8c858c9c5d716347c83f7935af5e267d9b7e1ca72fb656d65601391aaeafcb436d2e224062905d4fbe

C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe

MD5 97e1cb6a3c2dd585e360f20e061d9653
SHA1 33e725d5786cafe5d8f24663690bf31122d0fbe5
SHA256 49c91de8f0b3d092877a4b0aaec690d563ee77d496b401dbf389f118e5c9fc1b
SHA512 52923cf04d1e350e6c492fbfb4257915815934b3a71df79f8d444136483c96e326af62638c61a84fafdc2ce5fc09ec77b0a970abe0d38e1a28fc5637c830f9e8

C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe

MD5 7e2b4a3c5fb022a5a927bafe7cb94700
SHA1 82af7f34e86febc71c20c5dcc2e97d0b70b311a4
SHA256 4ee60a7473ba929bdb4a24a165e53cca6155506844e0b1d5f64521ad1eff3dd6
SHA512 7d277554374c3ae8bf051452b682c4de91490c885edb9ce77962128377f7074337857df1f9077dbeeb5d147df570bcd15c1908d168d73b43e93e2f720c20b6f3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-27 18:31
Reported: 2024-05-27 18:33
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91697043-EA59-4ef1-885C-D12248315A4C}\stubpath = "C:\\Windows\\{91697043-EA59-4ef1-885C-D12248315A4C}.exe" C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DD25BD-2067-47bb-8C96-5F6297DD7965} C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}\stubpath = "C:\\Windows\\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe" C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FB6E59-3E39-4010-A3FE-C84D725296F8} C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D4FE0E-4057-4664-B8FB-B81FA347978B}\stubpath = "C:\\Windows\\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe" C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE19830-1173-4c5b-ABC3-6FD420129889} C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B} C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668A4223-EA7B-434b-94FA-A329A407AA7F}\stubpath = "C:\\Windows\\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe" C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}\stubpath = "C:\\Windows\\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe" C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE19830-1173-4c5b-ABC3-6FD420129889}\stubpath = "C:\\Windows\\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe" C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116C2D37-F090-463c-8B22-0648C84A9477} C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116C2D37-F090-463c-8B22-0648C84A9477}\stubpath = "C:\\Windows\\{116C2D37-F090-463c-8B22-0648C84A9477}.exe" C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}\stubpath = "C:\\Windows\\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe" C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}\stubpath = "C:\\Windows\\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe" C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668A4223-EA7B-434b-94FA-A329A407AA7F} C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9207E61E-E895-45b0-9272-7E4FD4A6827F}\stubpath = "C:\\Windows\\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe" C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB72E0C2-2B50-426c-B8ED-15D41772A202}\stubpath = "C:\\Windows\\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe" C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FB6E59-3E39-4010-A3FE-C84D725296F8}\stubpath = "C:\\Windows\\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe" C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D4FE0E-4057-4664-B8FB-B81FA347978B} C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9207E61E-E895-45b0-9272-7E4FD4A6827F} C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB72E0C2-2B50-426c-B8ED-15D41772A202} C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A} C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE} C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91697043-EA59-4ef1-885C-D12248315A4C} C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe N/A
File created C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe N/A
File created C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe N/A
File created C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
File created C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe N/A
File created C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe N/A
File created C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe N/A
File created C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe N/A
File created C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe N/A
File created C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe N/A
File created C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe N/A
File created C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
PID 1344 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
PID 1344 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
PID 1344 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2412 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
PID 2492 wrote to memory of 2412 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
PID 2492 wrote to memory of 2412 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
PID 2492 wrote to memory of 3076 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 3076 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 3076 N/A C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 4076 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
PID 2412 wrote to memory of 4076 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
PID 2412 wrote to memory of 4076 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
PID 2412 wrote to memory of 2568 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2568 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2568 N/A C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 4004 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
PID 4076 wrote to memory of 4004 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
PID 4076 wrote to memory of 4004 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
PID 4076 wrote to memory of 4628 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 4628 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 4628 N/A C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 1388 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
PID 4004 wrote to memory of 1388 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
PID 4004 wrote to memory of 1388 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
PID 4004 wrote to memory of 1252 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 1252 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 1252 N/A C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 2540 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
PID 1388 wrote to memory of 2540 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
PID 1388 wrote to memory of 2540 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
PID 1388 wrote to memory of 3284 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 3284 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 3284 N/A C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 3956 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
PID 2540 wrote to memory of 3956 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
PID 2540 wrote to memory of 3956 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
PID 2540 wrote to memory of 4184 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 4184 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 4184 N/A C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 408 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
PID 3956 wrote to memory of 408 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
PID 3956 wrote to memory of 408 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
PID 3956 wrote to memory of 2740 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2740 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2740 N/A C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 4348 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
PID 408 wrote to memory of 4348 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
PID 408 wrote to memory of 4348 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
PID 408 wrote to memory of 3104 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 3104 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 3104 N/A C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 2516 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
PID 4348 wrote to memory of 2516 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
PID 4348 wrote to memory of 2516 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
PID 4348 wrote to memory of 3468 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3468 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3468 N/A C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 4368 N/A C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
PID 2516 wrote to memory of 4368 N/A C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
PID 2516 wrote to memory of 4368 N/A C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
PID 2516 wrote to memory of 4108 N/A C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe

"C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"

C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe

C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul

C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe

C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FB72E~1.EXE > nul

C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe

C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{668A4~1.EXE > nul

C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe

C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBAD1~1.EXE > nul

C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe

C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91697~1.EXE > nul

C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe

C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DD2~1.EXE > nul

C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe

C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{35FB6~1.EXE > nul

C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe

C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{39D4F~1.EXE > nul

C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe

C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE19~1.EXE > nul

C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe

C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{116C2~1.EXE > nul

C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe

C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E63D3~1.EXE > nul

C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe

C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CB547~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe

MD5 d131fb6c931a307da56ef4b780f78144
SHA1 6a59a0aa3c77d8d040fda58079bed7dad935bac3
SHA256 e51c4b8edb7526ceaf9752a784b04de716f0ca7fbb04e0cb479846dc4bee79c0
SHA512 82d828e9962f2d911f4105a3df8135db87defe8c69e672dd0822541af5b8ced2f928a71e5e4756a55cfc53aedb0d8457c2c9498607ada6a0ebf1e5aa8187ca0a

C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe

MD5 3077d6bf3f0fa2e8f162c2880fd40444
SHA1 0759c9318243260a4eadc5f5f7bbc4bbc990f368
SHA256 90083b7fb730aa759ab0838bef066ba977609d7859ad0c3e3df50c4e086b09d3
SHA512 ea2567914f1e7868ee639a877130f55d669701ae8d042222828c04aa621af78725fff8f89778a57511238714b779948d0c8f8500ae6b389b7ab1b58fb0bf58d4

C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe

MD5 4b9695a187cc7a43c4dae7028ed414fe
SHA1 54e4a93088c84be1185460822a96d56c234fc52b
SHA256 7045364e70c74679629a69cc095e99079687a4b7cf275cb41bb9f0ce799e6cb1
SHA512 baa6eb44fd16165599538c9a174a680c31f24097fdc489047286fcb78977ee3a8daddc9be11f7d583e946f5df61b636ede809857a8c16ca4e165c2b53c5ea776

C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe

MD5 800ce085edb1d8b1ece86dc90dc5aeb7
SHA1 1ef1a806ecb7df9df3f146bd55f7595e0d0970f4
SHA256 e70f6c47a82501844acf57e618358bc136805c0321aa3e9c506d08cd7b7bee24
SHA512 a4b19d19403a17be6466dc27a44b478300e2a9b6344e46a99b4da13c617e781c51281cd153959063f0a734f306631e67b9c88a23d3ae7009556fc20f29459300

C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe

MD5 e8fa048bab164e9ca6ea138d1b45b7bb
SHA1 1130861882f230d2b234bed11d8a51062ce6a071
SHA256 cf631501cfb12d789b98e12b106c9ba0488feb9547d646c9527dc257bf43ff42
SHA512 b202cbe6e0ebded7e0342bd268264ea41317c8db940403ee0f0499e04bcc0c5ed25cc8862136aa24bc2b34e9948f19d28c7be94c46f30eacc97320bd9fb31100

C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe

MD5 832d4c368e3533fa011e83c24cbb0766
SHA1 bc6bca0875d1f1bf9e6484237500144afd2b00bd
SHA256 134654f351b9e0691abb81187c9a5a4bd7b72881fc83908dacfe067060596928
SHA512 17b38c729f3ed6b575ebfcf8ec7945c7f19ac077af285a840335c55ded0f934db16a940ed2f63d777e00d64adfb18b01d74fe9ee6e074c92be7adea7fab2e9bf

C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe

MD5 157e292e9f1d7b4144a339c78c114dcf
SHA1 320cb690feb45df718a3ddf34ef5b8d47089fc18
SHA256 883a2e267240d0bc7a4e257c0a4e1f6f7d6207aafff0c49bfa2d988f184c617c
SHA512 1d6f83f3bd142f13e7ab755948d0e107789c1055dd4b5d11e339746c831f69673ee554ce93c9dcfa464e30115671f579f540fd57d42c22c1f33d744d54d7ef12

C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe

MD5 80c394ffe199e423b5ba645f876eaa1d
SHA1 2159393a2858eb7ea0c0180237d0bbc85122a051
SHA256 6ccd638c1f4df47c938ccaf63de9c1a6aa0ebaa7f1d758c9e45f567cf3e8647c
SHA512 c5c48da979cea481771619a1a762462f12ee2a1b17b8f4807fec4a4cde8fd05821397da6fe6ccbd3dacb3c177855816ba49bf298be70d124e4a85541d5366ca2

C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe

MD5 560ddb9c34043387d7029b77daa3393a
SHA1 12919cec7b98a32837f7f3d5078a100b5dbbb02c
SHA256 1bde82f4b0fee88a8cecef541a0bcb01f9d6b3abbdb7d4126ecdc1f5c69d45e0
SHA512 1d2e1507726d74005b23d8202ac18716d7ff2d4b1ef900069bebbe57041f09dc6999d1c7547c1d5aa23822ede806d01ab4c710136e5ecf2b72f5c275b1140d6c

C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe

MD5 056fcb88b5b00928325be9b1efd222ad
SHA1 c3ccb693baf91481a759ecedd75d63814d56c2b8
SHA256 5043a2007174a3312773ba872e7add2aed5e7b08bb337b3aa9d34f0bfe319864
SHA512 2f2881a4be0455e61a295a4a4da22cd7190986a3766fe2a588bbe8a1b41a962adc7fc4b4ff985dc2b0c69dca3e04dfea6e44a167c5fb45840937e91c160808a1

C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe

MD5 fbc2b8bc47d3764f576e4e1b89910762
SHA1 41fd78d48c9a5c8a634131ace12bb6d303792e77
SHA256 6573b7883b339cfc0b1e40627140ffa6edcc7017cd6dec0162c743a403d8083c
SHA512 d49ee44084b45ff440512fee88a462405670df081be36952028af2f6fe4b2818a666db0dd3c0945a202704e373b851784ce82491958980c8f56dc1a0c4109b32

C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe

MD5 0d88f40deeb776f26217cfbd4dbf9092
SHA1 cf13cb872e35f051e846cb04ba8f439e73b93371
SHA256 083a592b2b8e0c20857be3cc2edf632ecdb763006f208c0c5d1ce45efa1e05c5
SHA512 328967ce78799f53a91e8f9687783012bfb5bcf340b3fd43dae0feea74fe2e84d7e9f4bc7620e103c11348ef45818be47aa4e6e069df81c2ec602bf4ce4d2e44